Protecting personal and sensitive information

Evinact was engaged by a government department to identify and help mitigate privacy-related risks as they upgrade their digital systems. The department was moving to a modernised system and needed to assess the risks associated with sharing personal information within the products being developed. Evinact was engaged to conduct multiple Privacy Impact Assessments (PIAs) to identify privacy risks and develop a set of recommended actions to mitigate or minimise those risks.

What is a Privacy Impact Assessment?

A PIA helps businesses identify and reduce the privacy risks they face when starting a new project or implementing a new policy. A PIA is also required if the type of information captured or created by an organisation changes, even within an existing system.

A PIA will identify;

• What privacy laws or regulations apply to your organisation
• Whether the information being collected and captured complies with legal and regulatory compliance requirements
• Risks associated with collecting, storing, using and sharing personal information
• Methods to mitigate any potential privacy risks early in a project when it’s cheaper and easier to make changes
• If people’s expectations of privacy are being met
• How well current systems are operating with personal information.

Why do it?

A Privacy Impact Assessment is one way decision-makers can have confidence that they’ve considered which impacts to privacy may occur, have built in mechanisms to mitigate any privacy impacts and ensure compliance with applicable legislation and regulation that cover collecting, using or handling personal information.

When to do it?

The earlier a PIA is done in a project, the sooner its findings can be included in the project design. This prevents the possibility of large changes being introduced later on when it will cost more to do so, and reduces additional effort being wasted on changes.

In the initial stages of a PIA, the project may only be assessed at a high level. As the project specifications become clearer, the PIA should be reviewed periodically to continually assess the privacy risks. Businesses should choose to include PIAs in the project assurance process, during project governance or in project related templates to cement its inclusion within project delivery.

How to do it

Evinact developed eight PIAs for each of the products, as well as a ‘whole of solution’ PIA. Our engagement involved:

• Consultation with stakeholders to understand the personal information exchanged within the department
• Analysis of the personal information to be captured and exchanged
• Document the high-level data flows to enable the identification of risk
• Design a strategy to minimise identified risks

A privacy-by-design approach

As a result of working with Evinact, the department was able to improve its privacy compliance, enhance its risk mitigation strategies and set the basis for a structured approach to handling personal information.

Good privacy practice is a fundamental expectation for businesses. Evinact is proud to have supported our customers to establish robust privacy foundations, adapt to evolving technologies, and protect important and sensitive personal information.

This engagement was originally completed as GWI.