As the Office of the Privacy Commissioner notes, a privacy impact assessment (PIA) is an essential part of many projects and proposals. A PIA can be used to help agencies identify the potential risks arising from their collection, use or handling of personal information, and to find out if they are meeting their legal obligations. At the same time, PIAs are not necessarily required for all projects and proposals, and they can be time-consuming and expensive. For these reasons, it can be important to distinguish between:
- situations where there are no or minimal privacy-related risks; and
- situations where there could be significant privacy-related risks that need to be assessed.
Doing this helps you answer the question: is a PIA required?
When to ask and answer the question
Usually at least a preliminary decision on this question should be made fairly early in the life of a project or proposal. Asking the question and doing a PIA after a project has substantially progressed, or after a new service or system has been designed and built, can be a recipe for error, new requirements, rework, time delays and extra costs. In some cases, a failure to ask the question and, if necessary, undertake a PIA, could derail a project or lead to non-compliance with the Privacy Act and investigation by the Privacy Commissioner.
The challenge that some agencies face is knowing how to answer the question posed above: is a PIA required?
This is where the threshold privacy assessment (TPA) comes in. It is not a full PIA. Rather, it helps you determine whether, in the circumstances, it is necessary or desirable to do a PIA. You can think of it as a form of triage.
StopLookGo Privacy’s* Threshold Privacy Assessment can be done quickly, online. You can start by clicking the button below. Once you’ve done that, just answer the questions, click submit, and you’ll be provided with a Threshold Privacy Assessment report based on the answers you’ve given. (Your report will be automatically deleted from our site within 24 hours.)
* StopLookGo’s TPA leverages the New Zealand Office of the Privacy Commissioner’s “Brief Privacy Analysis” (licensed under a Creative Commons Attribution 3.0 New Zealand licence) and the Queensland Office of the Information Commissioner’s Threshold Privacy Assessment document (licensed under a Creative Commons Attribution 4.0 International licence). Both have been adapted to take account of some additional issues. In addition, the TPA gives preliminary feedback on potential privacy issues, and the process of completing it has been automated.