Privacy impact assessment process

Objectives

To provide a practical framework for the completion of a privacy impact assessment (PIA);

To facilitate the identification and management of privacy risks associated with a new or amended project / process;

To ensure appropriate endorsement and acceptance of residual risk of a new or amended project / process; and

To actively prevent privacy breaches, complaints and/or prohibitive costs in retro-fitting a process/system to address compliance issues or community concerns about privacy.

Exclusions

Nil

Definitions

Personal information: information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Sensitive information: information about an individual’s race, ethnicity, political opinions, religious or philosophical beliefs, sexual preferences or practices, criminal record, or membership details, such as trade union or professional, political or trade associations.

Health information: information or opinion about the physical, mental or psychological health of an individual (including a deceased individual) or a health service provided to them.

Reasonable: a judgement in context of what is fair, proper and moderate.

Process steps

What is a privacy impact assessment (PIA)?

Privacy impact assessments (PIAs) are a way of measuring the potential privacy impact and risk posed by a new project, initiative or process, whether it is a legislative, policy or technological initiative.

PIAs are undertaken as part of a risk management strategy, at the planning stage, to assess whether it is safe to proceed to the implementation phase of a project. A failure to properly embed appropriate privacy protection measures may result in a breach of privacy laws, or prohibitive costs in retro-fitting a system to ensure legal compliance or address community concerns about privacy.

PIAs are undertaken by the project manager or relevant person responsible for planning the proposed project and general risk assessment activities. The RMIT Privacy Officer can be consulted to assist with privacy-related risk assessment, where required, and with PIA completion after review by the appropriate manager or senior project officer.

Examples of activities likely to benefit from a PIA:

  • Existing, new or increased collection, use or disclosure of personal information
  • Change to handling of personal information
  • Creation or modification of databases dealing with personal information
  • Merging of internal databases
  • Introduction of new information technologies / applications, e.g. software as a service contracts, cloud based systems
  • Adoption of identification and authentication methods (especially biometrics)
  • Surveillance, data matching or aggregating personal information within the University
  • Linking of databases between the University, offshore partners or controlled entities
  • Transfer of personal information outside of Victoria, e.g. use of an externally hosted application

A PIA is not required for scholarly research activities assessed by the College Human Ethics Advisory Network (CHEAN) or Human Research Ethics Committee (HREC).

Non-scholarly research such as market research or feedback surveys must be assessed by the Survey Reference Group, Business Analytics & Planning.

Privacy considerations such as consent and data security are addressed as part of the HREC or Survey Reference Group processes.

1. Is a PIA needed? Conduct a threshold privacy assessment.

A threshold privacy assessment is a brief, initial consideration of a project, to determine whether any potential impact upon privacy warrants the completion of a full PIA report.

Complete the Privacy Impact Assessment Checklist (see supporting templates).

2. A PIA is needed – who should I involve?

The categories of stakeholders who should be involved in your PIA process include:

  • Internal stakeholders – e.g. data owners, project managers, ITS, operational staff, records management and archives staff, procurement, HR, staff with specialist compliance responsibilities / knowledge.
  • Internal or external specialist advisers – privacy / compliance officers, legal services, Office of the Victorian Privacy and Data Protection Commissioner.
  • External stakeholders – e.g. partner organisations, suppliers, contracted service providers.

A public consultation process can be considered if there is likely to be public concern about the actual or perceived privacy impact – e.g. students.

3. Determine the PIA scope

Develop terms of reference, allowing for assessment of a project’s potential future uses, foreseeable project expansions, or likely changes in structure or scope.

Knowledge of what is intended to happen with the project in the future, or what is reasonably likely to happen, should influence the project’s up-front design.

4. Do I need to consider any other compliance obligations?

A PIA should primarily assess compliance with the following legislation:

  • Privacy and Data Protection Act 2014 (Vic) (re personal information)
  • Health Records Act 2001 (Vic) (re health information)

All projects and activities must be consistent with RMIT policies and processes. Depending upon the project, you may also need to consider obligations under legislation such as the:

  • Surveillance Devices Act 1999 (Vic)
  • Public Records Act 1973 (Vic) and statutory recordkeeping standards
  • Freedom of Information Act 1982 (Vic)
  • Telecommunications (Interception) Act 1979 (Cwth)
  • Spam Act 2003 (Cwth)
  • Charter of Human Rights and Responsibilities

as well as the RMIT Privacy and data protection policy and any other internal confidentiality restrictions specific to the information concerned.

You should consult with the Assistant Director, Compliance (Global Quality Regulation and Compliance) or with specialist compliance officers where required or appropriate.

5. Structuring the PIA

The PIA requires the following information:

  • Project description
  • Proposed data flows
  • Analysis against the Information Privacy Principles (IPPs) as detailed in the PIA report templates
  • Findings, recommendations and mitigating actions and responsibilities
  • Signed endorsement and acceptance of residual risk by the appropriate business owner and data owner

6. Meeting RMIT community expectations

Ensuring the project complies with the law may not be sufficient.

Proposals may be subject to stakeholder criticism even where the requirements of the Act have been met. If people perceive their privacy is at risk, they are unlikely to be satisfied by a justification of actions that technically do not breach the law.

To protect a project against such criticism, ensure that you have a solid understanding of stakeholder (staff, students or external) perceptions and expectations.

7. Conduct the PIA

Conduct the PIA utilising the PIA Report Template or PIA Checklist (see supporting templates).

An initial meeting with the RMIT Privacy Officer (or compliance staff within your area) is strongly recommended to ensure the correct considerations are included. Meeting at an early phase ensures that project timelines are not disrupted later by privacy compliance issues that were not sufficiently examined.

It is recommended that the RMIT Privacy Officer, or appropriate privacy or legal officer, be consulted following the completion of the PIA template to discuss findings and recommended actions. The area responsible for the project must ensure the quality of the PIA documentation, including review of the documents by the appropriate manager before they are provided to the RMIT Privacy Officer.

8. Mapping the personal information data flows within the PIA

Privacy principles focus on the life cycle of personal information – from collection through to disposal. Working through the life cycle of the information will help you determine at which points decisions are made and where privacy becomes particularly vulnerable.

Include the following within the PIA:

  • Collection (the type of personal information collected, whether it is a new collection or existing information, whether the use fits with the original collection purpose and statement, whether a new collection statement is needed)
  • Use (the processing of the information and its intended uses – matched with RMIT functions)
  • Disclosure (who the information will be distributed to, for what purposes and in what circumstances)
  • Data quality (how the currency and quality of personal information will be assured)
  • Data security (the safeguards that will operate against misuse, loss, unauthorised access, modification or disclosure, including at disposal)
  • Access and correction (how individuals will be able to access and, if necessary, correct their personal information)

The PIA Report Template provides guidance on what should be included in each of these areas.

9. Assessing the privacy risks

Risks to privacy can arise in many circumstances: collecting excessive information, inappropriate use, using intrusive means of collection, or disclosing sensitive details more widely than justified. All involve risks both to individuals’ privacy and to RMIT’s compliance and reputation.

Privacy risks of a project should be identified, assessed and actions determined to mitigate or reduce the risks. Think about ways that things could go wrong – e.g. how data could be misused or accessed – and then design systems and processes to minimise the risk of that happening.

Ask questions like:

  • Why is each piece of personal information needed?
  • Can we avoid collecting / using some of it?
  • How can we protect it?
  • How will people expect us to use or disclose it?

Personal information belongs to the individual. RMIT and its staff are only its custodians.

Also consider what has worked and what hasn’t in similar projects in the past.

10. Mitigating privacy risks

A PIA identifies solutions or strategies to mitigate identified risks.

When developing recommendations, keep in mind a few basic strategies:

  • Ensure the project has a sound justification with a clear benefit
  • Minimise the personal information collected / used to only what is absolutely necessary
  • Maximise transparency about what personal information will be collected, stored, used and disclosed
  • Limit access to and disclosures of the information
  • Maximise data security.

Recommendations to mitigate privacy risks can originate in:

  • IT design
  • Policies and processes
  • Transparency (communication)
  • Staff awareness and training
  • Accountability measures.

11. Concluding the PIA

Conclude the PIA with an overview of:

  • The most significant findings, in relation to both privacy risks and privacy enhancing features
  • The key actions required to mitigate privacy risks and impact
  • Which privacy risks cannot be mitigated, the likely reaction to such risks and whether the risks are outweighed by the benefit to RMIT / stakeholders / public in the project proceeding.

12. Finalisation and endorsement

It is recommended that the RMIT Privacy Officer and Data Security Officer be consulted as part of the finalisation of the PIA. This will ensure that all relevant privacy and data security risks are identified and enable feedback on the adequacy of proposed mitigating actions.

Endorsement by the business or project owner and the relevant data owner includes:

  • Acceptance of responsibility for actions and/or controls that are required to mitigate risk
  • Acceptance of residual risk.

13. Agreement and monitoring of mitigating action plans

Proposed mitigating actions should be agreed with the project sponsor, project management team and other appropriate stakeholders.

Agreed actions should be transferred to an action plan, with identified responsibilities (individuals) and target timelines.

Monitoring is essential to ensure that actions are completed adequately and on time.

It is recommended that the completion of actions be monitored as a formal and integral part of the project management process, with records kept of progress and completion.

14. Who should receive a copy of the PIA?

The completed PIA should form part of the project planning stage and be kept alongside project documentation. A copy should be provided to the project sponsor and team.

A copy is also to be provided to the RMIT Privacy Officer.
