
Importance of a Privacy Impact Assessment

Consumers are increasingly concerned about their personal data and what happens to their personal information. Therefore, businesses need to consider their privacy obligations. By regularly performing compliance checks, businesses ensure they understand the impact of their privacy practices and meet their legal obligations. One such compliance check is a privacy impact assessment. This article will explore what a privacy impact assessment is, when it is required and how it should be conducted. 

What is a Privacy Impact Assessment?

A privacy impact assessment (PIA) is a voluntary task undertaken by a business to analyse its organisational processes. Importantly, the analysis should ensure the business meets its obligations under the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs). Under APP 1, when handling personal information, organisations must take reasonable steps to implement procedures and systems that comply with the APPs.

Conducted on a project basis, a PIA involves an assessment to identify the impact that a particular project will have on the privacy of individuals. It will set out recommendations and actions for managing, minimising or eliminating that impact. 

PIA vs Privacy Policy?

If you already have a privacy policy on your website, you may be wondering why you also need to conduct a PIA. In addition to a privacy policy, a PIA serves two key functions:

  1. It identifies and evaluates the potential effects that a project or proposal may have on data privacy; and
  2. It explores how to mitigate any adverse effects on privacy.

A privacy policy communicates how and what your organisation will do with personal information, whereas a PIA focuses on internal compliance with Australian privacy law obligations.


How to Undertake a PIA

Who?

The project manager responsible for the project should conduct the PIA, liaising with the relevant stakeholders, including customers and senior management. 

When?

Ideally, you should conduct the PIA before the project commences. This ensures that the privacy risks in a project can be mitigated before they arise. Conducting a PIA early will ensure that you can stay on top of your obligations and potentially avoid a privacy breach.

How Often? 

Your project will develop and evolve as it comes to fruition. Therefore, you may find that your PIA will also develop and evolve over the project’s life. You should revisit the PIA as the project progresses and update it when it changes. If there are substantial changes to the personal information that will be collected or handled during the project, it may be necessary to undertake a new PIA altogether.

Further Considerations

The following table summarises each step of developing a PIA as described by the Office of the Australian Information Commissioner. 

Stage 1: Threshold Test

  • Identify whether your business requires a PIA.
  • Things to consider:
    • Will any personal information be collected, stored, used or disclosed in the project?
    • Does the Privacy Act apply to your business?
    • Are there already current privacy controls in place, and are they working well?

Stage 2: Plan the PIA

  • Who will conduct the PIA?
  • When does the PIA need to be conducted, and what is the timeline for its completion?
  • Which external stakeholders should be consulted, and when?
  • What budget and other resources are allocated for conducting the PIA?
  • Who will implement and manage the PIA?

Stage 3: Describe the Project

  • Identify the project – a big-picture analysis is required to understand the project’s scope and identify key privacy concerns.
  • Is this project similar to an existing project?

Stage 4: Identify and Consult with Stakeholders

  • Stakeholders should include anyone who is, or might be, interested in or affected by the project.
  • The stakeholders involved in the project can be internal or external (e.g. employees, regulatory bodies, clients, other organisations).

Stage 5: Map Information Flows

This step complements the project outline and requires you to describe and map how personal information will flow for the purpose of the project. Key areas to consider include:

  • the nature of the information collected (e.g. whether it is de-identified or clearly identifies individuals);
  • the collection process;
  • how the business intends to use the information;
  • who the information is disclosed to;
  • the quality of the information;
  • security of the data;
  • how data is retained and destroyed; and
  • access to, and collection of, information.

Stage 6: Privacy Impact Analysis and Compliance Check

  • This is an important assessment in which the business evaluates risks (severe and minor) and the strengths of its internal processes.
  • The end goal is to determine whether the project offers acceptable privacy outcomes and whether personal information is handled appropriately.
  • Consider APPs 1-13 to guide your judgement on acceptable privacy outcomes.

Stage 7: Privacy Management – Addressing Risks

You should have a mitigation strategy for each possible risk factor. For example:

  • Risk: Information to be collected does not have a clear or defined purpose.
  • Mitigation: Clearly identify and define the purpose for which the business is collecting the data.

Stage 8: Recommendations

  • After conducting the PIA, several changes or recommendations to internal processes may present themselves.
  • These may assist with achieving better compliance for future projects.
  • E.g. the project’s goals may need to be altered to reflect the interests of the affected individuals.

Stage 9: Report

A PIA report should be collated to reflect the results of the assessment, setting out:

  • Executive summary
  • PIA methodology
  • Project description
  • Analysis
  • Conclusions
  • Detailed appendices

Stage 10: Review and Respond

It is important to consider and reflect on the report, so that you can learn from the results and correct behaviour accordingly.


Key Takeaways

In new projects involving the collection and handling of personal information, privacy impact assessments can be key to ensuring that your business is meeting its privacy obligations and mitigating any potential privacy risks before they arise. Your privacy impact assessment can also help build community trust in your business, showing that you are meeting legal obligations and your organisation is proactive about privacy. 

If you need help with your privacy policy, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

What is a privacy impact assessment?

A privacy impact assessment is a compliance check that allows you to assess the privacy related risks when handling personal information as part of a particular project. It allows you to develop strategies to minimise risk, and to assess your current privacy practices to determine their suitability.

Who needs to conduct a privacy impact assessment?

Whether a privacy impact assessment is necessary will depend on a number of factors, including whether personal information is being collected, what type of personal information is being collected, and whether you currently have privacy processes in place. Whether your business is subject to the Privacy Act will also be an important factor. 

Harmanjot Kaur