The Defence Privacy Impact Checklist (PIC) has been developed to assist in assessing policies and procedures for potential privacy impacts. It is aimed at low-level assessment of new policies and procedures during the development stage, as well as extant policies and procedures under revision.
The PIC will step you through a series of questions that relate to the Information Privacy Principles (IPPs). It will alert you to areas of your policies and procedures where you may need to give particular consideration to possible privacy implications. If you require more detailed questions to develop a greater understanding of the IPPs, go to Module E of the Privacy Commissioner’s Privacy Impact Assessment Guide 2006.
The PIC can also be used to determine whether a more comprehensive Privacy Impact Assessment (PIA) is required. A PIA is a tool that describes personal information flows in a project and analyses the possible effect on the privacy of individuals. It can help in managing privacy impacts by providing a thorough analysis of the effect of the project on individual privacy and help find potential solutions. The benefit of a PIA is that it allows identification and analysis of privacy impacts during a project's design phase and assists in determining appropriate management of any negative privacy impacts.
This model of a PIA could be used when developing a new policy that deals with the handling of significant levels of personal information.
Broadly describe the project, including the aims and whether any personal information will be handled. Projects can include policy development or policy review.
- Mapping the Information Flows
Describe and map the flows of personal information in the project.
Identify and analyse how the project affects the privacy of individuals.
Consider alternative options, particularly those that will improve privacy outcomes while still achieving the project's goals.
Produce a final Privacy Impact Assessment Report, which includes the information above and recommendations.
The Privacy Commissioner’s Privacy Impact Assessment Guide 2006 contains detailed information to assist you in conducting a PIA.
A PIA would usually be undertaken by the area managing the project. However, there may be instances where a project would benefit from a robust and independent assessment conducted by external assessors. To that end, Defence has compiled a register of external providers who can be contacted directly by Groups and Services. Outlines of the services the external providers offer in relation to the Act and PIAs can be accessed here.