Before introducing a new product or service to the market which involves the handling of personal information, organisations should consider undertaking a Privacy Impact Assessment (PIA).
PIAs detail a project with a privacy focus, and involve a comprehensive analysis of the likely impact of a project on the privacy rights of individuals.
In addition to ensuring that an organisation is complying with its statutory obligations under the Privacy Act, undertaking a PIA will force an organisation to address privacy concerns from the start, rather than in a reactionary manner following a privacy breach, which will involve greater expenditure for the entity involved.
Westfield learnt the hard way
Westfield’s ticketless parking system scanned car number plates upon entering and exiting four Westfield car parks.
- SMS notifications were sent to registered parkers recording their entry time, with a further alert when the free parking time was nearly up.
- To register for the service, users merely provided a name, licence plate number and phone number. No verification was required.
- Privacy experts flagged that there was no need for a user to prove that the licence place was their own. This meant that an individual could enter any licence plate number and receive notifications when the vehicle entered a specific Westfield centre, providing its physical location. Imagine the consequences for stalking or domestic violence victims?
Westfield suspended this SMS service pending an “internal investigation”. The company confirmed it had not undertaken a privacy impact assessment prior to releasing the service.
The need for PIAs
Although each organisation’s PIA will be different, all PIAs should involve stakeholder consultation to understand the flow of personal information and the risks of inadvertent disclosures. Once the flow of personal information is identified and privacy issues noted, those conducting the PIA should consider what action to take to address privacy issues. This could include conducting staff training, making design changes and implementing physical controls, including limiting physical access to information. This should all be captured in a PIA report, which, subject to confidentiality concerns, should be accessible to all relevant stakeholders. Recommended actions should be implemented into project plans.