Privacy risk and opportunity identification

Post on 19-Jul-2018



Contents

Purpose (page 3)
Background (page 3)
Definitions (page 4)
Further resources (page 4)
Privacy risk management process (page 5)
Privacy risk management roles and responsibilities (page 6)
Risk assessment process (page 7)
Common privacy risks and staff who should be consulted (page 14)


Purpose [1]

This document provides an overview of risk management processes and terminology to assist privacy officers and other privacy staff to:

• Integrate privacy risk management into the wider organisational risk framework

• Effectively work and communicate with the agency’s risk function.

This document will help you identify and evaluate privacy risks and opportunities in a ‘business as usual’ environment.

Background

Privacy risks exist wherever agencies collect, use, share and manage personal information relating to their employees, customers/clients and others. Opportunities will also exist to improve how agencies collect, use, share and manage personal information.

Risk management takes into account both risks and opportunities, and is vital for the appropriate management of personal information. Following a risk management approach will allow your agency to:

• Identify risks, so that they can be proactively managed

• Lessen the impact of an issue once it has occurred

• Prioritise scarce resources (time, people and money) so that areas of greater risk can be dealt with first

• Identify opportunities for improvement.

The process outlined in this document aligns with ISO 31000:2009 (Risk Management – Principles and Guidelines), which is the mandatory risk management standard for all government agencies. The ISO standard provides organisations with guiding principles, a generic framework and a process for managing risk.

[1] This guidance document forms part of a suite of privacy related guidance developed by the Government Chief Privacy Officer. Further guidance on privacy risks and opportunities can be found on the Privacy Leadership Toolkit: https://psi.govt.nz/privacyleadership.


Definitions

Consequence: The outcome of an event affecting objectives or an individual (see also Harm).

Control: A measure to modify risk.

Event: Occurrence of or change in a particular set of circumstances.

Harm: Loss, detriment, damage or injury to an individual (including adverse effect on rights, benefits, privileges, obligations or interests; or significant humiliation, significant loss of dignity, or significant injury to the feelings of that individual).

Likelihood: The chance of something happening that could trigger an event.

Opportunity: The prospect of a favourable situation or outcome, such as improvements in the management of personal information.

Management of personal information: How personal information is collected, stored, accessed and corrected, used, retained and disposed of, as well as checked for accuracy and disclosed.

Privacy risk: Risks associated with the collection, use and management of an agency’s personal information holdings.

Risk: The effect of uncertainty on the achievement of objectives (expressed in terms of likelihood and consequence). Risk is often characterised by reference to potential events and consequences.

Risk management: Principles, frameworks and processes for managing risks effectively.

Further resources

AS/NZS ISO 31000:2009 Risk Management – Principles and guidelines (the joint Australian and New Zealand adoption of ISO 31000:2009): http://www.standards.co.nz/news/standards-information/risk-managment/.

Additional guidance in relation to risk management can be found in the Risk Management Handbook (SA/SNZ HB 436:2013) at the same link as above.

Guidance on undertaking a Privacy Impact Assessment is available from the Office of the Privacy Commissioner: https://www.privacy.org.nz/news-and-publications/guidance-resources/privacy-impact-assessment-handbook.


Privacy risk management process

Identifying and managing privacy risks and opportunities is the key to managing personal information in any agency.

Your agency’s risk framework is likely to be customised for your agency and may differ from frameworks in use elsewhere; however, it will be based on ISO 31000.

To enable privacy officers and other privacy staff to communicate effectively with your risk professionals, this document introduces some of the key concepts in the ISO Standard applied in the context of privacy. The following diagram is based on the risk management process in AS/NZS ISO 31000:2009.

[Diagram: the risk management process, based on AS/NZS ISO 31000:2009]

Establish the context: What personal information does your agency collect/hold? How does privacy fit into your business?

Risk assessment:

  Identify the risk: What potential events could affect the achievement of your business objectives?

  Analyse the risks: What is the nature, likelihood and consequence of the risk? Identify mitigations / design responses.

  Evaluate the risks: What risks or opportunities need to be prioritised?

Treat the risks: How should the risks be managed?

Communication and consultation: Who are the key stakeholders? What business areas own privacy risks?

Monitoring and review: How often will risks and the effectiveness of treatment be reviewed?

Privacy risk management roles and responsibilities

In order to effectively manage privacy risks, you will need to work closely with other business functions in setting up, implementing and monitoring all aspects of privacy risk management.

Privacy risk assessment processes will be most effective when aligned or integrated with your agency’s overall risk management approach including input, cooperation and coordination with other parts of your agency. As the privacy officer, you will have a role in assisting with risk identification and mitigation, but the privacy risks and issues are best owned by the business units who manage them as part of their work.

The extent of your involvement as a privacy officer will depend on the size, complexity and privacy maturity of your agency.

If your agency has an established risk function, you may need to work closely with the staff within it to ensure privacy is considered as part of business as usual within the risk management programme.

If your agency does not have an established risk function, you will be more likely to act as a facilitator and a subject matter expert in support of risk management activities.


Risk assessment process

1. Establish the privacy context

Ask yourself:

• What personal information does your agency collect, use, share and manage, and for what purposes?

• How many individuals does your agency collect information about? (i.e. what is the population coverage of your information holdings?)

• How much personal information does your agency collect and hold about individuals, and how sensitive is that information (e.g. health information)?

• How central is personal information to your business operations and organisational objectives?

• What are your agency’s objectives for privacy (i.e. the management of personal information)? How do these affect (or how are they affected by) other organisational objectives? How important is privacy to your agency?

• How is privacy reflected in your agency’s values, culture and policies?

Consult your agency’s risk staff to obtain guidance on existing risk templates and the policy and risk frameworks within which you should be working, and any existing organisational risks that may be affected by privacy risk.


2. Assess the risk

2.1 Identify the risk

The first step in managing risks is to identify them. Privacy risks are associated with all aspects of managing personal information. Privacy risks can have potential consequences for both the individuals concerned and for agencies. For example, unauthorised access, use and disclosure can have wide ranging impacts on the people your agency serves, and consequently for your agency as well.

The risk identification process can also be used to identify opportunities to improve or enhance how you manage personal information. It allows you to make informed decisions about how to both protect and gain value from the personal information you hold while also considering the interests of individuals.

Ask yourself:

• Do staff in your agency know what ‘inappropriate management of personal information’ is?

• What could cause personal information to be collected or dealt with inappropriately? Examples include:

○ Lack of, or inappropriate, policy / guidance / understanding / processes / resources / technology for those dealing with personal information, across the full information lifecycle (collection, storage, access and correction, use, disclosure, sharing, retention or disposal)

○ Ineffective or inefficient business processes for dealing with personal information

○ Changes in processes or systems

○ Culture within the agency where staff do not see personal information as important to the agency and to individuals (e.g. customers/clients, staff)

○ Personal information holdings have not been properly identified and categorised

○ Lack of assurance processes and procedures for privacy and/or security

○ Opportunities not identified for better use of personal information to deliver services to individuals (e.g. customers/clients, staff).

Note that this is not a comprehensive list and circumstances will be specific to your agency.

• Are there risks to the agency or to individuals from not using personal information appropriately (for example sharing/disclosing information when there is a serious threat to the life or health of an individual)?

• Do any of the risks already identified by your agency include privacy? (Remember, not using personal information, when appropriate, can also raise potential risks. [2])

[2] For example, a health practitioner who doesn’t share a patient’s information as appropriate could compromise an accurate diagnosis of the individual’s health issues.


Use a personal information inventory (identifying the nature, extent, sensitivity, location and format of personal information holdings) to assist with identifying risks related to that personal information. Inventories can indicate the extent to which privacy risk should be on your agency’s radar due to the inherent risk of the personal information holdings (at a strategic or organisation-wide level, as well as reflected in the operational-level risk registers).

Privacy Impact Assessments can provide a comprehensive assessment of privacy risks. Ideally they should be part of the whole lifecycle of any new processes, systems, or projects, or when changes are made to existing ones.

You can also use a Privacy Impact Assessment to identify opportunities for enhancing privacy, by indicating where changes can be made to improve the management of personal information. For example, your agency might be considering moving customer information into a Customer Relationship Management system which has options for more targeted controls for accessing and using the information.

The Office of the Privacy Commissioner has published a useful Privacy Impact Assessment Toolkit: https://www.privacy.org.nz/news-and-publications/guidance-resources/privacy-impact-assessment/.


2.2 Analyse the risk

Having identified your privacy risks you will need to analyse them to understand the possible consequences and the likelihood of each risk occurring.

Your agency will likely have existing definitions of consequence (or impact) and likelihood. Speak with the risk / assurance function in your organisation for guidance on using these.

Ask yourself:

• What is the likelihood that the identified risk will eventuate?

○ Depending on your agency, likelihood might be defined as probability, frequency or a general description of occurrence.

• If the identified risk eventuates and becomes an issue for your agency, how could it affect / impact your agency's objectives, and what consequences could there be to an individual (including harm)?

○ Harm to an individual can include loss, detriment, damage or injury to an individual (including adverse effect on rights, benefits, privileges, obligations or interests; or significant humiliation, significant loss of dignity, or significant injury to the feelings of that individual).

○ Consequences for your agency may include reputational damage and loss of public trust and confidence, additional resources required to mitigate against future risks (e.g. reconfiguration of systems/processes etc.), and possible monetary compensation.

• What information is available to support the answers to these questions? If there’s a lack of information available, it may be that the risk is greater or that further work needs to happen to gather that information (e.g. a Personal Information Inventory).

2.3 Evaluate the risk

Using the likelihood of a risk occurring and the potential consequences to individuals and to your agency, you will need to evaluate the privacy risks and prioritise their treatment. Your agency will have its own risk evaluation methods which can be applied to privacy risks.

3. Treat the risk

Use your agency’s risk criteria to determine the appropriate response to a risk or opportunity. Many agencies will have pre-determined risk criteria that describe who can accept a risk (i.e. determine that nothing further should be done), appropriate risk responses and the priority of implementing responses. Appropriate means of treating a risk will depend on your agency’s risk framework. Common responses include:

• Avoid / eliminate – stop or remove the activity or situation that could cause the risk to occur.

• Mitigate – introduce or modify existing controls that may reduce the consequence or likelihood of the risk.

• Accept – agree to accept the risk and its consequences.

In determining the cost of various responses, it will be useful to also consider the cost of remedying any harm caused to individuals.

Contracting out services is not a risk treatment, as your agency will remain responsible and accountable for how personal information is managed.

4. Monitor and review

It will be important to regularly monitor and review your privacy risks and treatments. The consequences and/or likelihood of privacy risks may change over time depending on factors both internal and external to your agency. The effectiveness of controls and treatments of the risks may also change over time, and you may need to reconsider risks which were previously accepted.

The governance and processes around your agency’s risk frameworks will likely include regular reporting to senior management.

The success of a risk management process can depend on how well actions are monitored, followed up and updated. Risk assessments should be updated in response to the effectiveness of a treatment action, and when other factors (either internal or external to the agency) change.

5. Communicate and consult

The communication process forms an important way of raising awareness within your agency of the risks associated with collecting, using, storing, accessing and sharing information.

Regular and continuous consultation is essential in ensuring the context and nature of the risk is understood by staff who are responsible for managing these risks.

Common privacy risks and staff who should be consulted

Below are examples of common privacy risks as well as examples of staff in your agency you may want to communicate and consult with.

For each entry, “Risk” gives an example of a common privacy risk or risk trigger, and “Consult” gives examples of who should be communicated with during risk identification, reporting and management.

Risk: Staff do not understand their responsibilities and the actions they need to take to mitigate privacy risks.
Consult: Risk team; Managers of staff who deal with personal information; Learning & Development; Front-line staff (those dealing with customers); HR

Risk: Management does not fully understand where personal information is stored and processed.
Consult: Information management team; Front-line/operational staff (those dealing with customers and processes/systems for management of personal information); Managers of staff who deal with personal information; Information Technology; Records Management

Risk: Privacy risks associated with changes to the organisation, including process or system changes, are not adequately considered.
Consult: Risk team; Project / programme office; Information Technology; HR, in respect of changes in people resources

Risk: Personal information is retained longer than is necessary for the business purpose.
Consult: Risk team; Records management; Information management

Risk: Employees and third parties are unaware of how they can appropriately collect, use, retain, share and dispose of personal information.
Consult: Risk team; Records management; Information management; Procurement; Contract managers; Internal audit; HR

Risk: Personal information is disclosed to other parties, or used/processed for purposes to which the individual has not consented.
Consult: Risk team; Front-line staff; Managers of staff who deal with personal information; Internal audit; Legal team


Risk: Privacy-related enquiries are not responded to thoroughly, in an accurate and timely manner.
Consult: Risk team; Front-line staff; Managers of staff who deal with personal information; Team/individuals who deal with privacy-related queries; Legal team

Risk: Personal information is not adequately secured from accidental errors or loss, or from malicious acts such as hacking or deliberate theft, disclosure or loss.
Consult: Risk team; Information technology; Security team; Project / programme management; Front-line staff

Risk: The agency’s personal information is handled inappropriately by third parties.
Consult: Risk team; Third parties; Procurement; Contract managers; Assurance, if assurance is undertaken over third parties’ practices; Contract “owners”; Legal team

Risk: Privacy processes and controls do not operate as intended.
Consult: Risk team; Internal audit; Front-line staff; Managers of staff who deal with personal information

Risk: Privacy-related incidents are not responded to appropriately.
Consult: Risk team; Front-line staff; Managers of staff who deal with personal information; Security team; HR, in respect of possible breaches of the code of conduct; Legal team

Risk: The agency does not learn from patterns of privacy-related incidents.
Consult: Risk team; Business improvement; Managers of staff who deal with personal information; HR; Senior leadership