Anytown Marketing as an IT Consultant

Instructions and tips for completing the report are provided in red text. Please delete/reword/edit this text as you complete each section or before submitting your work. Again, there should be no red text when you submit your body of work. Ensure to use the provided training material within your Connect shell along with external research you conduct.
This template is an example of content included in a Privacy Impact Assessment (PIA) Report. Adapt the template to meet Anytown Marketing’s needs, use the following documents for more assistance:
1) ICT30120_BSBXCS303_LHO_AnytownMarketingPolicies and,
2) ICT30120_BSBXCS303_LHO_StaffInformation.
This template is based on the Information Privacy Principles (IPPs), use this to assist you. For any area in the PIA template, you’re unsure of, cross-reference with the included documents to check for examples. Please also include your research in the report where you can.

You are employed by Anytown Marketing as an IT Consultant to assist in implementing their data security and privacy handling policies and procedures.
You’re tasked to complete the first draft of this PIA report which will help your company Anytown Marketing. Currently, they do not have any policy around the use of their user’s data. This is a major concern for both company clients and employees.
The goal of this report is to fix this major security issue and to avoid potential data breaches or information mishandling.
Anytown Marketing Privacy Impact Assessment Report
Document Information:
Date (today):
Status: ☒ New PIA

Prepared by (you):
Your Position:
Endorsement and approval, Project Manager (Information Technology Officer):
Project Executive/Steering Committee/senior management (General Manager):
The following officer has endorsed this document (You):

1 Introduction
1.1 Purpose
This Privacy Impact Assessment (PIA) Report:
• identifies possible impacts on the privacy of individuals’ personal information; and
• recommends options for mitigating or minimising any negative impacts.

1.2 Applicable Legislation
This PIA analyses the privacy impacts of collecting, storing, using and disclosing personal information for the Anytown Marketing Privacy Impact Assessment Report against the privacy principles set out in the Information Privacy Act 2009 (Qld) (IP Act).

1.3 Project Description

You are required to explain (~50 words) of the project and what it intends to achieve. Remember, this company does not have adequate data privacy, this project will solve that issue. Ensure to include that the project must satisfy the requirements of the Privacy Act 1988 with Australian Privacy Principles. Also, touch on what the project will deliver, why the project is needed, and the benefits to the company. The term ‘project’ is used broadly in this context. It is intended to cover the full range of activities and initiatives that may have privacy implications, such as new systems, processes, or practices for handling personal information, new legislation or policies, or an information-sharing initiative.

1.4 Scope of the PIA

You are required to provide a short explanation (~30 words) to explain that the PIA covers the entire company and ends when the project finishes. Also, what part or stage of the project the PIA covers and, if necessary, what it does not cover.

1.5 Review

You are required to provide a short explanation (~30 words) of the PIA review process. Include the PIA needs to be reviewed in 12 months or as the Privacy Act 1988 is updated. Also, in the case of a large or complex project, the PIA may need to be reviewed several times throughout the project’s lifecycle to ensure that its findings continue to be relevant. If applicable, outline any dates or milestones that will be used as a checkpoint to review whether anything significant has changed since this PIA was completed.

2 Personal Information Flows
This section explains how personal information will flow through the company’s systems and processes because of this project. It describes what personal information will be collected and how it will be used and disclosed, who will have access to it; and how it will be stored and protected.
Review: You are required to explain (~50 words) what personal information is involved and document how this information will flow through the proposed new system or process. For example: What is the nature of the information being collected and who is it collected from? How will the information be collected? How will it be stored and what safeguards will be put in place to protect it? Who will have access to the information? How can individuals seek access or amendment to their personal information? How long will the information need to be retained? Keep in mind that personal information includes any information or opinion about a living individual who is or can reasonably be identified. There is no ‘one size fits all approach to documenting the flow of information. The following table is one example of how you could describe the information flows. You may prefer to use a diagram or business process map. The approach will depend on the complexity of the project’s information flows.
# Business Activity Components of PI Collection Storage Use Disclosure
1 For example, an individual applies for a permit or licence For example, name, date of birth, address From? By whom? How? Lawful authority, if any? How? Where? By whom? For how long? By whom? Why? When? How? Lawful authority, if any? By whom? To? Why? When? How? Lawful authority, if any?

3 Risk Analysis
3.1 Privacy Risks
The following table summarises the key requirements of each privacy principle and outlines key questions to help you to identify potential privacy risks. This list is not exhaustive but indicates the types of questions you could consider. Include one or more identified risks per privacy principle.
Privacy principles Proposed information handling practices Identified risks
Collection (IPPs 1 to 3)
• Collect only that personal information necessary for or required to fulfil a purpose that is directly related to a function or activity of your agency.
• Obtain it lawfully and fairly and in a way that is not unreasonably intrusive into an individual’s personal affairs.
• Inform the individual of what you are going to do with their information, of any applicable law and of any third parties the information will be given.
• Take reasonable steps to ensure the information is complete and up to date. For example:
• What business process or function is enabled by collecting this information?
• How is the collection of each piece of personal information necessary or directly related to this purpose?
• Are there any laws that require or authorise the agency to collect this information? If so, include details of the legislation and the relevant section and a description of the information to be collected. Include only those laws that create an explicit authority or obligation for your agency to collect personal information, rather than legislation that broadly details the nature and extent of the agency’s responsibilities and powers.
• Will personal information be collected directly from the individual it is about? If not, why is it being collected from a third party? Common risks may include:
• Personal information is collected without a clear purpose, which could increase the risk of scope creep or unauthorised use.
• Information collected is either unnecessary or excessive.
• Individuals are not aware of how their personal information will be used, or to whom it will be routinely disclosed, which can lead to a lack of trust.
• Collection notices are not consistently provided, for example, across all communication channels.
• Information is collected unfairly because the individual provides information that they would not have, had they known they had a choice not to provide it.
• Collection methods may be unjustifiably intrusive.
• Personal information collected from a third party may be of poor quality, as the affected person does not have the opportunity to check the data for accuracy.
Storage and security (IPP 4)
• Make sure personal information is protected by appropriate security safeguards to prevent it from being lost, accessed improperly, misused, modified or disclosed.
• If giving the information to a third party, take reasonable steps to prevent its unauthorised use or disclosure. For example:
• What controls will be in place to protect the personal information from loss, unauthorised access, use, modification, disclosure or another misuse – while in transit and at rest? Has the project considered operational (e.g. policies or training), technical (e.g. access controls or encryption) and physical controls (e.g. doors or locks)? Are these safeguards adequate to provide the level of protection that can reasonably be expected to be provided? Can you reference any standards or documents that support the chosen controls?
• How will access be controlled? Who will authorise access? What process will be used to grant access? How will access be changed or revoked when the user leaves or their role changes? Will access be audited regularly?
• What measures will be in place to prevent and detect misuse or unauthorised access? For example – will audit logs enable actions to be linked to individuals and will these logs be reviewed on an ongoing basis?
• What training and awareness are necessary to ensure that staff are aware of their privacy obligations, as well as the agency’s security policies and practices?
• Can the personal information be accessed remotely? Can users access or save their personal information to their devices? If yes, what controls will be in place?
Common risks may include:
• Access is not limited to the ‘need-to-know’ requirement.
• System users with administrative privileges are not limited to staff requiring those privileges.
• Access is not revoked promptly when no longer required.
• The system does not log who has accessed a file, making it difficult to detect or investigate unauthorised access or misuse.
• Staff are unaware of their privacy and security obligations.
• Information is saved onto privately-owned storage devices, increasing the risk of loss, unauthorised access, use, modification or disclosure or another misuse.
• Personal information is kept for longer than required under approved retention and disposal schedule/s.
Openness, access and amendment (IPPs 5 to 7)
• Inform the public about what types of personal information you hold and how it is used and how to request access to or amendment of documents containing their personal information. For example:
• Will requests from individuals for access to, or amendment of, documents containing their personal information be handled as a formal application under the IP Act or can the request be handled administratively?
• Will the project allows information to be altered if it is inaccurate, incomplete, out of date or misleading? If information cannot be altered, what mechanism will be in place for a notation to be attached? Common risks may include:
• Individuals are not able to easily access or amend their personal information.
• Access may be hampered if the data is held by a contracted service provider.
• An individual’s lack of access to their personal information increases the risk of inaccurate or outdated information.
Use and disclosure (IPPs 8 to 11)
• Use the information only for the purpose for which it was collected unless one of the exemptions in the IP Act permits it.
• Take reasonable steps to make sure the information is accurate, complete and up to date before you use it.
• Only use the parts of the personal information that are necessary to fulfil the purpose.
• Do not disclose personal information to anyone other than the individual who is the subject of it, unless one of the exemptions in the IP Act permits it.
For example:
• What reasonable steps will be taken to ensure the information is accurate, complete and up to date before it is used?
– How will you know when the personal information was last updated?
– Has the information been supplied by the individual directly? If not, can it be checked with the individual directly?
– Is it information that is likely to change over time (such as an address) or information that is static (such as date of birth)?
– How damaging will it be to the individual if information that is inaccurate, incomplete or out of date is acted upon? (The more damaging it will be, the more rigorous the steps should be to check its accuracy.)
• If you intend to seek agreement from the individual concerned, how will you ensure their agreement is valid, i.e. that it is voluntary, informed, specific and current? Common risks may include:
• Incomplete, inaccurate or outdated information lead to incorrectly informed decisions, which in turn may hurt the individual concerned.
• Function creeps – information collected for one purpose is then used for another purpose.
• Information is disclosed in circumstances not permitted under the IP Act. If found to be in breach of the IP Act, there is the capacity for an individual to be awarded up to a maximum of $100,000 in compensatory damages.
• Individuals are surprised or upset by a secondary use, which can lead to a privacy complaint, a lack of trust or negative publicity.
• An individual’s refusal of consent, or conditional consent, is not respected.

Transfer of personal information outside Australia (section 33)
Do not transfer personal information outside Australia unless:
• the individual agrees to the transfer
• there is the legal authority for the transfer
• it is necessary to prevent or lessen a serious threat to life, health, safety or welfare; or
• at least two of the criteria in section 33(d) of the IP Act are satisfied. For example:
• Will personal information be transferred outside Australia? For example – collected using an online survey tool or stored (including back-ups) with a cloud-based service or that uses servers physically located overseas? Or, could information potentially be accessed from outside Australia, for example, where information is posted on a website or social media site? If so, what provision in section 33 of the IP Act will be relied upon to permit this transfer? Common risks may include:
• Personal information transferred outside Australia is not afforded the same privacy protections as are in Queensland’s IP Act.
• Individual does not wish for their information to be transferred outside Australia.
• An individual’s refusal of consent, or conditional consent, is not respected.
• Relying on a ‘collection notice’ to obtain an individual’s agreement to transfer their personal information outside Australia where the individual has no choice in whether to participate.
Use of contracted service providers (chapter 2, part 4)
• Take all reasonable steps to bind a contracted service provider to comply with the privacy principles.
For example:
• Will the project involve contracting an external service provider to provide a service to perform a function of the agency? And is this service provided directly to the agency or a third party on behalf of the agency? If so, will the provision of services under the contract or arrangement involve the exchange or handling of personal information in any way? If yes:
– What steps will your agency take to ensure that the service provider is bound to comply with the privacy principles? Note – even if the service provider is subject to the Commonwealth Privacy Act 1988 you must still take all reasonable steps to bind them to Queensland’s IP Act as the obligations in the Commonwealth legislation do not apply to a contracted service provider for any acts or practices it undertakes about a State Government contract.
– Have you considered additional contractual provisions, such as limiting secondary use, placing conditions on the use of sub-contractors or mandatory reporting of any breaches?
It is recommended that you contact your procurement unit and/or legal services unit to ensure the contract includes clauses/provisions to bind the service provider appropriately. Common risks may include:
• Existing Government Information Technology Contracting (GITC) framework contracts may not adequately address the privacy risks of this particular project.
• The standardised contracts in the Queensland Information Technology Contracting (QITC) framework may not adequately address the privacy risks of this particular project.
• If the contractor has not been appropriately bound to comply with the IP Act and HHB Act, the contracting health agency will be liable for any breaches arising from the actions of the service provider.

3.2 Risk Ratings
Rating each risk can help you to prioritize your responses according to how likely it is that the privacy risk will materialise and the severity of its consequences. You should refer to your agency’s risk management framework for guidance on the descriptors for risk likelihood and consequences and definitions of the overall ratings. You should also record all privacy risks in the project’s risk register/log.
# Identified privacy risk Consequences for the individual or agency Likelihood Risk rating
1 Copy your list of identified risks from section 3.1, and add more rows to the table if needed. E.g. Minor, Moderate, Significant E.g. Unlikely, Possible, Likely E.g. Low, Medium, High

4 Actions To Address the Identified Privacy Risks
Describe the strategies or actions that will mitigate or minimise the identified risks. Note: While a PIA does not set out to eliminate every possible privacy risk; risk management does not provide an alternative to compliance with the privacy principles. Privacy needs to be incorporated with other project goals such as functionality; not balanced against them. Adapt this table to suit the nature of the project and the needs of your agency, particularly as large or complex projects may require more complex risk analysis. For example, an assessment of any residual risk, or a more detailed analysis of the costs, strengths and weaknesses of all potential actions that could address the risks.

# Identified privacy risk Existing controls for managing identified risk Recommended actions Comments
1 Copy your list of identified risks from section 3.1, and add more rows to the table if needed. What current safeguards help mitigate or minimise the identified risks? What additional measures can be implemented to mitigate or minimise the risk? If other strategies could address the risk, provide comments about why the recommended action is the preferred option.

5 Stakeholder Consultation
Consultation with key stakeholders is essential to the PIA process. It helps to ensure that key privacy issues are identified, addressed and communicated. Provide details of who you consulted with, how you engaged with them, what you asked them and what information was gathered.
The following stakeholders were consulted in undertaking this PIA:
# Stakeholder Internal/External Scope of consultation Method Results
1 Name of stakeholders or group of stakeholders Are the stakeholders internal to the agency or external? What did you ask the stakeholder? How did you engage with the stakeholders? For example, meetings, emails, etc. What input did the stakeholder provide?

5.1 Contact Point for Future Enquiries
File Name: