PIA Flashcards
When developing or reviewing a project, consider the need for a _______ _______ _______.
privacy impact assessment (PIA)
A PIA identifies how a project can have an impact on individuals’ privacy and makes recommendations to manage, minimise or eliminate privacy impacts.
OAIC recommends that organisations conduct PIAs as part of their risk management and planning processes. While each project is different, a PIA should generally include the following __ steps.
10
- Threshold assessment
Ask if any personal information will be collected, stored, used or disclosed in the project. If the answer is yes, a PIA is usually necessary. Keep a record of this threshold assessment.
- Plan the PIA
Consider the scope of your assessment, who will conduct it, the timeframe, the budget and who will be consulted.
- Describe the project
Prepare a project description to provide context for the PIA project. This should be brief, but sufficiently detailed to allow external stakeholders to understand the project.
- Identify and consult with stakeholders
Identify the project stakeholders. Consulting them can help to identify new privacy risks and concerns, better understand known risks, and develop strategies to mitigate all risks.
- Map information flows
Describe and map the project’s personal information flows. Detail what information will be collected, used and disclosed, how it will be held and protected, and who will have access.
- Privacy impact analysis and compliance check
Critically analyse how the project impacts on privacy. Consider compliance with privacy legislation and any other information handling obligations that may apply to your organisation. Even if the project appears to be compliant with privacy legislation, there may be other privacy considerations that need to be addressed such as community expectations.
- Privacy management — considering risks
Consider options for removing, minimising or mitigating any privacy risks identified through the privacy impact analysis.
- Recommendations
Make recommendations to remove, minimise or mitigate the risks identified through the privacy impact analysis. Include a timeframe for implementing the recommendations.
- Report
Prepare a report that sets out all the PIA information. It should be a practical document that can easily be interpreted and applied. The OAIC encourages the publication of PIA reports and has developed a PIA tool to help you conduct a PIA, report its findings and respond to recommendations.
- Respond and review
Monitor the implementation of the PIA recommendations. A PIA should be regarded as an ongoing process that does not end with preparation of a report. It is important that action is taken to respond to the recommendations in the report, and to review and update the PIA, particularly if issues arise during implementation.
The Privacy Act 1988 (Privacy Act) was introduced to promote and protect the privacy of individuals and to regulate how Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations, handle personal information.
The Privacy Act includes 13 Australian Privacy Principles (APPs), which apply to some private sector organisations, as well as most Australian Government agencies. These are collectively referred to as ‘APP entities’. The Privacy Act also regulates the privacy component of the consumer credit reporting system, tax file numbers, and health and medical research.
Section 33C of the Privacy Act establishes that the Commissioner may conduct an assessment relating to the following:
- the Australian Privacy Principles (s 33C(1)(a)(i))
- a registered APP code (s 33C(1)(a)(ii))
- credit information files and credit reports held by credit reporting agencies and credit providers (s 33C(1)(b))
- tax file number recipients (s 33C(1)(c))
- data matching programs (s 33C(1)(d))
- claims information associated with the Medicare Benefits Scheme and the Pharmaceutical Benefits Scheme (s 33C(1)(e))
- acts or practices of an entity or a state or territory authority in relation to COVID app data (s 33C, 94T(1)).
The Executive Branch of Mexico has also issued:
- The Regulations to the Federal Law on the Protection of Personal Data held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (the Regulations), which entered into force on December 22, 2011
- The Privacy Notice Guidelines (the Guidelines), which entered into force on April 18, 2013
- The Recommendations on Personal Data Security, issued on November 30, 2013
- The Parameters for Self-Regulation regarding personal data, which entered into force on May 30, 2014
- The General Law for the Protection of Personal Data in Possession of Obligated Subjects (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados), which entered into force on January 27, 2017