This operational procedure is issued under the authority of the Commissioner and should be read together with the ACNC Policy Framework, which sets out the scope, context and definitions common to our policies.

Operational Procedure Statement

This Operational Procedure sets out how the ACNC will comply with its obligation under the Privacy (Australian Government Agencies – Governance) APP Code 2017 (Cth) to conduct a Privacy Impact Assessment for all high privacy risk projects.

Context

  1. It is a legal requirement to complete a Privacy Impact Assessment in certain circumstances.
  2. As a Commonwealth government agency, the ACNC must comply with the Australian Privacy Principles set out in Schedule 1 to the Privacy Act 1988 (Cth) (Privacy Act). The Australian Privacy Principles (APPs) require government agencies to have policies and procedures in place to manage the collection, use, and storage of ‘personal information’.
  3. APP 1 requires government agencies to manage personal information in an open and transparent manner. The Privacy (Australian Government Agencies – Governance) APP Code 2017 (Cth) (Code) sets out specific requirements that agencies must comply with as part of their compliance with APP 1.2.
  4. Section 12 of the Code states that agencies must conduct a Privacy Impact Assessment for all high privacy risk projects. A project will be a high privacy risk project if the agency reasonably considers that the project involves new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals.
  5. ACNC staff must follow this procedure to ensure that the ACNC meets its legal obligation to conduct Privacy Impact Assessments.

Overview

  1. This procedure involves the following tasks:
    • First, you determine whether the work you are doing meets the relevant definition of ‘project’ (Step One). If it does not, you do not need to complete this procedure.
    • If the work you are doing is a ‘project’, you complete a short threshold assessment and send it to the Legal team as a legal case for review (Step Two).
    • If a Privacy Impact Assessment is not necessary, the member of the Legal team who assessed your threshold assessment will contact you to let you know. You can proceed with your project, but must remember that another threshold assessment may be necessary if your project changes and will involve collecting, using or storing personal information in a way that you didn’t realise when you conducted the first threshold assessment.
    • If a Privacy Impact Assessment is necessary, the member of the Legal team who assessed your threshold assessment will contact you to let you know. You must complete a full Privacy Impact Assessment, following this operational procedure (Step Three). The Legal team will support you to complete the Privacy Impact Assessment, but you will have primary responsibility for it.

What is personal information?

  1. The Privacy Act defines ‘personal information’ as information or an opinion about an identified individual, or an individual who is reasonably identifiable:
    • whether the information or opinion is true or not; and
    • whether the information or opinion is recorded in material form or not.
  2. Examples of personal information include an individual’s name, address, date of birth and email address. The fact that an individual is a responsible person of a charity is also personal information about that individual.

How to undertake a Privacy Impact Assessment

Step One: How to determine whether you are working on a ‘project’

  1. The definition of ‘project’ is broad and does not refer only to large pieces of work that have been formally named ‘projects’. You will be working on a ‘project’ if you are doing any piece of work that is outside standard ‘business as usual’ tasks, or if your piece of work involves changing, or recommending a change to, the way a piece of ‘business as usual’ work is done.
  2. Common situations in which a piece of work will be regarded as a ‘project’ that may require a Privacy Impact Assessment include:
    • new initiatives that require consultation with and sign-off from one or more of the directors
    • new initiatives that require sign-off from the Executive
    • the development of new approved forms or amendment of existing approved forms
    • changes to IT infrastructure, information processing, or data storage.
  3. If you think the piece of work you are doing may be a ‘project’ within the definition set out above, you will need to conduct a threshold assessment, following Step Two below. If not, you do not need to do anything further.
  4. If you are not sure, please seek guidance from the Privacy Contact Officer or another member of the Legal team.

Step Two: How to conduct a Privacy Impact Threshold Assessment

  1. The purpose of conducting a threshold assessment for your project is to determine whether you need to complete a full Privacy Impact Assessment. In most cases, a full Privacy Impact Assessment will not be necessary, but you need to record the reasons for your decision not to do one.
  2. To complete a threshold assessment:
    • Download a copy of the threshold assessment template from SharePoint. The threshold assessment form will ask for details about your project and then ask you to identify the kinds of personal information that will be collected, used and/or stored in the course of carrying out your project.
    • Once you have filled out all the necessary details in the threshold assessment form, save a copy of it to your computer.
    • Next, go into Dynamics and log a Legal case using the ‘Privacy’ request type. In the ‘Description’ section, type in ‘Privacy Impact Assessment threshold assessment’. Remember to upload your completed threshold assessment document before you submit the case.
    • The Privacy Contact Officer will pick up the case and review your threshold assessment. After the Privacy Contact Officer has reviewed your threshold assessment, either:
        • the Privacy Contact Officer will email you to confirm that a Full Privacy Impact Assessment is not required. You can proceed with your project, but will need to complete another threshold assessment if your project changes and will involve collecting, using or storing personal information in a way that you didn’t realise when you conducted the first threshold assessment; or
        • the Privacy Contact Officer will email you to advise you that you need to complete a full Privacy Impact Assessment. You will need to complete Step Three, set out below. Do not do any further work on your project before you have completed your Privacy Impact Assessment.

Step Three: How to conduct a full Privacy Impact Assessment

  1. A full Privacy Impact Assessment must be completed if the Privacy Contact Officer considers that your project is a high privacy risk project, which will be determined on the basis of your Privacy Impact Threshold Assessment. To complete a full Privacy Impact Assessment:
    • Download a copy of the Privacy Impact Assessment template document from SharePoint. Save the document to your computer and save your work periodically as you complete it.
    • Once you have completed and saved your full Privacy Impact Assessment, go into Dynamics and log a Legal case using the ‘Privacy’ request type. In the ‘Description’ section, type in ‘Privacy Impact Assessment’. Remember to upload your completed assessment document before you submit the case.
    • The Privacy Contact Officer will pick up the case and will review your Privacy Impact Assessment.
    • The Privacy Contact Officer will provide a privacy impact statement that must be included in the Executive memo that you prepare regarding your project. The aim of this is to ensure that the privacy considerations are incorporated into the project from the proposal and design stages.

References