What is a Privacy Impact Assessment (PIA)?
A PIA is a tool used to assess the privacy impact of, and the risks to, the personally identifiable information (PII) stored, used, and exchanged by information systems. A PIA evaluates privacy implications when an information system is created, when an existing system is significantly modified, or when new technology is purchased.
Here are just a few benefits of a PIA:
+ It provides a proactive approach to privacy management.
+ It evaluates whether appropriate privacy protections and necessary mitigation or safeguards are present.
+ It applies privacy requirements, complementing organization-wide compliance activities (e.g. HIPAA privacy).
+ It enhances current data inventories of information collected, used, stored, and exchanged by systems.
+ It provides opportunity for additional education and awareness about privacy.
When should a PIA be conducted?
To be effective, a PIA should be an integral part of the project planning process. It should be conducted to evaluate information privacy and security throughout the lifecycle of a system, product, or project, and whenever PII is shared or exchanged with other organizations or Departments.
A Department should:
+ Start early, so that project risks are identified and understood before problems become embedded in the design.
+ Incorporate the PIA into the project initiation phase.
+ Start today if the project is already underway, so that any major issues are identified with the minimum possible delay.
The Privacy Impact Assessment is a new program. We welcome your feedback and suggestions for improvement.
Privacy Impact Assessment Guidance
Privacy Impact Assessment Tool
Please contact Lori Tarr for information on completing the PIA. (firstname.lastname@example.org)
Privacy Impact Assessment Training
Power Point Slides: Part 1 - Part 2
Test your knowledge! Privacy Quiz