Privacy Impact Assessment Procedures

Section 1 - Purpose and Context

(1) As a New South Wales (NSW) public sector agency, the University must comply with NSW privacy laws.

(2) There is some personal information, including Tax File Numbers and Individual Healthcare Identifiers, for which the University must also comply with Federal privacy laws.

(3) There are also limited circumstances in which the University may be subject to foreign privacy regulations, such as the European Union General Data Protection Regulation (GDPR).

(4) To support the University's compliance with privacy laws, staff who manage new or revised projects, technology and digital systems, products, services, programs and/or initiatives that involve the collection, use, access, disclosure, sharing, storage or destruction of personal, health or sensitive information, or who are responsible for making decisions about how that information is handled, must ensure that potential privacy impacts are considered throughout the entire undertaking. It is therefore the responsibility of those staff to comply with these Procedures.

Section 2 - Definitions

(5) For the purposes of these Procedures, the following definitions apply:

  1. bundled consent means ‘bundling’ together multiple requests for an individual’s consent to a wider range of collections, uses and disclosures of personal information, without giving the individual the opportunity to choose which collections, uses and disclosure they agree to and which they do not, and may not meet the criteria of valid consent (reference Information and Privacy Commission Fact Sheet - Consent and Bundled Consent)
  2. digital services has the same meaning as defined in the University's Digital Services Implementation Policy
  3. healthcare identifiers and individual healthcare identifiers (IHIs) have the same meaning as in the Healthcare Identifiers Act 2010 (Cth)
  4. Health Information has the same meaning as in Health Records and Information Privacy Act 2002 (NSW)
  5. HRIP Act (or HRIPA) means Health Records and Information Privacy Act 2002 (NSW)
  6. Personal Information has the same meaning as in the Privacy and Personal Information Protection Act 1998 (NSW) and is defined in the Privacy Policy
  7. PIA means Privacy Impact Assessment
  8. PPIP Act (or PPIPA) means Privacy and Personal Information Protection Act 1998 (NSW)
  9. Privacy Impact Assessment means a systematic assessment of an undertaking to identify the impact on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating those privacy impacts
  10. privacy law means:
    1. in New South Wales for Public Sector Agencies:
      1. Privacy and Personal Information Protection Act 1998 (NSW), also called PPIP Act or PPIPA, and
      2. Health Records and Information Privacy Act 2002 (NSW), also called HRIP Act or HRIPA
    2. in the Federal context:
      1. Privacy Act 1988 (Cth)
    3. in the international context, privacy laws include but are not limited to the European Union General Data Protection Regulation (GDPR)
  11. RCD means Risk and Compliance Determination
  12. Risk and Compliance Determination means the tool used to ensure Information Technology risks and compliance issues are given due consideration when implementing new digital services, or changing existing ones. The RCD provides a general overview of the Digital Service, which is used by the University's Digital Strategy, Security and Risk staff to create a tabulated evaluation of IT risks and compliance issues identified, and develop some recommendations on how any identified risks can be addressed. The PIA threshold assessment is included in the RCD review.
  13. sensitive information means a subset of personal information which is given a higher level of protection under privacy laws than other personal information. It is information or an opinion about an individual’s:
    1. ethnic or racial origin, or
    2. political opinions, or
    3. religious or philosophical beliefs, or
    4. trade union membership or
    5. sexual activities
  14. tax file number has the same meaning as in Part 2 Division 1 of the Privacy Act 1988 (Cth)
  15. threshold assessment means an early assessment to identify whether an undertaking may attract a significant risk in respect of personal information, health information and/or sensitive information, and therefore a full PIA is required
  16. undertaking means new or revised projects, technology and digital systems, products, services, programs and/or initiatives, that involve the collection, use, access, disclosure or sharing of, or storage or destruction of personal, health or sensitive information

Section 3 - Policy Statement

(6) These procedures should be read in conjunction with the University's:

  1. Privacy Policy and
  2. Privacy Management Plan (PMP)

Section 4 - Threshold Assessments

(7) Threshold assessments are used to determine if there is a potentially significant impact or risk in respect of personal information, health information or sensitive information. If there is a potentially significant impact or risk, this will trigger a requirement for a PIA.

(8) A threshold assessment must be done for any new or changed activity that involves personal, health or sensitive information in any of the following undertakings:

  1. projects
  2. technology and digital systems
  3. products
  4. services
  5. programs and/or
  6. initiatives

(9) Where the activity involves a new or changed digital service, the Digital Strategy, Security and Risk team in ITDS will conduct a threshold assessment as part of the Risk and Compliance Determination (RCD).

(10) Occasionally, an RCD is not part of the required process, for example, if the undertaking is not a digital service, process or project that is being managed through Procurement Services or ITDS. If this is the case, then the staff member or project manager facilitating the undertaking must complete a “threshold assessment form”, available from the Western Sydney University Privacy website.

Section 5 - Privacy Impact Assessments (PIAs)

When is a PIA Required?

(11) There are three instances when a PIA may be required:

  1. upon the advice from a completed RCD
  2. upon the determination of a threshold assessment, or
  3. upon the determination of the Privacy Officer or the Chief Audit and Risk Officer

(12) Examples of where a threshold assessment may trigger a PIA include:

  1. collecting personal information in a new way, or from a new demographic, such as a new digital service or a current digital service collecting new data points
  2. disclosing personal information to a third party such as a company, government agency, or a contractor
  3. sharing personal information, which had been collected by the University for a specific purpose, with another Western Sydney University service or department for a new or secondary purpose (see also definition on bundled consent)
  4. collecting sensitive information
  5. an RCD identifying a change in the way personal information is stored or secured in digital format, such as a change of hosting vendor, a change of data centre hosting location, or a change to security controls

(13) If the University determines that a PIA is required, the staff member or project manager facilitating the undertaking will be advised of the requirement and a copy of the notification will be sent to the Privacy Officer.

When is a PIA not Required?

(14) A PIA is not required if the threshold assessment on the undertaking has determined that it is not necessary.

(15) A PIA is not required for ethics-approved research. Research projects and contracts are managed by Research Services as part of the process of obtaining human ethics approval and preparing Data Management Plans; obtaining the informed consent of participants and managing research data are handled within those processes.

Completing a PIA

(16) The PIA must be undertaken early in the process, to ensure that privacy is embedded into the design (known as ‘privacy by design’), rather than retrospectively after the undertaking is developed or deployed.

(17) A PIA includes the following key elements:

  1. positive and adverse privacy impacts including community reaction
  2. how compliance with privacy laws and other relevant legislation will be ensured, and
  3. any measures to reduce any identified risks to personal information

(18) A guide on how to complete the PIA is available from the Western Sydney University Privacy website. Staff should also consult with the Privacy Officer, who can provide advice and guidance on how to complete a PIA.

PIA Report

(19) The staff member or project manager responsible for the undertaking must create a PIA Report which summarises the findings of the PIA. A report template is available from the Western Sydney University Privacy website.

(20) The PIA report must be approved by the Executive Sponsor of the undertaking.

(21) The completed PIA report must be lodged in the University's Compliance Management System.

(22) Any additional risk mitigations identified in the PIA must be considered and responded to before the undertaking commences.

(23) The PIA should be updated and revised as necessary throughout the lifetime of the process or digital service.

Section 6 - Guidelines

(24) Threshold Privacy Assessment Questions

(25) How to Complete a Privacy Impact Assessment

(26) Privacy Impact Assessment Report – Template