Privacy Impact Assessments

A privacy impact assessment is a process for assessing the impacts on privacy of a project, technology, service, policy, program, or initiative. It is carried out in consultation with stakeholders, and helps determine remedial actions to help mitigate negative impacts.

SpencerMaurice has a long track record of delivering independent reviews, to help boards and executive teams to gain an independent perspective, identify potential improvements, and model the impacts.

When you are trying to identify the best way to allocate resources, a clear-eyed independent point of view is critically important.

Our consultants have deep expertise. We work collaboratively with your executive team and stakeholders to deliver reviews that are timely, have clear recommendations, and are actionable.

The federal Office of the Australian Information Commissioner (OAIC) has defined a standardised process for carrying out privacy impact assessments.

There is federal legislation which outlines protections and mechanisms. Each state has its own corresponding state legislation which sits alongside the federal framework.

Privacy in NSW

The NSW Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act) provide the framework for privacy protection in NSW.

NSW privacy legislation applies to NSW public sector entities, local councils, and universities. NSW legislation does not define a Privacy Impact Assessment (PIA).

The NSW Health Records and Information Privacy Act 2002 defines "health information" and the principles that must be applied when it is collected, stored, used, and handled. The act applies in a general sense to both private sector and public sector organisations, with some specific defined exemptions.

The following 15 Health Privacy Principles are specifically defined in the HRIP Act, and need to be applied to the collection and handling of health information.

A Privacy Code of Practice is a legal instrument which allows a public sector entity to make changes to an Information Protection Principle, provisions that deal with public registers, and how a rule will apply in a particular situation. Health Privacy Codes of Practice can modify the application of HPPs, or provisions for the private sector.

Codes of Practice need to meet certain requirements, and be prepared in consultation with the Privacy Commissioner, and authorised by the Minister for Health or Attorney General.

The 15 Health Privacy Principles are the key to the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act).

These are legal obligations which NSW public sector agencies and private sector organisations must abide by when they collect, hold, use and disclose a person's health information.

Our Privacy Impact Assessment services

  • Independent privacy impact assessments
  • Mapping of information flows
  • Privacy impact analysis
  • Review of privacy management
  • Identification of privacy and data risks
  • Development of remediations and controls
  • Identification of business improvement opportunities to embed Privacy by Design
  • Reviews and development of compliance and governance frameworks, enterprise risk frameworks, and risk maturity

Whitepaper: Turning Purpose into Outcomes

Learn more about turning strategy into sustainable action plans, and our four key recommended actions for leaders.
