Privacy Impact Assessment Procedures

Section 1 - Purpose and Context

(1) As a New South Wales (NSW) public sector agency, the University must comply with NSW privacy laws.

(2) For some personal information, including Tax File Numbers and Individual Healthcare Identifiers, the University must also comply with Federal privacy laws.

(3) In limited circumstances the University may also be subject to foreign privacy regulations, such as the European Union General Data Protection Regulation (GDPR).

(4) To support the University's compliance with privacy laws, staff who manage new or revised projects, technology and digital systems, products, services, programs and/or initiatives that involve the collection, use, access, disclosure, sharing, storage or destruction of personal, health or sensitive information, and staff who are responsible for making decisions about how that information is handled, must ensure that potential privacy impacts are considered throughout the entire undertaking concerned. It is therefore the responsibility of those staff to comply with these Procedures.

Section 2 - Definitions

(5) For the purposes of these Procedures, the following definitions apply:

Section 3 - Policy Statement

(6) These Procedures should be read in conjunction with the University's:

Section 4 - Threshold Assessments

(7) Threshold assessments are used to determine whether an undertaking has a potentially significant impact or risk in respect of personal information, health information or sensitive information. If there is a potentially significant impact or risk, this triggers a requirement for a Privacy Impact Assessment (PIA).

(8) A threshold assessment must be done for any new or changed activity that involves personal, health or sensitive information on the following undertakings:

(9) Where the activity involves a new or changed digital service, the Digital Strategy, Security and Risk team in ITDS will conduct the threshold assessment as part of the Risk and Compliance Determination (RCD).

(10) Occasionally an RCD is not part of the required process, for example where the undertaking is not a digital service, process or project being managed through Procurement Services or ITDS. In that case, the staff member or project manager facilitating the undertaking must complete a "threshold assessment form", available from the Western Sydney University Privacy website.

Section 5 - Privacy Impact Assessments (PIAs)

When is a PIA Required?

(11) There are three instances when a PIA may be required:

(12) Examples of where a threshold assessment may trigger a PIA include:

(13) If the University determines that a PIA is required, the staff member or project manager facilitating the undertaking will be advised of the requirement, and a copy of the notification will be sent to the Privacy Officer.

When is a PIA not Required?

(14) A PIA is not required if the threshold assessment on the undertaking has determined that one is not necessary.

(15) A PIA is not required for ethics-approved research. Research projects and contracts are managed by Research Services as part of the process of obtaining human ethics approval and preparing Data Management Plans. Processes for obtaining the informed consent of participants and managing data in research projects form part of those processes.

Completing a PIA

(16) The PIA must be undertaken early in the process, so that privacy is embedded into the design (known as "privacy by design") rather than addressed retrospectively after the undertaking has been developed or deployed.

(17) A PIA includes the following key elements:

(18) A guide on how to complete a PIA is available from the Western Sydney University Privacy website. Staff should also consult the Privacy Officer, who can provide advice and guidance on completing a PIA.

PIA Report

(19) The staff member or project manager responsible for the undertaking must create a PIA Report that summarises the findings of the PIA. A report template is available from the Western Sydney University Privacy website.

(20) The PIA Report must be approved by the Executive Sponsor of the undertaking.

(21) The completed PIA Report must be lodged in the University's Compliance Management System.

(22) Any additional risk mitigations identified in the PIA must be considered and responded to before the undertaking commences.

(23) The PIA should be updated and revised as necessary throughout the lifetime of the process or digital service.

Section 6 - Guidelines

(24) Threshold Privacy Assessment Questions