Skip to Content
From Monday 12 September 2020, OVIC's website will no longer be supported in Internet Explorer (IE).
We recommend installing Microsoft Edge, Google Chrome, Safari, Firefox, or Opera to visit the site.

Privacy impact assessments

The acronym ‘PIA’ – which stands for Privacy Impact Assessment – will be one you use regularly in your privacy career.

If a colleague asks you whether a proposed project will comply with privacy law or will carry any privacy risks, your answer will often be: carry out a PIA to find out.

What is a PIA?

A PIA is a process that helps identify, assess, and mitigate the impact a program may have on the privacy of individuals. It helps organisations consider the different elements of the proposed program, how it may involve the handling of personal information, and any inherent privacy risks.

As a privacy officer, it’s likely that you play a leading role in:

  • encouraging colleagues to carry out PIAs
  • keeping copies of completed PIAs
  • either working with the program team that carries out a PIA or completing a PIA on their behalf; and
  • reviewing completed PIAs to make sure they have been conducted appropriately and have identified risks and mitigation strategies.

When is a PIA required?

You should encourage your colleagues to conduct a PIA on any program that will involve handling personal information. You should think of the word ‘program’ as referring to a wide variety of activities. These might include a new project, process, technology, or assessing if existing programs comply with privacy obligations.

Below are two examples which set out when and why PIAs may be useful.

Example 1

A local Council wants to implement a new human resources software solution which will assist with the recruitment of new staff. There are three software solutions to choose from: A, B and C.

Council decides to undertake a PIA on all three software solutions. It identifies that:

  • software solution A is cloud based with applicants’ personal information being sent to a jurisdiction with limited privacy protections;
  • in the terms and conditions of software solution B, the service provider is permitted to sell applicants’ personal information to third parties for marketing purposes; and
  • software solution C is cloud based however, applicant’s personal information is stored in Victoria and the terms and conditions express restrictions on when the vendor may use and disclose the personal information.

By undertaking the PIA before making a decision on a software solution, Council is able to identify that there are privacy risks with both software solution A and B. In deciding which system to choose, Council’s decision maker is fully informed when deciding which option to select.

Example 2

The Department for Recovery (Department) is responsible for carrying out disaster recovery operations. It was established quickly following a natural disaster, and a PIA was not completed initially. For 12 months, the Department has been collecting and disclosing personal information with local and regional authorities about residents.

The Department performs a PIA on its information handling process and identifies that:

  • it does not provide a collection notice to residents when collecting their personal information from local and regional authorities; and
  • the information it holds about residents was not stored securely.

Although a PIA was not completed when the Department was first established or before the information sharing program began, by undertaking a PIA subsequently, the Department was still able to identify privacy risks with its information handling practices and develop measures to overcome these such as:

  • working with local and regional authorities to provide collection notices to residents; and
  • relocating the information to a more secure facility.

Although it would have been preferable if the Department had conducted a PIA before the program commenced, doing the PIA late was better than not doing it at all.

Why conduct a PIA?

Convincing the program team that conducting a PIA is worth the time and effort is often the hardest part. When advocating why they should conduct a PIA, point out:

  • PIAs help identify privacy risks before they materialise.
    Mitigating privacy risks upfront is easier and less damaging than trying to recover from harm caused.
  • PIAs demonstrate an organisation’s privacy by design approach.
    This can improve your organisation’s information handling practices and build public trust.

How to do a PIA?

Our PIA template sets out a four-part structure prompting the drafter for the required information and key considerations.  The PIA guide explains the process and answers common questions.

Resources

PIA template

PIA guide

Getting executive buy-in for privacy impact assessments

Privacy Impact Assessment (PIA) eLearning module

Back to the Privacy Officer Toolkit

Contents

Back to Index
Back to top
Back to Top