Step-by-step guide to Privacy Impact Assessments

A Privacy Impact Assessment (PIA) is a tool that agencies can use to assess the privacy impacts of a new project and where necessary, identify ways in which the obligations set out in the Information Privacy Act 2009 (Qld) (IP Act) can be met.

While each project is different, a PIA should generally include the following steps:

1. Identify the need for a PIA

A PIA will usually be necessary for projects where personal information is collected, stored, used, disclosed or transferred overseas. Use the Threshold Privacy Assessment Tool (DOTX, 63.08 KB) to inform whether a PIA is needed.

2. Plan the PIA

Consider the scope of the PIA, who will conduct it, the timeframe, stakeholders (internal and external) and how much consultation may be needed.

3. Describe the project

Use the PIA Report Template to document what the project will deliver, what it will achieve, why it is needed, and whether it is part of a larger program.

4. Identify and consult with stakeholders

Identify who is affected by or has an interest in the project, how extensive the consultation needs to be, and how and when the consultation will be undertaken. Consultation may need to occur throughout the PIA process rather than at a single point.

5. Map the personal information flow

Describe what personal information will be involved and how it will be collected, used and disclosed, including how it will be stored and protected. Consider using a diagram or table to set out the key information for the different types of personal information involved in the project.

6. Identify the privacy impacts

Analyse the project’s handling of personal information against the privacy obligations in the relevant privacy principles in the IP Act to identify any privacy impacts. The PIA Report Template has questions to help you identify potential privacy impacts. Your analysis should also include any stakeholder consultation results.

7. Identify options to address the privacy impacts

Consider options for removing, minimising or mitigating any identified privacy risks. Options may include operational controls (such as training), technical controls (such as passwords) and communication strategies.

8. Produce a PIA report

Prepare a report for approval by the Project Executive, Steering Committee or senior management. OIC encourages the publication of PIA reports – this can demonstrate a commitment to openness and transparency and shows the project has been designed with privacy in mind.

9. Respond and review

Monitor the implementation of the PIA recommendations, either by preparing an implementation plan or by integrating the agreed actions into the project plan. A PIA is a living document. It should be updated as changes are made to the design or implementation of the project.

Current as at: July 13, 2021