Overview: Planning and implementing new projects


In order to mitigate the risk of privacy issues and cyber security threats, and to achieve data resilience, it is important to take a proactive approach to privacy.

This means thinking critically about privacy during the planning and implementation stages of a project. As discussed in Implementing a privacy by design approach, privacy by design is essential to proactive management of privacy issues.

Conducting a privacy impact assessment

A privacy impact assessment (PIA) is an essential part of implementing new projects in order to achieve privacy by design.

A PIA is a systematic evaluation of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.

See Conducting a privacy impact assessment.

Obtaining consent to collect personal information

For any new project where personal information is collected, it is vital to consider the issue of consent. Consent is relevant to the operation of a number of Australian Privacy Principles (APPs). In some APPs, consent is an exception to a general prohibition against personal information being handled in a particular way (for example, an APP entity can only collect “sensitive information” if the individual consents, unless an exception applies). In other APPs, consent provides authority to handle personal information in a particular way (for example, sensitive information cannot be used for direct marketing without the individual’s consent, and an individual’s express consent, given after being expressly informed that APP 8.1 will not apply to the disclosure, allows personal information to be disclosed to an overseas recipient).

The Information Commissioner has made clear that consent is a particular regulatory focus. She has stated publicly that “The practical application of concepts of fairness and the role of consent will be central to the future of privacy in Australia. It is a key issue that unites my regulatory priorities and, accordingly, I also think it should be a key focus point for every organisation moving forward.”

Given these statements, consent, when relied on as a basis for complying with the Privacy Act, needs to be carefully considered by organisations.

Separately, when an APP entity collects personal information about an individual, APP 5 — Notification of the collection of personal information requires that the individual be notified of certain mandatory matters at or before the time of collection or, if that is not practicable, as soon as practicable afterwards.

See Obtaining consent to collect personal information.

In this subtopic, you will learn:

  • the key elements of a PIA (see Conducting a privacy impact assessment);
  • about planning and conducting a PIA (see Conducting a privacy impact assessment); and
  • key issues to consider regarding obtaining consent (see Obtaining consent to collect personal information).

This subtopic will be useful for in-house and external practitioners:

  • wanting to understand what a PIA is;
  • who are required to conduct and/or draft a PIA;
  • who are required to provide advice on privacy issues for new projects or changes within an organisation;
  • who need to assess issues regarding consent; and
  • who need to draft a collection statement which complies with APP 5 — Notification of the collection of personal information in respect of collecting personal information from individuals.