Before public sector agencies can assess the privacy impacts of new projects or proposed new legislation, they first need to be able to quickly identify whether the proposal is likely to raise any privacy issues. This task can be daunting for staff who are not privacy specialists.
The Identifying Privacy Issues early Checklist(Word) is designed to assist staff to identify the things that should trigger their consultation with their Privacy Contact Officer (or with the NSW Privacy Commissioner) early in the project or legislation's design stage.
Privacy Impact Assessment (PIA) is a different process. A PIA involves a comprehensive analysis of the likely impacts of a project upon the privacy rights of individuals. It is a little bit like an environmental impact assessment done for a new development proposal. The assessment can ensure that any problems are identified – and resolved – at the design stage.
A PIA is not only about ensuring compliance with the relevant information privacy laws such as the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act), but can also help to minimise the risk of reputational damage by identifying broader privacy concerns.
The Privacy Commissioner hopes to develop a guide to conducting PIAs in the near future. Similar jurisdictions to NSW have, or are currently developing, their own guides. Please contact us for further information.
New government initiatives
When examining new proposals or laws, the following questions may help point out whether the proposals or the laws comply with the privacy principles:
- Is it likely to increase the amount of personal information collected by government/business?
- Does it propose a new use for an existing source of personal information?
- Does it propose sharing, linking or matching personal information between different organisations?
- Does it propose new powers of entry, search or seizure?
- Does it propose surveillance as a method of achieving a policy or law enforcement objective?
- Does it create an identification system or require a new use of existing forms of ID?
- Is it being proposed by the makers or sellers of a new technology, looking for a market?