Privacy impact assessments (PIAs) are a way of measuring the privacy impacts of a program across its lifecycle. A PIA was conducted in 2020 for the Lumos program by Salinger Privacy, a firm that specialises in evaluating privacy.
Salinger Privacy carried out a detailed assessment of privacy and security protections in the Lumos program including assessing the data extraction, linkage, storage, governance and communications processes. During the extensive evaluation process, Lumos team members and external partners were interviewed, project documentation and data flows were examined, and the program was assessed in relation to relevant privacy laws.
Salinger Privacy provided a report of its findings, which identified any potential risks in the Lumos program, to the Lumos team and Data Governance Committee. Mitigation strategies for each risk were recommended based on best practice and relevant legislation.
The review commended the Lumos program's privacy impacts. Here are some excerpts:
"We believe that the Lumos program deserves to enjoy a high degree of social licence, given the significant public benefits expected to accrue from the operationalisation of insights derived from the Lumos Data Asset, and the very low privacy risks posed to individual patients."
"We also note that the Lumos program has the potential to have positive impacts on individuals' privacy, to the extent that its use of innovative privacy-preserving linkage techniques such as bloom filters could drive the broader uptake of such practices within the medical software sector."
"In our view, the Lumos program has been well designed to protect patient privacy to a very high degree, and does not give rise to any likely negative impacts on individuals during the data extraction, data linkage or data analysis stages." Anna Johnston, Principal of Salinger Privacy and former NSW Deputy Privacy Commissioner, September 2020.
To ensure that Lumos maintains this favourable assessment, Salinger Privacy made thirteen recommendations that covered:
Many of these recommendations were implemented by the end of 2020, with plans under development in consultation with the Data Governance Committee to address the remaining recommendations.