Data custodians must consider the privacy and confidentiality issues associated with a project before the project can proceed. Privacy Impact Assessments are one tool available to assess the potential privacy impacts of the project. These may be undertaken at the discretion of the data custodians or the integrating authority.
Privacy Impact Assessments are useful for mapping the project’s personal (or business) information flows and documenting procedures for collection, use, disclosure and retention of this information as well as the associated legislative and organisational rules. This provides a basis for analysing risks to privacy and examining how these risks will be managed, avoided or reduced.
Recommendations from a Privacy Impact Assessment can be used to refine the project proposal, and may also help inform the decision on whether to proceed with a project.
Privacy Impact Assessments may be considered by the integrating authority when evaluating the feasibility of a high risk project, but are not mandatory. In some circumstances, where a project presents a very high risk of an adverse public sentiment, data custodians may decide to conduct a Privacy Impact Assessment before they give in principle approval for the project to proceed. Generally the decision of whether or not to conduct a Privacy Impact Assessment should be guided by the advice of the Office of the Australian Information Commissioner (see below for links to further information).
Examples of Privacy Impact Assessments
Department of Health and Ageing – PIA for the Personally Controlled Electronic Health Record
Australian Bureau of Statistics – PIA for the Census Data Enhancement project
Further information about the Privacy Act 1988 can also be found in the Legal & Policy considerations topic.
For more information about steps in finalising project details see:
- Outsourcing or working in partnership
- Human Research Ethics Committee approvals
- Privacy Impact Assessments
- Data management
- Drafting project agreements