Privacy Impact Assessment Toolkit 1

Contents
Overview ................................................................................................................................................. 3
The basic steps in every PIA: ............................................................................................................... 3
Other steps that may be useful ........................................................................................................... 3
Ques�ons to answer before you start..................................................................................................... 3
When to do a PIA ................................................................................................................................ 3
Build checkpoints into your project plan ........................................................................................ 3
Who do I need to talk to? ................................................................................................................... 5
People who might need to be involved: ......................................................................................... 5
Who should do the PIA?...................................................................................................................... 5
Do I need to involve the Privacy Commissioner? ................................................................................ 5
A step-by-step guide to comple�ng a PIA ............................................................................................... 6
Step 1. Gather all the informa�on you need ...................................................................................... 6
Describe the project – especially the purpose of changing what happens with personal
informa�on ..................................................................................................................................... 6
Describe the personal informa�on involved and what will happen with it .................................... 6
Describe the flow of personal informa�on through its lifecycle in your organisa�on.................... 6
Describe the organisa�onal context ............................................................................................... 7
Step 2. Check against the privacy principles ....................................................................................... 8
Consider the personal informa�on involved in the project and how the privacy principles apply. 8
Step 3. Iden�fy any real privacy risks and how to mi�gate them ....................................................... 9
What is a privacy risk?..................................................................................................................... 9
How far do I have to go? ................................................................................................................. 9
How to iden�fy the risks ................................................................................................................. 9
Step 4. Produce a PIA report ............................................................................................................. 13
Step 5. Take ac�on ............................................................................................................................ 14
Step 6. Review the PIA and use it as a checkpoint once things are in opera�on ............................. 15
Other steps that may be useful ............................................................................................................. 16
Get an external view of your PIA ...................................................................................................... 16
Consult with stakeholders ................................................................................................................. 16
Establish beter governance structures for managing personal informa�on ................................... 16
Manage any risks with using third-party contractors ....................................................................... 16
Align the PIA with the organisa�on’s exis�ng project-management methodologies ....................... 17
Publish your PIA ................................................................................................................................ 17

Privacy Impact Assessment Toolkit 2

Overview Ques�ons to answer before you start
The basic steps in every PIA: When to do a PIA
1. Gather all the informa�on you need to do the A Privacy Impact Assessment isn’t a last-minute legal
PIA and sketch out how and where the compliance checklist – rather it’s an ac�ve tool to help
informa�on you intend to gather will go. inform the major decisions involved in planning and
2. Check this against the informa�on privacy implemen�ng your project. Therefore, doing a PIA
principles (IPPs). early in a project’s life is going to be most useful.
3. Iden�fy any real privacy risks and how to The PIA will help you get the system and opera�on
mi�gate them. design right and avoid expensive and �me-consuming
4. Produce a Privacy Impact Assessment report pi�alls further down the road. Flushing out the
(use our report template to help). poten�al issues at the conceptual stage of the project
5. Take ac�on. will show you what implementa�on details you’re
6. Review and adjust the PIA as necessary as the going to need to address. It will help you cra� a more
project develops. accurate project plan, as well as providing greater
See page 6 for a step-by-step guide on how to create a assurance that the project will be successful.
PIA.

Build checkpoints into your project plan

Other steps that may be useful Inevitably, projects change during their life�me. You
Depending on the complexity of your project, you may may not be able to answer every ques�on in an early
need to add various other steps into your planning. PIA – more informa�on may come to light later. This is
These can include: normal.

To manage this, build one or more PIA checkpoints

• Get an external view of your PIA.
into your project plan, where you’ll ask whether
• Consult with stakeholders.
anything significant has changed since you did the PIA.
• Establish beter governance structures to
If it has, then slot that informa�on into a new version
manage personal informa�on.
of the PIA and go back through the steps to check that
• Manage any risks by using third-party
there are no new privacy risks or, if there are, that the
contractors.
new risks are clearly iden�fied and managed.
• Align the PIA with the organisa�on’s exis�ng
project-management methodologies.
• Publish your PIA.
Example
For simple projects, the PIA process may be very A PIA as part of the design of a new IT system
quick, and the PIA may end up being only a couple of
If your project is a new IT system that collects, stores
pages long. If your project is more complex, the
or processes personal informa�on, it will be risky to
resul�ng PIA may be long, detailed and highly
put off doing a Privacy Impact Assessment un�l a�er
technical – but if that’s the tool you need to do the job
you’ve tendered for and designed the system. The PIA
successfully, then it’s likely to be worth the
will help you design the system to manage that
investment.
personal informa�on well. You’ll find it much harder
There are several steps that need to be a feature of and a lot more expensive to redesign or rebuild the
every thorough PIA. Then there are some other steps system later to address any risks that the PIA exposes.
that may also be useful, depending on the size and
complexity of your project.

Privacy Impact Assessment Toolkit 3

This diagram shows how a PIA fits into the life of a
project.

Privacy Impact Assessment Toolkit 4

Who do I need to talk to? • Customer or consumer groups.
Most of the people you will need to engage with are
internal stakeholders. However, there may be some
Who should do the PIA?
You don’t need to be a privacy specialist to put
external stakeholders you also need to talk to.
together a straigh�orward PIA. It doesn’t have to be
Make sure you’re aware of who has the informa�on done by your organisa�on’s privacy officer, or a lawyer.
you need, and when they’re going to be available. However, it’s useful if the project team includes
someone who is reasonably familiar with privacy and
If you’re a small organisa�on, there will only be a few
able to advise you about the privacy principles and the
people in the organisa�on you’ll need to look to – the
poten�al privacy impacts of the project.
informa�on might even all sit on one person’s desk. In
these cases, think about whether there are people If the PIA will be par�cularly complex, or par�cularly
outside your organisa�on who you can get some central to the success of the project, it’s worth
advice from – for example, business colleagues, the thinking about hiring an external expert.
local Chamber of Commerce, or the Privacy
Commissioner’s website. Do I need to involve the Privacy
Commissioner?
People who might need to be involved: If your project involves:
• People who are familiar with privacy,
par�cularly the organisa�on’s privacy officer. • policy proposals or dra� legisla�on that
• People who deal with security in your affects personal informa�on or individual
organisa�on – they’re likely to be familiar with privacy
what you’re trying to achieve. • an authorised informa�on-sharing or
• Business analysts and other project staff who informa�on-matching programme
will understand the business aims, what’s • or if a statute says the Privacy Commissioner
being put in place, and when various steps must be involved
need to be taken.
then the lead government agency is required to
• IT advisers who’ll be able to provide
consult us.
informa�on on the systems being used, how
the personal informa�on will flow through the The Cabinet Manual 1 requires government agencies to
system (including how it will be stored and consult with the Privacy Commissioner when pu�ng
processed), and whether there are any forward policy proposals or dra� legisla�on that
security implica�ons. affects personal informa�on.
• Marke�ng and communica�ons advisers who
Part 7 Subpart 1 of the Privacy Act (approved
will help in understanding how the
informa�on-sharing agreements) and Part 7 Subpart 4
organisa�on uses informa�on and can help
(authorised informa�on-matching programmes)
coordinate any consulta�on needed for the
specify when and how the Privacy Commissioner must
PIA.
be consulted.
• Risk and assurance people who can help you
iden�fy risks, controls, and other ac�ons.
• Specialist staff groups who are affected by any
proposals for handling personal informa�on,
such as call centre staff, informa�on
management staff, or human resources – they
can give you the best informa�on about how
things will work on the ground.

1
At paragraphs 5.19, 7.68, 8.6, 8.72--78 and 8.86-89of
the Cabinet Manual.
Privacy Impact Assessment Toolkit 5
A step-by-step guide to comple�ng a A major key to success is having a clear understanding
of what the change is aiming to achieve, and how it
PIA will support your organisa�on’s work.
It’s about covering all the bases – not the order of
the steps. Key points to cover

As you work through the key PIA steps we discuss in • Describe the project briefly.
this sec�on, remember that it’s the content of each • Describe the purpose of changing what
step that maters – not the order you do them in. happens with personal informa�on – what is
the business aim in making the change?
So don’t be concerned if you find yourself doing things • Is the project a one-off ac�vity, or does it
in a slightly different order from how we’ve set out the involve a change to your ongoing informa�on-
steps below. management systems?
1. Gather all the informa�on you need Describe the personal informa�on involved and
The informa�on you put together when you were what will happen with it
deciding whether to do the PIA will be a good start for The focus of any PIA is the personal informa�on
doing the PIA itself. Now is the �me to gather all the involved in the project and the posi�ve or nega�ve
details about what personal informa�on the proposal effects that the project may have on the privacy of the
involves and what is going to happen to it. individuals affected by it.
The key tasks here are: It’s important to think about the whole lifecycle of the
personal informa�on. For instance, the PIA will need
• Describe the project – focus on what happens
to consider how that informa�on is going to be stored,
with personal informa�on.
who’s going to use it and why, how it’s going to be
• Describe the personal informa�on involved
kept up to date, how long it will be kept for, and what
and what will happen with it.
will happen if the individual whose informa�on it is
• Describe the organisa�onal context.
asks to see it. Without considering the whole lifecycle
As you complete each of those tasks, add the of the informa�on, you won’t be able to spot where
informa�on to a dra� Privacy impact assessment the problems or the opportuni�es occur.
report. You can use our “Privacy impact assessment
You’ll also need to consider a broader range of
report” template on our website as the basis for the
informa�on-management ques�ons if, for example,
report (adjust it as necessary to fit your organisa�on
your project involves sharing informa�on with another
and project).
organisa�on so that the individuals can receive a
You can use the report either as a briefing document service more efficiently. You’ll need to consider
for managers or other decision-makers, or – if the whether the sharing of informa�on will take the
decision is your own – as a record of what you decided individual by surprise – perhaps because it’s different
to do and why. from what they were told when you collected the
informa�on from them? If so, will you need to tell
Describe the project – especially the purpose of them what’s going on? Also, how will you make sure
changing what happens with personal the informa�on is kept secure when it’s being sent to
informa�on the other agency, and that it won’t be accessible to
A PIA is a tool to help you achieve the aims of your people who could misuse it?
project or your organisa�on more generally while also
protec�ng personal informa�on. There is o�en more Describe the flow of personal informa�on
than one way of designing a project to accomplish through its lifecycle in your organisa�on
what is intended – a PIA will help to iden�fy the least Key ques�ons to answer:
intrusive way of achieving that aim.

Privacy Impact Assessment Toolkit 6

 • What personal informa�on is currently and address poten�al privacy risks. For example, if
collected and used? How does it flow through your project involves one division of your organisa�on
your organisa�on’s systems? collec�ng a new piece of personal informa�on for a
• How will your project change the informa�on par�cular purpose, how long will it be before another
flow? division decides they could use it too? An�cipa�ng
• Describe all the changes to personal this kind of poten�al “scope creep” is an important
informa�on involved in the project. For part of any PIA.
instance:
Types of background informa�on to include
– Is new personal informa�on being
Bring together the necessary background informa�on
collected? If so, where is it coming from?
about your project and organisa�on. This might
– If the project involves informa�on your
include:
organisa�on already holds, will you be
using the informa�on for a different Governance, management and roles and
purpose? If so, why, and how? responsibili�es describing privacy in your organisa�on
– What measures are in place to ensure the (your privacy officer or legal team should be able to
informa�on is accurate and up to date? help you with this).
– Will your organisa�on tell the individuals
what’s happening to their informa�on? If • Policies, standards, and procedures rela�ng to
so, how will it tell them? personal informa�on (such as privacy
– Who will have access to the informa�on statements, and reten�on or security
inside your organisa�on? Who will have policies).
access to it outside the organisa�on? • How privacy fits in with risk management in
– How long will the informa�on be kept for? your organisa�on (for example, does your risk
How will it be disposed of? management framework consider risks to the
people whose informa�on you hold, rather
Using informa�on flow diagrams than just risks to the organisa�on?)
There are many ways in which you can set out the • Overall processes and controls that affect
lifecycle of personal informa�on. However, an privacy, such as disposal processes.
informa�on flow diagram – or a series of diagrams – • Security controls, such as how access to your
can be a par�cularly clear and simple way of showing informa�on systems is managed.
exactly where personal informa�on is coming from, • Training and awareness programmes on
where it’s going, how it’s going to be used, and who privacy and security.
it’s going to be used by (see example above). This can • Monitoring and audi�ng of any incidents that
help you iden�fy measures that can improve occur, and how these are dealt with.
informa�on security and reduce privacy risks.

Describe the organisa�onal context

It’s important to consider privacy implica�ons in the
context of the project, and in light of how your
organisa�on works – par�cularly its exis�ng approach
to handling personal informa�on. For example, you’ll
need to know whether any risk mi�ga�on or other
change that you recommend for the project is likely to
be workable in the context of the en�re organisa�on.

Considering the organisa�onal context will also help

you to be aware of the likely downstream effect of the
project in your organisa�on and enable you to predict

Privacy Impact Assessment Toolkit 7

2. Check against the privacy principles • Why is it necessary to collect informa�on
As well as providing the legal framework that your about loca�on? Is it a “need to know” or just a
organisa�on will need to comply with, the principles in “nice to have”?
the Privacy Act also provide a useful prac�cal checklist • What exactly will the business use the loca�on
for handling personal informa�on properly throughout informa�on for?
its en�re lifecycle. This includes: • Will anyone else have access to the
informa�on?
• collec�ng the informa�on
• Will it be shared with third-party providers to
• storing it and keeping it secure run ads in the app, for instance?
• checking the accuracy of the informa�on • How will users know the informa�on is being
• le�ng people have access to it so they can see collected and why?
what you know about them • What will happen if users don’t agree to
• using or disclosing the informa�on provide the informa�on? Do they have to
• destroying the informa�on. consent to download the app? If so, is this
The next sec�on contains a summary of the privacy reasonable? Can the user opt out (even if at
principles and informa�on about the risks and the cost of some of the func�onality)?
mi�ga�ons to help you complete your PIA. The full • Can the user change their mind and opt out of
text of the principles is sec�on 22 of the Privacy Act. sharing loca�on later? What will happen to
More detailed advice about what the privacy the informa�on the agency has collected if
principles entail is available on our website they do so?
privacy.org.nz. • Is the user specifically and clearly asked for
permission? How clear is the privacy
Consider the personal informa�on involved in the statement?
project and how the privacy principles apply. • How long is user loca�on informa�on kept
for? Is it aggregated, or linked to the user by
informa�on obtained from elsewhere or from
Key points to cover
the user?
For each privacy principle: • How is the informa�on going to be protected
against misuse and loss?
• Is it relevant? (if not, simply note that it is not
relevant and why). It’s important that the PIA take a cri�cal and impar�al
• Iden�fy the personal informa�on that is approach to these types of ques�ons, as they will
relevant to that principle. drive the design choices the business makes. It’s easy
• Is the change consistent with the privacy to get enthusias�c about the business opportuni�es
principle? If so, how? Or will it enhance resul�ng from collec�ng and using personal
compliance?. informa�on, but considera�on of how the individual
• Does the change create more risks of harm to concerned could be affected leads to beter design in
the individual? If so, how might it adversely the long run – and a greater chance that the product
affect the individual? Or does the change will succeed.
eliminate risks in the exis�ng system?

Example
A new mobile app

A business develops a mobile app that will collect

various items of informa�on about users, including
informa�on about their loca�on. Ques�ons the
company will need to ask about that loca�on
informa�on include:

Privacy Impact Assessment Toolkit 8

3. Iden�fy any privacy risks and how to • iden�fy how to mi�gate serious or medium-
mi�gate them level risks
Ideally, a PIA will iden�fy both risks for the individual, • determine your organisa�on’s a�tude to risk
and opportuni�es to benefit the organisa�on by in the context of this project. Some�mes an
protec�ng privacy beter. While this sec�on focuses on agency may have a very low tolerance to risk –
iden�fying and mi�ga�ng risks, you could use a similar for instance where its rela�onships with its
analysis to iden�fy and maximise opportuni�es. customers or clients are so important that it
can’t afford even rela�vely minor risks to
What is a privacy risk? eventuate.
A “privacy risk” is the risk that a proposal will fail to • iden�fy any serious or medium-level risks that
meet individuals’ reasonable expecta�ons of privacy – the organisa�on decides it is not going to
for instance because it breaches the Privacy Act, or mi�gate.
unreasonably intrudes into their personal space and
personal affairs or runs contrary to what your How to iden�fy the risks
rela�onship with your clients suggests should happen. If your organisa�on is large, there may also be a
specialist team (perhaps Risk and Assurance, Internal
Calcula�ng risk is not simply about assessing whether Audit, or Corporate Compliance) that can help you
the project will be legally compliant. It’s possible to with how the organisa�on generally approaches the
comply with the law and for the behaviour s�ll to issue of iden�fying and managing risk. There may well
affect whether your clients’ reasonable privacy be a specific format that it is best for you to use.
expecta�ons are met. The nature of your rela�onship
with them may suggest that you should give even For organisa�ons without specialist risk frameworks,
beter protec�on than the law requires. The privacy we have provided a template for a risk and mi�ga�on.
principles provide a good framework for asking Populate your risk table with the risks you already
yourself the right ques�ons – both legal and non-legal know about from step 2 and iden�fy the likely impact
– about the impact on your clients. on the individuals. You can then use that as a basis for
Risks to an individual will o�en directly equate to risks a more thorough analysis. Make sure you talk to other
for your organisa�on. Privacy breaches will have a people involved in the project or get a view from an
direct impact on the organisa�on’s reputa�on, and external person who may be able to see risks that you
loss of trust can make it harder and more expensive to have missed. Other possible steps, depending on your
meet the aims of the project. project, could be:

Consider not only the direct risks from the proposal, • a workshop including the key people involved
but also any knock-on effects. If you take too narrow a • a further desk-top review of documenta�on
lens, you may miss an important, wider effect on the • interviews with key people involved.
individuals you deal with.
Common examples of mi�ga�ons include:
How far do I have to go? • minimising the amount of personal
A PIA doesn’t set out to iden�fy and eliminate every informa�on collected
possible risk to an individual from using their personal
• beter and clearer communica�on with the
informa�on or impac�ng on their privacy. However, it
individuals
should:
• allowing individuals to opt in instead or
• iden�fy any genuine risks to the individual making it easy to opt out
(that is, risks that aren’t unrealis�cally remote • designing the system to provide beter
or trivial) security
• assess how serious those risks are. • providing training and support for staff to help
them get it right.
Next:

Privacy Impact Assessment Toolkit 9

Try to ensure that your mi�ga�on solu�on is prac�cal
and sustainable. Reviewing the project once it’s
opera�ng will help to iden�fy whether the mi�ga�ons
are actually working as you’ve planned.

The following page has an example of how a few lines

on this risk table might look, using the earlier example
of a mobile app:

Privacy Impact Assessment Toolkit 10

Reference number R-001 R-002

Aspects of informa�on What informa�on the app collects Third party providing adver�sing through
assessed the app needs access to informa�on (age,
gender)

Descrip�on of the risk The app will collect more Third par�es may misuse this informa�on
informa�on than specified in the for their own purposes (spamming,
privacy statement hacking, etc)

Ra�onale and The app will have greater Data is never truly de-iden�fied so may
consequences for the func�onality and lead to increased be misused exposing individuals to
agency or individual mone�sa�on, but app users may unexpected impacts. Individuals distrust
object to collec�on beyond the unexpected disclosures to third par�es.
current privacy statement
Third party access to user informa�on is a
source of revenue.

Exis�ng controls that The business has a clear purpose De-iden�fy data as much as
contribute to manage for collec�ng the personal possible. Contract with third party also
risks iden�fied informa�on (but app policy does specifies what can and can’t be done with
not currently reflect it) informa�on

Assessment of residual Medium/possible Medium/possible

current risk Moderate harm Moderate harm

Recommended addi�onal Put a process in place to manage Extend contract with third party
ac�on reduce or mi�gate clear no�fica�on and consent for to disallow re-iden�fica�on or reuse of
risk addi�onal collec�on by the app in data for different purposes
line with the new purpose

Residual risk remaining Low/unlikely Low/unlikely

despite new safeguards Minimal harm Minimal harm

Privacy Impact Assessment Toolkit 11

Reference number R-003 R-004
Aspects of informa�on To func�on the app requires a Username and password are collected by
assessed persistent account, �ed to an the app
individual

Descrip�on of the risk Behavioural informa�on is Some users use one password across
collected over �me, in addi�on to mul�ple accounts, which could reduce
personal informa�on collected at the security of the system elsewhere
download/ registra�on

Ra�onale and There is an administra�ve need, as Hard to prevent people from recycling
consequences for the the app won’t work without a passwords. If an external account is
agency or individual persistent account. But app users compromised, all other accounts using
might object to more behavioural the same username and password are
informa�on being collected, and vulnerable, including the app
might abandon it for this reason

Exis�ng controls that Privacy no�ce clearly outlines what Creden�al informa�on is encrypted;
contribute to manage informa�on can be used for (e.g. process to change/reset passwords is
risks iden�fied account persistence, and customer secure; hashed passwords are salted, but
service – which covers targeted this won’t prevent use
adver�sing)

Assessment of residual Low/unlikely Medium/possible

current risk Minimal harm Moderate harm

People o�en do not read the

privacy policy – system design
should s�ll protect them as much
as possible

Recommended addi�onal Amend reten�on policy to ensure Require users to create a unique
ac�on reduce or mi�gate that app user logs are deleted password for the app, changed regularly,
risk when they are no longer needed using criteria unlikely to have been
(easy addi�onal protec�on) demanded by other accounts

Residual risk remaining Low/unlikely Low/unlikely

despite new safeguards Minimal harm Minimal harm

Privacy Impact Assessment Toolkit 12

4. Produce a PIA
The PIA is a major reference point for you and for your
organisa�on. It should at least:

• include all relevant informa�on about the

project and what it is intended to achieve
• describe how informa�on flows through the
system
• include analysis against the privacy principles
and other relevant material to show what the
privacy impacts are (both posi�ve and
nega�ve)
• iden�fy key risks and how to mi�gate any
nega�ve impacts
• recommend any necessary changes
• iden�fy whether the PIA should be reviewed
during the project, and/or once the new
system is opera�ng.

Privacy Impact Assessment Toolkit 13

5. Take ac�on
There’s litle point inves�ng even modest amounts of
�me or resources in a PIA and then failing to take
ac�on. An ac�on list can help you track and manage
the decisions you take because of the PIA.

The ac�on list may contain items to be completed as

part of the project itself, or it can be integrated into
normal opera�ons (such as maintaining a risk register,
or as part of a security ac�on plan).

Make sure that the ac�on list clearly iden�fies who’s

responsible for doing what. Also make sure that it
notes any relevant �melines and con�ngencies (for
example, Ac�on A needs to be completed by date B so
that Stage C of the project can start).

In large or complex projects, there might be several

versions of a PIA. It’s important that any ac�ons or
recommenda�ons from each update of the PIA are
considered throughout the project. This may require
designa�ng someone in the project to take ownership
of the ac�on plan and report on progress, either
within the project or within the organisa�on’s exis�ng
governance framework.

The PIA may iden�fy wider opportuni�es for ac�on, so

you can make privacy-enhancing changes throughout
your organisa�on. For instance, it may show that there
are other parts of your business where you might also
achieve beter security, beter accuracy of
informa�on, and more effec�ve business processes for
managing personal informa�on. If you spot an
opportunity, take it – it’s likely to make your business
beter.

Privacy Impact Assessment Toolkit 14

6. Review the PIA and use it as a checkpoint
once things are in opera�on
Projects are rarely sta�c. Even small projects can
morph as they progress. A PIA that was produced
early in a project’s lifecycle is unlikely to reflect the
current state of a project.

Use your Step 4 report and your Step 5 ac�on plan as

a baseline for considering the project as it progresses.
If there have been changes that have an impact on
privacy, do quick updates of the report and ac�on plan
that record:

• what’s changed
• what the new impact is
• how to address any new risk (or take
advantage of any new opportunity).

This will ensure your PIA con�nues to be used as a

tool to check that the project does what it is meant to
do.

Once the changes are up and running, it is also worth

using the PIA as a checkpoint for how the new process
is opera�ng. Is it working as an�cipated, or are
problems star�ng to emerge and further changes
needed?

Again, using the PIA as a reference point can save you

�me and trouble.

Privacy Impact Assessment Toolkit 15

Other steps that may be useful email request to an external agency, or an
online opportunity to respond).
Get an external view of your PIA
If your project is a substan�al one, or the poten�al
impacts on privacy are par�cularly significant, it will
Establish beter governance structures for
be worthwhile ge�ng someone outside your
organisa�on to check your PIA. They may iden�fy managing personal informa�on
something you’ve missed. They may have a beter idea Protec�ng privacy is an ongoing responsibility, not
of how people who are not close to the project may something that your organisa�on should only consider
react to what your organisa�on is doing – par�cularly as part of a change process.
the individuals who will be affected by the project. Wri�ng a PIA might be the first �me your organisa�on
Examples of people who can give you an external view has had to think about privacy issues. If so, use it as an
might be: opportunity to get people thinking about how to
manage privacy beter across the organisa�on.
• colleagues within your industry
In par�cular, make sure someone in the organisa�on is
• an industry associa�on, Chamber of
tagged with responsibility for managing privacy.
Commerce or representa�ve group
Ensure privacy is one issue that’s considered at the
• Office of the Privacy Commissioner
top table – solid leadership will make it far more likely
• a lawyer or a specialist in privacy law or
that the organisa�on will get privacy right.
informa�on management
• IT specialists, systems architects, security
consultant and so on.
Manage any risks with using third-party
contractors
Consult with stakeholders If your project involves passing personal informa�on
Some projects will benefit from very wide consulta�on to third-party contractors, this is a good opportunity
with stakeholders, both inside the organisa�on and to consider how to manage wider privacy issues
externally. In par�cular, some projects will benefit rela�ng to third par�es who may have different
from consulta�on with the individuals whose standards from your organisa�on.
informa�on you are using, or who will be affected by Ques�ons to ask include:
your project.
• What privacy standards will you be holding
As part of your ini�al analysis, or your informa�on- the contractors to?
gathering exercise, consider who will have the best • Are they capable of mee�ng your
informa�on to contribute or who might best flush out expecta�ons?
the risks posed by the project. If the answer is that • How will you know whether they are
your customers, or your staff, or external stakeholders competent?
might give you valuable informa�on that you can’t get
• How will you know if something goes wrong?
elsewhere, then think about consul�ng with them.
You may be able to rework your standard contracts, or
Iden�fy:
other documenta�on, so that it makes it easier and
• who can give you the informa�on? quicker to think about these issues when you engage a
• when consulta�on is needed and how long it third-party contractor to do work for you in future.
will take (so that you have the informa�on in
�me to use it)
• how far you need to go for it to be useful
• what you will ask them?
• what method you will use to get informa�on
from them (for example, a targeted survey, an
Privacy Impact Assessment Toolkit 16
Align the PIA with the organisa�on’s exis�ng
project-management methodologies
Large organisa�ons tend to have in-house project
management tools. It’s important for the PIA to fit
with the way your organisa�on usually does things so
that it has the best possible chance of being
integrated into your business systems and of being
effec�ve.

For instance, for very large projects, or projects using

“Agile”, or Agile-like methodologies, approaching a PIA
as a series of linked assessments may help the PIA and
the principal project align beter.

Publish your PIA

One of the benefits of doing a PIA is that it can
increase the trust people have in your organisa�on
and their willingness to work with you. If they’re
aware of what you’ve done to manage privacy, they
may have more confidence in you. Publishing the PIA
demonstrates that you take privacy issues seriously
and that you do your best to manage them. If you’re a
small firm, for instance, publishing your PIAs may
demonstrate that you’re a cut above your
compe�tors.

Public-sector agencies should seriously consider

publishing their PIAs to demonstrate accountability,
and as a proac�ve release of official informa�on.

Of course, a PIA may need to be reworked to protect

interests such as commercial confiden�ality, client
privacy, security of informa�on or legal privilege.
Publica�on is not an “all or nothing” exercise – it is
beter to take out certain elements of the report and
publish the rest, rather than not publishing at all.

Privacy Impact Assessment Toolkit 17