Privacy Impact Assessment Guidelines


Application


These guidelines apply to all University members who may manage projects or systems that impact on personal information or who are responsible for making policy decisions about the way the University manages personal information.

Purpose


The Privacy Policy requires any University member responsible for creating or changing a process or system that involves a new collection, use or disclosure of personal information, or that may impact the security or integrity of personal information already held by the University, to consider completing a Privacy Impact Assessment (PIA). These guidelines explain how to do this.

Background


A PIA identifies the potential effects a change (to a process or system) may have on the personal information held by the University. For the University, the PIA process is about ensuring that a change does not impact on its ability to comply with the Privacy Act 1993 and the principles it has identified as important (as outlined in the University’s Privacy Statements):    

  • Data minimisation – limiting the amount of personal information the University collects and retains.
  • Transparency – being open and honest about what information the University collects and how it will be used.
  • Security – protecting the personal information the University holds from harm.
  • Use limitation – making sure the University uses and discloses personal information only when necessary and with a lawful basis.
  • Privacy rights – helping the University’s data subjects to exercise their privacy rights and maintain some control over their information. 

Anyone managing a change process, whether it is a major IT project or a new team process, should ensure that privacy impacts are considered. The PIA should take place early in the process to ensure privacy is embedded in the design. The Privacy Impact Assessment Checklist may be used to complete the process, but sometimes just a conversation with the Privacy Officer will suffice.

Guidelines


Who is responsible for a PIA?

Where a change follows a formal project management framework, the project manager is responsible for assessing the need for a PIA and ensuring one is completed where appropriate. 

Where a change does not follow a formal project management framework, the relevant manager initiating or considering the change is responsible for assessing the need for a PIA and ensuring one is completed where appropriate. 

In all cases, to ensure that the change can achieve full functionality while protecting personal information, the PIA needs input from project staff, privacy experts, information security experts, and the project sponsor.

Where a change is identified in the PIA Template as being particularly high risk, the project manager or relevant manager should consult with the Privacy Officer. High risk issues are highlighted in the template with an instruction to talk to the Privacy Officer. 

When is a PIA required?

Not all changes will require a PIA. The University is concerned with changes that present a high risk to personal information about University data subjects. This can be determined by asking the following questions.

Q1. Does the change involve or alter the collection, storage, use or disclosure of personal information? If not, no PIA is required. If so, move to Q2.

Note - For example, will the change involve the collection of new personal information; will existing personal information be disclosed to parties which did not previously have access to it; or will existing personal information be used for a new purpose?

Q2. Is the personal information involved sensitive? If it is, a PIA is required. If not, move to Q3.

Note - For example, is the information particularly likely to raise privacy expectations or concerns? Sensitive information might include student health information, employee performance or remuneration details, financial information (such as bank account and credit card details), or sensitive research data involving human participants.  

Q3. Would the change be contrary to customer expectations or put a significant amount of personal information at risk? If not, no PIA is required. If it would, a PIA is required.

Note - For example, will the change involve the use of new or intrusive technology (such as technology that uses location information); will existing databases be merged or new databases created; or would the change come as a surprise to the people affected by it? 

How is a PIA completed? 

A PIA does not have to be complex or lengthy to be effective. In fact, the simpler the PIA is, the more likely it will be consulted and used. 

University members may use the PIA Checklist to complete a basic PIA that covers all the key issues. However, provided that the project team has considered privacy, and followed the steps set out below, this should be sufficient for the purposes of assessing most privacy risks. 

 

| Step | What? | How? | Who? |
| --- | --- | --- | --- |
| 1 | Do we need a PIA at all? | This is the preliminary privacy analysis explained at steps 5 to 8 above. This will help you decide whether a PIA is required. | Project/Relevant Manager |
| 2 | What’s the initiative? | Describe the initiative, its purposes and its desired outcomes. This will help you understand what objectives might compete with your privacy obligations. | Project/Relevant Manager |
| 3 | What are the info flows, and why are they necessary? | Describe the personal information involved and how it will be used or disclosed. This will help you to identify the risks created by the initiative and consider whether the collection, use and disclosure of personal information is necessary and proportionate. | Project/Relevant Manager |
| 4 | Does the initiative raise any privacy risks? | Work through the PIA Template, and answer questions honestly and accurately. This will help you create solutions that ensure compliance with the Privacy Policy and the Privacy Act. | Project/Relevant Manager |
| 5 | What ways can these risks be addressed? | Consider ways to lessen or eliminate these risks. If possible, try to accommodate privacy while delivering the project’s desired outcomes. Add your solutions to the comments section in the PIA Template. This will help you to ensure that the initiative is a success, but not at the expense of individual privacy. | Project/Relevant Manager |
| 6 | If privacy risks were identified, now share with the Privacy Officer | | |
| 7 | If the initiative raised privacy risks, have these been addressed? | The Privacy Officer will review the PIA Template and provide advice on addressing any privacy risks identified. | Privacy Officer |
| 8 | Now share with the Project Sponsor for sign off | | |
| 9 | Sign off PIA | The PIA should be reviewed and signed off by the Project Sponsor or Relevant Manager. This ensures oversight and accountability by those responsible for privacy compliance and project governance. | Project Sponsor |
| 10 | Incorporate PIA outcomes into initiative | Ensure that the solutions are incorporated into the design of the initiative and are actioned. This reduces the risk of the PIA being treated as a “tick the box” exercise. | Project/Relevant Manager |

Definitions


The following definitions apply to this document: 

Data subject means any natural person about whom the University collects and holds personal information and includes students, staff members, contractors, alumni and friends, donors, and visitors to the University’s websites or campuses. 

Note – This is a global term which we are using to ensure consistency. The Privacy Act 1993 uses the term “individual concerned”.

Personal information means any information, whether electronic or hard copy, about a data subject, whether or not the information directly identifies the data subject, and includes but is not limited to contact, demographic, health and academic information (including course results), CCTV footage, staff performance information, emails and other correspondence, and opinions about the data subject. 

Privacy Statement means a notice the University has provided to a particular category of data subjects that outlines in general the matters set out at item 4 of this policy, and includes the Privacy Statement (covering personal information about students, alumni and friends, donors and website users) and the Employee Privacy Statement (covering personal information about staff members and contractors).

University means the University of Auckland and includes all subsidiaries.

University member includes members of Council, committee members, staff members, committee appointees, the University’s companies’ staff and board members and contractors working for and on behalf of the University and, for the purposes of this procedure, includes students who collect or process personal information in the course of their studies or research, or who are otherwise permitted access to personal information held by the University.

Key relevant documents


Are available at Privacy Centre

 

Document management and control


Owner: Registrar

Content manager: General Counsel and Privacy Officer

Date approved: 17 September 2020

Review date: 17 June 2023