
How to carry out a privacy impact assessment on your dataset

A privacy impact assessment (PIA) is a tool used by agencies to help them identify and assess the privacy risks arising from their collection, use or handling of personal information. A PIA will also propose ways to mitigate or minimise these risks.

Learning outcomes

  • Know whether or not you need to carry out a privacy impact assessment
  • Understand how to do a privacy impact assessment

The Office of the Privacy Commissioner provides agencies with a Privacy Impact Assessment Toolkit.

There are two parts to the toolkit.

Part one

First, there is guidance on how to assess whether or not you need to do a PIA and, if you do, how in-depth the assessment may need to be.

If the assessment turns out to be complex, consider getting help from an external privacy expert. If you do not need a full PIA, you can instead do a brief privacy analysis. This gives you a record of your decision and a reference to the basic details of the data you have gathered and why you gathered it.

Part two

There is then a step-by-step guide on how to successfully complete a PIA, including:

  1. Gather all the information you need (the personal information involved, and why it has been collected)
  2. Check against the privacy principles (see: What is Personal Identifiable Information and the Privacy Act)
  3. Identify any real privacy risks and how to mitigate them (this is where it helps to have someone familiar with privacy working on your PIA; the Office of the Privacy Commissioner can always help with advice)
  4. Produce a PIA report
  5. Take action
  6. Review the PIA and use it as a checkpoint once things are in operation (are problems starting to emerge and further changes needed?)

Detailed Guidance
