Conducting a Privacy Impact Assessment (PIA)


PIA stands for Privacy Impact Assessment. It is designed to accomplish three goals:

  1. Ensure conformance and compliance with privacy, sensitive information and data security laws, government agency codes, and policy requirements for privacy;
  2. Determine the risks and effects; and
  3. Evaluate protections and alternative processes to mitigate potential privacy risks.

It is a process that should begin at the earliest possible stage, when there are still opportunities to influence the outcome of a project, and should continue up to the deployment of the project and even after it.


Benefits of doing a Privacy Impact Assessment

  • Enabling early identification of adverse privacy impacts and an opportunity to address these
  • Promoting awareness of privacy issues and building privacy risk management capacity in an organisation
  • Complying with privacy laws
  • Demonstrating that privacy is a core corporate value and that a project is designed with privacy and privacy safeguards in mind
  • Building goodwill, trust and confidence among the community and stakeholders that your projects and initiatives are privacy compliant


Risks when a Privacy Impact Assessment is not conducted

If a PIA has not been conducted, your project is at risk of the following:

  • Failure to comply with privacy laws
  • Loss of credibility and reputational damage if the project fails to meet community expectations about how privacy and personal or health information will be protected
  • Late identification of privacy risks, resulting in unnecessary costs or inadequate solutions


The role of submitting a PIA request at the earliest opportunity

Every time your agency collects personal information, it may pose a risk to the privacy of the people who provide that information.

The risk level varies. It depends on the type of personal information your agency collects and the people it collects it from.

Submitting a PIA request allows us to determine the risk level and then recommend suitable mitigation strategies. Raising the request before the webform is built helps your agency integrate privacy measures from the start, rather than retrofitting them after the form is live.


How to undertake a Privacy Impact Assessment

The first step in undertaking a Privacy Impact Assessment (PIA) is to assess whether the project collects or uses personal information. Note: the term ‘project’ is used broadly. It is intended to cover the full range of activities and initiatives that may have privacy implications, such as new policies or processes, an information sharing or disclosure initiative (e.g., publishing information on nsw.gov.au), a social media campaign, or new systems for storing or accessing personal information.

Personal information is defined as information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion (section 4 of the Privacy and Personal Information Protection Act 1998 (PPIP Act)). Personal information includes, but is not limited to, a person’s name, contact details (street address, email, phone number), signature, date and place of birth, education and employment details, photograph, government-related identifiers (such as driver licence number, Medicare number, passport number, TFN), health information and sensitive information (such as information about ethnic or racial origin, political opinions, religious or philosophical beliefs, sexual activities or trade union membership).

  • The PIA Support request form serves as a privacy threshold assessment and will allow you to determine the level of risk associated with the collection and/or handling of personal information. For more information on identifying potential privacy risks and determining which type of PIA is needed, see the nsw.gov.au Privacy Threshold Assessment Guide.

If the project is going to proceed with a PIA, download the applicable Privacy Impact Assessment template below to get started on the process.

A link to the PIA document must be added in the Content Management System (CMS) to every new or modified webform. Refer to the article Adding a Privacy Impact Assessment (PIA) link in a webform to find out more.

An additional measure to ensure your project is complying with privacy guidelines and legislation is to include a Privacy Collection Notice on any webform you may use on your project. Read Using a Privacy Collection Notice for your form to find out more.


Privacy Impact Assessment documents

Depending on the level of risk, our privacy team will issue one of the following:

  • PIA Lite:
    • low-risk collections, where only basic personal information is collected, and
    • medium-risk collections, where a variety of personal information is collected or free-text fields are used on the form
  • PIA: high-risk collections, where sensitive information is collected or information is collected from vulnerable individuals

In each document we will recommend suitable mitigation strategies to ensure you manage the privacy risk adequately.
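The tiering above can be encoded as a threshold check that runs over a webform definition before it is published. This is an added example, not part of the original article or the privacy team's own tooling; the field category labels, the `Webform` schema, the `vulnerable_audience` flag and the reading of "variety" as personal information beyond basic contact details are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Field categories, grouped by the article's definition of personal information.
BASIC = {"name", "email", "phone", "street_address", "signature"}
GOVERNMENT_ID = {"driver_licence", "medicare", "passport", "tfn"}
SENSITIVE = {"health", "ethnic_origin", "political_opinion",
             "religious_belief", "sexual_activity", "trade_union"}
PERSONAL = BASIC | GOVERNMENT_ID

@dataclass
class FormField:
    name: str
    category: str  # one of the categories above, "free_text", or "none"

@dataclass
class Webform:
    title: str
    fields: List[FormField]
    vulnerable_audience: bool = False  # assumption: declared by the form owner
    pia_link: Optional[str] = None     # PIA document linked in the CMS

def threshold_level(form: Webform) -> str:
    """Map a webform to the article's tiers: none, low, medium or high."""
    cats = {f.category for f in form.fields}
    if form.vulnerable_audience or cats & SENSITIVE:
        return "high"    # sensitive information or vulnerable individuals
    personal = cats & PERSONAL
    if "free_text" in cats or personal - BASIC:
        return "medium"  # free-text fields, or personal info beyond basic details
    if personal:
        return "low"     # only basic personal information
    return "none"

def required_document(level: str) -> str:
    return {"none": "No PIA required", "low": "PIA Lite",
            "medium": "PIA Lite", "high": "PIA"}[level]

def review(form: Webform) -> List[str]:
    """Findings to raise before the form goes live, including a missing CMS link."""
    level = threshold_level(form)
    findings = [f"{form.title}: {level} risk -> {required_document(level)}"]
    if level != "none" and not form.pia_link:
        findings.append(f"{form.title}: no PIA link added in the CMS")
    return findings

# Constructed sample forms (not from the article).
CONTACT_FORM = Webform("Contact us", [FormField("name", "name"), FormField("email", "email")],
                       pia_link="https://example.invalid/pia/contact")
FEEDBACK_FORM = Webform("Feedback", [FormField("name", "name"), FormField("comments", "free_text")])
HEALTH_SURVEY = Webform("Health survey", [FormField("condition", "health")], vulnerable_audience=True)
```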

Ensure your PIA documents are retained for record keeping

It is important that you retain the PIA for your records and as a reference point should any privacy issues arise regarding the webform.


More information

  1. Check out the NSW Government Cyber Security Policy to find out the requirements NSW government departments and agencies must meet to ensure cyber security risks are appropriately managed
  2. Head over to the Information and Privacy Commission NSW site to up-skill yourself in the legislation dealing with privacy and access to government-held information in NSW
