Prioritising risks
A risk and mitigation table helps you to prioritise risks according to how likely it is that threats
to privacy will materialise, and to gauge the severity of their potential impacts. You can then
decide which controls are most needed.
This exercise will help you sort out what you should do now, what you should do soon, and
what you could do later if resources allow it.
Identifying safeguards
You may be able to identify areas in which adding privacy safeguards will help your project
or organisation to function more efficiently and win greater trust from your clients. The
appropriate use of privacy-enhancing tools and technologies may help to reduce the
potential adverse effects of your initiative on privacy in a number of ways, and may reduce or
eliminate the need for other safeguards.
Page 1 of 9
Description of risk: Identify each vulnerability (in the project’s current design) relating to that aspect of information-management – for example, new information requirements, system design needs that underpin the initiative, or other design decisions that could upset the project if not properly addressed.
Rationale and consequences: Why do these things matter – how could individuals or the agency be harmed? Also note where there are benefits that you want to maximise or ensure are maintained.
Existing controls: What current safeguards will help to minimise or manage the risks identified?
Residual current risk: If the system is unchanged, what is the level of the risk?
Recommended mitigations or enhancements: What additional measures can be used to remove, manage or mitigate the residual risk, or to enhance privacy safeguards?
Residual risk remaining: What risk will remain even if new safeguards are put in place?
You may also wish to include a summary of each column of the table as an introduction for
people reading your risk and mitigation table, to help them understand the different
components.
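The prioritisation described above (rate likelihood and severity, then sort each risk into what to do now, soon or later) and the column layout of the table can both be captured in a small risk register. The following is an added example written for this page, not part of the template or of any agency's own tooling. The rating words come from the template (likelihood high/medium/low, severity serious to minimal, with "moderate" taken from the R-001 example row); the numeric weights, the 3x3 matrix, the score thresholds and the now/soon/later mapping are assumptions of this example, and the R-002 and R-003 rows are constructed sample entries.

```python
from dataclasses import dataclass

# Rating scales use the template's own words: likelihood is high, medium or
# low; severity of harm runs from serious to minimal ("moderate" is taken from
# the R-001 example row). The numeric weights, the score thresholds and the
# now/soon/later mapping are assumptions of this example, not the template's.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
SEVERITY = {"minimal": 1, "moderate": 2, "serious": 3}
LEVEL_TO_ACTION = {"high": "now", "medium": "soon", "low": "later"}


@dataclass(frozen=True)
class RiskEntry:
    """One row of the risk and mitigation table, one field per column."""
    ref: str
    aspect: str               # purpose of collecting the information
    description: str          # description of the risk
    rationale: str            # rationale and consequences
    existing_controls: str
    likelihood: str           # residual current risk: likelihood (high/medium/low)
    severity: str             # residual current risk: severity of harm
    mitigations: str          # recommended mitigations or enhancements
    residual_likelihood: str  # risk remaining despite new safeguards
    residual_severity: str


def _rating(scale, value, name):
    """Map a rating word onto its ordinal, rejecting anything off the scale."""
    key = value.strip().lower()
    if key not in scale:
        raise ValueError(f"unknown {name} rating {value!r}; expected one of {sorted(scale)}")
    return scale[key]


def risk_score(likelihood, severity):
    """Likelihood x severity on the assumed 3x3 matrix: 1 (lowest) to 9."""
    return _rating(LIKELIHOOD, likelihood, "likelihood") * _rating(SEVERITY, severity, "severity")


def risk_level(likelihood, severity):
    """Collapse the score to the template's high / medium / low risk level."""
    score = risk_score(likelihood, severity)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def action_bucket(entry):
    """Which column of the now / soon / later plan a row belongs in."""
    return LEVEL_TO_ACTION[risk_level(entry.likelihood, entry.severity)]


def prioritise(entries):
    """Most urgent first; ties broken by reference number so the order is stable."""
    return sorted(entries, key=lambda e: (-risk_score(e.likelihood, e.severity), e.ref))


def plan(entries):
    """Group prioritised references into the now / soon / later buckets."""
    buckets = {"now": [], "soon": [], "later": []}
    for e in prioritise(entries):
        buckets[action_bucket(e)].append(e.ref)
    return buckets


def check_mitigations(entries):
    """Flag rows whose recommended safeguards do not actually lower the risk."""
    issues = []
    for e in entries:
        before = risk_score(e.likelihood, e.severity)
        after = risk_score(e.residual_likelihood, e.residual_severity)
        if after >= before:
            issues.append(f"{e.ref}: residual score {after} is not below current score {before}")
    return issues


# R-001 is the template's own example row; R-002 and R-003 are constructed
# entries for the same kind of app, included only to give the sort something to do.
EXAMPLE_REGISTER = [
    RiskEntry("R-001", "What personal information the app collects",
              "The app will collect more information than is specified in the privacy statement",
              "Greater functionality and monetisation, but users may object and collection may breach law",
              "Business has a clear purpose for the further information but app policy does not reflect it",
              "medium", "moderate",
              "Process to manage clear notification and consent once purposes change",
              "low", "minimal"),
    RiskEntry("R-002", "How long do you keep personal information and why?",
              "No retention period is defined for collected records (constructed example)",
              "Information kept longer than necessary increases the harm if it is exposed",
              "None documented", "high", "serious",
              "Define and enforce a retention period for each record type",
              "medium", "minimal"),
    RiskEntry("R-003", "Telling the individual what you're doing",
              "Privacy statement is hard to find in the app (constructed example)",
              "Users may not understand what is collected", "Statement is published on the website",
              "low", "minimal", "No change proposed", "low", "minimal"),
]


if __name__ == "__main__":
    for e in prioritise(EXAMPLE_REGISTER):
        print(e.ref, risk_level(e.likelihood, e.severity), action_bucket(e))
    print(plan(EXAMPLE_REGISTER))
    for issue in check_mitigations(EXAMPLE_REGISTER):
        print("check:", issue)
```

Running the block prints the register in priority order, the now/soon/later plan, and a check line for R-003, whose recommended action leaves the residual risk exactly where it started. That last check is the useful one in review: a row whose "residual risk remaining" column is not lower than its "residual current risk" column either has no real mitigation or has been rated inconsistently, and either way it deserves a second look before the table is signed off.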
Assessment of potential risks and possible mitigations
| Ref. no. | Purpose of collecting the information | Description of the risk | Rationale and consequences for the agency or individual | Existing controls that contribute to manage risks identified | Assessment of residual current risk | Recommended mitigations or privacy enhancements | Residual risk remaining despite new safeguards |
|---|---|---|---|---|---|---|---|
| | Identify each aspect of the project that raises privacy issues, noting any relevant legal rules and system design needs that you wish to continue to achieve | Describe any vulnerability and the risk identified (that is, that could upset the project) | Explain why this is an issue; the potential adverse impact on individuals (or the agency) and the benefit | Document the systems and safeguards currently in place that act to minimise these identified risks to privacy | Assess the likelihood of the risk eventuating (high, medium or low) and how severe the harm would be with no new protections (serious to minimal) | Include recommendations for how these residual risks can be removed, managed, or mitigated, or further privacy safeguards to ensure the individual is protected | Detail any remaining vulnerabilities in the design that need to be managed. Note risk level (high, medium or low) and the likely severity of harm without any new safeguards. |
EXAMPLE ONLY - See “How to do a PIA” for more information
| Ref. no. | Purpose of collecting the information | Description of the risk | Rationale and consequences for the agency or individual | Existing controls that contribute to manage risks identified | Assessment of residual current risk | Recommended mitigations or privacy enhancements | Residual risk remaining despite new safeguards |
|---|---|---|---|---|---|---|---|
| R-001 | What personal information the app collects | The app will collect more information than is specified in the privacy statement | App will have greater functionality and lead to increased monetisation, but app users may object to collection beyond current privacy policy and collection may breach law | Business has a clear purpose for collecting the further personal information but app policy does not currently reflect it | Medium/Moderate | Put in place a process to manage clear notification and consent for greater collection by app once purposes change | Low / Minimal. Some existing customers may still not realise the change has occurred |
Privacy Impact Assessment – Risk and Mitigation Table
Assessment of potential risks and possible mitigations to reduce or manage adverse effects
| Ref. no. | Purpose of collecting the information | Description of the risk identified | Rationale and consequences for the agency or individual | Existing controls that contribute to manage risks identified | Assessment of residual current risk | Recommended additional actions to reduce or mitigate risk | Residual risk remaining despite new safeguards |
|---|---|---|---|---|---|---|---|

| Ref. no. | Source of personal information | Description of the risk identified | Rationale and consequences for the agency or individual | Existing controls that contribute to manage risks identified | Assessment of residual current risk | Recommended additional actions to reduce or mitigate risk | Residual risk remaining despite new safeguards |
|---|---|---|---|---|---|---|---|
Principle 3: Collection of personal information from the subject
| Ref. no. | Telling the individual what you’re doing | Description of the risk identified | Rationale and consequences for the agency or individual | Existing controls that contribute to manage risks identified | Assessment of residual current risk recognising current measures | Recommended additional actions to reduce or mitigate risk | Residual risk remaining despite new safeguards |
|---|---|---|---|---|---|---|---|

| Ref. no. | How you are collecting personal information | Description of the risk identified | Rationale and consequences for the agency or individual | Existing controls that contribute to manage risks identified | Assessment of residual (current) risk recognising current measures | Recommended additional actions to reduce or mitigate risk | Residual risk remaining despite new safeguards |
|---|---|---|---|---|---|---|---|

| Ref. no. | How you are storing and securing personal information | Description of the risk identified | Rationale and consequences for the agency or individual | Existing controls that contribute to manage risks identified | Assessment of residual (current) risk recognising current measures | Recommended additional actions to reduce or mitigate risk | Residual risk remaining despite new safeguards |
|---|---|---|---|---|---|---|---|
Principles 6 and 7: Access to and correction of information
| Ref. no. | Responding to people’s requests for information about themselves, or requests to correct information about themselves | Description of the risk identified | Rationale and consequences for the agency or individual | Existing controls that contribute to manage risks identified | Assessment of residual (current) risk recognising current measures | Recommended additional actions to reduce or mitigate risk | Residual risk remaining despite new safeguards |
|---|---|---|---|---|---|---|---|

| Ref. no. | What steps do you take to check the accuracy, relevance etc of personal information before you use it? | Description of the risk identified | Rationale and consequences for the agency or individual | Existing controls that contribute to manage risks identified | Assessment of residual (current) risk recognising current measures | Recommended additional actions to reduce or mitigate risk | Residual risk remaining despite new safeguards |
|---|---|---|---|---|---|---|---|
Principle 9: Agency not to keep personal information for longer than necessary
| Ref. no. | How long do you keep personal information and why? | Description of the risk identified | Rationale and consequences for the agency or individual | Existing controls that contribute to manage risks identified | Assessment of residual (current) risk recognising current measures | Recommended additional actions to reduce or mitigate risk | Residual risk remaining despite new safeguards |
|---|---|---|---|---|---|---|---|

| Ref. no. | What are you going to use the personal information for? | Description of the risk identified | Rationale and consequences for the agency or individual | Existing controls that contribute to manage risks identified | Assessment of residual (current) risk recognising current measures | Recommended additional actions to reduce or mitigate risk | Residual risk remaining despite new safeguards |
|---|---|---|---|---|---|---|---|

| Ref. no. | Who are you going to disclose the personal information to (if anyone) and why? | Description of the risk identified | Rationale and consequences for the agency or individual | Existing controls that contribute to manage risks identified | Assessment of residual (current) risk recognising current measures | Recommended additional actions to reduce or mitigate risk | Residual risk remaining despite new safeguards |
|---|---|---|---|---|---|---|---|
Principle 12: Use of Unique Identifiers
| Ref. no. | Why do you need a unique identifier, and are you allowed to use this one? | Description of the risk identified | Rationale and consequences for the agency or individual | Existing controls that contribute to manage risks identified | Assessment of residual (current) risk recognising current measures | Recommended additional actions to reduce or mitigate risk | Residual risk remaining despite new safeguards |
|---|---|---|---|---|---|---|---|