How to carry out a privacy impact assessment on your dataset

A privacy impact assessment (PIA) is a tool used by agencies to help them identify and assess the privacy risks arising from their collection, use or handling of personal information. A PIA will also propose ways to mitigate or minimise these risks.

Privacy impact assessment toolkit

The Office of the Privacy Commissioner provides agencies with a Privacy Impact Assessment Toolkit.

There are two parts to the toolkit.

Part one

First, there is guidance on how to assess whether or not you need to do a PIA and, if you do, how in-depth the assessment may need to be.

If the assessment will turn out to be complex, you may want to think about getting help from an external privacy expert. If you might not need to do a full PIA, you can also do a brief privacy analysis. This will be a helpful record of your decision and a reference to the basic details of the data you have gathered and why.

Part two

There is then a step-by-step guide on how to successfully complete a PIA, including:

  1. Gather all the information you need (the personal information involved, and why it has been collected)
  2. Check against the privacy principals (see: What is Personal Identifiable Information and the Privacy Act)
  3. Identify any real privacy risks and how to mitigate them (this is where it is helpful to have someone familiar with privacy helping with your PIA. The Office of the Privacy Commissioner can always help with advice)
  4. Produce a PIA report
  5. Take action
  6. Review the PIA and use it as a checkpoint once things are in operation (are problems starting to emerge and further changes needed?)

Detailed Guidance

Do I need to do a PIA when releasing open data?

Open data does not generally include personal data. However, this doesn’t mean that personal information cannot be inferred from datasets released as open data. Always consider whether you need to do a privacy impact assessment. You may not need to if the data is something like the location of road signs, but it's a good habit to always think about whether there might be privacy concerns.  

Top