NSW Privacy Impact Assessments

Guide to Privacy Impact Assessments in NSW

A Privacy Impact Assessment (PIA) helps identify and minimize privacy risks in new projects or changes to existing initiatives.
A PIA is a process that should begin at the earliest stages and continue until and even after the deployment of the project.

Benefits of a PIA

Enables early identification of adverse privacy impacts and opportunities to address these
Promotes awareness of privacy issues and builds privacy risk management capacity in an organisation
Complies with privacy laws
Demonstrates that privacy is a core corporate value and that a project is designed with privacy and privacy safeguards in mind
Builds goodwill, trust, and confidence of the community and stakeholders that projects/initiatives are privacy compliant

Risks of Not Conducting a PIA

Failure to comply with privacy laws
Loss of credibility and reputational damage if the project fails to meet community expectations about how privacy and personal or health information will be protected
Late identification of privacy risks, resulting in unnecessary costs or inadequate solutions

NSW Privacy Legislation

The Privacy and Personal Information Protection Act 1998 (PPIP Act) protects personal information and applies to NSW public sector agencies.
The Health Records and Information Privacy Act 2002 (HRIP Act) protects health information and applies to NSW public sector agencies, private health service providers, and private organisations that hold health information.

Core Elements of an Effective PIA

Integral to an organisation’s governance: a PIA is most effective when it is a standard organisational commitment to assessing privacy risks.
Fit for Purpose: the PIA needs to be sized according to the potential privacy risks.
Comprehensive: PIAs cover all privacy issues, not just compliance for the handling of personal or health information.
Available: the PIA report demonstrates accountability and is available to a wider audience.
Enables compliance: legal and policy compliance checks are core elements of a PIA.
Ongoing: allows updating or revision according to any changes in the project.
Constructive: a good PIA adds to the privacy culture of an organisation by demonstrating the value of managing privacy risks and contributing to organisational success.

The PIA Process

Determine if a PIA is necessary through a threshold assessment.
Identify projects with privacy implications and determines the likely scope and scale of the PIA.
Document the outcome of the threshold assessment, including project description, personal and/or health information involved, and access to and amendment of the information.

Technology and Privacy Impacts

Innovative technology, including artificial intelligence (AI), can give rise to unique and complex privacy issues.
Other jurisdictions, such as the European Union, require data protection impact assessments for certain types of processing, including large-scale use of sensitive data, systematic and extensive profiling, and public monitoring.### Privacy Impact Assessments (PIAs)
PIAs involve identifying and assessing the potential privacy impacts of a project
They should consider the risks and consequences of processing personal and health information

Types of Processing that Require a PIA

Innovative technology, including AI
Denial of service based on automated decision-making
Large scale profiling of individuals
Processing of biometric data
Processing of genetic data, except by an individual GP or health professional
Invisible processing: processing of personal data not obtained directly from the data subject
Tracking of an individual's geolocation or behaviour
Targeting of children or other vulnerable individuals
Risk of physical harm: processing that could jeopardise the health or safety of individuals

Planning a PIA

Assign responsibilities and describe the project
Identify the nature and size of the project
Determine who will undertake the PIA and their expertise
Establish milestones, key decision-making points, and consultation processes
Outline the project's context, aims, and objectives

Stakeholder Consultation

Early engagement with stakeholders is essential
Identify stakeholders who will be affected by the project
Consultation can help identify privacy risks and concerns
Offers stakeholders the opportunity to discuss risks and mitigation strategies
Can gain stakeholder confidence in the project

Mapping Information Flows

Map the flow of personal and health information in a project
Describe who will collect what information, how it will be collected, used, and disclosed
Identify how information will be stored and protected
Consider data linkage or matching, and how it will be done

Identifying Privacy Risks

Identify potential privacy impacts of the project
Assess the likelihood and severity of the risks
Consider specific risks to individuals, such as re-identification of pseudonymised data, identity theft, or reputational damage
Evaluate the costs, risks, and benefits of different options to mitigate privacy risks

Formulating and Consulting on Draft Recommendations

Develop a set of recommendations that include an action plan and timeline
Identify how privacy protection measures can be enhanced
Identify how negative privacy impacts or risks can be avoided or reduced### Privacy Impact Assessments (PIAs)
A PIA is a process to identify and mitigate privacy risks in a project
The goal of a PIA is to achieve a balance between the project's goals and the protection of personal and health information

Recommendations in a PIA Report

Changes to the project to achieve a better balance between goals and privacy protection
Privacy management strategies to reduce or mitigate privacy risks
The need for further stakeholder consultation
Whether the project needs significant re-design or feasibility examination due to significant privacy impacts
Creation of privacy documentation or amendment of existing agency privacy management plans
Issues beyond project-specific matters to overall privacy risk management for the organization

PIA Report Components

Introduction and background information, including project context
Project description, including information flows and handling of personal and health information
Description of the PIA approach, including who was responsible and the methodology used
Results of stakeholder consultation, including feedback
Outcome of risk assessment and compliance check, including identified privacy risks, mitigation options, and recommended actions
Description of privacy risks that cannot be mitigated, likely response, and whether they are outweighed by public benefits
Recommendations, including actions required, priorities, and target dates

Publishing a PIA Report

Best practice to publish a PIA report to demonstrate transparency and provide a public record
May need to consider releasing a summarized or edited version of the PIA report in certain circumstances (e.g., early project stages, privileged or confidential information, or security concerns)

Review and Update

Seek external review of a PIA by an independent third party to ensure proper implementation and recommendation adoption
May need to undertake a new PIA if project changes result in significant new privacy impacts

Handling Privacy Breaches

A visible, comprehensive, and effective complaint handling mechanism is necessary to address privacy breaches.
Auditing and oversight mechanisms are crucial to identify and address system failures.

Project Consistency with Community Values

The project should align with community values about privacy to ensure trust and transparency.

Risk Assessment and Resolution

Identify specific risks to individuals, such as re-identification of pseudonymised data, identity theft or fraud, reputational damage, loss of confidentiality, or financial loss.
Consider the likelihood and severity of identified risks based on the project's handling of personal information.
Take action to resolve privacy risks and address potential issues.

Conducting a Privacy Impact Assessment (PIA)

A PIA helps identify and mitigate privacy risks in a project.
Consider seeking external review of a PIA by an independent third party.
If significant changes occur during the project, a new PIA may be necessary.

Resources for Conducting a PIA

The Office of the Australian Information Commissioner provides a guide to undertaking PIAs, including resources and sample PIA reports.
The UK Information Commissioner's Office offers guidance on data protection impact assessments under the GDPR.
Sample PIA reports are available, such as the PIA for the IPC's Information Access Self-assessment tool.