Privacy Impact Assessment

Executive Summary

Key Questions: What is a Privacy Impact Assessment? How would my organization go about conducting and using one?

This article serves as an overview of a Privacy Impact Assessment and the elements involved in conducting one. Additional resources for conducting a Privacy Impact Assessment are provided throughout.

A Privacy Impact Assessment (PIA) is a structured risk management methodology that helps organizations to identify and manage the privacy risks associated with new information systems and programs. It is a tool to be used by system developers and program managers to identify and resolve privacy issues before they become problems. Additionally, the PIA report provides evidence to regulators, customers, and other stakeholders that the organization has undertaken appropriate due diligence with respect to privacy.[1]

For a high-level overview of how to conduct a PIA, see the Privacy Impact Assessment Methodology. To determine whether conducting a PIA is necessary, consult the Privacy Impact Assessment Threshold Assessment.

We are interested in generating some discussion on this topic in our Healthcare Privacy Community. Please visit this space to join the conversation.


Privacy Impact Assessment Components

  • Executive Summary
    • The Executive Summary provides a brief description of the initiative and a summary of the principal findings of the PIA including safeguards, residual risks and recommendations. The Executive Summary is often released to regulators, customers and auditors as evidence of privacy due diligence.
  • Background and Context
    • The Background and Context section describes the initiative at a high level including a description of the system, benefits to customers and consumers, and the external regulatory, business, and economic environments.
  • Regulatory and Legislative Analysis
    • The Regulatory and Legislative Analysis is a survey of privacy laws and regulations for each government jurisdiction in which the system or program will operate. The analysis identifies applicable regulatory requirements and provides a current assessment of compliance with those requirements. Recommendations for bringing the initiative into compliance are included.
  • Organizational Privacy Assessment
    • The Organizational Privacy Assessment considers the adequacy of organizational privacy controls mandated by legislation and regulatory authorities. This includes information governance, policies and procedures, contracts with third parties, privacy and security training, monitoring and audit, and breach management and notification protocols.
  • Solution Privacy Assessment
    • The Solution Privacy Assessment considers the adequacy of privacy and security controls associated with the technical and business solution. This includes a detailed review of the solution architecture, development of a data inventory and a detailed mapping of data flows for each business process. The assessment also considers the adequacy of mandated privacy requirements such as data residency, consent management, patient access to personal information, and audit functionality.
  • Privacy Risk Assessment
    • The Privacy Risk Assessment will consider the impact and likelihood of various threat scenarios associated with the solution. The analysis will determine the severity of the risks and make recommendations to manage those risks accordingly.
  • Conclusions and Recommendations
    • The Conclusions and Recommendations section will summarize the findings of the PIA, including observations, risks and recommendations, and will prioritize the recommendations.[1]