For the record, PIAs are "Privacy Impact Assessments" and I'm not convinced that 'feeling it in your bones' is a great test for deciding whether to run one. Plus, the stakes will be a lot higher with the proposed changes to the Privacy Act. If enacted, the privacy reforms will significantly expand the definition of personal information (PI). For Commonwealth agencies, GBEs and the private sector, executives and other leaders will need a lot more than just 'gut feel' to decide whether a new or revised program, service or business process could have a significant impact on thier organisation's PI holdings.
For the Commonwealth sector, the good news is that PIAs are 'old hat.' Since 2017, the Privacy (Australian Government Agencies - Governance) APP Code 2017 requires virtually all Australian Government entities to conduct PIAs for 'high privacy risk projects.' Guidance from the OAIC defines 'high risk' as "new or changed ways of handling PI that are likely to have a significant impact on the privacy of individuals.". The OAIC provides a 10-step summary outlining when PIAs may be required. For most Commonwealth agencies, their staff have a solid understanding of their PI holdings, vulnerabilities and risks. They would also be running Threshold PIAs, which often takes the form of a desktop review, featuring questions posed to business units, asking them to confirm whether they hold PI, how it is secured, what type of access controls exist and so on.
But here's the problem - Commonwealth agencies hold one heck of a lot of data, not to mention lots of PI. Add to the mix - staff turnover and the challenges of keeping track of 'who's-who-in-the-zoo,' not-to-mention whether all the (data) cages are locked. And that's why organisations need a system to double-check that their gut reaction is right - and to go beyond Q&A based Threshold and Standard PIAs. THose issues become acute when agencies roll out new IT applications with direct or indirect access to internal HR data, external client information and other PI holdings. Similar issues are at play when agencies roll out data platforms containing PI or data that can readily be linked and, thereby, identify a given individual.
To be clear, that does not mean agencies must buy into the latest-and-greatest search apps and run forensic tests across all datasets, platforms and repositories to identify any and all possible PI holdings. There are plenty of inbuilt apps and existing DIY processes that can give agencies high levels of comfort that their PI holdings are not at 'high risk'. What is clear is that agencies will need to apply more rigour in understanding desktop analyses, as well as for Threshold and Standard PIAs. Plus, they need to think more broadly about the risks that they might face with their PI holdings.
The privacy reforms are a key motivating factor for agencies to 'up their game.' Beyond the risk of fines, audits, investigations as well as regulatory and media scrutiny, there are other motivations at play, including a recognition that data breaches can take a significant emotional and financial toll on impacted individuals. No matter how you 'slice-and-dice it,' PI is a lot more than an acronym. It is, by definition, deeply personal. And organisations would be well serviced by asking one question when considering whether or not to undertake PIAs - What harm could be caused to someone specific, someone like me or my family? That question can help transform the process from a tick-box exercise into something much more nuanced and impactful.
If you have any concerns about PIAs, Synergy Group will be happy to field any questions or discuss how to structure Threshold or Standard PIA processes, or just sense-check current protocols. At Synergy Group, our objective is to provide best practice, strategic and value-for-money solutions that are not limited to a single engagement or project. We pride ourselves in thinking from a whole-of-agency and whole-sector perspective, with an in-depth understanding of the real risks faced by government agencies and other organisations.