The Australian Privacy Principles implicitly promote ‘privacy by design’ – where good privacy practice is not treated as a bolt-on or an afterthought but is embedded into the design of processes and the implementation of technology. Privacy by design is essential to incorporate into any Australian Government agency’s operations and governance. Conducting a privacy impact assessment (PIA) for new projects plays an important role in achieving privacy by design.
What the APP Code says
The Privacy (Australian Government Agencies — Governance) APP Code 2017 (APP Code), which came into force on 1 July 2018, requires Australian Government agencies to:
- have a privacy management plan with specific, measurable privacy goals and targets;
- appoint one or more Privacy Officers;
- designate a Privacy Champion;
- maintain an internal privacy capability (including through appropriate education and training, at least annually, and regular reviews of internal privacy processes); and
- conduct a PIA for all ‘high privacy risk’ projects.
In relation to the last dot point, the APP Code specifies that a project may be a ‘high privacy risk’ project ‘if the agency reasonably considers that the project involves any new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals’. This description leaves a fair bit of discretion to each Australian Government agency.
The new OAIC guidance
Undertaking a PIA properly, while extremely important, can be an expensive exercise (particularly when carried out without the right experts at the table). To help Australian Government agencies determine whether a PIA is truly required, the OAIC released a new resource today setting out:
- guidance on how to screen for potentially ‘high privacy risk’ projects by completing a threshold assessment;
- benefits of conducting a PIA even when a project does not meet the ‘high privacy risk’ threshold; and
- a template for completing a threshold assessment.
The new OAIC guidance may be accessed here: When do agencies need to conduct a privacy impact assessment?
What is a threshold assessment?
A threshold assessment is preliminary in nature and helps an agency to determine whether a project meets the ‘high privacy risk’ threshold, which would enliven the APP Code requirement to conduct a PIA. This approach is consistent with practices in the private sector.
When should our agency conduct a threshold assessment?
If your agency’s project (e.g. new policy proposal, legislative reform, changed program or activity, new IT system or organisational restructure) involves new or changed ways of handling personal information, you should undertake a threshold assessment. We also recommend this to the private sector.
What you need to do now
You should already have incorporated a trigger point for conducting a PIA into your agency’s project initiation process/template. If so, you should now update your process/template to also incorporate the new OAIC guidance into the same document, including a trigger point for conducting a threshold assessment. If not, you need to do so now.
You will also need to update your privacy management plan to reflect the new guidance.