If you’re delivering digital transformation, and haven’t carried out a privacy impact assessment, you may be risking the success of your project.
An example of where things can go wrong, and what you can do about it, is in the finding by the Australian Information Commissioner, against the convenience store 7-Eleven.
7-Eleven, asked customers to complete an in-store survey, using a tablet with a camera. The survey was part of a project implementing systems to understand and improve customers’ experience.
Tablets installed in 700 stores collected customers’ facial images at 2 points during the survey and by March 2021 approximately 1.6 million survey responses had been completed. Facial images were uploaded to a server managed by a third party, as algorithmic representations, or “faceprints”.
The Australian Information Commissioner (OAIC) investigated the activity and found that facial images and faceprints are sensitive biometric information about individuals. OAIC determined that 7-Eleven:
- collected sensitive information in breach of Australian Privacy Principle 3.3, in circumstances where the collection was not reasonably necessary for its functions and activities, and 7-Eleven had not obtained valid consent.
- did not take reasonable steps to notify individuals about the facts and circumstances of collection, or the purpose of collecting their facial images and faceprints through the customer feedback mechanism, in breach of Australian Privacy Principle 5.1.
The OAIC investigation also observed:
- 7-Eleven did not conduct a privacy impact assessment (PIA) in relation to the project, that a PIA would have helped to analyse the possible impacts on individuals’ privacy, and identify options for avoiding, minimising or mitigating adverse privacy impacts,
and - That a PIA would also have assisted in assessing the proportionality of collecting biometrics, for the purpose of understanding customers’ in-store experience.
Where transformation projects involve newer technologies, ie like artificial intelligence (AI), complex privacy issues can occur.
Under the European Union General Data Protection Regulation (GDPR), data protection impact assessments (similar to a PIA) are required for new projects likely to involve a high privacy risk. Data protection impact assessments are mandatory where processing involves large-scale use of sensitive data, systematic and extensive profiling and/or public monitoring.
In the United Kingdom, the privacy regulator’s office has defined other processing operations for which a data protection impact assessment is mandatory; that processing includes the use of AI and “innovative technology”.
The New South Wales Information and Privacy Commission describes a PIA as an important way to address privacy issues throughout a project’s lifecycle and that it can be used to implement ‘privacy by design’. A PIA is also used to assess compliance.
A well developed PIA should be thorough and contain the appropriate level of detail ie the personal information to be collected, how it will be stored, used, disclosed and disposed of.
Conducting a PIA demonstrates the organisation’s commitment to privacy and can build trust with the community, customers, staff, and vendors.
There are comprehensive guides and templates available on OAIC’s website and the Victorian Information Commissioner’s (OVIC) website. The OVIC template contains questions designed to uncover risks in relation to information privacy principles.
You can support the success of your transformation project by analysing privacy risks using a formal privacy impact assessment. Then it’s possible to assess and avoid or mitigate the risks identified, before there’s a privacy breach. Post-project identification of privacy risks can incur unnecessary costs and, in some cases, the actual closure of transformation projects.
So, if you don’t have time to conduct a PIA yourself, or you’re unsure as to whether you need one, contact us on 1300 264 946. Our solutions are designed to support you to manage privacy risks.