Managing Privacy Risk: Why Privacy Impact Assessments Should Be Added to Your Toolbox

Caroline Hayward and Cecilia Askvik explore how Privacy Impact Assessments can be used as a compliance tool to avoid costly and damaging privacy mistakes. Read on for the latest in KWM’s inhouse-centred series: From our inhouse to yours.

‘By failing to prepare you are preparing to fail.’ – Benjamin Franklin.

After a year of major data breaches and privacy reforms (slowly) moving forward in Australia, privacy is on everyone’s mind. In its response to the Privacy Act Review report, the Government has signalled that the already existing requirement for Commonwealth Government agencies to conduct privacy impact assessments (PIAs) for high privacy risk activities will be brought to private sector agencies. High-risk processing activities are also coming under increased regulatory scrutiny globally.

The reforms will increase public concern about handling of personal information and organisations will be under pressure to manage personal information in an open and transparent way. Although it remains unclear how soon we can expect to see draft legislation, organisations should not wait. No matter where your organisation is in your privacy journey, you need to start planning for coming reforms and get up to speed with compliance with current obligations. Implementing a PIA process is a good place to start and inhouse counsel have a role to play.

In our latest inhouse counsel post, we share advice how your organisation can adopt a Privacy by Design approach by developing a PIA process.

What is a Privacy Impact Assessment?

A PIA is a voluntary assessment a business undertakes to analyse a project’s risk of non-compliance with privacy legislation and will identify the impact the project may have on the privacy of individuals. A PIA will identify controls to manage, mitigate, or remove risks.

The OAIC’s PIA guide sets out 10 elements that should be included in any PIA process.

1. Threshold assessment: Not every project will require a PIA (e.g., no personal information involved or no changes to current information handling practices), so the first step is to identify if a PIA is necessary for the project. You might consider one for a new software product which will host personal information off premise, or for implementing a new loyalty program where your organisation will collect personal information of various clients and customers. Where a project is limited in privacy scope only a short PIA may be required.
2. Plan the PIA: Planning the PIA is one of the most important steps. This includes who will conduct it, timeframes, budget and other resources, consultations, and steps to take after completion of the PIA.
3. Project description: Identify the relevant project and settle on a project description. The project’s scope and extent must be identified to set the context for the PIA.
4. Consultations: This stage involves identifying and consulting key stakeholders that may be interested or affected by the project. Stakeholders can be internal or external.
5. Information flows: Based on the project description set out in step 3, this step requires the project team to map the project’s personal information flows.
6. Impact analysis & compliance check: Critically analyse what impacts the project will have on the privacy of individuals and if the project offers acceptable outcomes. Does the project comply with privacy laws and other relevant legislation?
7. Addressing risks: Identify mitigation strategies to reduce or mitigate each risk factor identified in step 6.
8. Recommendations: After completing previous steps, some recommendations might emerge that will identify avoidable impacts or risks and how they can be removed or reduced.
9. Report: The result of the assessment should be set out in a report which reflects the findings and responds to recommendations.
10. Respond and review: Action must be taken to respond to the recommendations set out in the report. The PIA is an ongoing process so it should be reviewed and updated.

It should be noted that some state privacy commissioners have issued similar guidance for state or territory government agencies under relevant state and territory privacy legislation. Globally, PIAs and data protection impact assessments have become a common requirement under many privacy laws.
Why should your organisation conduct a PIA?

Commonwealth Government agencies are required under The Privacy (Australian Government Agencies – Governance) APP Code 2017 (Cth) to conduct PIAs for all high privacy risk projects.

Although it is currently not mandatory for non-government agencies to undertake PIAs, the OAIC strongly encourages all entities to integrate PIAs into projects that involve personal information.

Australian Privacy Principle 1 (APP 1) requires APP entities to take reasonable steps to implement procedures, systems and practices that will ensure compliance with the APPs. In other words, APP 1 requires APP entities to adopt a ‘privacy by design’ approach. This means privacy compliance is built into your systems, practices, and processes. Implementing a PIA process is the best way to do this.

APP 11 requires APP entities to take active measures to protect the personal information it holds from interference, misuse, loss and from unauthorised access, modification, or disclosure. PIA is a useful tool to crystalise privacy risks associated with a project and strategies to mitigate risks, including security risks.  This will also help reduce the risk of experiencing a data breach, for example by minimising the amount of personal information collected. Similarly, a PIA can assist entities to respond to data breaches efficiently and assess the risk of harm by referring to the PIA.

How should you integrate a PIA process?

Although there are guides how to conduct a PIA, what the PIA process should look like and how to introduce it to the organisation will vary depending on the structure of your organisation and existing processes. Some aspects that should be considered when building a PIA process include:

• Existing processes: PIAs can be relevant to existing project and risk management processes. Consider whether PIAs can be integrated into any of your organisation’s existing project management and risk assessment processes. While different organisations might adopt different processes to conduct PIAs, ideally the PIA process should address the 10 elements included in the OAIC’s PIA guide.
• Stakeholders: Both internal and external stakeholders want to know if their privacy has been considered during the project and how their personal information will be handled and protected. Consulting stakeholders and publishing the PIA report will not only demonstrate that your organisation manages personal information in a transparent way but will also help gain clients’ and consumers’ trust.
• Timing: PIAs are commonly seen as an obstacle. Certainly, the time and costs of fixing a project might be burdensome if the PIA is an afterthought and presented to approving authorities or stakeholders at the very end of a project. To reduce costs and avoid public concerns, PIAs should be included at the early stages of a project. Inhouse counsel should be involved early in the process (see ‘Who should be part of the team’ below).
• Review:Oftentimes there are many changes to a project before completion. The PIA should evolve as the project progresses and should be continuously updated. When building a PIA process, you should consider how it should be built into your organisation’s risk management framework. If the changes are significant and may result in privacy impacts that have previously not been considered the team may need to conduct a new PIA.
• Data breach response: The PIA should address issues around data breach response and the steps that will be taken if a data breach involving the project occurs. If your organisation has a data breach response plan in place, a copy of the plan can be attached to the PIA. The project team should also consider and liaise with relevant teams whether changes to the data breach response plan need to be made as a result of the project. This includes how the organisation’s obligation under the Notifiable Data Breaches (NDB) scheme and relationships with third parties will be managed if personal information handling has been outsourced as part of the project.

Who should be part of the team?

Although the responsibility to carry out a PIA sits with the project team, conducting a PIA is not a one-man job. It is a team effort, and the PIA process should include seeking expertise from other parts of the organisation.

Inhouse counsel will play a valuable role in any PIA so it is important to identify during which steps of a PIA they should be involved. Inhouse counsel are uniquely positioned to assist with identifying key risks early on and ensuring the project complies not only with privacy legislation but also other legislative or regulatory requirements. Similarly, inhouse counsel can assist the project team to identify remediation options and how they should respond to some of the PIA questions.

Other representatives that may need to be involved in the PIA include:

• Privacy Officer
• Technology
• Information Security
• Risk Management
• Operational procedures

What happens if you do not conduct a PIA?

If the imminent privacy reforms are not convincing enough to implement a PIA process, then perhaps the risk of regulatory enforcement action is.

Several privacy regulators around the world have flagged they will continue to focus its enforcement actions on high-risk processing activities, including the OAIC. The OAIC has previously found that Clearview AI, the Australian Federal Police, and 7-Eleven all breached Australians’ privacy by not conducting a PIA for projects that involved the use of biometric technologies.

Although no fines were imposed, massive new privacy penalties have since then been introduced and further penalties for low and mid-tier interferences are being considered as part of the reforms.

What now?

Hopefully this article has provided some insights into privacy by design and the value inhouse counsel can bring by being a part of an organisation’s PIA framework. By getting up to speed with PIAs today, your organisation will be better prepared for the coming reforms.

Further information

If you or someone in your organisation needs further guidance on Privacy Impact Assessments, or advice on data protection & privacy matters, please reach out to your KWM contact or Michael Swinson and the Data Protection & Privacy team.

Check out other insights from the Office of General Counsel team here and subscribe to KWM Pulse using the button below to stay across upcoming articles in areas of interest.