Privacy impact assessments - tips for PIA report drafting

This is a companion to, and intended to be read in conjunction with, the Undertaking a Privacy Impact Assessment (PIA) guideline. It is not a comprehensive guide to drafting a PIA report, but it provides tips intended to assist agencies. There is also a PIA report template available.

Make the report easy to understand

The report needs to be easily understood by a broad range of readers, including managers, project team members and, if published, individuals, the public and advocacy groups. Therefore, when writing the report:

  • use clear, easily understood language; avoid jargon and, where technical terms are necessary, define them in a glossary
  • convey one important idea per sentence for maximum readability
  • use headings so the structure of the report is clear to the reader and ensure the report follows a logical order
  • include basic information such as the identity of the authors and the date of the report; and
  • if applicable, explain any assumptions underlying the assessment process and set out any terms of reference for the assessment.

Describe the project and its scope

Include a description of the project and its scope to contextualise the PIA. If terms of reference were drafted, include those also. Consider:

  • describing the organisational need underpinning the project
  • explaining any public interest benefit in the project
  • setting out what information is used in the project and how
  • setting out the scope of the assessment
  • if applicable, setting out the terms of reference for the project; and
  • including diagrams showing the personal information flows in the project.

Document the privacy assessment process and its findings

Explain how the privacy assessment was undertaken and set out the findings of that assessment:

  • Set out the impacts that the personal information flows and the project as a whole may have on the privacy of individuals.
  • Set out any specific privacy risks that were identified.
  • Explain the analysis undertaken so that the nature and categorisation of each privacy risk is properly understood.
  • Set out the options considered to lessen or avoid those risks and the recommended avoidance or minimisation strategies for each risk.
  • Highlight how recommendations support the goals of the project.

Concluding the report

Conclude by summarising significant findings in relation to privacy risks and benefits. Also, highlight critical recommendations in relation to avoiding or minimising the significant risks.

Current as at: July 1, 2025