THE OFFICE OF THE PRIVACY COMMISSIONER

Privacy Impact Assessment Guide

August 2006

MODULE A
Threshold Assessment

Background

  1. This Threshold Assessment module was developed to assist employees of agencies to determine, early in the developmental stages of a proposed project, whether that project is likely to require a PIA. It could be deployed as a template on desktops, portable computers or internal websites (provided they are secure) for use by any employee proposing change.
  2. If an agency[9] is developing a program, system, legislation or other initiative that involves personal information, the provisions of the Privacy Act 1988 (the Act) apply. Each agency is responsible and accountable for the personal information it collects, even when the personal information is in the custody of external service providers or contractors operating either in Australia or overseas.

How the Threshold Assessment works

  1. The Threshold Assessment aims to draw out whether the proposed project involves the collection, use or disclosure of "personal information". The discussion as to what constitutes personal information (below) should be useful in making this assessment.
  2. Generally speaking, if personal information is not involved in the project, the project is unlikely to have the degree of impact on information privacy which would necessitate the completion of a PIA. However, a lack of personal information will not necessarily guarantee that there will be no information privacy impact. For example, a project may not involve personal information now, but may present issues if personal information were to become involved down the track. Furthermore, the fact that personal information is not involved in a project does not guarantee that other types of privacy (such as bodily, territorial or communications privacy) are not relevant.[10]
  3. As such, whilst the Threshold Assessment is designed to help employees determine whether a PIA is necessary, there is no hard-and-fast rule about when to do a PIA. Each project needs to be considered within its own broader context.

What is personal information?

  1. A range of factors can be relevant when considering whether "personal information" is involved in a project. The Act defines "personal information" as:
  2. "...information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."
  3. The Act also defines "sensitive information" as:

    1. "information or an opinion about an individual's:

      1. racial or ethnic origin; or
      2. political opinion; or
      3. membership of a political association; or
      4. religious beliefs or affiliations; or
      5. philosophical beliefs; or
      6. membership of a professional or trade association; or
      7. membership of a trade union; or
      8. sexual preference or practice; or
      9. criminal record;

      that is also personal information; or

    2. health information about an individual."
  4. Personal information does not always need to include an individual's name to be regulated by the Act. It may include information that can be linked to or can identify a specific individual through association or inference.
  5. The Act's definitions are culturally neutral. It is therefore important to consider the cultural context in which the personal information will become available. It should not be assumed that the stakeholders or clients operate under the same cultural framework as the record-keeper. So if a record-keeper operates under one cultural/institutional framework and the information becomes available to a particular group in our society, what appears deidentified or unidentifiable to the record-keeper may identify an individual, when placed in the hands of that group.

    For example, generic information such as ethnic origin may not by itself seem to identify an individual. However, if an ethnic identifier is disclosed along with other information and relates to an individual in a small town where there are only a limited number of people of that ethnic origin, it could identify an individual and therefore become personal information under the Act.

  6. Note also that personal information may be collected directly from an individual or indirectly from another source. It would therefore be prudent to consider the concept of "collection" broadly, encompassing for example personal information that flows through the agency as well as real-time online verifications and information from shared databases.
  7. The following is a suggested Threshold Assessment template.

Suggested Threshold Assessment Template

  1. Agency name.

  2. Contact details of the employee responsible for completing this Threshold Assessment.

  3. Brief description of the project being proposed.

Section 13 of the Guide (Project description) suggests some matters that might be useful for inclusion in this kind of broad project description, e.g.

If the project being proposed involves modifications to an existing program, first describe the current program and then the proposed changes. In these circumstances, it will also be relevant to provide details (if any) of any prior PIAs undertaken in relation to the existing program. If no PIA was undertaken, it may be appropriate to consider whether one should be undertaken now.

 
 
 
  4. Does the project being proposed involve the collection, use or disclosure of personal information?

In answering this question, consider whether the project involves the handling of any "personal information" (see What is personal information? above). Briefly describe (if any) the elements of personal information that will be collected, used or disclosed (e.g. name, address, date of birth). If so, also explain some of the key privacy elements (e.g. the general purposes for which it will be collected, used and disclosed; any authority under which it is collected; the nature and sensitivity of the personal information; etc).

If the project being proposed involves modifications to an existing program, describe the changes to the handling of any personal information (if any) that would be involved, should the proposal be implemented.

Yes [ ]   No [ ]

If you have answered YES to question 4 then (subject to paragraphs 4 and 5 above) some form of PIA will probably be necessary. See Section 11 of the Guide (Key stages of a PIA) to continue.

Note: if you have come to the conclusion that a PIA is necessary, please ensure that you retain the description of the project compiled at question 3 above. It will be necessary for inclusion in the PIA. Sign off below and retain this Threshold Assessment for your records.

If you have answered NO to question 4 then (subject to paragraphs 4 and 5 above) a PIA may not be necessary.

Note: if you have come to the conclusion that a PIA is not necessary, you should record that you have reviewed the proposal and reached this conclusion by signing off below and retaining this Threshold Assessment for your records.

 

 

 

(Proponent)

Date: ___ / ___ / ________

 

 

(Proponent's manager)

Date: ___ / ___ / ________


Endnotes

[9] Most Australian Government and ACT Government agencies are bound by the Privacy Act 1988: see sec 6(1) (definition of "agency").

[10] Whilst this Guide deals with information privacy, other types of privacy can also be considered in a project's PIA, especially where such issues may pose risks to the overall success of the project. For a summary of different types of privacy see Banisar D, 2000, Privacy and Human Rights: an international survey of privacy laws and developments, Electronic Privacy Information Centre, Washington: www.privacyinternational.org/survey.