APF Policy Statement on Privacy Impact Assessments

Privacy Impact Assessment (PIA) is a systematic process that identifies and evaluates, from the perspectives of all stakeholders, the potential effects on privacy of a project, initiative or proposed system or scheme, and includes a search for ways to avoid or mitigate negative privacy impacts.

This Policy Statement comprises the following sections:

PIA compared with Other Business Processes

A PIA differs from other privacy-related business processes, in the following ways:

Activities Conducted Prior to a PIA

Activities with Narrower Scope than a PIA

Activities Conducted Subsequent to a PIA

Characteristics of a PIA

In order to fulfil its purpose, a Privacy Impact Assessment process needs to have all of the following characteristics.

1. Purpose of the PIA

From the perspective of people whose privacy may be negatively affected by a project, the PIA's purpose is to ensure that the projects's impacts and implications are understood prior to implementation, and that unnecessary negative impacts are avoided or that mitigating measures are in place.

From the perspective of the sponsoring organisation(s), the PIA's purpose is to enable the organisation and its partners to appreciate privacy concerns, to avoid or mitigate negative privacy impacts and implications, and to do so at a sufficiently early stage in the project life-cycle that costly re-work and feature retro-fit are avoided.

2. Responsibility for the PIA

The responsibility for the conduct of a PIA rests with organisations that sponsor, propose or perform projects that have the potential to negatively impact privacy.

In many cases, external expertise will be acquired under contract, because few organisations would find it appropriate to invest in full-time employees who already had, and could sustain, up-to-date knowledge in such a specialised area. In addition, an appropriate consultant can provide access to external perspectives that may otherwise be difficult for the organisation to appreciate. However, merely delegating the conduct of the PIA to an external contractor does not satisfy the requirements. Similarly, an assessment undertaken by a regulatory or oversight agency is not a PIA, but rather a form of accountability and external control.

Within the sponsoring agency, governance arrangements are necessary, to ensure that:

3. Timing of the PIA

The PIA must be commenced sufficiently early that information arising from it is fed forward into the design process. If that is not the case, then there is a considerable risk that the design will have undue negative privacy impacts, and that re-work and feature retro-fitting will be necessary. This creates project risk, and gives rise to delays and to much higher costs than is the case where an in-depth understanding of privacy concerns is factored into the design process from the outset.

Where a project is large or long, the PIA process needs to be multi-phased, commencing at project initiation or at least during the requirements analysis phase, and running in parallel and inter-leaved with design, implementation and deployment.

4. Scope of the PIA

A PIA process has to have sufficient scope. Three aspects are particularly crucial to a successful undertaking.

• The Dimensions of Privacy

A PIA process must not be limited to data/information privacy, i.e. the protection of personal data. Other categories of importance are:

• Stakeholders

The perspectives of all stakeholders must be reflected, not merely those of the sponsor(s) and its/their strategic partners. In particular, the scope of the stakeholder notion must include:

Stakeholder Analysis needs to be undertaken in order to identify the categories of entities that are or may be affected by the project, and whose actions may affect the success of the project

• Reference-Points

A PIA process must of course take into account laws relevant to privacy. This may include one or more privacy or data protection statutes, but it also includes many other pieces of legislation that provide incidental protections or that establish privacy-relevant regulatory requirements, and, in common law jurisdictions, torts (such as confidentiality) and case law. In the case of government agencies and government business enterprises, their own enabling and/or governing legislation generally also contains privacy-relevant requirements.

However, the reference-points used in identifying negative privacy impacts need to be much broader than just the applicable laws. There are many public needs, expectations and concerns that are felt by individuals, categories of individuals and communities that may not be (or may not yet be) reflected in law. A PIA process that overlooks these aspects will result in a design that earns opprobrium from advocacy organisations and the affected public. Hence, despite being legally compliant, schemes will encounter resistance, and be the subject of complaints and negative media coverage.

5. Stakeholder Engagement

The PIA process must include meaningful engagement by the sponsoring organisation with all stakeholders. For meaningful engagement to be achieved, all of the following are necessary:

Some organisations may be concerned about the exposure of information of commercial or competitive value or security-sensitivity, and others about the disclosure of information that is subject to constraints, e.g. because no Cabinet decision has yet been made. It is necessary to reconcile the need for meaningful engagement with the affected public against such security and confidentiality limitations.

6. Orientation

The PIA process needs to have appropriate orientation.

• Process vs. Product

The PIA needs to be clearly and consistently depicted as being primarily about process. If, on the other hand, a PIA is projected or perceived as being merely a formal procedure that produces a PIA Report, then the project will fail to achieve the insights, understanding, behavioural change and business process features that an effective PIA process leads to.

• Solutions vs. Problems

PIA is a form of risk management. This means that it goes beyond 'problems', 'issues' and 'concerns', and extends to a search for 'solutions'. More specifically, it involves active search for means of avoiding negative privacy impacts wherever that can be achieved, and for means of mitigating the negative impacts where avoidance is not feasible.

7. The PIA Process

A preliminary privacy issues analysis process enables projects to be screened, and threshhold tests applied, in order to determine whether a PIA is necessary, and, if so, what the scope of the assessment should be.

The PIA process as a whole needs a degree of structure, such as a preliminary phase, followed by preparatory, performance, documentation and review phases.

Considerable benefits can be gained from integration of the PIA process into relevant corporate processes, such as project funding, project approval, risk management, project management and internal review mechanisms.

PIA guidance documents offer considerable value in planning and performing the process; but they need to be applied intelligently rather than being thought of as a recipe, and checklists need to be recognised as not necessarily being sufficiently comprehensive to support the assessment of any particular project.

8. Outcomes from the PIA Process

The documents that are produced by the PIA process importantly include the following:

The outcomes derive from the implementation of the Privacy Management and Control Plan. They importantly include the following:

Guidance Documents Published by Australian Privacy Commissioners

The Australian Privacy Commissioner

The Commonwealth Commissioner published a PIA Guide 2006. There has been one subsequent revision (OAPC 2010).

In general, much of that document provides valuable guidance; but unfortunately it suffers from several critical deficiencies, which the Privacy Commissioner has declined to address. These are:

The Victorian Privacy Commissioner

Since the revisions made to its original 2004 document, the guidance document published by the Victorian Privacy Commissioner (OVPC 2009a) is one of the best such documents published anywhere in the world.

Its one disadvantage in that it structures and describes the PIA process in terms of the preparation of the PIA Report - which risks readers thinking of a PIA as a mere product rather than primarily a process. On the other hand, the Template (OVPC 2009b) and the Accompanying Guide (OVPC 2009c) draw the assessor well beyond mere legal compliance, place considerable emphasis on consultation and solution-orientation, and provide instruction without permitting the assessor to abandon intellectual engagement with the work.