In effect from: 1 July 2025

What is a Privacy Impact Assessment

Privacy Impact Assessments (PIAs) are an important tool to help Queensland government agencies handle personal information in accordance with the privacy principle requirements in the Information Privacy Act 2009 (Qld) (IP Act).

A PIA is a scalable tool that agencies can use to identify:

  • whether a project will involve personal information or sensitive information
  • the project's potential impact on individual privacy
  • whether the project's proposed collection, use, and disclosure of personal information will comply with the Queensland Privacy Principles (QPPs) and section 33; and
  • risks of, and mitigation strategies for, any potential negative impacts.

'Project' is used broadly to refer to the full range of agency activities and initiatives which could have privacy implications, e.g. new systems, processes or practices, new legislation or policies, or information sharing initiatives.

The threshold privacy assessment will help agencies decide whether they need to conduct a PIA.

Report template

The OIC has a template PIA report that agencies can download and use to conduct their PIA.

Integrating the PIA with project management

Integrating the PIA process into the agency's project management systems and processes can create efficiencies and help ensure privacy impacts are considered early on and throughout the life of a project.

This can be done, for example, by:

  • including resourcing and timeframes for the PIA in the project plan
  • including updates on the progress of the PIA in status reports or end stage reports
  • using the project’s risk matrix to analyse the likelihood, consequence and rating of privacy impacts
  • recording privacy impacts in the project’s risk register/log; and
  • capturing the actions that need to be undertaken to implement the recommendations of the PIA in the project plan or stage plan.

Why a PIA is important

The IP Act does not require a PIA; however, the Office of the Information Commissioner (OIC) strongly encourages PIAs as part of a privacy by design approach. Including privacy as a key consideration in the early stages of a project and throughout its lifecycle significantly reduces the risk of non-compliance.

A PIA:

  • assesses whether a project complies with the QPPs and section 33
  • supports good governance and informed decision making
  • allows potential problems and risks to be identified early, when addressing them is easier and cheaper; and
  • recognises and addresses community privacy concerns, which can build trust in the agency’s information handling practices.

When should the PIA be conducted

A PIA should be undertaken early enough in the development of a project that its findings can influence the design of the project. This will prevent unnecessary effort being expended on non-compliant design options.

PIA checkpoints

Projects are rarely static; specifications are redefined or changed as a project progresses. Building one or more PIA checkpoints into the project plan, as a trigger to check whether anything significant has changed since the PIA was first conducted, will help ensure the privacy impacts of project changes are addressed.

How to conduct a PIA

A PIA generally involves the following steps:

  1. Threshold assessment.
  2. Plan the PIA.
  3. Describe the project.
  4. Identify and consult with stakeholders.
  5. Map the personal information flow.
  6. Identify the privacy impacts.
  7. Identify options to address the privacy risks.
  8. Produce a PIA report; and
  9. Respond and review.

Step 1: Conduct a threshold assessment

A PIA will be beneficial for any project that involves new or changed ways of handling personal information. However, not every project will need a PIA. For example, a PIA will not be necessary if the project does not involve personal information, or does not change existing information handling practices whose privacy impacts have already been assessed and found appropriate.

If the answer to ‘Will any personal information be collected, stored, used or disclosed in the project?’ is yes, some form of PIA will generally be required.

Keeping a record of the threshold assessment is an important part of documenting the PIA decision.

Step 2: Plan the PIA

If the threshold assessment indicates a PIA is required, the next step is to plan the PIA. Consider:

  • what aspects of the project will be assessed
  • where the PIA will fit in the overall project plan and timeframes
  • who will conduct the PIA and what resourcing is available
  • the extent and timing of stakeholder consultations; and
  • the steps that will need to be taken after the PIA, such as implementation of recommendations and arrangements for ongoing monitoring.

The PIA does not need to be conducted by a privacy specialist, but it is important to seek input from your agency's privacy officer or other officer familiar with the IP Act.

How detailed should the PIA process be?

How detailed a PIA needs to be will depend on the scale and complexity of the project. For simple projects, the PIA process can be quick, and the PIA report may be quite short. Complex projects will involve a more formal and intensive exercise.

The level of detail will be influenced by:

  • the nature of the personal information involved in the project
  • whether new or innovative technology will be used to collect or store the information
  • whether the provision of personal information will be mandatory
  • whether the project involves data-matching
  • whether information will be shared with another agency; and/or
  • the likely community and/or media interest in the project.

Step 3: Describe the project

Having a clear understanding of the project's purpose and outcomes will provide context for the PIA process. There is often more than one way of designing a project to deliver its intended outcome; a PIA will help identify the most privacy-compliant way of reaching that outcome.

Relevant information could include:

  • who is responsible for the project
  • what the project will deliver
  • what it will achieve
  • the benefits to the agency or the community; and
  • whether the project is part of a program of related projects.

This information can typically be sourced from the project’s management documentation, such as the Project Brief or Business Case.

Step 4: Identify and consult with stakeholders

Consultation with stakeholders who will be affected by the project, or who have an interest in the project, is essential to the PIA process. It allows people to identify privacy impacts and solutions based on their experience or expertise.

Who you should consult will depend on the nature of the project, but may include:

  • internal stakeholders - such as the information technology, privacy, legal, procurement and records management business areas, customer facing staff who will put the project into practice, and employees whose privacy may be impacted by the project; and
  • external stakeholders – such as other government agencies, suppliers, clients, non-government organisations, advocacy groups, and members of the public.

Consultation is not necessarily a separate step; it can be useful to consult throughout the PIA process.

Involving internal stakeholders in the PIA process is critical as these are the people who can answer questions about likely information flows, governance structures, technical architecture, legislation under which the agency operates and recordkeeping requirements. They may also be able to suggest potential actions to address the identified privacy issues or provide advice on what option is the most appropriate.

External consultation often involves seeking the views of the people whose personal information will be affected by the project. It has two main aims: it enables the agency to understand the concerns of those individuals, and it improves transparency by making people aware of how their personal information will be involved in the project and its outcomes.

Factors that will influence the required extensiveness of consultation include whether there is:

  • likely to be concern about actual or perceived impact on privacy
  • a large number of people or a particularly vulnerable group whose privacy is affected
  • personal information holdings that are vulnerable to misuse or abuse; and/or
  • a need to build trust in a new practice or technology.

Even if a broad public consultation is not warranted, some form of targeted consultation may still be appropriate, such as with relevant independent statutory bodies, advocacy groups or professional associations.

Encourage meaningful engagement

To gain the most value from consultation, implement strategies that support meaningful stakeholder engagement and which encourage feedback.

The aim is to take reasonable steps to facilitate as much communication about the project as possible so that its privacy impacts and risks can be identified and discussed.

Suggestions to encourage stakeholder engagement include:

  • contacting stakeholders early to notify them of the nature of the project and that its privacy impacts are being considered
  • providing information about the project to stakeholders
  • putting a process in place so stakeholders can clarify questions and communicate their views
  • developing a process to manage interactions among stakeholders; and
  • communicating a summary of outcomes from the privacy assessment to the persons or groups who were consulted.

At the end of the consultation period and if warranted, the agency should make its PIA publicly available.

Manage any issues about the distribution of project information

Sometimes there may be legitimate resistance to giving certain project information to stakeholders, perhaps for commercial or security reasons.

If so, consider alternatives so that the process of stakeholder engagement remains as open as possible. For example, it may be possible to:

  • distribute project information in instalments
  • limit its distribution to certain stakeholder groups
  • make the distribution of information subject to confidentiality agreements; or
  • allow the information to be viewed but not copied, or supply summaries of the information.

Step 5: Map the personal information flow

The next step is to describe the personal information that is involved in the project and how it will flow through the agency's systems and processes as a result of the project's outcome.

Clearly mapped information flows will assist in identifying privacy impacts in the next step of the PIA process.

The map of personal information flows should include:

  • what personal information will be collected, its source, and how and from whom it will be collected
  • whether any of the personal information is sensitive information
  • how it will be stored, its security safeguards, and who will have access to it
  • what the personal information will be used for and by whom
  • whether the personal information will be routinely disclosed and if so, to whom will it be given and for what purpose
  • whether the personal information will be disclosed out of Australia
  • how individuals will be able to access and amend their personal information; and
  • how long the information will be retained, and the protocols for de-identifying or disposing of personal information consistent with the relevant QPPs and statutory retention and public records obligations.

There is no ‘one size fits all’ approach to documenting the flow of information. For example, you could use tables to describe the different kinds of personal information involved in the project and how it will flow. A diagram, business process map, or comparative information map may be effective, especially to show how current processes or systems will be changed by the project.

The best method will depend on the complexity of the information flows in your project.

Step 6: Identify the privacy impacts

A privacy impact can be negative (a risk) or positive (an opportunity). While this section focuses on identifying and mitigating risks, a similar analysis can be used to identify and maximise opportunities.

Privacy risks are identified by checking the project's handling of personal information against the QPPs and section 33. If the project or its outcomes will involve contractors, it must also be checked against the requirement in chapter 2, part 3 to take reasonable steps to bind contracted service providers to comply with the IP Act.

Agencies should also ensure that the project allows data breaches to be identified, so that the agency can meet its mandatory data breach notification obligations under chapter 3A of the IP Act.

The PIA report template includes questions to help identify potential privacy impacts. Not all questions will be relevant to every project and additional considerations may be required, depending on the nature of your project and your agency.

The following sections outline, by theme, the areas of risk that should be considered and managed during a project or when an agency changes how it operates, together with the related legislative provisions.

Collection risks

  • QPP 2: no consideration given to whether it is lawful and practicable for people to interact anonymously or pseudonymously with the project, or no system in place to facilitate anonymous or pseudonymous interaction.
  • QPP 3.1: collecting more personal information than is needed, e.g. extra information not needed for the project or information which has nothing to do with the agency's functions or activities.
  • QPP 3.3: collecting sensitive information without consent where the QPP 3.4 exceptions do not apply.
  • QPP 3.6: collecting personal information from someone other than the individual it is about where QPP 3.6(a) and (b) do not apply.
  • QPP 4: no system in place to identify and assess unsolicited personal information, e.g. information included in free text fields or sent by email.
  • QPP 5: not informing people of all the relevant matters listed in QPP 5.2.

Use and disclosure risks

  • QPP 6: using or disclosing personal information for a secondary purpose (i.e. a purpose other than the one for which it was collected) without making sure this is permitted by QPP 6.1(a) or QPP 6.2.
  • Section 33: disclosing personal information outside Australia when not permitted by section 33.
  • Chapter 2, part 3: not taking reasonable steps to bind contracted service providers involved in the project to comply with the IP Act.

Security and accuracy risks

  • QPP 10.1: not having systems in place to ensure that personal information collected by the project is accurate, up to date and complete. Note: this is primarily a risk when personal information is collected from someone other than the individual it is about.
  • QPP 10.2: not having systems in place to ensure that personal information used and disclosed by the project is accurate, up to date, complete and relevant to the purpose for which it is being used or disclosed.
  • QPP 11.1: security measures, systems, practices and access controls that are not appropriate to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Protections must address threats from both internal and external actors.
  • QPP 11.2: no systems in place to identify when personal information is no longer needed for any purpose and to trigger an assessment of whether it should be retained or de-identified.

Accountability risks

  • QPP 1: not assessing whether the project must be included in the agency's QPP privacy policy.
  • Chapter 3A: no systems to identify data breaches arising from the project, or to inform internal stakeholders of data breaches and undertake mandatory data breach notification.
  • Chapter 5: no processes in place to manage privacy complaints arising out of the project.
  • QPP 12 and 13: systems that do not support or allow the extraction of personal information into a generic format (for example, a text file or PDF), or do not allow personal information to be easily updated by amendment or notation. Note: this is also an important requirement for meeting the agency's obligations under the Right to Information Act 2009 (Qld).

Confidentiality and human rights obligations

A PIA can also be used to measure the project's compliance with:

  • legislative confidentiality or secrecy obligations
  • non-legislative confidentiality obligations; and
  • the Human Rights Act 2019 (Qld), particularly the right to privacy.

Community expectations of privacy

Even where an act or practice complies with the IP Act, individuals may be uncomfortable with their personal information being involved in it. Consultation with the community is a key way to assess whether a project is seen as privacy-intrusive.

Recording privacy risks

Recording privacy risks in the project risk register/log helps ensure accurate reporting to the Project Executive/Steering Committee/senior management. It will also help ensure that actions needed to address the risk can be tracked and prioritised appropriately.

Step 7: Identify options to address the privacy risks

If privacy risks have been identified, they must be addressed. If there are multiple options for addressing the risk, it may be necessary to evaluate the costs, risks and benefits of each option to identify which is the most appropriate.

Options for addressing privacy issues include:

  • operational controls – such as policies and procedures, staff training or communication strategies
  • technical controls – such as access controls, encryption and design changes; and
  • physical controls – such as doors or locks.

Step 8: Produce a PIA report

The next step is to prepare a report for the approval of the Project Executive/Steering Committee/senior management. The report should at a minimum:

  • describe the information flows involved in the project
  • provide a summary of the analysis against the privacy principles to show what the privacy impacts are (both positive and negative)
  • make recommendations to remove or mitigate privacy risks
  • set out what consultation processes were undertaken; and
  • identify whether the PIA should be reviewed during the project.

Easy to understand

The report needs to be easily understood by a broad range of readers, including managers, project team members and, if published, individuals, the public and advocacy groups. Therefore, when writing the report:

  • use clear language that is easily understood, avoid jargon and, if it is necessary to use technical terms, define them in a glossary
  • convey one important idea per sentence for maximum readability
  • use headings so the structure of the report is clear to the reader and ensure the report follows a logical order
  • include basic information such as the identity of the authors and the date of the report; and
  • if applicable, explain any assumptions underlying the assessment process and set out any terms of reference for the assessment.

Describe the project and its scope

Include a description of the project and its scope to contextualise the PIA. If terms of reference were drafted, include those also. Consider:

  • describing the organisational need underpinning the project
  • explaining any public interest benefit in the project
  • setting out what information is used in the project and how
  • setting out the scope of the assessment
  • if applicable, setting out the terms of reference for the project; and
  • including diagrams showing the personal information flows in the project.

Document the assessment process and findings

Explain how the privacy assessment was undertaken and set out the findings of that assessment:

  • Set out the impacts that the personal information flows and the project as a whole may have on the privacy of individuals.
  • Set out any specific privacy risks that were identified.
  • Explain the analysis undertaken so that the nature and categorisation of each privacy risk is properly understood.
  • Set out the options considered to lessen or avoid those risks and the recommended avoidance or minimisation strategies for each risk.
  • Highlight how recommendations support the goals of the project.

Concluding the report

Conclude by summarising significant findings in relation to privacy risks and benefits. Also, highlight critical recommendations in relation to avoiding or minimising the significant risks.

Step 9: Respond and review

It is important that recommendations made in the report are implemented and that the PIA is updated and reviewed, even after the project’s completion.

The first step is to document what the Project Executive/Steering Committee/senior management agreed to, i.e.:

  • what recommendations will be implemented (or are already implemented); and
  • any recommendations that will not be implemented, and the rationale for this decision.

It can often be helpful to prepare a plan for implementing the recommendations to record what actions need to be taken, timeframes and responsibilities. Alternatively, they could be integrated into a revised project plan, which will help ensure the activities necessary to implement the recommendations are managed and reported.

A PIA report is a living document. It should be revisited and updated if changes to the design of the project create new privacy impacts that were not previously considered.

Similarly, a PIA does not end on delivery of the project. Reassessing the privacy impacts of the system or process after it is in operation, for example when updates are deployed or new features are released, will help ensure that the agency continues to approach privacy as a ‘design feature’ of its processes and activities.