Privacy Impact Assessment procedure

Section 1 - Preamble

(1) This Procedure is effective from 1 December 2020.

Section 2 - Purpose

(2) This Procedure provides instruction on when and how to conduct a Privacy Impact Assessment.

Section 3 - Scope

(3) This Procedure applies to Projects in which Personal Information will be collected, accessed, used, disclosed, aggregated, stored, deleted or destroyed.

Section 4 - Policy

(4) This Procedure is pursuant to the Privacy policy.

Section 5 - Procedure

(5) A Privacy Screening Form must be completed by a Project Manager before a new Project, or a proposed change to an existing Project, is approved, and must be entered into TRIM. Examples of Projects to which this Procedure applies include:

  1. introduction of new technology or processes involving Personal Information;
  2. substantial changes to existing technology or processes involving Personal Information;
  3. migration of Personal Information to a cloud-based environment;
  4. Projects involving:
    1. large quantities of Personal Information;
    2. biometric data (fingerprints, retinal scans or body temperature);
    3. Sensitive Information;
    4. surveillance or monitoring;
    5. location-based identification;
    6. aggregation of data from other University technology or programs;
  5. Projects where regulator, community or media interest is anticipated.

(6) If the Privacy Screening Form indicates that the Project will involve or affect Personal Information held by or intended to be held by the University, it must be forwarded to the Privacy Officer.

(7) The Privacy Officer will review the Privacy Screening Form and will determine if the Project requires a Privacy Impact Assessment (PIA).

(8) The University General Counsel may authorise referral of the PIA to an external provider. The Project Manager will liaise directly with the external provider and the finalised PIA will be provided by the external provider to the Project Manager.

(9) Project areas will bear the costs of the external provider and these costs should be included in the Project budget.

(10) The PIA will be undertaken in the form approved by the Privacy Officer. The Privacy Officer will make available on the Office of General Counsel staff website the Privacy Screening Form.

(11) The PIA must be completed before a contract is signed, so that the privacy risk mitigators (if any) in the PIA may be addressed with the contractor and implemented at the time the product is deployed.

(12) Each PIA must consider:

  1. the context and purpose of the Project;
  2. the necessity for and the benefits of the Project;
  3. the purpose of the processing of Personal Information;
  4. the necessity for and proportionality of the processing of Personal Information;
  5. an analysis of the processing of Personal Information against the Information Privacy Principles, the Health Privacy Principles, or other applicable privacy law;
  6. identification of the risks of processing in the context of the Privacy Breach Management procedure Schedule A: Privacy Breach Risk Matrix;
  7. recommendation of additional measures to mitigate identified risks;
  8. allocation of responsibility for implementing recommendations.

(13) A Faculty, Institute or Portfolio may decide to accept the risks identified in the PIA, in which case a risk owner must be identified. The risk owner will manage the risk in accordance with the Risk Management policy.

(14) The completed PIA must be signed by the Project Manager and the Project Sponsor and the fully executed PIA entered into TRIM by the Project Manager, with a copy provided to the Privacy Officer.

(15) PIAs must be reviewed throughout the Project and additional PIAs should be undertaken if the scope of the Project changes, if additional technologies are added or if additional Personal Information will be impacted by the Project.

(16) The Privacy Officer may authorise the conduct of a retrospective PIA if a PIA was not undertaken prior to the implementation of a Project.

Section 6 - Definitions

(17) For the purpose of this Procedure:

  1. Health Information: as defined in the Privacy policy.
  2. Personal Information: as defined in the Privacy policy and includes Health Information.
  3. Privacy Impact Assessment (PIA): an evaluation of the impact of a Project or process on individual privacy and the development of risk mitigation strategies to address these impacts.
  4. Project: a project, initiative or system undertaken, instituted or deployed by the University.
  5. Project Manager: the University staff member with oversight of the Project.
  6. Sensitive Information: as defined in the Privacy policy.
  7. TRIM: the University’s electronic content manager.