Privacy Impact Assessment

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

A Privacy Impact Assessment (PIA) is a process which assists organizations in identifying and minimizing the privacy risks of new projects or policies.[1]


A Privacy Impact Assessment is a type of impact assessment conducted by an organization (typically, a government agency or corporation with access to a large amount of sensitive, private data about individuals in or flowing through its system). The organization audits its own processes and sees how these processes affect or might compromise the privacy of the individuals whose data it holds, collects, or processes. PIAs have been conducted by various sub-agencies of the U.S. Department of Homeland Security (DHS),[2][3] and by many others.

A PIA is designed to accomplish three goals:

  • Ensure conformance with applicable legal, regulatory, and policy requirements for privacy;
  • Determine the risks and effects; and
  • Evaluate protections and alternative processes to mitigate potential privacy risks.

A privacy impact report seeks to identify and record the essential components of any proposed system containing significant amounts of personal information and to establish how the privacy risks associated with that system can be managed. A PIA will sometimes go beyond an assessment of a "system" and consider critical "downstream" effects on people who are affected in some way by the proposal.[4]


Since PIAs are a measure of an organization's ability to keep private information safe a PIA should be conducted whenever said organization is in possession of the personal information of employees and/or clients, this can include but is not limited to, name, age, phone numbers, emails, etc. A PIA should also be conducted in any instance in which the business or organization in question is in possession of information that is otherwise sensitive, or in cases when the security systems for private or sensitive information of organizations are undergoing changes that could lead to risk of privacy leaks.[5][6]


According to a presentation at the International Association of Privacy Professionals Congress, PIAs have the following benefits:[7]

  • Provides an early warning system, a way to detect privacy problems, build safeguards before, not after, heavy investment –Fix privacy problems now, not later
  • Avoids costly or embarrassing privacy mistakes
  • Provides evidence that an organization attempted to prevent privacy risks (reduce liability, negative publicity, damage to reputation)
  • Enhances informed decision-making
  • Helps the organization gain the public's trust and confidence
  • Demonstrates to employees, contractors, customers, citizens that the organization takes privacy seriously


Privacy Impact Assessments can be summed up in a four step process:[5][6]

  1. Project Initiation; This step is where you define the scope of the PIA process (which varies by organization), if the project they are running is in early stages and detailed information is unknown the organization may choose to do a Preliminary PIA, and then a full PIA once it gets off the ground.
  2. Data Flow Analysis; This step involves mapping out the proposed business process as it regards personal information, identifying clusters of personal information, and creating a diagram of how the personal information flows through the organization as a result of the business activities in question.
  3. Privacy Analysis; This step requires all personnel involved with the movement of private information to complete privacy analysis questionnaires, as well as secondary check-ins on the answers to the questionnaires which require more detail, and discussion of the privacy issues and implications brought up as a result of the questionnaires.
  4. Privacy Impact Assessment Report; This step requires the organization to create a documented evaluation of the privacy risks and potential implications of said risks brought up by the outcomes of the previous steps, as well as a discussion of possible efforts that could be made in order to mitigate or remedy the risks.


In the 1970s the Technology Assessment (TA) was created by the United States Office of Technology Assessment. A TA was used to determine the societal and social repercussions of new technologies. Similarly at around this time came the Environmental Impact Assessments (EIA), a reaction to the social push from the sixties Green movements. The methodology of both of these impact assessments acted as precursors to the creation of the PIA. The Privacy Impact Statement was a much less extensive version of the PIA that came about in the late eighties. During the 1990s there became a need to measure the effectiveness of a company or organization's data security, especially with most data now being stored on computers or other electronic platforms. More extensive PIAs started to be used more frequently by corporations and governments in the mid 1990s, and now are used by organizations all around the world, and by several governments including, New Zealand, Canada, Australia, and the United States Department of Homeland Security to assess privacy risk of their systems. In addition several other countries and corporations use assessment systems similar to PIAs for data risk analysis.[8][9]

PIA Worldwide[edit]


The E-Government Act of 2002, Section 208, establishes the requirement for agencies to conduct privacy impact assessments (PIAs) for electronic information systems and collections. The assessment is a practical method of evaluating privacy in information systems and collections, and documented assurance that privacy issues have been identified and adequately addressed. The process is designed to guide SEC system owners and developers in assessing privacy during the early stages of development and throughout the systems development life cycle (SDLC), to determine how their project will affect the privacy of individuals and whether the project objectives can be met while also protecting privacy.[10]


The General Data Protection Regulation (GDPR) states that a data protection impact assessment (DPIA) is mandatory in some cases.

PIAF Project[edit]

PIAF (A Privacy Impact Assessment Framework for data protection and privacy rights) is a European Commission co-funded project that aims to encourage the EU and its Member States to adopt a progressive privacy impact assessment policy as a means of addressing needs and challenges related to privacy and to the processing of personal data.[11]

See also[edit]


  1. ^ "Conducting privacy impact assessments code of practice" (PDF). Information Commissioner's Office. February 2014. Retrieved July 20, 2016.
  2. ^ Jackson, Janice; Hawkins, Donald; Callahan, Mary Ellen (August 26, 2011). "Privacy Impact Assessment for the Systematic Alien Verification for Entitlements (SAVE) Program" (PDF). U.S. Department of Homeland Security. Retrieved May 13, 2016.
  3. ^ Gaffin, Elizabeth; Teufel III, Hugo (April 1, 2007). "Privacy Impact Assessment for the Verification Information System Supporting Verification Programs" (PDF). U.S. Department of Homeland Security. Retrieved May 13, 2016.
  4. ^ "Privacy Impact Assessment Handbook" (PDF). Retrieved January 6, 2017.
  5. ^ a b "Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks Guidelines". Government of Canada. Retrieved 8 July 2016.
  6. ^ a b "PRIVACY IMPACT ASSESSMENT (PIA) GUIDE" (PDF). U.S. Securities and Exchange Commission. Retrieved 8 July 2016.
  7. ^ David Wright (November 14, 2012). "The state of the art in privacy impact assessment" (PDF).
  8. ^ Clarke, Roger. "A History of Privacy Impact Assessments". Roger Clarke's Web-Site. Retrieved 8 July 2016.
  9. ^ Pearson, Tancock, Charlesworth, Siani, David, Andrew. "The Emergence of Privacy Impact Assessments" (PDF). HP. Retrieved 8 July 2016.CS1 maint: Multiple names: authors list (link)
  10. ^ "U.S. Securities and Exchange Commission" (PDF).
  11. ^ "PIAF".