A privacy impact assessment (PIA) is an essential part of many projects and proposals. Agencies can use it to identify the potential risks arising from their collection, use or handling of personal information, and to find out whether they are meeting their legal obligations.
A PIA focuses on identifying the ways a new proposal or operating system, or changes to an existing process, may affect personal privacy, to help organisations make more informed decisions and better manage privacy risks.
It is important to decide whether to do a PIA early in a proposal's life. If you fail to identify how your project is likely to affect the individuals whose information you are collecting and using, there are real risks for your organisation and for the success of your project.
To make it easier to decide whether to do a PIA, we have produced guidance which will assist in this task. It consists of two parts:
Part 1 - Whether to do a Privacy Impact Assessment - helps you assess whether you need to do a PIA at all and, if you do, whether it will be simple and quick or a more complex exercise.
Part 2 - How to do a Privacy Impact Assessment - a step-by-step guide to completing your PIA successfully.
Templates and checklists are included to help you pull together the information you need, then present that information in a way that makes it easy to decide what to do.
The templates referred to in both Part 1 and Part 2 of our PIA guidance are available below:
Template 1: Brief Privacy Analysis (from Part 1 Appendix A)
Template 2: Privacy Impact Assessment Report (from Part 2 Appendix A)
Template 3: Risk and Mitigation Table (from Part 2 Appendix B)
We acknowledge the assistance of PriceWaterhouseCoopers, interviewees, those who completed the surveys when the product was being tested, and international agencies in developing this guidance.