Welcome back to TRANSPARENT – a quarterly newsletter providing information to help you meet your privacy obligations under the Student Identifiers Act 2014 (SI Act) and the Privacy Act 1988 (Privacy Act).
This newsletter is published by the Unique Student Identifier (USI) Office and written in collaboration with the Office of the Australian Information Commissioner (OAIC), the regulator of the Privacy Act.
In this newsletter, we focus on how Registered Training Organisations (RTOs) can manage risks of non-compliance with the Australian Privacy Principles (APPs), and the role of privacy impact assessments and privacy management plans, in particular.
We hope you find the newsletter helpful and look forward to receiving your feedback.
IMPORTANT NOTE: The Privacy Act, including the APPs, applies to APP entities only. To determine whether your training organisation is an APP entity, refer to Chapter B of the APP Guidelines.
Inside this edition:
- Why good privacy practices are essential
- What are ‘reasonable steps’?
- What is a privacy impact assessment (PIA)?
- Why do a PIA?
- How to do a PIA
- How often should a PIA be reviewed?
- What is a Privacy Management Plan?
- OAIC resources
Why good privacy practices are essential
The APPs in the Privacy Act describe the minimum expectations of the community in relation to how you handle their personal information. Where the Privacy Act covers your organisation, they are also legally binding. Good privacy practices help your organisation build and maintain individuals’ confidence that their personal information will be protected and respected, which is a driver of enhanced business performance.
What are ‘reasonable steps’?
Several of the Privacy Act’s obligations are framed as requiring organisations to take steps that are ‘reasonable in the circumstances’. For example, under APP 11 entities must take ‘such steps as are reasonable in the circumstances’ to protect personal information they hold from misuse, interference, loss and from unauthorised access, modification, or disclosure.
What qualifies as ‘reasonable steps’ will depend on the circumstances of your organisation, including, for example, the types of personal information being handled and any related privacy risks. The circumstances of your organisation will change over time, so it is important to regularly review your practices and processes for managing personal information and USIs to ensure they effectively protect individuals’ privacy and reduce privacy risks.
A PIA is one tool you can use to consider how ‘reasonable’ your steps are in relation to a particular project or activity.
What is a privacy impact assessment (PIA)?
A PIA is a systematic assessment of a project that identifies the impact the project or activity might have on the privacy of individuals, and sets out recommendations for managing, minimising, or eliminating that impact. Undertaking a PIA will help you to:
- describe how personal information flows in a project
- analyse the possible privacy impacts on individuals’ privacy
- identify and recommend options for avoiding, minimising, or mitigating negative privacy impacts
- build privacy considerations into the design of a project
- achieve the project’s goals while minimising the privacy impact.
A PIA is more than a simple compliance check. It should ‘tell the full story’ of a project from a privacy perspective and consider a project’s broader privacy implications and risks. This includes whether the planned uses of personal information in the project will be acceptable to the community.
Why do a PIA?
A PIA can help your organisation meet both legislative obligations and community expectations, which builds public trust in your handling of personal information. In particular, conducting a PIA will:
- ensure that the project is compliant with privacy laws
- reflect community values around privacy in the project design
- reduce future costs in management time, legal expenses, and potential negative publicity, by considering privacy issues early in a project
- demonstrate to stakeholders that the project has been designed with privacy in mind.
When to do a PIA
To be effective, a PIA should be an integral part of the project planning process, not an afterthought. It should be undertaken early enough in the development of a project that it can still influence the project design or, if there are significant negative privacy impacts, to prompt a review of whether the project should proceed.
For any project that involves the handling of personal information, you should first do a threshold assessment (see below) to determine whether the rest of the steps involved in a PIA will be necessary.
How to do a PIA
Not every project will need a PIA. The first question to ask when assessing whether a PIA is needed is: ‘Will any personal information be collected, stored, used, or disclosed in the project?’ This is the ‘threshold assessment’, which is the first step in undertaking a PIA (see the OAIC website). Generally, if personal information is involved in the project, some form of PIA may be necessary.
You should record the threshold assessment undertaken to determine whether a PIA is needed for a particular project. Consider recording the following information:
- a description of the project
- whether the project involves the collection, storage, use, or disclosure of personal information
- whether you will proceed to undertake a PIA
- details of the person or team responsible for assessing whether a PIA is necessary.
Next steps if a PIA is necessary
There are a number of steps involved in completing a PIA. The following list sets out a brief summary of these steps, based on guidance from the OAIC (see ‘OAIC resources’ below for more information).
Plan the PIA: After the threshold assessment is complete, you should plan the PIA. One of the most important initial questions is how detailed the PIA needs to be, based on a broad assessment of the project and its privacy scope.
Describe the project: Describing the project, including its overall aims and timeframes, will provide context for the rest of the PIA.
Consult with stakeholders: Allow enough time to seek and consider the input of internal and external stakeholders.
Map information flows: Describing or creating a visual representation of how personal information will be collected, used, disclosed, stored, protected, and accessed can help you quickly identify any key areas of concern.
Privacy impact analysis and compliance check: Investigating the project impact on privacy (both positively and negatively) can determine whether the project has acceptable privacy outcomes or risks that must be addressed.
Privacy management — addressing risks: If any privacy risks are identified, the next step is devising strategies to reduce or mitigate these risks.
- These could address a range of issues, including changes to the project that would achieve a more appropriate balance between the project’s goals, the interests of affected individuals, and the business interests of your organisation.
Respond and review: Finally, your organisation should provide a response to the PIA recommendations. Later in the project, reviews of the PIA should take place to address the implementation of measures set out in the recommendations, and whether any further changes are required to reduce privacy risks.
How often should a PIA be reviewed?
A PIA is a living document that should evolve with a project. The intervals at which a PIA is revisited will depend on the project. As a general rule, any changes to a project that have an impact on the way personal information is handled should prompt consideration of whether the PIA should be revised to reflect those changes.
What is a privacy management plan (PMP)?
While PIAs are effective at managing privacy risks on a project-by-project basis, a more holistic approach to privacy is necessary to manage privacy risks across your organisation.
A privacy management plan (PMP) is a document that identifies specific, measurable goals and targets for your organisation to meet in complying with your obligations under APP 1.2. Risks that are identified through project specific PIAs can feed into your organisation’s PMP, particularly where similar privacy risks are identified across multiple projects. An effective PMP will set out the timeframes for addressing any identified privacy risks and will be refreshed at least annually.
The OAIC website has a number of resources that provide guidance on how to conduct PIAs and create a PMP.
You may find the following links useful in relation to conducting a PIA:
The Privacy management framework can assist you in developing and maintaining your PMP.
The next edition of TRANSPARENT will be the first in a two-part discussion on the security of personal information. It will discuss:
- physical security controls
- general IT protections (such as firewalls and anti-virus)
- other protections (such as encryption, patching and whitelisting)
- testing (including penetration testing).