Entities that handle personal information should build privacy into their processes, systems, products and initiatives at the design stage. Privacy should be incorporated into your business planning, staff training, priorities, project objectives and design processes, in line with APP 1. Building privacy into data handling practices from the start, rather than ‘bolting it on’ at a later stage, is known as ‘privacy by design’.
The ‘privacy by design’ stage should also address personal information security, including the appropriateness of the technology used and the incorporation of information security measures that can evolve to support the changing technology landscape over time.
Entities should design their information security measures to:
- Prevent the misuse, loss or inappropriate accessing, modification or disclosure of personal information
- Detect privacy breaches promptly
- Be ready to respond to potential privacy breaches in a timely and appropriate manner.
One way to achieve privacy by design is to conduct a Privacy Impact Assessment (PIA). A PIA is an assessment tool that examines the privacy impacts of a project and assists in identifying ways to minimise those impacts. A PIA will assist in identifying where there are privacy risks, and where additional privacy protections may be required. Generally, a PIA should:
- Describe how personal information flows in a project
- Analyse the possible impacts on individuals’ privacy
- Identify and recommend options for avoiding, minimising or mitigating negative privacy impacts
- Build privacy considerations into the design of a project
- Achieve the project’s goals while minimising the privacy impact.
A detailed guide to conducting PIAs is available from the OAIC website.
You may also need to conduct an information security risk assessment in conjunction with a PIA. An information security risk assessment is generally more specific than a PIA because it involves the identification and evaluation of security risks, including threats and vulnerabilities, and the potential impacts of these risks on information (including personal information) handled by an entity. As with a PIA, an information security risk assessment can be seen as an iterative process and may be undertaken across your business generally.