Privacy Impact Assessment Guide
August 2006
MODULE C
Mapping the Information Flows
The purpose of this stage of the PIA is to describe and map the flows of personal information in the project. The information compiled during this stage will form the basis for the forthcoming analysis of privacy impacts.
The elements of the project that are most likely to be relevant to information privacy impact include:
- the collection of personal information;
- its use and disclosure;
- the ability individuals have to access information about them;
- the ability individuals have to correct information about them if need be;
- the applicable security safeguards;
- the processes for ensuring data quality; and
- whether an identity management system is involved.
The series of questions which appear below is designed to assist agencies in describing how their project deals with each of these areas. In doing so, the questions should also help draw agencies' attention to possible points where information privacy issues might arise.
In this regard, a "Privacy Risk" box indicates circumstances where a project may present a risk to individual privacy. This could be by altering an individual's choices about who knows what about them, or by otherwise compromising an individual's autonomy in relation to their personal information.
Any responses to the following questions should be documented for use at the privacy impact analysis stage. The responses will also be useful for any forthcoming PIA reporting documents.
1 Collection

Good collection practices underpin good privacy.
When considering collection, describe:
- how the collection relates to the agency's functions or activities;
- what public interest justifies the collection;
- why the personal information, including the particular data items and kinds of data, is necessary for the project;
- whether the information can be collected in a de-identified or anonymous manner; and
- whether individuals can choose not to provide some or all of the personal information sought.
How will the information be collected? Might some individuals feel that the method of collection is unreasonably intrusive? Examples of unreasonably intrusive collection practices may include requiring individuals to divulge intimate or sensitive information in a public area where others can overhear or collecting video footage of individuals' private activities without their knowledge.
Privacy Risk: Collecting unnecessary or irrelevant personal information, or intrusive collection.
1.1 Scope of collection

Detail the collection process.
Describe:
- the personal information, including the data items to be collected (e.g. name, address, occupation, identification numbers);
- where the information is to be collected from (e.g. from the individual directly, from other individuals, from other agencies or organisations, from publicly available sources);
- whether the information will be paid for or exchanged for something else of value;
- how the circumstances of the individuals involved will be taken into account when the personal information is being collected, e.g. cultural diversity, hearing impairment, languages other than English;
- why each element of the information is being collected (e.g. identify whether some data items are collected for some purposes and other data items for different purposes);
- whether the information to be collected is of a sensitive nature (including, for example, financial information, political or religious beliefs, health, sexual practices, biometric or genetic information);
- any statute, authority or requirement the agency is relying upon to collect the information; and
- alternatives to collection that have been considered and rejected (e.g. using de-identified data).
Where an individual's consent will be sought to the collection of their personal information, outline what other matters may depend on that consent. For example, is a particular service or benefit only available if the individual consents to the collection of some or all of the requested personal information?
Privacy Risk: Bulk collection of personal information, some of which is unnecessary or irrelevant.
1.2 Notice

What do individuals know about the collection?
Personal information should be handled in a transparent way so there are no surprises for the individual. Identify and describe what information is given to the individual about the collection, and how it is given, including:
- Purpose and authority
  - the purpose for which the personal information is being collected;
  - whether the collection is authorised or required by law (and, if so, which law?);
- Use and disclosure
  - uses or disclosures that the agency considers consistent with the purpose for collection;
  - the people, bodies or agencies to which the collecting agency usually or sometimes discloses personal information (and any further uses and disclosures by those people, bodies or agencies);
  - proposed uses or disclosures for purposes other than the purpose of collection; and
- Choice
  - do individuals know they have a choice about the handling of their personal information where these choices exist? Has the agency told them?

Privacy Risk: Individuals unaware of collection or its purpose.
1.3 Method of collection
Identify and describe:
- how often the personal information is to be collected (e.g. only on one occasion or ongoing);
- any potentially sensitive or intrusive methods of collection (including photographs, fingerprinting, iris scanning, drug testing and the collection of genetic information, for example, through buccal swabs);
- any covert methods of collection, such as surveillance, and why they are necessary and appropriate (e.g. some website cookies and surveillance devices including electronic listening devices and cameras); and
- whether the technology is privacy enhancing or privacy invasive, and why.

Privacy Risk: Covert collection is generally highly privacy invasive, and should only occur under prescribed circumstances.
2 Use

No surprises! Use personal information in ways that are expected by the individual.
Generally speaking, "use" refers to what happens to personal information in the hands of the collector.
2.1 Use
Identify and describe:
- all the uses of the personal information (including ones which may be expected but uncommon);
- how all these uses relate to the purpose for which the personal information was collected;
- any changes to the purpose for using the information after the information is collected; and
- measures in place to prevent use for secondary purposes.
2.2 Secondary purposes
If the information collected may be used for an additional or secondary purpose, identify and describe:
- whether consent is required for the secondary use;
- if the use is directly related to the purpose of collection;
- whether an individual can decline the secondary use and still be involved in the project; and
- if new, unplanned purposes for handling personal information arise in the life of the project, the extent to which individuals will be involved in decisions about these new purposes.

Privacy Risk: Using personal information for unplanned secondary purposes.
2.3 Data linkage / matching
Aggregation or the bringing together of diverse groups of personal information collected for different purposes, either in the agency or by another agency or organisation, has privacy risks. For example, it may reveal personal information not previously available, or it may reveal information not necessary for the purpose at hand.
Identify and describe:
- any intention or potential for the personal information to be linked, matched or cross-referenced to other information held in different databases (held by the agency or by other agencies or organisations);[11]
- how this linkage, matching or cross-referencing might be done;
- any decisions affecting the individual that are to be made on the basis of such data matching, linking or cross-referencing;
- what safeguards will be in place to limit inappropriate access, use and disclosures of the resulting information;
- what mechanisms will be in place to ensure audit trails and appropriate back-ups; and
- what protections are in place to ensure the accuracy of the data linkage and that individuals will not be adversely affected by erroneous data matching; for example, have individuals been informed of the data linkage?

Privacy Risk: Unnecessary or unplanned data linkage.
3 Disclosure

No surprises! Tell the individual about disclosures.
Generally speaking, "disclosure" refers to the process of releasing personal information outside the control of an agency.
Identify and describe:
- to whom and under what circumstances the personal information will be disclosed and why;
- whether the personal information disclosed to others outside the agency will be protected from privacy risks in the same way as information held by the agency (e.g. covered by the Privacy Act, or by a similar privacy law);
- if the information is to be published, or disclosed to a register, e.g. a public register;
- whether the individual has been told about the disclosure and what choices they have (including about the publication or suppression of their information); and
- whether the disclosure is authorised or required by law, specifying the relevant provisions.

Privacy Risk: Disclosures not originally planned can lead to privacy complaints.
4 Access and correction

Getting access to personal information should be clear and straightforward.
Identify and describe:
- how an individual can access their personal information (including any costs incurred by the individual); and
- how the individual can have the information about them corrected, or annotations made, if necessary.

Privacy Risk: Inaccurate information can cause problems for agencies and individuals.
5 Security

Logical (IT) and physical security measures.
Describe:
- what security measures will be taken to protect the personal information from loss, unauthorised access, use, modification, disclosure or other misuse, including how data is transferred between sites;
- what security measures will be taken to protect personal information where its handling will be or has been outsourced to external agencies or organisations;
- who will have access to the information, and who authorises those access rights;
- the systems in place to prevent and detect misuse of, or inappropriate access to, the personal information; and
- what action will be taken if there is a security breach (e.g. informing individuals of the breach).
Assess the project against agency IT plans and physical security, e.g. use of laptops, encrypted media for disks, access to sites and systems.

Privacy Risk: Unauthorised internal and external access and use.
5.1 Retention and destruction
Identify and describe the retention and destruction practices to be employed in the project, including:
- when personal information is to be de-identified or destroyed;
- how this is to be done and whether it will be done securely;
- whether a data retention policy and destruction schedule is in place; and
- how compliance with the data retention policy and any relevant legislation relating to record destruction will be measured.

Privacy Risk: Retaining personal information unnecessarily.
6 Data quality
Identify and describe:
- the consequences for individuals if the personal information is not accurate or up-to-date (e.g. the kinds of decisions made on the basis of the information; the risks to the agency and the individual posed by inaccurate information);
- how information will be kept up-to-date;
- the processes to ensure that the data is only used or disclosed when it is relevant, up-to-date and complete; and
- the updates and modifications to personal information which will be disseminated to others outside the agency to whom personal information has been disclosed.

Privacy Risk: Making decisions based on poor quality data.
7 Identity management

Don't authenticate identity unless necessary.
Agencies handling personal information may require identity management systems and processes robust enough to identify, to an appropriate level of confidence, the individuals whose personal information they are dealing with.[12]
Identify and describe:
- to what extent the project can proceed through the handling of anonymous or de-identified information;
- whether it is necessary to authenticate identity, and to what degree of confidence (e.g. taking into account a consideration of the value of the transaction);
- how evidence of identity is to be authenticated;
- whether the project involves the issuing of a new identification number to individuals, and its purpose;
- this includes whether the new identification number could potentially be used for other purposes or adopted by other agencies or private sector organisations, and, if so, what protections could be put in place to address this;
- any expected uses and disclosures of this or other identification numbers (by any agency or organisation); and
- individual attributes, other than identity, that need to be authenticated (e.g. that an individual has a certain qualification).
Endnotes
[11] Also see the OPC's Guidelines for the Use of Data-Matching in Commonwealth Administration at www.privacy.gov.au/publications/p6_4_23.doc.
[12] See also "Proof of ID Required? Getting Identity Management Right." www.privacy.gov.au/publications/index/html#S.