Privacy impact assessments

Background

47.44 PIAs have been the topic of much discussion in recent reviews of the Privacy Act and in privacy commentary more generally. The term ‘privacy impact assessment’ is not defined in the Privacy Act, nor is there a requirement for the Commissioner, or for an agency or organisation, to undertake a PIA. There is, however, a related function vested in the Commissioner, which is to examine and advise on a proposed enactment.[65] While the Commissioner may produce a PIA as a result of such an examination, the term ‘privacy impact assessment’ has come to refer to a more formalised assessment conducted by the relevant agency or privacy consultant, rather than by the Commissioner.[66]

Definition

47.45 The OPC suggests that a PIA is an assessment tool that ‘tells the story’ of the project from a privacy perspective. It describes the personal information flows in a project and analyses the possible impact on privacy of those flows.[67] Others have suggested a PIA is ‘an assessment of any actual or potential effects that the activity or proposal may have on individual privacy and the ways in which any adverse effects may be mitigated’.[68]

47.46 It is suggested that PIAs are a form of proactive regulation that can help prevent privacy-intrusive legislation or projects from being implemented. In a principles-based regulatory regime, PIAs also can help ‘marry the discretion allowed under the Act with a degree of accountability to the public where a significant privacy erosion will be caused’.[69] In addition, PIAs may help ‘tackle wider privacy issues such as intrusion’[70] and are seen by many as one of the key ways to address the possible privacy impact (whether negative or positive) of new or developing uses of technology.[71]

47.47 The most significant benefits of a PIA are achieved when it is integrated into the decision-making process for the project.[72] It has been suggested that the PIA must take place ‘during the development of proposals when there is still an opportunity to influence the proposal’.[73] In this way, a PIA is to be distinguished from a privacy compliance audit. While both are proactive compliance measures, the latter examines the information-handling practices of an auditee ‘that are in place at the time, as opposed to future proposals that the auditee might be contemplating’.[74] A PIA, in contrast, focuses on future projects.

Status in Australia

47.48 As noted above, the Commissioner can prepare a PIA when exercising the function of examining and advising on proposed enactments. While the Commissioner can report to the Minister about a proposed enactment and must report if directed to do so by the Minister,[75] the Minister is not required to obtain the OPC’s advice in relation to proposed legislation or to act on any recommendations made by the OPC in a report to the Minister.[76] Similarly, there are no requirements in the Privacy Act for an agency to undertake a PIA. In the absence of a legislative directive, the OPC has said the incentive for conducting a PIA comes from the fact that ‘the success of an agency’s project will depend in part on it complying with legislative privacy requirements and how well it meets broader community expectations about privacy’.[77]

47.49 To encourage agencies to undertake PIAs, the OPC produced a Privacy Impact Assessment Guide (PIA Guide), which provides detail on the nature, purpose and effect of a PIA. The PIA Guide contains modules for undertaking the PIA process. The PIA Guide notes that, while there is no formal role for the OPC in the development, endorsement or approval of PIAs, the OPC may be able to advise agencies on privacy issues arising throughout the assessment process.[78] The OPC often recommends that a department undertake a PIA as part of its advice on proposed enactments and policy submissions.[79]

47.50 The OPC has not prepared a similar guide for organisations, although the use of PIAs in the private sector was discussed in the OPC Review. It was suggested that organisations should use the PIA process ‘to assess and avoid privacy risks inherent in many large scale projects using new technologies’.[80] Ultimately, the OPC did not recommend that organisations should be required to prepare, or obtain, a PIA. The OPC has subsequently noted that:

it considers that the best way for organisations and government agencies to avoid interferences with privacy is for them to use a [PIA] to analyse the risks to privacy posed by new projects, technologies or rules and to address those risks before problems occur.[81]

47.51 The Senate Committee privacy inquiry went further and recommended that the Privacy Act ‘be amended to include a statutory [PIA] process to be conducted in relation to new projects or developments which may have a significant impact on the collection, use or matching of personal information’.[82] The Australian Government did not agree with the Senate Committee’s recommendation, noting that ‘the Privacy Commissioner is developing a [PIA] process for use by agencies and considers that at this time a statutory process is not appropriate’.[83]

PIAs in other jurisdictions

Requirements imposed on agencies

47.52 A number of jurisdictions require agencies to prepare a PIA in certain circumstances. The Canadian government was the first federal government to make PIAs mandatory.[84]

47.53 Under the Canadian Government’s Privacy Impact Assessment Policy, all federal departments and agencies must conduct a PIA ‘for proposals for all new programs and services that raise privacy issues’.[85] Representatives of the Office of the Privacy Commissioner of Canada (Canadian Privacy Commissioner) must be involved at the earliest possible stage of the development of the PIA, and a copy of the PIA must be provided to the Canadian Privacy Commissioner and published on the internet.[86] The Canadian Privacy Commissioner’s role is not to accept or reject projects, but ‘to assess whether or not departments have done a good job of evaluating the privacy impacts of a project and to provide advice, where appropriate, for further improvement’.[87]

47.54 The Canadian Privacy Commissioner has explained that PIAs are important in the public sector because of the lack of control that individuals exercise over their own personal information. Whereas, in a commercial context, parties are free to enter transactions and define the terms of their exchange according to their respective interests, individuals are rarely in a strong bargaining position when it comes to the collection and use of their personal information by government. Because of this situation,

government has a special trust relationship with citizens—a fiduciary duty to protect personal information under its charge. Performing PIAs constitutes one way that government institutions can honor that public trust, and in so doing earn the confidence of their clients and the public at large.[88]

47.55 Some Canadian provinces also encourage or require PIAs.[89] In addition, the E-Government Act in the United States requires that a PIA be undertaken, reviewed by the Chief Information Officer of the agency and, if practicable, published, before an agency develops or procures a new information system or initiates a new collection of personally identifiable information.[90]

47.56 The Office of the Information Commissioner (UK) (UK Information Commissioner) has recently developed and released a PIA handbook, setting out a framework for conducting PIAs. The PIA process in the United Kingdom is not a legislative requirement; rather, the Information Commissioner has noted that taking a ‘proactive approach in the UK offers significant benefits by addressing privacy concerns and inspiring the public’s trust and confidence in what happens to their personal information’.[91] The handbook, which is aimed at corporations and government agencies, states that a PIA should be considered when a proposal may give rise to public concerns about privacy (and those concerns would represent a significant risk for the project). It sets out a plan for conducting a PIA, including when stakeholders should be involved.[92] The handbook also stresses that reports of the PIA process should be open and transparent.

A PIA Report should be written with the expectation that it will be published, or at least be widely distributed. If so, the report can fulfill [its] functions: accountability, post-implementation review, audit, input into future iterations of the PIA, and background information for people conducting PIAs in the future. [93]

Requirements imposed on organisations

47.57 While there are precedents for requiring agencies to conduct PIAs, the ALRC is not aware of any jurisdiction that requires an organisation to conduct a PIA in relation to new projects or developments. There has been discussion, however, about extending a PIA process to the private sector in the UK. The UK Information Commissioner has proposed that PIAs be introduced ‘to ensure public confidence in initiatives and technologies which could otherwise accelerate the growth of a surveillance society’.[94] The UK Information Commissioner argued that the introduction of PIAs would ‘ensure organisations set out how they will minimise the threat to privacy and address all the risks of new surveillance arrangements before their implementation’.[95] As noted above, this process has commenced with the establishment of a PIA handbook, encouraging organisations to undertake PIAs voluntarily as part of their business management and risk assessment processes.

Submissions and consultations

47.58 In DP 72, the ALRC identified support in submissions and consultations for the process and benefits of conducting a PIA. There was disagreement, however, about whether the process should be mandatory or voluntary, and whether it should apply to organisations as well as agencies. In particular, there was a reluctance to introduce a mandatory PIA process, for fear that it would increase the regulatory burden and make a PIA a ‘box-ticking exercise’, rather than a genuine assessment of privacy risks.

47.59 In terms of the process of conducting a PIA, stakeholders generally agreed that the PIA should be undertaken by the relevant agency or organisation itself, as responsibility to ensure that a project complies with the Privacy Act ultimately rests with the agency or organisation undertaking the project. It was suggested, however, that the OPC should have some oversight or monitoring role.

47.60 In DP 72, the ALRC expressed the view that the PIA process should have a statutory underpinning in the Privacy Act. The ALRC suggested that this could take one of two forms: amending the Act to include a requirement to prepare a PIA for proposed projects and developments that have a significant impact on the handling of personal information; or continuing the current voluntary approach while also giving the Commissioner a power to direct that a PIA be undertaken.

47.61 Having regard to the fact that the voluntary process had been in place for agencies for just over a year, and conscious of the regulatory burden that a mandatory requirement would impose, the ALRC proposed that the second option be adopted. That is, that the Privacy Act be amended to empower the Privacy Commissioner to direct an agency or organisation to provide to the Commissioner a PIA in relation to a new project or development that the Commissioner considers may have a significant impact on the handling of personal information, and to report to the Minister on any failure to comply with such a direction.[96] The ALRC also proposed that the OPC produce guidelines on the PIA process tailored to the needs of organisations, as organisations were included in the proposed scope of the power.

47.62 The ALRC received a large number of submissions on this proposal. Strong support was received from the Australian Privacy Foundation,[97] and a number of other stakeholders and interest groups also supported the proposal.[98]

47.63 Medicare Australia submitted that agencies should be encouraged to conduct PIAs for new projects and developments, rather than having a PIA process imposed on them. It argued that a mandatory approach could result in the process being seen as an administrative burden, which would lead to agencies ‘going through the motions’, rather than using it as a genuine opportunity to ensure that best privacy practice is built into the project design.[99]

47.64 The Public Interest Advocacy Centre (PIAC) argued that PIAs are a crucial aspect of proactive privacy regulation and that the ALRC’s proposal did not go far enough.

It should be mandatory for agencies and organisations to provide and publish PIAs for all new projects and developments that have the potential to significantly impact on privacy. It should not be left up to the Privacy Commissioner to ‘direct’ that a PIA be carried out. This assumes that the Commissioner will have some advance knowledge of the proposed project or development. It would not be difficult for an agency or organisation to limit publicity and information about new projects or developments, thus circumventing a PIA direction. Indeed, there will often be circumstances in which an agency or organisation seeks to keep the development confidential for business or political reasons. Moreover, if the Commissioner is poorly resourced or giving priority to other functions such as complaint handling, it is not difficult to imagine the function of directing PIAs falling by the wayside.[100]

47.65 The OPC supported PIAs being undertaken for agency projects that have a significant impact on the handling of personal information, but did not support an explicit power to direct either agencies or organisations to undertake a PIA. In particular, in relation to organisations:

The Office considers that imposing a requirement that PIAs be conducted by organisations at the direction of the Privacy Commissioner may result in a perception of privacy being a burden imposed on an organisation by the regulator, rather than adopted and built in by the organisation in an effort to ensure best practice and consumer confidence. This appears to be a departure from the current model which is underpinned by the concept that organisations are best equipped to undertake risk analysis of their own business, and determine how the principle based law can best be applied in their circumstances.[101]

47.66 A number of private sector organisations opposed the proposal.[102] Most took the view that any power given to the OPC to direct that a PIA be undertaken would be an additional compliance burden, and add increased costs to projects and developments.[103]

47.67 This view was shared by the Department of Broadband, Communications and the Digital Economy, which submitted that the proposal could have a significant impact on an agency’s capability to quickly implement new Government policies, and on the resources available to do so. It argued that the proposal also would place a significant compliance burden on private organisations.[104]

47.68 A number of stakeholders took the view that the proposal was inconsistent with principles-based regulation.[105] Telstra argued that organisations should be free to determine how to comply with the Privacy Act.

It is appropriate for the OPC to issue guidelines on good practice and preparation of PIAs, but the Privacy Commissioner should not be directing how to manage compliance, whether organisations undertake PIAs, or how those PIAs should be carried out. Ultimately, if an organisation fails to comply with the Privacy Act, it will be accountable as there are effective enforcement tools available to the Privacy Commissioner.[106]

47.69 The Australasian Compliance Institute expressed the view that the OPC could achieve the same result through releasing guidelines in relation to when PIAs should be undertaken. It argued that, given the OPC is unlikely to find out about projects or developments until they are well advanced, the value in the OPC being able to direct that a PIA be undertaken at that point in time is questionable, particularly given the cost and time delay that such assessments may generate.[107]

47.70 The National Transport Commission ‘did not disagree’ with the proposal, but expressed concern that the proposal could duplicate what already occurs as part of the regulatory impact statement (RIS) process. Development of an RIS by agencies is mandatory for all reviews of existing regulation and proposals for new or amended regulation.[108] In reforms that have a privacy dimension, the department, agency, or body preparing the RIS is required to canvass such issues with relevant stakeholders, which would include the applicable state and federal Privacy Commissioner, and would have to incorporate their views and any submissions they make in the RIS.[109]

ALRC’s view

47.71 Agencies and organisations should be encouraged to conduct PIAs for new projects and developments, and the OPC should educate agencies and organisations about the value of PIAs and the process involved in conducting a PIA.[110] With the exception of Canada, no other jurisdiction has mandatory PIAs. In the UK and New Zealand, the current approach is to encourage the voluntary use of PIAs and provide clear guidance as to their benefits.

47.72 This encouragement and education should be supported by a power vested in the Privacy Commissioner to direct agencies to prepare a PIA in relation to projects that may have a significant impact on the handling of personal information, and for the Commissioner to report to the Minister on non-compliance with such a direction.

47.73 For the reasons outlined below, however, the power to direct the preparation of a PIA should be limited to agencies and not apply to organisations. In relation to agencies, this proposal was supported by a number of large government departments, such as Centrelink, Medicare and the Department of Human Services.[111]

47.74 A power to direct the preparation of a PIA should not place as large a compliance burden on agencies as a mandatory scheme, but rather strengthen the existing voluntary regime. It is envisaged that the power to direct a PIA would be used primarily in two circumstances. First, it could be used where the OPC currently recommends that a PIA be undertaken, as part of its policy advice on a proposal or bill. Rather than being limited to ‘recommending’, the OPC would have the ability to direct, where appropriate, the agency to prepare the PIA. Secondly, it could be used where there has been some publicity about a project or development, or a complaint, inquiry or tip-off, and the OPC concludes that the project or development may have a significant impact on the handling of personal information.

47.75 Monitoring compliance with a direction to prepare a PIA should be less onerous and more manageable than monitoring compliance with a mandatory scheme, and the power to report non-compliance to the Minister should have a valuable deterrent effect. As part of the Commissioner’s auditing functions, the Commissioner also would be able to assess the extent to which an agency or organisation complies with the voluntary PIA guide. This may prompt the Commissioner to keep a closer watch on agencies or organisations that do not appear to be conducting PIAs where appropriate.[112] If a project raised serious privacy concerns, the Commissioner could apply to the Federal Court or the Federal Magistrates Court for an injunction to stop the agency from implementing the project, pending the preparation of the PIA and the review of that assessment by the OPC.[113]

47.76 The relevant agency should prepare (or obtain) the PIA, as compliance with the Act is its responsibility, and the project or development is its concern. The OPC should continue to review and provide guidance and advice on the PIA process, to ensure it adequately addresses and resolves privacy issues.[114]

47.77 The power to direct a PIA should not, however, replace the role of the existing voluntary guidelines. These guidelines strongly encourage PIAs to be produced in certain circumstances, and agencies should not wait for a direction from the OPC where they believe a PIA is warranted. The power to direct should be required only as a last resort, where the Commissioner feels that a PIA is necessary and is not being considered by the agency.

47.78 As noted above, PIAs are most effective when they are undertaken at the start of a project. Some stakeholders suggested that the Commissioner will not be in a position to know that a project that requires a PIA has commenced. Even if a PIA were mandatory, however, there would be no way to ensure that it was being conducted at the commencement of a project, unless it were required to be provided to the OPC. Such a requirement would have considerable resource implications. One way to ameliorate these concerns is to encourage more informal dialogue between agencies and the OPC through the Privacy Contact Officers network, so that the OPC is aware of major projects that are being proposed that may require a PIA.

47.79 The ALRC notes the concern that undertaking a PIA may duplicate the RIS process. While some agencies may consider privacy issues as part of an RIS, it does not appear from submissions and consultations that this is a universal practice. Furthermore, not every project which has a significant impact on the handling of personal information will require an RIS. The purpose of an RIS is to ensure that government policymaking does not lead to unnecessary regulation and compliance burdens. As part of the process, policymakers identify the options (regulatory and non-regulatory) for achieving the desired objective of the policy and assess the impact (costs and benefits) of each option on consumers, business, government, the environment and the community.[115] The role of a PIA is quite different: it describes the personal information flows in a project and analyses the possible impact on privacy of those flows, and is not conducted from a cost/benefit perspective. The ALRC, therefore, is of the view that any work done in completing an RIS could assist the PIA process, or vice versa, but the completion of both may be necessary in some instances.

47.80 Private sector stakeholders did not support the proposal to allow the OPC to direct organisations that a PIA must be undertaken where the Commissioner considers that a project may have a significant impact on the handling of personal information. While many new projects or developments undertaken by organisations would benefit from being subject to PIAs to ensure that the privacy risks are assessed and adequately managed, this may also result in a significant compliance burden. If the recommendation to remove the small business exemption from the Privacy Act is implemented,[116] there will already be some additional compliance costs for small businesses.

47.81 There are different policy considerations which favour a power to direct agencies to complete a PIA. PIAs serve an important function in the public sector, because individuals are able to exercise less control over their own personal information. In a commercial context, parties are free to enter and withdraw from transactions according to their own interests.[117]

47.82 The strongest argument in favour of not directing organisations to undertake a PIA is that the OPC has not yet issued voluntary guidelines for private sector PIAs. Given that the private sector has not yet been given the opportunity to adopt the voluntary guidelines, the ALRC does not recommend that the Privacy Commissioner be empowered to direct organisations to undertake a PIA.

47.83 Instead, and consistently with the approach taken to agency PIAs, the ALRC recommends that the OPC produce a PIA guide tailored to the needs of organisations. Such a guide should help to educate organisations on the value of a PIA, the process involved, and the assistance that the OPC can give. The OPC also should include guidance in the respective PIA guides on what constitutes a ‘significant impact on the handling of personal information’. These circumstances could draw on the examples put forward by Blair Stewart,[118] including where: the project or development involves a new technology or the convergence of an existing technology; the use of a known technology in a new privacy-intrusive circumstance; or a major endeavour or change in practice that has obvious privacy risks.[119]

47.84 Once the voluntary guidelines are in place, a review should be undertaken in five years from the commencement of the amended Privacy Act to assess whether the power in Recommendation 47–4 should be extended to include organisations.[120]

Recommendation 47-4 The Privacy Act should be amended to empower the Privacy Commissioner to:

(a) direct an agency to provide to the Privacy Commissioner a Privacy Impact Assessment in relation to a new project or development that the Privacy Commissioner considers may have a significant impact on the handling of personal information; and

(b) report to the ministers responsible for the agency and for administering the Privacy Act on the agency’s failure to comply with such a direction.

Recommendation 47-5 The Office of the Privacy Commissioner should develop and publish Privacy Impact Assessment Guidelines tailored to the needs of organisations. A review should be undertaken in five years from the commencement of the amended Privacy Act to assess whether the power in Recommendation 47–4 should be extended to include organisations.

[65] Privacy Act 1988 (Cth) s 27(1)(b). Privacy Commissioners in other Australian jurisdictions have similar powers to examine and advise on the privacy impacts of proposed legislation. See, eg, the Information Privacy Act 2000 (Vic) s 58(1); Information Act 2002 (NT) s 86(1)(f). See also Human Rights and Equal Opportunity Act 1986 (Cth) ss 11(1)(e), 46C(1)(d); Disability Discrimination Act 1992 (Cth) s 67(1)(i); Sex Discrimination Act 1984 (Cth) s 48(1)(f).

[66] See, eg, the Office of the Privacy Commissioner, Privacy Impact Assessment Guide (2006); New Zealand Government Privacy Commissioner, Privacy Impact Assessment Handbook (2007); Office of the Victorian Privacy Commissioner, Privacy Impact Assessments—A Guide (2004).

[67] Office of the Privacy Commissioner, Privacy Impact Assessment Guide (2006), 4.

[68] B Stewart, ‘Privacy Impact Assessments’ (1996) 3 Privacy Law and Policy Reporter 61, 62. See also the definitions of PIAs in Surveillance Studies Network, A Report on the Surveillance Society (2006) United Kingdom Government Information Commissioner’s Office, [45.1.1].

[69] B Stewart, ‘Privacy Impact Assessments’ (1996) 3 Privacy Law and Policy Reporter 61, 61.

[70] Ibid, 61.

[71] See, eg, the Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005); Surveillance Studies Network, A Report on the Surveillance Society (2006) United Kingdom Government Information Commissioner’s Office; Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005). See also B Stewart, ‘Privacy Impact Assessment: Towards a Better Informed Process for Evaluating Privacy Issues Arising from New Technologies’ (1999) 5 Privacy Law and Policy Reporter 147.

[72] B Stewart, ‘Privacy Impact Assessments’ (1996) 3 Privacy Law and Policy Reporter 61. See also Surveillance Studies Network, A Report on the Surveillance Society (2006) United Kingdom Government Information Commissioner’s Office, [45.1.3].

[73] United Kingdom Government Information Commissioner’s Office, Evidence Submitted to the Home Affairs Committee Inquiry into ‘The Surveillance Society?’ 23 April 2007, 6.

[74] Office of the Federal Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2003–30 June 2004 (2004), 64. See also Surveillance Studies Network, A Report on the Surveillance Society (2006) United Kingdom Government Information Commissioner’s Office, [45.1.7]; B Stewart, ‘Privacy Impact Assessments’ (1996) 3 Privacy Law and Policy Reporter 61.

[75] Privacy Act 1988 (Cth) s 31. Currently, the minister with responsibility for the Privacy Act is the Cabinet Secretary.

[76] The Australian Government Department of the Prime Minister and Cabinet, Legislation Handbook (1999), [4.7(h)(vi)] provides that, in relation to legislative matters going before Cabinet, it is expected that the relevant department undertake other consultations in preparing the submission, including ‘with the Privacy Commission [sic] if the legislation has implications for the privacy of individuals’.

[77] Office of the Privacy Commissioner, Privacy Impact Assessment Guide (2006), 4.

[78] Ibid, 17.

[79] See, eg, Australian Government Office of the Privacy Commissioner, Submission to the Attorney-General’s Department Consultation on the Second Exposure Draft of the Anti-Money Laundering and Counter-Terrorism Funding Bill 2006, 2; Office of the Privacy Commissioner, Comments to the Attorney-General’s Department on the Review of the Law on Personal Property Securities: Discussion Paper 1 Registration and Search Issues, 1 February 2007, 3.

[80] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 255–256.

[81] S Jenner, ‘The Impact of Computers on Privacy: A Virtual Story’ (Paper presented at Striking A Balance: Computer Audit, Control and Security 2005 Conference, Perth, 23–26 October 2005).

[82] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), rec 5. This recommendation was not limited to agencies.

[83] Australian Government Attorney-General’s Department, Government Response to the Senate Legal and Constitutional References Committee Report: The Real Big Brother: Inquiry into the Privacy Act 1988 (2006), 2–3.

[84] G Greenleaf, ‘Canada Makes Privacy Impact Assessments Compulsory’ (2002) 8 Privacy Law and Policy Reporter 190. This policy took effect on 2 May 2002.

[85] Treasury Board of Canada Secretariat, Privacy Impact Assessment Policy (2002).

[86] Ibid.

[87] S Bloomfield, ‘The Role of the Privacy Impact Assessment’ (Paper presented at Managing Government Information: 2nd Annual Forum, Ottawa, 10 March 2004), 3–4.

[88] Ibid, 2. The PIA Policy also came out of the Canadian Government’s e-government initiatives, with the Policy identified as one of several tools designed to meet the challenge of assisting Canadians in understanding how the government handles their personal information and building trust in the government to handle such information responsibly, regardless of the service-delivery channel they choose to use—see Treasury Board of Canada Secretariat, Privacy Impact Assessment Policy (2002).

[89] See, eg, the Freedom of Information and Protection of Privacy Act 1996 RSBC c165 (British Columbia) s 69(5); Health Information Act 2000 RSA c H–5 (Alberta) ss 46, 64, 70, 71.

[90] E-Government Act of 2002 2458 Stat 803 (US) s 208.

[91] United Kingdom Government Information Commissioner’s Office, Privacy Impact Assessment Handbook (2007).

[92] Ibid.

[93] Ibid.

[94] United Kingdom Government Information Commissioner’s Office, ‘Information Commissioner Calls for New Privacy Safeguards to Protect against the Surveillance Society’ (Press Release, 1 May 2007).

[95] Ibid.

[96] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 44–4.

[97] Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[98] Australian Government Centrelink, Submission PR 555, 21 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[99] Medicare Australia, Submission PR 534, 21 December 2007.

[100] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[101] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[102] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Confidential, Submission PR 536, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Financial Planning Association of Australia, Submission PR 496, 19 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; National Australia Bank, Submission PR 408, 7 December 2007.

[103] Australasian Compliance Institute, Submission PR 419, 7 December 2007;

[104] Australian Government Department of Broadband, Communications and the Digital Economy, Submission PR 512, 21 December 2007.

[105] Telstra Corporation Limited, Submission PR 459, 11 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Investment and Financial Services Association, Submission PR 538, 21 December 2007.

[106] Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[107] Australasian Compliance Institute, Submission PR 419, 7 December 2007.

[108] All Commonwealth policy proposals that have a significant impact on business and individuals or the economy (whether in the form of compliance costs or other impacts) require the preparation of an RIS. Before consideration of the proposal by Cabinet or the relevant Minister, the RIS must be considered by the Office of Best Practice Regulation: see Australian Government Office of Best Practice Regulation, Role of the OBPR <www.obpr.gov.au/role.html> at 15 May 2008.

[109] National Transport Commission, Submission PR 416, 7 December 2007.

[110] In relation to terminology, the ALRC continues to adopt the definition of ‘project’ in the PIA Guide, where it is used to refer to any proposal, review, system, database, program, application, service or initiative that includes the handling of personal information: Office of the Privacy Commissioner, Privacy Impact Assessment Guide (2006), 3. The ALRC notes that a project could be a new development or a new policy proposal, and a project may be implemented by legislation or administratively.

[111] Australian Government Centrelink, Submission PR 555, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[112] The OPC already monitors compliance with voluntary guidelines, such as the Data-Matching Guidelines, even though they are not binding. See Office of the Privacy Commissioner, Privacy Audit Manual—Part I (Information Privacy Principles) (1995), 9.

[113] Privacy Act 1988 (Cth) s 98.

[114] This is consistent with the approach recommended in B Stewart, ‘Privacy Impact Assessments’ (1996) 3 Privacy Law and Policy Reporter 61.

[115] Australian Government Office of Best Practice Regulation, Best Practice Regulation Handbook (2006), Part 3.

[116] Rec 39–1.

[117] See S Bloomfield, ‘The Role of the Privacy Impact Assessment’ (Paper presented at Managing Government Information: 2nd Annual Forum, Ottawa, 10 March 2004).

[118] Assistant Commissioner (Policy), Office of the Privacy Commissioner New Zealand.

[119] See B Stewart, ‘Privacy Impact Assessments’ (1996) 3 Privacy Law and Policy Reporter 61.

[120] See also Recs 3–6 and 54–8.