There’s more than one way to bake a PIA

September 1, 2015, Anna Johnston

Although it is great to see Privacy Impact Assessment (PIA) being discussed in mainstream media, the recent Lateline program on ABC TV was also depressing in its conclusion: that PIAs are not being done routinely (and if done, are mostly not being done ‘properly’), even when the privacy issues are most acute – as is typically the case with major national security initiatives.

But how do you know when to do a PIA? And how are you supposed to know if you are doing it ‘properly’?

The analysis underpinning Lateline’s story was this report from privacy advocate Roger Clarke. He developed a five-factor test, to judge 72 national security initiatives, legislative or otherwise, introduced since 2001.

Clarke reviewed:

  • whether there was evidence of a PIA being performed
  • whether advocacy organisations were aware of the PIA
  • whether advocacy organisations were engaged in the PIA
  • whether the PIA Report was published, and
  • whether advocacy organisations’ views were appropriately reflected in the PIA Report.

He concluded that only three of the 72 initiatives passed this test.

There is a conflict of interest here – not only is Roger Clarke the immediate past Chair of one of the advocacy organisations he expects to be consulted, the Australian Privacy Foundation (APF), but he also runs a privacy consultancy business, offering PIA services – as do we. So he is sitting in judgment on not only himself, but also his professional competitors. (Luckily for us, Salinger Privacy got Clarke’s stamp of approval for two of the three PIAs he deemed to be sufficient; his own was the third. And my own declaration: I was also an active member of the APF, including two years as Chair, from 2004 to 2007.)

I am a big fan of stakeholder consultation when conducting PIAs. It’s common sense project management. Why wouldn’t you want a ‘heads up’ on what your biggest critics might think or say? And if your initiative is a major national security project or piece of legislation affecting large numbers of citizens or visitors, then absolutely, meet with the APF, EFA, CCL or Liberty Victoria, and others. You might be surprised at how they can assist.

But is engagement with privacy or civil liberties advocates a pre-condition of what makes a ‘proper’ PIA? No. Sometimes the stakeholders to consult with will be purely internal; or they might be individuals or organisations representing your customers.

I think the question of whether or not a PIA has been done ‘properly’ is too subjective to be tested at all. It is often said that PIAs are more art than science. They don’t sit easily with black letter lawyers.

Actually, PIAs are more like cooking than either art or science. A privacy impact assessment has to take the business objective of the project, whisk it thoroughly with some law that is already ‘fuzzy’, and then stir in a measure of stakeholder input, a good dollop of community expectations, and a pinch of unpredictability. And don’t forget to set the oven dial to ‘Privacy by Design’.

There are cookbooks like the OAIC PIA guide to help you along your way. There are handy lists of the ingredients that might trigger a PIA, or the questions that you might ask.

But the ultimate tests are: Have you identified all the privacy risks that might arise? And then, have you found ways to mitigate those risks?

The proof of that pudding will only ever be in the eating.
