Privacy impact assessments

A PIA should ideally be conducted during the preliminary or conceptual phase of a project. Identifying any potential privacy risks or barriers at this stage allows ample time and flexibility to address these issues prior to rollout.

A PIA may also be revisited at a later stage prior to a program’s implementation to ensure that the issues originally raised have been addressed, and that any changes that have been made to the program as it is developed comply with privacy obligations. For larger projects, several PIAs may be conducted to address different aspects or stages of a project.

Organisations can undertake the PIA process themselves, using either our template or their own. Our template has been designed for anybody to use, even those who don’t already have a privacy background. Your organisation’s Privacy Officer will be able to assist if you have any questions.

In some cases, organisations may choose to engage a consultant to complete the PIA for them. Using an external party can be a good option if the project is particularly large or complex, or where it is important to show that the assessment has been done by an independent person who is not affiliated with the organisation.

We have prepared a template to assist organisations with their assessment of information privacy compliance. Please contact us if you have any questions about this PIA template.

Though we are unable to endorse any project or privacy protections in place, we can review PIAs to offer recommendations and guidance to further improve privacy protection.

The Office of the Australian Information Commissioner also has a number of useful resources to assist with PIAs, including online modules and a guide. This information can be found on their website here.