Privacy is a fundamental human right which is protected under Article 17 of the International Covenant on Civil and Political Rights (ICCPR). At a national level, Australia has implemented various protections for privacy, with one of the key protections being the Privacy Act (1988).
Many of the services we use every day, and the purchases we make, involve the complex exchange and collection of data. While sometimes it is obvious that individuals are being asked to provide information, it is not always clear how information will be used later.
This is particularly true for situations where services are delivered remotely, or via multiple sub-contractors, or “cloud” based technology providers.
Business processes and service delivery are also likely to be modified on a regular basis, and can be changed very substantially over a period of a few years. Effective privacy controls put into place at the initial design phase of a process or service might be removed or weakened at a later point. Technologies may change, new suppliers might be included into supply chains, outsourcing may be introduced, and new threats may emerge.
This means that regular reviews are needed, and privacy-related risks should be evaluated on a regular basis. This is the purpose of a Privacy Impact Assessment (PIA). Ideally these reviews should occur before process or service delivery changes are made.
What privacy protections need to be considered?
Privacy is a human right protected by the ICCPR, a major United Nations treaty which came into effect in 1976. Unfortunately, not every country has ratified the treaty, or implemented their privacy protections in a consistent manner.
As of November 2023, a number of Australia’s neighbours, and two of our largest trading partners, have not ratified the ICCPR. These include China, Singapore, Malaysia, Papua New Guinea, and Fiji.
While China and Singapore do have data privacy laws in place, it is worth considering how protections and mechanisms to enforce them may differ in international jurisdictions.
The European Union General Data Protection Regulation (GDPR) came into effect in 2018. The economic influence of the EU, and the comprehensive nature of the GDPR framework, have meant that the GDPR has significantly influenced multinational organisations and cloud-based technology providers. It has also inspired some other countries to adopt similar methodologies.
The Australian Federal Government’s Privacy Act (1988) outlines how personal information collected and held by Australian Government agencies and some private sector organisations should be protected.
Various Australian state-based laws enact further privacy protections which cover information collected by state government entities and local government.
For example:
- NSW Privacy and Personal Information Protection Act 1998 (PPIP Act) covers NSW Government agencies, with the NSW Health Records and Information Privacy Act 2002 (HRIP Act) applying to health information for both public and private sector organisations.
- Queensland Information Privacy Act 2009 (IP Act) covers how Queensland Government agencies collect, store, use, and disclose personal information.
- Victoria Privacy and Data Protection Act 2014 (PDP Act) covers how Victorian Government agencies handle personal information, with the Victorian Health Records Act 2001 applying to health information for both public and private sector organisations.
Privacy Impact Assessment Methodology
A privacy impact assessment is a process for assessing the impacts on privacy of a project, technology, service, policy, program, or initiative. It is carried out in consultation with stakeholders, and helps determine remedial actions to help mitigate negative impacts.
SpencerMaurice has adopted a flexible methodology, based on the recommendations of the NSW Privacy Commissioner, and the PIA methodology outlined by the OAIC.

Stage 1 – Initiate
Once it has been determined that a privacy impact assessment is warranted, it is necessary to plan the execution of the assessment using the agreed methodology, and to determine the scope and the most relevant stakeholders to be consulted.
The scale of the assessment should be fit for purpose, and tailored to the circumstances.
Stage 2 – Discover
This stage of the project should focus on collecting relevant existing documents describing systems, processes, information flows, technologies, and information relating to service architecture, operating model, enterprise risk management, governance, delegations, policies, and reporting.
Once this initial information has been identified, a review is carried out to build an understanding of both the context and the details of the areas within the scope of the PIA.
Once the rapid desktop review is complete, attention will turn to consultations with key stakeholders. These will typically start with a series of individual consultations to allow in-depth sharing of information and perspectives, and be followed by facilitated information and control mapping workshops. These workshops should be scaled to meet the circumstances, and the number of stakeholders who need to participate.
Mapping might typically focus on:
- Who collects information, and from whom
- How it is collected, and for what purpose
- How information will be used or processed
- How information will be stored, and how long it will be retained
- Who can access the information, and delegations
- Disclosures and transfers to other entities, and their purpose
- Whether information will be transferred to other legal jurisdictions
- Whether data matching is planned or may occur, and the mechanisms involved
Stage 3 – Analyse
Now that there is an established set of documented information flows and controls, and the relevant information has been uncovered through the review, a detailed phase of analysis can occur.
This analysis is tailored based on the circumstances and needs of each client, and typically agreed during project initiation.
It might be expected that an assessment considers the following areas:
- An analysis of privacy-related impacts, risks, and their potential mitigations
- Compliance with the relevant laws and regulations
- Whether privacy impacts identified align with community expectations and project goals
- Any third-party handling of data
- Data quality and data management processes
- Alignment with the enterprise risk management framework
- Governance and reporting mechanisms
- Complaints mechanisms and opportunities for individuals to correct incorrect information
- Opportunities for business improvement, particularly with regard to privacy by design principles
The analytical lenses used can potentially be tailored to areas of particular concern.
Once the initial analysis has been drafted, a privacy impact analysis needs to be performed, considering the risks that have been identified in the preliminary impact analysis. These risks and opportunities for improvement need to be identified and further explored with key stakeholders, to formulate potential risk mitigations.
Stage 4 – Report
The PIA now includes materials from the prior review, information flow mapping and controls, and the analysis of the privacy impacts, proposed mitigations, and recommendations for other related business improvements.

