A Privacy Impact Assessment (PIA) is an important component of the University's protection of privacy and is to be implemented as part of the University's privacy by design requirement under the Privacy Act 1988 (Cth).
A PIA identifies how a new or revised project or system can have an impact on an individual's privacy, and makes recommendations for managing, minimising or eliminating those privacy impacts.
The PIA process should be included as part of the project and system planning processes, and recorded in the project plan and risk reporting. It should be revisited and updated when changes to a project or system are considered.
The first step is determining whether a PIA is required.
A PIA is beneficial for any project or system that involves new or changed ways of handling personal information. If the project or system will not handle any personal information or the project or system does not propose any changes to existing information handling practices (and where the privacy impacts of these practices have been assessed previously and found to be appropriate), no PIA is required.
A PIA is likely to be required if:
- personal information is collected in a new way;
- personal information is collected in a way that might be perceived as being intrusive;
- personal information will be disclosed to another agency, a contractor, the private sector or to the public; or
- there is a change in the way personal information is collected, disclosed, retained, stored or secured or "handled".
The Privacy Impact Assessment Guideline provides detailed advice.
Examples of PIAs are available:
For more information or assistance contact the ANU Privacy Officer by email at firstname.lastname@example.org