Professional Documents
Culture Documents
Name of Program,
Process or Measure:
Date:
PIA Drafter:
Email: Phone:
Program Manager:
Email: Phone:
[For the rest of the document, please delete the italicised descriptive text and, when necessary, replace it with your
own.]
The PIA should consider compliance with privacy obligations from the perspective of the organisation completing it.
Where more than one organisation is involved, each party should undertake a PIA with respect to its own obligations
and authorities. If multiple organisations decide to complete a joint PIA, separate privacy assessments will need to be
undertaken for each party. In this case the PIA should clearly distinguish between the assessments for each
organisation.
1
DRAFT PIA Template v2
2
DRAFT PIA Template v2
The threshold analysis will be in two parts. The firs is the identification of personal information that is currently or will
be used in the project.
The program will collect, use, retain, disclose, dispose the following personal Information.
(Please check the appropriate box)
Personal Information Y N
1 Name
2 Home Address
3 Business Address
4 Email Address
7 Age
8 Date of Birth
9 Marital Status
12 Education
13 Photo
14 Biometrics
15 Political Association
15 Philosophical Beliefs/Orientation
16 Health
3
DRAFT PIA Template v2
17 Sexual life/preference/practice
Y/N Explanation/Comments
4
DRAFT PIA Template v2
If this program will not collect, use or disclose any of the above information, please proceed to Part 5 Summary of
Assessment and Sign Off
N.B. Not using personal information, when warranted, can also raise potential risks. Please make sure that you are
not sim[ly trying to avoid doing a full-blown PIA when you declare that the project is not using personal
information.
5
DRAFT PIA Template v2
1 1
2 2
3 3
4 4
6
DRAFT PIA Template v2
7
DRAFT PIA Template v2
Yes No
Transparency
1 Are data subjects aware of the nature, purpose, and extent of the processing of his or
her personal data?
2 Are data subjects aware of the risks and safeguards involved in the processing of his or
her personal data?
3 Are data subjects aware of his or her rights as a data subject and how these can be
exercised?
4 Is there a document available for public review that sets out the policies for the
management of personal information?
Please identify document(s) and provide link where available
________________________________
________________________________
5 Are there steps in place to allow an individual to know what personal information it
holds about them and for what purposes it collects, uses and discloses it?
8
DRAFT PIA Template v2
Yes No
Proportionality
2 Is personal information being processed because the purpose of the processing could
not be reasonably fulfilled by other means?
Collection Yes No
2 Is individual consent secured prior to the collection and processing of personal data?
6 Is it not possible for the individual to remain anonymous for the purpose of the
program?
9
DRAFT PIA Template v2
Yes No
Use and Disclosure
1 Personal information will only be used or disclosed for the primary purpose
identified?
3 If using personal information for a secondary purpose, which of the following applies?
The individual has consented to the use or disclosure
The secondary purpose is related to the primary purpose,
The individual would reasonably expect the organisation to use or disclose
the information for the secondary purpose
Necessary for research, or the compilation or analysis of statistics in the
public interest. If yes, please explain
_____________________________________________________
_____________________________________________________
_____________________________________________________
To lessen or prevent a serious and imminent threat to an individuals life,
health, safety or welfare;
To lessen a serious threat to public health, public safety or public welfare
On suspicion or unlawful activity as part of reporting its concerns to relevant
persons or authorities
As required or authorised by law Please site the relevant law:
_________________________________________________
1 Please identify all steps taken to ensure that all data that is collected, used or
disclosed will be accurate, complete and up to date.
10
DRAFT PIA Template v2
1 The program has taken reasonable steps to protect the personal information it holds
from misuse and loss and from unauthorised access, modification or disclosure?
2 If yes, which of the following has the program undertaken to protect personal
information across the information lifecycle:
identifying and understanding information types
assessing and determining the value of the information
identifying the security risks to the information
applying security measures to protect the information
managing the information risks.
1 The program will take reasonable steps to destroy or de-identify personal information
if it is no longer needed for any purpose.
If YES, please list the steps
_______________________________________
_______________________________________
Yes No
Cross-border Data Flows (optional)
11
DRAFT PIA Template v2
3 The organisation has taken reasonable steps so that the information transferred will
be held, used and disclosed consistently with the DPA of 2012
If YES, please describe steps:
12
DRAFT PIA Template v2
For the purpose of this section, a risk is something that could lead to the unauthorised collection, use, disclosure or
access to personal information.
The first step in managing risks is to identify them by identifying threats and vulnerabilities and evaluating Impact and
likelihood and providing a risk rating for each phase of the information life cycle.
Threat "a potential cause of an unwanted incident, which may result in harm to a system or organization;
Vulnerability a weakness of an asset or group of assets that can be exploited by one or more threats;
Impact - severity of the injuries that might arise if the event does occur (can be ranked from trivial injuries to
major injuries); and
Collection 1
Use 1
Retention 1
13
DRAFT PIA Template v2
Disclosure/ 1
Data Sharing
2
Disposal 1
The next step is Risk Treatment or the process of selection and implementation of measures to modify risk.
From the risks identified in the previous section, list existing controls to treat the risks, if any, identify proposed
mitigation measures
14
DRAFT PIA Template v2
(H/M/L
)
15
DRAFT PIA Template v2
Summary
Insert a summary or overview of the most significant findings in relation to both identified privacy risks and identified
privacy-enhancing features. Where appropriate also include critical recommendations. The summary should include an
overview of which privacy risks cannot be mitigated, the likely public reaction to such risks, and whether the risks are
outweighed by the public benefit in the project proceeding.
Signatures
16