Privacy impact assessments
A privacy impact assessment (PIA) is a tool that helps you understand and evaluate your organisation’s compliance with the Information Privacy Principles (IPPs) in the Privacy and Data Protection Act 2014 (PDP Act). A PIA helps to identify potential privacy risks and to develop mitigation strategies that address those risks before a project or initiative commences.
Using a PIA helps organisations to build good practices by highlighting the privacy elements that need to be considered for every project. PIAs also assist with embedding a positive privacy culture, promoting privacy awareness and encouraging all members of the organisation to consider potential risks before a project begins.
- We have developed a PIA template for organisations to download and use.
- To assist with completing the PIA template we have also developed an accompanying guide.
- We have also developed a short guide with tips for advocating the benefits of privacy impact assessments to get executive buy-in.
Frequently asked questions
When should a PIA be conducted?
A PIA should ideally be conducted during the preliminary or conceptual phase of a project. Identifying any potential privacy risks or barriers at this stage allows ample time and flexibility to address these issues prior to rollout.
A PIA may also be revisited at a later stage prior to a program’s implementation to ensure that the issues originally raised have been addressed, and that any changes that have been made to the program as it is developed comply with privacy obligations. For larger projects, several PIAs may be conducted to address different aspects or stages of a project.
Who should do a PIA?
Organisations can undertake the PIA process themselves, using either our template or their own. Our template has been designed for anybody to use, even those who don’t already have a privacy background. Your organisation’s Privacy Officer will be able to assist if you have any questions.
In some cases, organisations may choose to engage a consultant to complete the PIA for them. Using an external party can be a good option if the project is particularly large or complex, or where it is important to show that the assessment was done by an independent person who is not affiliated with the organisation.
Completing a PIA
Though we are unable to endorse any project or privacy protections in place, we can review PIAs to offer recommendations and guidance to further improve privacy protection.
The Office of the Australian Information Commissioner also has a number of useful resources to assist with PIAs, including online modules and a guide. This information can be found on their website.