What is a Privacy Impact Assessment
Privacy is often confused with confidentiality or secrecy. However, privacy considerations are much broader than just ensuring information is not disclosed without authority. Privacy impacts can occur any time ‘Personal Information’ is collected, stored, processed, or disclosed. (Personal Information means any information about an identified individual, or an individual who is reasonably identifiable.)
The Australian Privacy Principles (APP) apply across the life cycle of Personal Information as it is collected by an organisation, held, processed, and eventually disposed of. Each point in the information life cycle can pose challenges and risks. Privacy risks can arise at any point in the life cycle of the Personal Information and can result from internal or external sources. Our privacy services are designed to pragmatically bolster your ability to prevent, and respond to, privacy risks and legal obligations effectively and efficiently.
A PIA report should describe and de-mystify the initiative, identify and analyse the privacy implications, and make clear recommendations, in plain English, for minimising privacy risks while maximising data utility, ensuring your business objectives are met. We report conformity to the APPs on a three-point scale, outlined below:
- Privacy risk management activities conform to the APPs and applicable privacy laws.
- Activities are partially compliant with the APPs or applicable privacy laws, with some non-conformity identified.
- Activities are wholly or materially not compliant with the APPs or applicable laws.
A Privacy Impact Assessment can also be scoped to include exposure and impacts arising under foreign privacy regimes such as the EU General Data Protection Regulation (GDPR) and to cover international data transfer risks through a Transfer Impact Assessment (TIA).
The engagement workflow will follow a defined process outlined below:
Our team begins each engagement by gaining a deep understanding of your organisational structure, people, processes, technologies, and privacy obligations.
Understanding the strengths and weaknesses of your current privacy management practices in terms of related business activities is critical. To achieve this objective, our team will conduct interviews with your key personnel and collect copies of your current cyber and privacy policies.
Our privacy lawyers will assess your current privacy notices, uses of personally identifiable information, storage and security infrastructure, disclosures, and ability to respond efficiently to privacy enquiries and complaints, navigating key response activities and identifying strengths, weaknesses, and areas for improvement.
We will review your existing privacy policies, applicable legislation, regulatory environment, and your existing workflows from data collection through de-identification and destruction.
The report will be distributed to you and then discussed in an in-depth workshop, up to 2 hours in length.
If additional information is needed, a second-round 1-hour workshop may be scheduled, free of charge, within 10 business days of the first-round workshop.
You are welcome to invite any relevant personnel or external parties, such as IT providers, to attend these workshops at your discretion.
Following completion of the workshops, we will provide a discounted proposal for any additional services or assistance you may require to implement the recommendations.
Get a no obligation consultation
At Albrecht Burrows, we understand the complexity and urgency of cyber and privacy risks facing businesses today. Get a no-obligation consultation with our experts to better understand how your business can increase its resilience to cyber and privacy threats and regulatory risks. Our team of experienced multidisciplinary professionals will work closely with you to create personalised risk management solutions tailored to your business' unique needs and budget. Don't wait until it's too late – schedule your no-obligation consultation today and take proactive steps towards protecting your business from cyber threats and privacy breaches.
"AB is an outstanding firm that delivers practical and innovative solutions for our business. Their experienced lawyers take a strategic and proactive approach while always trying to minimise costs - plus they explain scenarios in plain English so we know exactly what the outcomes might be."
Murray Liston
Managing Director, Civic MJD
Meet the Team
Our cyber and privacy services are delivered by our team of highly qualified professionals with decades of experience across all areas of cyber security and law, as well as law enforcement, artificial intelligence, privacy and data protection, risk management, business resilience, disaster recovery, crisis management, insurance and more.
James A. Cole
Partner | Head of Cyber & Privacy
My passion is helping our clients to implement holistic and commercial technology, privacy, and governance strategies that are aligned to their business objectives and risk appetite. I enjoy holistically applying my expertise across technology, business, and law enabling me to get to the heart of the issues and achieve positive, long-term results for clients.
James has spent more than two decades specialising in information security, strategic operations, and Governance, Risk & Compliance helping businesses and government seamlessly integrate privacy, technology, security, and compliance with business objectives.
James’ success as a computer scientist and lawyer has been centred on his core belief that privacy, security, and compliance do not have to be onerous activities that hinder business.
James’ expertise is wide ranging on every axis. He has advised organisations across both private and public sectors, as well as a broad range of industries including financial services, insurance, technology, healthcare, and government.
His advice spans across:
- international commercial expansions and regulatory compliance
- international privacy regimes including GDPR, CCPA, HIPAA, PIPEDA, UK PECR, ePrivacy Directive
- Access to Information / Freedom of Information
- multi-jurisdictional privacy and data protection
- artificial intelligence (AI) and facial recognition technology including ISO 42001
- cyber resiliency and preparation & prevention of cybercrime
- cyber governance, risk and compliance including ISO 27001 & NIST 800-53
- contractual liability in cyber & technology, and privacy & data protection
- misleading and deceptive conduct in financial services including AFSL compliance and breach investigation & reporting
- data breach incident response and remediation
Academic Credentials
- Bachelor of Laws (Honours) - Queensland University of Technology
- Bachelor of Computer Science - University of Calgary
- Bachelor of Arts (English Literature and Philosophy) - Trent University
- Postgraduate Studies (Law) - University of British Columbia
- Diploma in Insurance Law - Law Society of Ireland
- Masters of International Security Studies (Distinction) - Macquarie University
- Masters of Policing, Intelligence & Counter Terrorism (Distinction) - Macquarie University
Certifications
- Certified Information Privacy Professional / Europe (CIPP/E) - International Association of Privacy Professionals (IAPP)
- Certified Information Privacy Manager (CIPM) - International Association of Privacy Professionals (IAPP)
- Certificate in Data Protection Practice - Law Society of Ireland
- Certificate in General Data Protection Regulation (GDPR) - Law Society of Ireland
- Security+, Computer Technology Industry Association (CompTIA)
- Canadian Securities Course (CSC) - Canadian Securities Institute
- Australia - New South Wales - Lawyer
- Australia - High Court of Australia - Solicitor
- New Zealand - Barrister and Solicitor (inactive)
- England & Wales - Registered Foreign Lawyer
- Privacy and Data Protection
- Cyber and Technology
- Insurance
- Artificial intelligence (AI)
- International Private
- Corporate and Commercial
- Administrative and Regulatory
2024
- Member of Law Society of NSW Taskforce on AI & other tools and trends shaping the legal profession
2023
- UNSW Edge Seminar - Cyber Security & Data Breaches: the new governance frontier
- Gartner Security & Risk Summit - CISO Masterclass on the Ins & Outs of Cyber Insurance
- AISA CyberCon Canberra - Ask an Expert - Ask a cyber insurance breach coach about prevention and incident response planning
2022
- Tenable on Tour - Managing data risks and the role of legal teams
- Law Society of NSW Annual Conference - The value of data, what you can do with it and what you can't (Moderator)
- Young Lawyers Criminal Law Sub-Committee, Law Society of NSW - The challenges of responding to cybercrime
- Albrecht Burrows & Law Squared webinar - Privacy: a whole of enterprise risk
- Law Society of NSW CPD webinar - Risk management as a strategic business tool: why legal is so much more than a dustpan and brush
2021
- Pemba Capital Partners Lunch and Learn - Cybersecurity in financial services
Mark Anderson
Legal Consultant, Lawyer (NZ)
Managing risk with both technical precision and pragmatism is critical in the modern environment. Properly understanding your business needs and then delivering that advice together with integrity, trust and loyalty are fundamental to ensuring your most optimal outcomes.
Mark is a highly awarded legal risk adviser and barrister to New Zealand and international business, governmental entities and public bodies. He has more than 20 years' experience advising on risk, including cyber risks and breach responses, technology contract liability, security and governance, health and safety, environmental, competition and other regulatory investigations.
He has provided incident response advice globally to clients in need, including those in Europe, Australia, New Zealand and across APAC, after developing global incident response panels drawing together legal, IT, Forensic and PR professions to manage cyber crises. He has managed some of the highest profile cyber breaches in Australasia.
Mark is a trusted leader with a high level of integrity, professionalism, and discretion. An exceptional strategist committed to minimising current and perceived risks while providing innovative, future focused and pragmatic legal strategies to achieve your objectives.
Recognised by peers for tenacity and a proven ability to direct technology and cyber risk/data breach incident responses, regulatory notifications, and insurance operations during business interruptions following a cyber incident. Mark has been ranked as a leading lawyer in the Legal 500 (2020 & 2021) and a top lawyer in privacy by Best Lawyers (2017-2023).
LLB (Otago University)
BA (Hons - International Relations & Politics)
- New Zealand - Barrister and Solicitor. Currently registered Barrister
Technology
Cyber Incident Response
Privacy
Insurance
Litigation
Board Risk and Governance Advisory
Administrative and Regulatory
Regulatory Investigation Response
Aviation and Marine Risks
Health and Safety
Environmental / Climate Change Risk
Data subject rights: The real risk of privacy and security for business 2022
Ransomware - the mechanics of ransom payments - Seminar Insurance industry 2021
The Globalisation of Privacy Breach Law – European developments and impact on Australasia - New Zealand Insurance Law Association – March 2020.
Cyber, conflict and cover: time for a re-think? 2018 Seminar and publication
Connected and Autonomous Vehicles: The future? Oral and written evidence 2016
Case Study
Mapping Privacy Compliance across a Government Agency
A Commonwealth Agency was undergoing substantial IT modernisation projects that included changing the manner in which they collect, process, store, and disclose personally identifiable information.
They were concerned about potential compliance issues that might arise under the privacy laws and needed to conduct a Privacy Impact Assessment of the business processes and third-party SaaS applications that were being deployed as part of their IT modernisation program.
We were engaged to provide privacy and data protection services including:
- Review of the SaaS infrastructure design considering applicable privacy laws.
- Review of SaaS contracts with a large, international IT vendor for compliance with privacy laws and data protection best practice.
- Draft updates to privacy policies and notices reflecting changes to IT infrastructure and business processes impacting on privacy-related information.
- Conduct a Privacy Impact Assessment covering the end-to-end lifecycle of the personally identifiable information, and sensitive data, across the Agency's environment covering business processes and IT systems.
- Advise legal, risk, and IT teams on privacy compliance issues and best practice and assist the IT modernisation project team leaders on changes to systems structure and deployment to align with privacy compliance obligations under the APPs.
We helped the client successfully navigate the complexities of data protection and privacy laws as they apply to complex SaaS applications utilised across the Agency minimising their overall privacy and data protection risks.
We produced a comprehensive Privacy Impact Assessment allowing the Agency to comply with their obligations under the Privacy Act and the Commonwealth Privacy Code. The PIA gave the Agency, other Government Departments & Agencies, and the general public assurance that privacy is taken seriously and considered as a part of the Agency-wide risk management program.
- Privacy and Data Protection Advising
- Privacy Impact Assessment (PIA)
- Privacy Contract Review
- Privacy-by-Design Advising
Data breach emergencies
If you have experienced a data breach, whether through unintentional employee errors, employee data theft, or a cyber-attack, the first 48 hours are crucial. So don’t waste any time, just get in touch.
Reach out, day or night.
If you don’t reach us straight away, we will get in touch ASAP!
Email us on [email protected]
Breach emergency Line: 02 8318 5980
Smart Commercial Lawyers
Delivering emotionally intelligent legal solutions
ablaw.com.au | [email protected]
Reception 02 8014 2511
Level 12, 111 Elizabeth Street
Sydney NSW 2000
Level 11, 456 Lonsdale Street
Melbourne VIC 3000
Rahiri Chambers
Level 10, Britomart Place
Auckland CBD