Preventing privacy issues – the role of a Privacy Impact Assessment 

Privacy is not just a compliance issue for the legal department. It should be a priority for everyone. You have to translate privacy into a customer issue because this is really becoming the holy grail of doing business for everyone in an on-line world.

Larry Ponemon – Chairman and Founder of the Ponemon Institute

2017 saw a range of privacy breaches, hacking incidents and identity theft issues. Often these are unintended and arise from design decisions and preferences early in a project’s life.

For example, in 2015 a toy maker revealed that over 4.8 million parents’ names, physical and email addresses, passwords and some children’s details had been leaked through what a professional said was a ‘lack of basic precautions on the company’s website’. Following the leak, the company has invested in implementing more robust data security measures; however, consumer confidence in the safety of their private information has not been restored.

When businesses get it wrong and fail to protect their customers’ private information, they face the possibility of lawsuits, reputational damage and a downturn in customer satisfaction. By successfully managing customer information and taking steps to show that you care about individuals’ privacy, you see higher customer satisfaction ratings and increased trust in your brand.

The best way that businesses can mitigate privacy concerns and breaches is to identify risks early in a project. This is typically done via a Privacy Impact Assessment (PIA).

What is it?

A Privacy Impact Assessment helps businesses to identify and reduce the privacy risks they’ll face when starting a new project or implementing a new policy. A PIA will identify:

  • What privacy laws or regulations apply to your organisation
  • Whether the information being accumulated complies with legal and regulatory requirements
  • Risks associated with collecting, storing, using and disbursing personally identifiable information
  • Methods to mitigate any potential privacy risks early in a project when it’s cheaper and easier to make changes
  • If people’s expectations of privacy are being met
  • How well current systems are operating with personal information.

Why do it?

A Privacy Impact Assessment is one way decision makers can have confidence that they have considered which impacts to privacy may occur, have built in mechanisms to mitigate those impacts, and have ensured compliance with the applicable legislation and regulation covering the collection, use or handling of personal information.

When to do it?

The earlier a PIA is done in a project, the sooner its findings can be included in the project design. This prevents the possibility of large changes being introduced later on when it will cost more to do so, and reduces additional effort being wasted on changes.

In the initial stages of a PIA, the project may only be assessed at a high level. As the project specifications become clearer, the PIA should be reviewed periodically to continually assess the privacy risks. Businesses should choose to include PIAs in the project assurance process, during project governance or in project-related templates to cement their inclusion within project delivery.

How to do it?

The Office of the Information Commissioner Queensland suggests that a PIA should include the following steps:

  • Conduct a threshold assessment
  • Plan the PIA
  • Describe the project
  • Identify and consult with stakeholders
  • Map the personal information flow
  • Identify the privacy issues
  • Identify options to address privacy issues
  • Prepare the PIA report; and
  • Action the agency’s response to the PIA report.

These steps will determine if the project has acceptable or unacceptable privacy impacts.

Once the PIA has been completed, the project team and sponsor can identify actions that can be taken to resolve the risks and ensure compliance with applicable laws and regulations. Businesses need to decide which risks can be removed and which ones need to be reduced to an acceptable level, and this may vary from project to project.

Want to know more about privacy?

Most data breaches in Australia during 2017 were caused by employees mishandling information. Ensuring that your employees are across the new mandatory data breach notification laws and the Commonwealth’s Information Privacy Act will help businesses prevent data breaches, prevent the leaking of private information, identify solutions to remediate problems during project planning and grow a trusted brand.

GWI Consultant Elisabeth Brennan

For more information about how GWI can help you conduct a privacy impact assessment, contact GWI’s privacy specialist Dr Vanessa Douglas-Savage on 1300 364 430 or email info@gwi.com.au.