Privacy Impact Assessment for the IPC GIPA Tool

Before public sector agencies can assess the privacy impacts of new projects or proposed new legislation, they first need to be able to quickly identify whether the proposal is likely to raise any privacy issues. This task can be daunting for staff who are not privacy specialists.

The Identifying Privacy Issues early Checklist (PDF) is designed to assist staff to identify the things that should trigger their consultation with their Privacy Contact Officer (or with the NSW Privacy Commissioner) early in the project or legislation's design stage.

In addition to the initial checklist, a Privacy Impact Assessment (PIA) can be undertaken. A PIA involves a comprehensive analysis of the likely impacts of a project upon the privacy rights of individuals. A thorough assessment can ensure that any problems are identified and resolved at the design stage of the project.

A PIA is not only about ensuring compliance with the relevant information privacy laws such as the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act), but can also help to minimise the risk of reputational damage by identifying broader privacy concerns.

The Privacy Commissioner has also developed guidance on PIAs: Guide to Privacy Impact Assessments.

Privacy Impact Assessment of the IPC GIPA Tool

In 2016 the IPC conducted a privacy impact assessment of the GIPA Tool. The assessment is available here.

The recommendations of the assessment have been considered and addressed as part of further development of the Tool and associated IPC procedures.

New government initiatives

When examining new proposals or laws, the following questions may help point out whether the proposals or the laws comply with the privacy principles:

  • Is it likely to increase the amount of personal information collected by government/business?
  • Does it propose a new use for an existing source of personal information?
  • Does it propose sharing, linking or matching personal information between different organisations?
  • Does it propose new powers of entry, search or seizure?
  • Does it propose surveillance as a method of achieving a policy or law enforcement objective?
  • Does it create an identification system or require a new use of existing forms of ID?
  • Is it being proposed by the makers or sellers of a new technology, looking for a market?