Privacy Impact Assessment procedure

Section 1 - Preamble

(1) This Procedure is effective from 1 December 2020.

Section 2 - Purpose

(2) This Procedure provides instruction on when and how to conduct a Privacy Impact Assessment.

Section 3 - Scope

(3) This Procedure applies to Projects in which Personal Information will be collected, accessed, used, disclosed, aggregated, stored, deleted or destroyed.

Section 4 - Policy

(4) This Procedure is pursuant to the Privacy policy.

Section 5 - Procedure

(5) A Privacy Screening Form must be completed by a Project Manager before a new Project, or a proposed change to an existing Project, is approved, and must be entered into TRIM. Examples of Projects to which this Procedure applies include:

(6) If the Privacy Screening Form indicates that the Project will involve or affect Personal Information held by or intended to be held by the University, it must be forwarded to the Privacy Officer.

(7) The Privacy Officer will review the Privacy Screening Form and will determine if the Project requires a Privacy Impact Assessment (PIA).

(8) The University General Counsel may authorise referral of the PIA to an external provider. The Project Manager will liaise directly with the external provider and the finalised PIA will be provided by the external provider to the Project Manager.

(9) Project areas will bear the costs of the external provider and these costs should be included in the Project budget.

(10) The PIA will be undertaken in the form approved by the Privacy Officer. The Privacy Officer will make available on the Office of General Counsel staff webpage the Privacy Screening Form.

(11) The PIA must be completed before a contract is signed, so that the privacy risk mitigators (if any) in the PIA may be addressed with the contractor and implemented at the time the product is deployed.

(12) Each PIA must consider

(13) A Faculty, Institute or Portfolio may decide to accept the risks identified in the PIA, in which case a risk owner must be identified. The risk owner will manage the risk in accordance with the Risk Management policy.

(14) The completed PIA must be signed by the Project Manager and the Project Sponsor and the fully executed PIA entered into TRIM by the Project Manager, with a copy provided to the Privacy Officer.

(15) PIAs must be reviewed throughout the Project and additional PIAs should be undertaken if the scope of the Project changes, if additional technologies are added or if additional Personal Information will be impacted by the Project.

(16) The Privacy Officer may authorise the conduct of a retrospective PIA if a PIA was not undertaken prior to the implementation of a Project.

Section 6 - Definitions

(17) For the purpose of this Procedure: