Privacy risk and opportunity identification
Purpose
Background
Definitions
Further resources
Privacy risk management process
Privacy risk management roles and responsibilities
Risk assessment process
Common privacy risks and staff who should be consulted
Purpose [1]
This document provides an overview of risk management processes and terminology to
assist privacy officers and other privacy staff to:
• Integrate privacy risk management into the wider organisational risk framework
• Effectively work and communicate with the agency’s risk function.
This document will help you identify and evaluate privacy risks and opportunities in a
‘business as usual’ environment.
Background
Privacy risks exist wherever agencies collect, use, share and manage personal information
relating to their employees, customers/clients and others. Opportunities will also exist to
improve how agencies collect, use, share and manage personal information.
Risk management takes into account both risks and opportunities, and is vital for the
appropriate management of personal information. Following a risk management approach
will allow your agency to:
• Identify risks, meaning these can then be proactively managed
• Lessen the impact of an issue once it has occurred
• Prioritise scarce resources (time, people and money) so that areas of greater risk
  can be dealt with first
• Identify opportunities for improvement.
The process outlined in this document aligns with ISO 31000:2009 (Risk Management –
Principles and Guidelines), which is the mandatory risk management standard for all
government agencies. The ISO standard provides organisations with guiding principles, a
generic framework and a process for managing risk.
[1] This guidance document forms part of a suite of privacy related guidance developed by the
Government Chief Privacy Officer. Further guidance on privacy risks and opportunities can be found
on the Privacy Leadership Toolkit: https://psi.govt.nz/privacyleadership.
Definitions
Term: Definition

Consequence: The outcome of an event affecting objectives or an individual (see also Harm).

Control: A measure to modify risk.

Event: Occurrence of or change in a particular set of circumstances.

Harm: Loss, detriment, damage or injury to an individual (including adverse effect on rights,
benefits, privileges, obligations or interests; or significant humiliation, significant loss of
dignity, or significant injury to the feelings of that individual).

Likelihood: The chance of something happening that could trigger an event.

Opportunity: The prospect of a favourable situation or outcome, such as improvements in the
management of personal information.

Management of personal information: How personal information is collected, stored, accessed
and corrected, used, retained and disposed of, as well as checked for accuracy and disclosed.

Privacy Risk: Risks associated with the collection, use and management of an agency’s personal
information holdings.

Risk: The effect of uncertainty on the achievement of objectives (expressed in terms of
likelihood and consequence). Risk is often characterised by reference to potential events and
consequences.

Risk Management: Principles, frameworks and processes for managing risks effectively.
Further resources
AS/NZS ISO 31000:2009 Risk Management – Principles and guidelines (the joint Australian
and New Zealand adoption of ISO 31000:2009):
http://www.standards.co.nz/news/standards-information/risk-managment/.
Additional guidance in relation to risk management can be found in the Risk Management
Handbook (SA/SNZ HB 436:2013) at the same link as above.
Guidance on undertaking a Privacy Impact Assessment is available from the Office of the
Privacy Commissioner: https://www.privacy.org.nz/news-and-publications/guidanceresources/privacy-impact-assessment-handbook.
Privacy risk management process
Identifying and managing privacy risks and opportunities is the key to managing personal
information in any agency.
Your agency’s risk framework is likely to be customised for your agency, and may be
different to frameworks in use elsewhere; however the framework will be based on ISO
31000.
To enable privacy officers and other privacy staff to communicate effectively with your risk
professionals, this document introduces some of the key concepts in the ISO Standard
applied in the context of privacy. The following outline (presented as a diagram in the
original document) is based on the risk management process in AS/NZS ISO 31000:2009.

Establish the context
• What personal information does your agency collect/hold?
• How does privacy fit into your business?

Risk Assessment
Identify the risk
• What potential events could affect the achievement of your business objectives?
Analyse the risks
• What is the nature, likelihood and consequence of the risk?
• Identify mitigations / design responses
Evaluate the risks
• What risks or opportunities need to be prioritised?

Treat the risks
• How should the risks be managed?

Running alongside each of the steps above:
Communication and Consultation
• Who are the key stakeholders?
• What business areas own privacy risks?
Monitoring and Review
• How often will risks and effectiveness of treatment be reviewed?
Privacy risk management roles and responsibilities
In order to effectively manage privacy risks, you will need to work closely with other
business functions in setting up, implementing and monitoring all aspects of privacy risk
management.
Privacy risk assessment processes will be most effective when aligned or integrated with
your agency’s overall risk management approach including input, cooperation and
coordination with other parts of your agency. As the privacy officer, you will have a role in
assisting with risk identification and mitigation, but the privacy risks and issues are best
owned by the business units who manage them as part of their work.
The extent of your involvement as a privacy officer will depend on the size, complexity and
privacy maturity of your agency.
If your agency has an established risk function, you may need to work closely with the staff
within it to ensure privacy is considered as part of business as usual within the risk
management programme.
If your agency does not have an established risk function, you will be more likely to act as a
facilitator and a subject matter expert in support of risk management activities.
Risk assessment process
1. Establish the privacy context
Ask yourself:
• What personal information does your agency collect, use, share and manage, and for
  what purposes?
• How many individuals does your agency collect information about? (i.e. what is the
  population coverage of your information holdings?)
• How much personal information does your agency collect etc. about individuals, and how
  sensitive in nature is that information (e.g. health information)?
• How key is personal information to your business operations and organisational
  objectives?
• What are your agency’s objectives for privacy (i.e. the management of personal
  information)? How do these affect (or are affected by) other organisational objectives?
  How important is privacy to your agency?
• How is privacy reflected in your agency’s values, culture and policies?
Consult your agency’s risk staff to obtain guidance on existing risk templates and
the policy and risk frameworks within which you should be working, and any existing
organisational risks that may be affected by privacy risk.
2. Assess the risk
2.1 Identify the risk
The first step in managing risks is to identify them. Privacy risks are associated with all
aspects of managing personal information. Privacy risks can have potential consequences for
both the individuals concerned and for agencies. For example, unauthorised access, use and
disclosure can have wide ranging impacts on the people your agency serves, and
consequently for your agency as well.
The risk identification process can also be used to identify opportunities to improve or
enhance how you manage personal information. It allows you to make informed decisions
about how to both protect and gain value from the personal information you hold while also
considering the interests of individuals.
Ask yourself:
• Do staff in your agency know what ‘inappropriate management of personal information’
  is?
• What could cause personal information to be collected or dealt with inappropriately?
  Examples include:
  ○ Lack of, or inappropriate, policy / guidance / understanding / processes / resources /
    technology for those dealing with personal information, across the full information
    lifecycle (collection, storage, access and correction, use, disclosure, sharing,
    retention or disposal)
  ○ Ineffective or inefficient business processes for dealing with personal information
  ○ Changes in processes or systems
  ○ Culture within the agency where staff do not see personal information as important
    to the agency and to individuals (e.g. customers/clients, staff)
  ○ Personal information holdings have not been properly identified and categorised
  ○ Lack of assurance processes and procedures for privacy and/or security
  ○ Opportunities not identified for better use of personal information to deliver services
    to individuals (e.g. customers/clients, staff).
  Note that this is not a comprehensive list and circumstances will be specific to your
  agency.
• Are there risks to the agency or to individuals from not using personal information
  appropriately (for example sharing/disclosing information when there is a serious threat
  to the life or health of an individual)?
• Do any of the risks already identified by your agency include privacy? (Remember, not
  using personal information, when appropriate, can also raise potential risks. [2])

[2] For example, a health practitioner who doesn’t share a patient’s information as appropriate
could compromise an accurate diagnosis of the individual’s health issues.
Use a personal information inventory (identifying the nature, extent, sensitivity, location
and format of personal information holdings) to assist with identifying risks related to that
personal information. Inventories can indicate the extent to which privacy risk should be on
your agency’s radar due to the inherent risk of the personal information holdings (at a
strategic or organisation-wide level, as well as reflected in the operational-level risk
registers).

Privacy Impact Assessments can provide a comprehensive assessment of privacy risks.
Ideally they should be part of the whole lifecycle of any new processes, systems, or
projects, or when changes are made to existing ones.

You can also use a Privacy Impact Assessment to identify opportunities for enhancing privacy
through indicating where changes can be made to improve the management of personal
information. For example, your agency might be considering moving customer information into
a Customer Relationship Management system which has options for more targeted controls for
accessing and using the information.

The Office of the Privacy Commissioner has published a useful Privacy Impact Assessment Toolkit:
https://www.privacy.org.nz/news-and-publications/guidance-resources/privacy-impactassessment/.
2.2 Analyse the risk
Having identified your privacy risks you will need to analyse them to understand the possible
consequences and the likelihood of each risk occurring.
Your agency will likely have existing definitions of consequence (or impact) and likelihood.
Speak with the risk / assurance function in your organisation for guidance on using these.
Ask yourself:
• What is the likelihood that the identified risk will eventuate?
  ○ Depending on your agency, likelihood might be defined as probability, frequency or a
    general description of occurrence.
• If the identified risk eventuates and becomes an issue for your agency how could it affect
  / impact your agency's objectives and what consequences could there be to an individual
  (including harm)?
  ○ Harm to an individual can include loss, detriment, damage or injury to an individual
    (including adverse effect on rights, benefits, privileges, obligations or interests; or
    significant humiliation, significant loss of dignity, or significant injury to the feelings of
    that individual).
  ○ Consequences for your agency may include reputational damage and loss of public
    trust and confidence, additional resources required to mitigate against future risks
    (e.g. reconfiguration of systems/processes etc.), and possible monetary
    compensation.
• What information is available to support the answers to these questions? If there’s a lack
  of information available, it may be that the risk is greater or that further work needs to
  happen to gather that information (e.g. a Personal Information Inventory).
2.3 Evaluate the risk
Using the likelihood of a risk occurring and the potential consequences to individuals and to
your agency, you will need to evaluate the privacy risks and prioritise their treatment. Your
agency will have its own risk evaluation methods which can be applied to privacy risks.
3. Treat the risk
Use your agency’s risk criteria to determine the appropriate response to a risk or
opportunity. Many agencies will have pre-determined risk criteria that describe who can
accept a risk (i.e. determine that nothing further should be done), appropriate risk responses
and the priority of implementing responses. Appropriate means of treating a risk will depend
on your agency’s risk framework. Common responses include:
• Avoid / eliminate – stop or remove the activity or situation that could cause the
  risk to occur.
• Mitigate – introduce or modify existing controls that may reduce the consequence
  or likelihood of the risk.
• Accept – agree to accept the risk and its consequences.
In determining the cost of various responses, it will be useful to also consider the cost of
remedying any harm caused to individuals.
Contracting out services is not a risk treatment, as your agency will remain responsible and
accountable for how personal information is managed.
4. Monitor and review
It will be important to regularly monitor and review your privacy risks and treatments. The
consequences and/or likelihood of privacy risks may change over time depending on factors
both internal and external to your agency. The effectiveness of controls and treatments of
the risks may also change over time and you may need to reconsider risks which were
previously accepted.
The governance and processes around your agency’s risk frameworks will likely include
regular reporting to senior management.
The success of a risk management process can depend on how well actions are monitored,
followed up and updated. Risk assessments should be updated in response to the
effectiveness of a treatment action, and when other factors (either internal or external to
the agency) change.
5. Communicate and consult
The communication process forms an important way of raising awareness within your
agency of the risks associated with collecting, using, storing, accessing and sharing
information.
Regular and continuous consultation is essential in ensuring the context and nature of the
risk is understood by staff who are responsible for managing these risks.
Common privacy risks and staff who should be consulted
Below are examples of common privacy risks as well as examples of staff in your agency you
may want to communicate and consult with. Each example of a common privacy risk or risk
trigger is followed by examples of who should be communicated with during risk
identification, reporting and management.

Risk: Staff do not understand their responsibilities and the actions they need to take to
mitigate privacy risks.
Consult with:
• Risk team
• Managers of staff who deal with personal information
• Learning & Development
• Front-line staff (those dealing with customers)
• HR

Risk: Management does not fully understand where personal information is stored and
processed.
Consult with:
• Information management team
• Front-line/operational staff (those dealing with customers and processes/systems for
  management of personal information)
• Managers of staff who deal with personal information
• Information Technology
• Records Management

Risk: Privacy risks associated with changes to the organisation, including process or system
changes, are not adequately considered.
Consult with:
• Risk team
• Project / programme office
• Information Technology
• HR, in respect of changes in people resources

Risk: Personal information is retained longer than is necessary for the business purpose.
Consult with:
• Risk team
• Records management
• Information management

Risk: Employees and third parties are unaware of how they can appropriately collect, use,
retain, share and dispose of personal information.
Consult with:
• Risk team
• Records management
• Information management
• Procurement
• Contract managers
• Internal audit
• HR

Risk: Personal information is disclosed to other parties, or used/processed for purposes to
which the individual has not consented.
Consult with:
• Risk team
• Front-line staff
• Managers of staff who deal with personal information
• Internal audit
• Legal team

Risk: Privacy-related enquiries are not responded to thoroughly, in an accurate and timely
manner.
Consult with:
• Risk team
• Front-line staff
• Managers of staff who deal with personal information
• Team/individuals who deal with privacy-related queries
• Legal team

Risk: Personal information is not adequately secured from accidental errors or loss, or from
malicious acts such as hacking or deliberate theft, disclosure or loss.
Consult with:
• Risk team
• Information technology
• Security team
• Project / programme management
• Front-line staff

Risk: The agency’s personal information is handled inappropriately by third parties.
Consult with:
• Risk team
• Third parties
• Procurement
• Contract managers
• Assurance, if assurance is undertaken over third parties’ practices
• Contract “owners”
• Legal team

Risk: Privacy processes and controls do not operate as intended.
Consult with:
• Risk team
• Internal audit
• Front-line staff
• Managers of staff who deal with personal information

Risk: Privacy-related incidents are not responded to appropriately.
Consult with:
• Risk team
• Front-line staff
• Managers of staff who deal with personal information
• Security team
• HR, in respect of possible breaches of the code of conduct
• Legal team

Risk: The agency does not learn from patterns of privacy-related incidents.
Consult with:
• Risk team
• Business improvement
• Managers of staff who deal with personal information
• HR
• Senior leadership