How Do Privacy Impact Assessments Work?

Discover what privacy impact assessments are, how they work, and if your organization needs them.

colleagues discussing about privacy impact assessment

What is Privacy Impact Assessment?

Privacy Impact Assessments (PIA) are increasingly important when considering the handling of sensitive data. A PIA is an evaluation process that identifies and addresses potential privacy concerns related to a system, project, or unique data handling. It involves understanding the scope of a project or design; collecting information about the expected use of any personal or sensitive data; verifying that necessary technical and organizational measures are in place, and entitling individuals to their rights regarding the collected data.

A comprehensive program helps organizations ensure compliance with current state, federal and international legislations and maintain trust between employers, employees, customers, and vendors. It’s not enough to store data securely – companies must be able to explain to everyone affected how their private information is being used. Taking such considerations into account gives organizations a competitive edge and ensures the ethical treatment of all involved parties.

How are PIA and DPIA Different?

A Privacy Impact Assessment (PIA) helps organizations prioritize privacy from the beginning when launching a new business, introducing a new product, or acquiring an existing one. 

Similarly, with personal data processing taking place all the time within an organization and risks continually evolving due to changes in technology and other factors — Data Protection Impact Assessments (DPIAs) must be conducted on an ongoing basis. In addition to being essential for businesses’ own risk management strategies, DPIA completion is also mandatory according to the European Union General Data Protection Regulation (GDPR).

What is Not a PIA?

Here are some of the misconceptions about PIAs:

  • A superficial checklist of legal requirements
  • A one-time event
  • A marketing tool that only shows a project’s benefits
  • Justification for existing policies or practices
  • A lengthy, complicated, and resource-intensive process

When is a PIA Required?

The Directive on Privacy Impact Assessment mandates that organizations complete PIA’s whenever an individual’s personal information is at risk of being affected by a program or activity. Here are some activities that would require a PIA:

  • Using individuals’ data in a decision-making process that directly impacts them
  • A significant change to existing services or activities that involve the use of personal data for administrative purposes (which essentially means that it is part of a decision-making process with direct implications on the individual)
  • Substantive modifications whenever the government wants to transfer programs or activities to other levels of government or private entities

What Should a PIA Include?

To generate a comprehensive PIA report, consider including the following:

  • A description of the planned program or activity and its goals
  • An assessment of your program’s privacy compliance and potential privacy impacts
  • Compliance with the Privacy Act, applicable policies, directives, and guidelines, as well as best practices for minimizing impacts

How to Do a PIA

Follow these steps for an efficient PIA process:

Step 1: Conduct a Threshold Assessment

The first step of the PIA process is a threshold assessment wherein organizations determine if their program or activity falls within the scope of the Privacy Act and requires conducting a PIA.

Create Your Own Privacy Impact Assessment Checklist

Eliminate manual tasks and streamline your operations.

Get started for FREE

Step 2: Plan the PIA

Once you have finished your threshold assessment, it’s time to organize how you will conduct your PIA. As you devise the plan for this vital task, consider the following:

  • What are the evaluation criteria for the project?
  • Where will the PIA fit in the project plan and timeframes?
  • What resources are available for the PIA, and who will conduct it?
  • What will be the timing and extent of stakeholder consultations?
  • What steps will be taken after the PIA, including implementing recommendations and maintaining monitoring?

Step 3: Describe the Project

A distinct comprehension of the project’s purpose is a crucial foundation for everything else in the PIA procedure. Conducting a privacy impact assessment will help you identify the most privacy-sensitive way to design a project that achieves its goals. Here is the different information to include:

  • The person responsible for the project
  • Deliverables of the project
  • Its objectives
  • Benefits to the agency or community
  • A program’s involvement in the project

Step 4: Identify and Consult With Stakeholders

It’s important to talk to stakeholders who will be affected by the project or are interested in it. Through their experience and expertise, they’ll be able to identify privacy impacts and solutions. Depending on the project, you may consult the following:

  • Internal stakeholders – From the IT sector and data security to legal staff and procurement teams, as well as employees who will directly interact with customers while utilizing the new system or policy
  • External stakeholders – From government agencies, suppliers, clients, and non-government organizations to advocacy groups and members of the public

Step 5: Map the Personal Information Flow

Identifying the types of personal information involved and handling is essential to the success of this project. It should include the following:

  • What information will be collected, where will it come from, and how will it be collected?
  • Who will have access to it, how will it be stored, and what safeguards will be in place?
  • Who will use the personal information, and for what purposes?
  • What is the purpose of routinely disclosing personal information, and to whom is it directed?
  • How can individuals access and amend their personal information?
  • What is the retention period of the information?

Step 6: Identify the Privacy Impacts

To determine if there are any privacy risks, you need to check how the project deals with personal information. It includes checking if the project follows privacy principles.

  • Non-Health Agencies: Information Privacy Principles
  • Health Agencies: National Privacy Principles (e.g., Health Insurance Portability & Accountability Act)
  • All agencies must abide by the stringent regulations regarding the export of personal data outside Australia.
  • All agencies must take all necessary measures to ensure that privacy principles bind their contracted service providers.

Step 7: Identify Privacy Risks and Options to Address Them

After identifying the privacy risks, deciding which action should be taken to mitigate them is essential. In some situations, there will be multiple solutions; for these cases, you may need to evaluate the costs associated with each option along with their benefits and risks to determine which one would work best.

Below are options that can help address privacy issues:

  • Operational controls – policies and procedures, staff training, or communication strategies (e.g., collection notices)
  • Technical controls – such as access controls, encryption, and design modifications
  • Physical controls – such as doors or locks

Step 8: Produce a PIA Report

Prepare the report containing the following details:

  • Describe the project’s information flows
  • Provide a summary of the privacy impacts (both positive and negative) based on the privacy principles
  • Give recommendations for removing or mitigating privacy risks
  • Describe the consultation processes undertaken
  • Determine whether the PIA requires reviewing during the project

Step 9: Respond and Review

Stakeholders should review and endorse the completed PIA. The project team needs to develop an action plan and timeline to address any risks or recommendations. It could involve further consultation with stakeholders, training of staff, revising procedures, or implementing additional privacy controls.

The PIA should be reviewed regularly during the project to ensure that it reflects any changes regarding privacy issues. PIAs should be updated if the project undergoes any significant changes.

FAQs on Privacy Impact Assessment

Before processing anything that suggests a “high risk,” you must conduct a Privacy Impact Assessment (PIA). Even if the actual level of danger is not yet known, it’s still necessary to look for elements that may lead to serious repercussions or harm individuals on a large scale.

A Privacy Impact Assessment should be triggered whenever there is a proposal to collect, use, store or unusually disclose personal information that could risk an individual’s privacy. It usually occurs when an organization introduces or changes processes, systems, technology, or practices involving personal data.

Under the General Data Protection Regulation (GDPR), PIA must prioritize an individual’s data rights and freedom. To ensure these are being met, it’s vital to consider involving PIA during the entire project lifecycle—from beginning to end—as this allows for potential privacy risks to be identified early on and addressed before releasing or setting out a project into production.

Ideally, a system should be audited once every three years without any changes to ensure accuracy and security. However, when significant modifications are made to a system, its associated PIA must also be adjusted to ensure that any information is not compromised.

Rob Paredes
Article by
Rob Paredes
SafetyCulture Content Contributor
Rob Paredes is a content contributor for SafetyCulture. Before joining SafetyCulture, he worked as a financial advisor, a freelance copywriter, and a Network Engineer for more than a decade. Rob's diverse professional background allows him to provide well-rounded, engaging content that can help businesses transform the way they work.