Template 3 Risk and Mitigation Table Updated A817634

TEMPLATE – RISK AND MITIGATION TABLE
This risk and mitigation table aims to help you to identify, describe and manage potential
privacy risks involved in your project.

Prioritising risks

A risk and mitigation table helps you to prioritise risks according to how likely it is that threats
to privacy will materialise, and to gauge the severity of their potential impacts. You can then
decide which controls are most needed.

This exercise will help you sort out what you should do now, what you should do soon, and
what you could do later if resources allow it.

Identifying safeguards

You may be able to identify areas in which adding privacy safeguards will help your project
or organisation to function more efficiently and win greater trust from your clients. The
appropriate use of privacy-enhancing tools and technologies may help to reduce the
potential adverse effects of your initiative on privacy in a number of ways, and may reduce or
eliminate the need for other safeguards.

See some common examples of privacy risks in the “How to do a PIA” guidance on
our website.

How this table is organised


This risk/mitigation table uses the privacy principles in the Privacy Act as a framework for
working through the whole lifecycle of the personal information. Listing the risks you have
identified in an orderly way, principle by principle, helps you make sure you’ve covered all
the bases.

The table includes eight different categories:

- Reference number: Listing each risk with a separate reference number lets you record separate decisions about separate matters, and it will translate readily into your action plan. It also provides a useful short-hand reference for this particular risk in other supporting paperwork or discussions. Proposed safeguards and mitigations can also be numbered for ease of reference later on.
- Aspects of information management: Identify each separate information-management aspect or phase that the project involves (such as collection, retention and disclosure).
- Description of risk: Identify each vulnerability (in the project’s current design) relating to that aspect of information management – for example, new information requirements, system design needs that underpin the initiative, or other design decisions that could upset the project if not properly addressed.
- Rationale and consequences: Why do these things matter – how could individuals or the agency be harmed? Also note where there are benefits that you want to maximise or ensure are maintained.
- Existing controls: What current safeguards will help to minimise or manage the risks identified?
- Residual current risk: If the system is unchanged, what is the level of the risk?
- Recommended mitigations or enhancements: What additional measures can be used to remove, manage or mitigate the residual risk, or to enhance privacy safeguards?
- Residual risk remaining: What risk will remain even if new safeguards are put in place?

Adapt this template to your needs


Adapt this risk mitigation template to suit your own purposes. You can use the template in a
variety of ways. You can either include it in the PIA report, or you can cut and paste
information from it to suit your own report style. It can double as a “privacy risk register” for
your project, which you can then refer to as the project develops. You can produce new
versions as proposals develop over time.

You may also wish to include a summary of each column of the table as an introduction for
people reading your risk and mitigation table, to help them understand the different
components.

Assessment of potential risks and possible mitigations

Principle 1: Purpose of collection of personal information

Column headings, with guidance on what to enter under each:

Ref. no.

Purpose of collecting the information: Identify each aspect of the project that raises privacy issues, noting any relevant legal rules and system design needs.

Description of the risk: Describe any vulnerability and the risk identified (that is, anything that could upset the project).

Rationale and consequences for the agency or individual: Explain why this is an issue; the potential adverse impact on individuals (or the agency) and the benefit that you wish to continue to achieve.

Existing controls that contribute to manage risks identified: Document the systems and safeguards currently in place that act to minimise these identified risks.

Assessment of residual current risk: Assess the likelihood of the risk eventuating (high, medium or low) and how severe the harm would be with no new protections (serious to minimal).

Recommended mitigations or privacy enhancements: Include recommendations for how these residual risks can be removed, managed or mitigated, or further privacy safeguards to ensure the individual is protected.

EXAMPLE ONLY – See “How to do a PIA” for more information

Ref. no.: R-001

Purpose of collecting the information: What personal information the app collects

Description of the risk: The app will collect more information than is specified in the privacy statement

Rationale and consequences for the agency or individual: App will have greater functionality and lead to increased monetisation, but app users may object to collection beyond current privacy policy and collection may breach law

Existing controls that contribute to manage risks identified: Business has a clear purpose for collecting the further personal information but app policy does not currently reflect it

Assessment of residual current risk: Medium/Moderate

Recommended mitigations or privacy enhancements: Put in place a process to manage clear notification and consent for greater collection by app once purposes change

Privacy Impact Assessment – Risk and Mitigation Table

[Insert a PROJECT TITLE or description of your project or proposal here]

Note: See “Privacy Risks and Mitigations – Examples” to help you complete this table

Assessment of potential risks and possible mitigations to reduce or manage ad


Each principle below uses the same columns: Ref. no.; the principle’s prompt (given under each principle heading); Description of the risk identified; Rationale and consequences for the agency or individual; Existing controls that contribute to manage risks identified; Assessment of residual (current) risk, recognising current measures; Recommended additional mitigations to reduce risk.

Principle 1: Purpose of collection of personal information
Prompt: Purpose of collecting the information

Principle 2: Source of personal information
Prompt: Source of personal information

Principle 3: Collection of personal information from the subject
Prompt: Telling the individual what you’re doing

Principle 4: Manner of collection of personal information
Prompt: How you are collecting personal information

Principle 5: Storage and security of personal information
Prompt: How you are storing and securing personal information

Principles 6 and 7: Access to and correction of information
Prompt: Responding to people’s requests for information about themselves, or requests to correct information about themselves

Principle 8: Accuracy etc. of personal information to be checked before use
Prompt: What steps do you take to check the accuracy, relevance etc. of personal information before you use it?

Principle 9: Agency not to keep personal information for longer than necessary
Prompt: How long do you keep personal information and why?

Principle 10: Use of information
Prompt: What are you going to use the personal information for?

Principle 11: Disclosure of information
Prompt: Who are you going to disclose the personal information to (if anyone) and why?

Principle 12: Cross-border disclosure of information
Prompt: Are you sending personal information overseas and is the information going to be adequately protected?

Principle 13: Use of unique identifiers
Prompt: Why do you need a unique identifier, and are you allowed to use this one?