HOME > Publications > Privacy Impact Assessment Guide

Privacy Impact Assessment Guide

August 2006

MODULE D
Privacy Impact Analysis

The privacy impact analysis stage of a PIA investigates how the information flows in a project affect the choices individuals have regarding how information about them is handled, the potential degree of intrusiveness into the private lives of individuals, compliance with privacy law, and how the project fits into community expectations.

Key questions to be answered through the privacy impact analysis phase of a PIA include the following:

• Does the project comply with privacy legislation (see Module E) and agency-specific legislative requirements?
• Do individuals have to give up control of information about themselves to any degree?
• Will it require, or is it likely to result in, individuals changing their behaviour (e.g. having to present identification in more circumstances), or incurring costs?
  • Will the project impact disproportionately on individuals or groups without identity documentation?
• Will decisions that have consequences for individuals be made on the basis of the personal information handled in the project (e.g. decisions about services or benefits)?
  • Does the project deliver the right amount of accurate and relevant information to adequately inform these decisions?
• Is there provision for complaint-handling mechanisms, in the event that privacy breaches eventuate?
• Have emergency procedures been devised in the event that the system fails?
• Is there provision for audit and oversight mechanisms, including emergency procedures in the event that the system fails?
• Does the project include the potential for function creep (e.g. might there be an interest in using the personal information collected for the project, for other purposes) or other unplanned consequences?
• Assess the value of the information to unauthorised users (e.g. is it information that others would pay money or expend effort to gain access to)?
• Is any intrusion (physical or on property) or surveillance (whether covert or overt) fully justified and proportional to the outcome?
  • Is it the only way of achieving the aims of the project?
  • Is it done in the least intrusive manner?
  • Is it subject to legislative or judicial authority?
• How consistent is the project with community values about privacy (e.g. does it involve new ways of identifying individuals, the creation of significant databases or the use of genetic material or information)?
• How has privacy been factored in the project's cost-benefit analysis, and the analysis of the project's return on investment?

Privacy Policy Copyright Site map Join Email List Glossary Calendar Newsletter Top ↑