Australian Privacy Act Reforms and our IAPP Sydney KnowledgeNet:
The Privacy Act Review report described organisational accountability as the implementation of “privacy management processes which internally reflect their responsibility for compliance with applicable privacy laws and for managing privacy risks on an ongoing basis.” It added that accountability measures could include building “community trust in the entity as a responsible steward of personal information.”
Feedback provided before the review revealed a community expectation that high-risk practices should be subject to additional requirements under the Privacy Act.
The current position in Australia is that Australian Government agencies are required to complete a Privacy Impact Assessment (PIA) for all high privacy risk projects (broadly, high risk means new or changed ways of handling personal information (PI) that are likely to have a significant impact on the privacy of individuals). As part of the reforms, however, the Government has agreed in principle that non-government entities should also be required to conduct a PIA for activities with high privacy risks. It has also agreed in principle that a PIA should be made available to the Office of the Australian Information Commissioner (OAIC) on request.
So, in view of the announcement, it wasn’t surprising to have such a high level of interest in our IAPP Sydney KnowledgeNet late last year regarding PIAs.
Now, I know people who wouldn’t find the idea of doing a PIA exciting(!). But I have been known to be excited, because the opportunity for detailed analysis of the risks of a privacy breach, and then to decide how to remediate those risks, offers a very high return on investment.
A PIA, though, is a tool used to operationalise privacy. And, as anyone in privacy knows, getting engagement for privacy is more challenging than simply discussing it, and I was keen to hear how organisations were approaching the task.
Our groups knew that a few high-level learnings would be drawn from the discussion for this article. As always, the comments depended on the sector, the size of the organisation and the maturity of its privacy practice.
Concerning Delivery:
It was agreed that a PIA is a powerful risk management tool, and a proactive measure to ensure that the privacy rights of individuals are respected and protected.
I’d also add that there can be significant cost efficiencies when dealing with privacy risks at the commencement of a project rather than at a later stage. The value of projects promoted as “transformation” projects to increase revenues and/or reduce costs can be far outweighed by the costs of a serious privacy breach, i.e. damage to reputation and share price, regulatory action and fines, etc.
The driver for organisations planning to implement PIAs was awareness of escalating risk: more data being collected, data moving online and into the cloud, emerging technologies such as AI, and a greater impact on individuals now that so much sensitive and detailed information is digitised.
Some organisations, however, were only just starting to add PIAs to their privacy practice and were still working out how to embed the process.
Many organisations already implementing PIAs had started with templates from the OAIC and other privacy regulators, but pointed out that these should be tailored to the needs of the business.
A threshold assessment, a short initial screen that checks whether a project handles personal information and whether a full PIA is warranted, can really help to communicate the need for a detailed risk assessment before the PIA process commences. The OAIC website currently provides guidance on threshold assessments.
My experience is that when done well, the PIA process enables stakeholders to understand and record relevant privacy risks specific to a project, and consider fully what harms to individuals are possible. It’s terrific to see teams become motivated to eliminate, mitigate or manage the risks once they completely understand how, and what can occur. The process creates the time and space for those discussions to develop.
To ensure PIA recommendations were not overlooked, they were logged in a central spreadsheet with an owner and a deadline for each, so that completing the PIA document was not the end of the risk management.
Concerning Embedding:
Embedding change in any organisation is impossible without ownership. One way to create ownership is to ensure the requirement for PIAs is included in the organisation’s internal procedures.
It’s a well-worn idea, but the need for PIAs should of course be actively supported and promoted by all senior leaders, including the CEO.
Workshopping scenarios relevant to your project, and the harms a data breach would cause to individuals, builds internal support by bringing to life the need for a thorough assessment of privacy risks.
When promoting PIAs, there’s another great return on investment: completing a PIA also supports ongoing privacy awareness and training. The budget for effective training is often in short supply, and the assumption that training once is sufficient to embed any new practice simply doesn’t hold.
A PIA based on the Australian Privacy Act should include questions relevant to each of the Australian Privacy Principles. As PIAs are completed by various parts of an organisation, familiarity with the principles lifts privacy capability organisation-wide. If the privacy team is the only team convinced of the importance of privacy, risks will continue to be hard to manage.
We can assist you to develop privacy impact assessments and lift capability in your organisation. Call us on 1300 264 946 to discuss our solutions.