Overview of the Privacy Impact Assessment (PIA) process

A PIA is a tool that agencies can use to assess the privacy impacts of a new project and, where necessary, identify ways in which the obligations set out in the Information Privacy Act 2009 (Qld) (IP Act) can be met. The full process is outlined in OIC’s Guideline: Undertaking a Privacy Impact Assessment (PIA Guideline), which is available on the OIC website, along with supporting resources such as the threshold privacy assessment tool and PIA report template. While each project is different, a PIA should generally include the following steps:

1. Conduct a threshold assessment

Determine whether a PIA is needed. A PIA is beneficial for projects that will deliver a new or changed way of handling personal information.

Use the threshold privacy assessment tool if you are unsure whether to conduct a PIA.

2. Plan the PIA

Consider who will conduct the PIA and how detailed it needs to be. When will it need to be delivered? Who are the (internal and external) stakeholders, and what amount and timing of consultation will be needed?

3. Describe the project

Document what the project will deliver and what it will achieve, why it is needed, and whether it is part of a larger program.

Tip: A PIA report template is available for you to capture information gathered throughout the PIA process.

4. Identify and consult with stakeholders

Identify who is affected by or has an interest in the project, how extensive the consultation needs to be, and how and when the consultation will be undertaken.

Tip: Consultation may need to occur throughout the PIA process rather than at a single point.

5. Map the personal information flow

Describe what personal information will be involved and how it will be collected, used and disclosed, including how it will be stored and protected.

Tip: Consider using a diagram or table to set out the key information for the different types of personal information involved in the project.

6. Identify the privacy impacts

Analyse the project’s personal information handling practices against the privacy obligations set out in the IP Act to identify any privacy impacts.

The PIA report template has questions to help you identify potential privacy impacts. Your analysis should also include any stakeholder consultation results.

7. Identify options to address the privacy impacts

Consider what options will address the privacy impacts. If there are multiple options, evaluate the cost, risk and benefit of each option to identify the most appropriate one.

Tip: Options may include operational controls (such as training), technical controls (such as passwords) and communication strategies.

8. Produce a PIA report

Prepare a report for approval by the Project Executive, Steering Committee or senior management.

Tip: Publishing a PIA report can demonstrate a commitment to openness and transparency and show that the project has been designed with privacy in mind.

9. Respond and review

Take action to implement the agreed recommendations, either by preparing an implementation plan or by integrating the agreed actions into the project plan.

Tip: A PIA is a living document. It should be updated as changes are made to the design or implementation of the project.

Current as at: July 25, 2018