privacy impact assessment (PIA)
What is a privacy impact assessment?
A privacy impact assessment (PIA) is a method for identifying and assessing privacy risks throughout the development lifecycle of a program or system. These assessments state what personally identifiable information (PII) is collected and explain how that information is maintained, protected and shared.
Regardless of where PII is stored, it must be protected from data breaches and other cyber attacks. Information systems need technical and procedural safeguards in place to prevent privacy violations, and a PIA is the tool that identifies which safeguards are required and where they are missing. This matters most when a security incident also exposes personal data, because the privacy consequences of the event are then part of the incident itself.
What's included in a privacy impact assessment?
Privacy impact assessments are mandated for U.S. federal government agencies but are not generally required of private-sector organizations under U.S. law. Outside the U.S. the picture differs: the EU's GDPR requires a closely related data protection impact assessment for high-risk processing regardless of sector. Industry experts recommend that medium to large organizations that regularly handle PII conduct regular PIAs as part of their overall data privacy and data governance programs.
A PIA should identify the following:
- Whether the information being collected complies with privacy-related legal and regulatory compliance requirements.
- The risks and effects of collecting, maintaining and disseminating PII.
- Protections and processes involved in information management and data processing to mitigate potential privacy risks.
- Options and methods for individuals to provide consent for the collection of their PII.
How is a PIA performed?
PII and related data are typically stored and processed across a variety of information systems. As a result, an organization's information technology (IT) department is often the first point of contact for a PIA. Systems in development as well as in production are candidates for PIAs; assessing a system before it goes live is preferable, since design changes are cheaper then.
Templates and software packages are available to assist in developing PIAs. They generally follow these basic steps:
- Secure approval from management to conduct a PIA.
- Define the purpose and goals of the PIA.
- Establish a PIA team to gather data and perform the assessment.
- Gather data, such as an inventory of the PII collected, where it is stored, how it flows between systems and third parties, how long it is retained, who has access to it, and the existing controls that protect it.
- Identify the privacy controls to be assessed.
- Determine if the assessment will be performed manually using a template or using software designed to perform assessments.
- Conduct the assessment, ensuring the controls are addressed and evidence of how privacy is maintained is provided.
- Schedule a preliminary review of the draft report with stakeholders.
- Complete the report, updated with amendments from the review process, and present the finished report to management.
Government regulations that require PIAs
Many nations have laws and regulations addressing privacy protections and requiring privacy programs. U.S. government agencies completing PIAs must make the reports available to the public. The following are some significant laws and regulations:
- E-Government Act of 2002. Under Section 208 of the U.S. E-Government Act, federal agencies must conduct PIAs before developing or procuring IT systems that collect, maintain or disseminate personal information in identifiable form, and before initiating new electronic collections of such information. Federal agency CIOs, or an equivalent official as determined by the head of the agency, are responsible for ensuring that the PIAs are conducted and reviewed for applicable IT systems. The Act also mandates a PIA be conducted when an IT system is substantially revised. Federal agencies, such as the Department of Homeland Security, the Department of Commerce and the Department of Health and Human Services, offer guidance and templates to assist with developing and writing these PIAs.
- Privacy Act of 1974. This law includes a code of fair information practices that governs the collection, maintenance, use and dissemination of information about individuals. The Privacy Act applies to personal data that federal agencies hold in systems of records, meaning any group of records under agency control from which information about an individual is retrieved by name or by another personal identifier. The Act also prohibits agencies from disclosing such records without the individual's written consent, except where one of 12 statutory exceptions applies.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Privacy and Security Rules, codified at 45 CFR Part 164, govern how covered entities and their business associates handle protected health information. The Security Rule requires covered entities to conduct a risk analysis of the threats to electronic protected health information; a PIA is a common way to perform and document that analysis, and Part 164 is often the yardstick used in privacy audits.
- General Data Protection Regulation (GDPR). Article 35 of the European Union's GDPR requires a data protection impact assessment (DPIA) before processing that is likely to result in a high risk to individuals, such as large-scale processing of sensitive data or systematic monitoring. A PIA covers the same ground and provides the documented evidence regulators expect that an organization has identified and mitigated privacy risks. Significant financial penalties can be assessed for noncompliance with GDPR.
The benefits of conducting PIAs
In addition to demonstrating compliance with privacy laws and regulations, PIAs help build public trust and confidence in an organization and its business processes. They document which information is collected, how and where it is stored, which systems manage it, and who is permitted to access it.
PIAs are also important evidence in privacy audits and general IT audits. Because a PIA establishes exactly what PII an organization holds, where it resides and who can reach it, it lets the organization minimize collection, retire unnecessary data and tighten access controls. That reduces both the likelihood of a data breach and the amount of personal data exposed if one occurs.
Privacy impact assessment vs. privacy impact statement
PIAs examine the many aspects of how information is protected and its privacy assured. The results of a PIA can be presented in a summary report called a privacy impact statement.
Data protection impact assessments (DPIAs), the GDPR's term for a closely related exercise, are likewise used to evaluate potential risks to sensitive information.