This operational procedure is issued under the authority of the Commissioner and should be read together with the ACNC Policy Framework, which sets out the scope, context and definitions common to our policies.

Operational Procedure Statement

This Operational Procedure sets out how the ACNC will comply with its obligation under the Privacy (Australian Government Agencies – Governance) Australian Privacy Principles Code 2017 (Cth) to conduct a Privacy Impact Assessment for all high privacy risk projects.

Context

  1. It is a legal requirement to complete a Privacy Impact Assessment in certain circumstances. ACNC staff must follow this procedure to ensure that the ACNC meets its legal obligation to conduct Privacy Impact Assessments.
  1. As a Commonwealth government agency, the ACNC must comply with the Australian Privacy Principles set out in Schedule 1 to the Privacy Act 1988 (Cth) (Privacy Act). The Australian Privacy Principles (APPs) require government agencies to have policies and procedures in place to manage the collection, use, and storage of ‘personal information’.
  1. APP 1 requires government agencies to manage personal information in an open and transparent manner. The Privacy (Australian Government Agencies – Governance) APP Code 2017 (Cth) (Code) sets out specific requirements that agencies must comply with as part of their compliance with APP 1.2.
  1. Section 12 of the Code states that agencies must conduct a Privacy Impact Assessment for all high privacy risk projects. A project will be a high privacy risk project if the agency reasonably considers that the project involves new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals.

Overview

  1. This procedure involves the following tasks:
    • Determine whether the work meets the relevant definition of ‘project’.
    • If the work is a ‘project’, complete a Privacy Impact Threshold Assessment (PITA). Completed PITAs should be reviewed by the Privacy Officer, and will determine whether a full Privacy Impact Assessment (PIA) is necessary.
    • If a PIA is not necessary, the project can proceed, but staff must remember that a new PITA may be necessary if the project changes and will involve collecting, using, or storing personal information in a way that wasn’t anticipated when the initial PITA was completed.
    • If a PIA is necessary, the team responsible for the project must complete a full PIA, following this operational procedure (Step Three). The Privacy Officer will support teams to complete PIAs.

What is personal information?

  1. The Privacy Act provides the following definition of ‘personal information’: personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
    • whether the information or opinion is true or not; and
    • whether the information or opinion is recorded in material form or not.
  1. Examples of personal information include an individual’s name, address, date of birth and email address. The fact that an individual is a responsible person of a charity is also personal information about that individual.

How to undertake a Privacy Impact Assessment

Step One: Determine whether a piece of work is a ‘project’

  1. The definition of ‘project’ is broad and does not only include large pieces of work that have been formally named ‘projects’. You will be working on a ‘project’ if you are doing any piece of work that is outside of standard ‘business as usual’ tasks, or if your piece of work involves changing, or recommending to change, the way ‘business as usual’ work is done.
  1. Common situations in which a piece of work will be regarded as a ‘project’ that may require a PIA include:
    • new initiatives that require consultation with, and sign-off from, one or more of the directors
    • new initiatives that require sign-off from the Executive
    • the development of new approved forms or amendment of existing approved forms, and
    • changes to IT infrastructure, information processing, or data storage.
  1. If a piece of work might reasonably be considered a ‘project’ within the definition set out above, staff must complete a PITA, following Step Two below. Nothing further needs to be done if the piece of work cannot reasonably be considered to be a project. The Privacy Officer and the Legal Team can assist where it is still not clear if the piece of work is a project or not.

Step Two: Conduct a Privacy Impact Threshold Assessment

  1. The purpose of conducting a PITA for a project is to determine whether a full PIA is required. In most cases, a PIA will not be necessary, but the reasons for the decision not to proceed with a PIA must be recorded.
  1. To complete a PITA:
    • Download a copy of the PITA template from the ACNC SharePoint. The PITA template will ask for details about the project and the kind of personal information that will be collected, used and/or stored to carry out your project.
    • Save a copy of the completed PITA, and then refer it to the Privacy Officer for consideration. Logging a case on Dynamics is the preferred means of bringing this to the attention of the Privacy Officer.
    • The Privacy Officer will review the PITA and either:
      • confirm that a full PIA is not required. The project can proceed, but project owners should be aware that a new PITA will be required if the project changes and will involve collecting, using, or storing personal information in a way that wasn’t anticipated when the original PITA was completed; or
      • advise that a full PIA is needed. The process for this is outlined at Step Three of this procedure. No further work on the project should be undertaken until a PIA is completed.

Step Three: Conduct a full Privacy Impact Assessment

  1. A full PIA must be completed if, after reviewing the completed PITA, the Privacy Officer considers that a project is a high privacy risk project. To complete a full PIA:
    • Download a copy of the PIA template document from the ACNC SharePoint. Remember to save the document.
  1. Once the PIA has been completed and saved, it must be reviewed by the Privacy Officer. Dynamics is the preferred means of bringing this to the attention of the Privacy Officer.
  1. The Privacy Officer will provide a privacy impact statement that must be included in the Executive memo for the project. This means that the Executive will be informed of the privacy risks and mitigation strategies when it decides whether or not to endorse the project.
  1. The PIA itself is not subject to approval. It is a living document that must be revisited as the project evolves and as new privacy risks and new ways of handling personal information emerge.

Step Four: Publishing details on the PIA Register

  1. The ACNC must maintain a PIA Register on the ACNC website. The Privacy Officer will liaise with EPA to ensure each PIA is added to the register as soon as possible after it is completed.
  1. The ACNC has some discretion around how much detail to include on the PIA Register. At a minimum, we will publish the name of the project, the title of the PIA, and the date it was finalised. We will only redact, or substitute, any part of that information (such as the name of a project) if it is sensitive and there are serious risks involved in disclosing it. More detailed information can be published where it is appropriate to do so.
  1. We will not publish PIAs as a matter of practice unless there are special reasons to do so.

References

Version Control

Version   | Date of effect | Brief summary of change
Version 1 | 20/08/2019     | Original document
Version 2 | 14/09/2021     | Refined process to align with the Code. Privacy Officer, rather than Legal Team, is primary source of assistance. Minor style changes. New template.