Privacy Impact Assessment Triggers: When Should You Do a PIA? 

Privacy Impact Assessments are a powerful and often overlooked tool. They’re a compliance requirement, in some cases, but beyond this they also serve as a strategic asset that aligns business objectives with privacy considerations. In summary, they can help organisations adopt a more ethical, responsible, and resilient approach to data management – generating customer trust along the way. But when should you do a PIA? In this post, we outline some scenarios that warrant the initiation of a privacy impact assessment.  

Refresher: What is a Privacy Impact Assessment 

A Privacy Impact Assessment (or PIA) is a tool that can help organisations understand the impact of a project or activity on personal privacy. It facilitates the evaluation of strategies to effectively manage, mitigate, or reduce privacy risks.  PIAs play a pivotal role in risk identification and management, acting as a safeguard against potential loss of trust and reputation. Furthermore, PIAs can help inform the organisation’s communication strategy and ensure compliance with legal requirements. 

Ultimately, privacy impact assessments are a compliance and business tool.  

Why Complete a Privacy Impact Assessment 

To determine when you should complete a PIA, it can be helpful to consider why you’re completing a privacy impact assessment.  

There are three common reasons organisations complete a PIA:  

1. Compliance with privacy laws.  
2. Identifying privacy risks.  
3. Building trust with stakeholders, regulators, and customers.  

Historically, organisations approached PIAs as a checkbox exercise for legal compliance. However, with heightened awareness among customers about the implications of data collection, there is a shift towards using PIAs as a proactive tool. Increasingly, organisations are leveraging PIAs to diligently identify and mitigate privacy risks as early as possible, fostering trust as an integral part of their data management practices.  

Common Privacy Impact Assessment Triggers 

Below is a non-exhaustive list of common scenarios that should prompt the initiation of a PIA: 

Introducing new products or services  

In the realm of PIAs, a “product” is any offering that involves the collection, processing, or handling of personal information. Some practical examples of products and services that should trigger a PIA include:  

• Launching a mobile version of your website.  
• Introducing a loyalty program or an online account option.  
• Creating an app.  
• Switching to a cloud-based document management system.  
• Adding cameras to existing products to gather data (As an aside: The US is currently considering sweeping laws mandating companies to disclose the installation of hidden cameras or audio recorders on devices where such features would not be anticipated.  Additionally, customers are likely to find this invasive, particularly if the products collect ‘unexpected’ data – a concern exemplified by instances such as gig workers analysing data for Roomba, where images of a woman in a compromising position were shared.  

• Introducing employee tracking.  
• Adopting a subscription model for payment (since these involve you storing financial information). 
• Applying new technologies to store, use, share, or otherwise manage data.  
• Introducing user authentication methods, especially when biometrics are involved. 

Introducing new methods of data collection and storage. 

Any new or updated methods you adopt to collect or store personal information should prompt the initiation of a privacy impact assessment. For example: 

• Digitialisation of paper records.  
• Data scraping for additional information  
• Introducing a customer relationship management system.  
• Adding a scheduling tool.  
• Increasing the collection of personal information, such as adding new fields to existing forms.  

Changes to your data sharing practices.  

Any changes to your data-sharing practices should trigger a PIA, for instance:  

• Outsourcing – engaging external entities for data processing or management.  
• Adopting new data analytics technologies.  
• Engaging a direct marketing agency.  

Legal Triggers for a PIA: Compliance in Australia 

Presently, Australian government agencies must undertake PIAs on ‘high privacy risk projects’ under the Privacy (Australian Government Agencies – Governance) APP Code 2017 (AGA Code). However, the Privacy Act 1988 (Cth) does not explicitly require non-government covered entities to undertake PIAs. Despite this, recent determinations by the Information Commissioner have interpreted APP 1.2 as necessitating covered entities to complete a PIA before commencing certain high-privacy-risk activities.  

In context, APP 1.2 requires covered entities to take such steps as are reasonable in the circumstances to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs). Supplementary guidance from the OAIC suggests that covered entities should consider implementing PIAs for new projects involving the handling of personal information or when proposing changes to existing information-handling practices.  

As part of proposed reforms to the Privacy Act, there is a recommendation that all covered entities be obliged to conduct a PIA prior to engaging in a ‘high privacy risk activity’. This is likely to be defined as a function or activity with a significant impact on individuals’ privacy. An indicative list of high-privacy-risk activities could include: 

• Collection, use or disclosure of sensitive information on a large scale 
• Collection, use or disclosure of children’s personal information on a large scale 
• Online tracking, profiling and the delivery of personalised content and advertising to individuals  
• Ongoing or real-time tracking of an individual’s geolocation 
• Use of biometric templates or biometric information for the purposes of verification or identification  
• Sale of personal information  
• Collection, use or disclosure of personal information for the purposes of automated decision making with legal or significant effects  

This anticipated reform underscores the importance for pushing a proactive and comprehensive approach to privacy management, particularly in the face of activities with heightened privacy implications.  

Organisations should also consider their obligations outside of Australia too. For instance, if subject to the EU’s GDPR, stringent requirements for data privacy impact assessments apply. 

Learn More About What Goes Wrong If You Don’t Complete a PIA 

We’ve written previously about the Australian Federal Police and their failure to complete a privacy impact assessment, not once (with Clearview AI) – but twice (with their use of Auror). 

If you’re considering the introduction or enhancement of your organisation’s approach to privacy impact assessments, don’t hesitate to reach out to us.  

Our team is dedicated to simplifying the PIA process for you. We offer a range of templates, resources and tools to ensure the delivery of a PIA that aligns with your requirements but also ensures that privacy compliance is ‘built-in’ to your products, services and business processes, rather than being hastily added as an afterthought.