There is something magical about the number seven.  The seven deadly sins, the seven dwarfs, the seven year itch, those plucky child detectives who formed the Secret Seven, and the barn-raising dance number from Seven Brides for Seven Brothers.  Plus of course, the seven habits of highly effective people.

Here’s our own set of seven.  They might not be magical, but hopefully they are practical.  In addition to the PIA tools we have available via our Compliance Kits, these are our seven tips on how to make sure that a Privacy Impact Assessment is effective.

Do more than a legal compliance check

Despite the definition of PIAs from the Privacy Act making clear that they are about measuring and mitigating “the impact that the activity or function might have on the privacy of individuals”, many PIAs are conducted as if they are simply a compliance check against statutory privacy principles.  They test that the organisation commissioning or conducting the activity will comply with the law, without ever asking what impact the activity will have on individuals.

Body scanning technology illustrates how looking for privacy impacts is broader than simply reviewing compliance with data privacy laws.  When first trialled at airports in the wake of the 11 September 2001 terrorist attacks, full body scanners offered screening officials a real-time image of what a passenger looks like naked.  The image was not visible to anyone else, it was not recorded, and the technology collected no other ‘personal information’, so it posed no difficulties complying with the Privacy Act; even so, the visceral public reaction against the invasion of their privacy was immediate.  As a result, the technology was re-configured to instead show screening officers a generic outline of a human body, with heat maps indicating where on any given passenger’s body the security staff should pat down or examine for items of concern.

Review the…

Read The Full Article at Salinger Privacy
