Privacy Impact Assessment Part 2 FA

This document provides guidance on conducting a Privacy Impact Assessment (PIA). It outlines the basic steps to complete a PIA, including gathering necessary information, checking against privacy principles, identifying risks and mitigations, producing a report, taking action, and reviewing the PIA. It also discusses questions to consider before starting a PIA, such as when it should be conducted, how long it will take, who should complete it, and whether to involve the Privacy Commissioner. The document aims to help users understand the PIA process and determine the appropriate scope and detail needed based on their specific project.
PART 2: HOW TO DO A PRIVACY IMPACT ASSESSMENT (PIA)
Part 2: Contents

A step-by-step guide to doing a PIA 3

Questions to answer before you start 4

Steps that feature in every PIA 8

Other steps that may be useful 16

Part 2: Appendices 18

Appendix A: Template – Privacy Impact Assessment Report

Appendix B: Template – Risk and Mitigation Table

Appendix C: Privacy Risks and Mitigations – Examples

Appendix D: Other Resources

ISBN No. 978-0-478-11743-1 Privacy Impact Assessment Toolkit 2


A step-by-step guide to doing a PIA

What’s included in this part of the toolkit

This second part of the toolkit sets out:
• questions to answer before you start any Privacy Impact Assessment
• key steps involved in any PIA and what each of those steps involves
• further steps to consider if your project is more complex or the risks are more significant.

We’ve also included other tools in the appendices:
• a PIA report template to record the information you gather and make decisions based on that information
• a risk management template to record any risks you identify and what you can do to mitigate them.

Deciding what steps you’ll need to work through

The scale and complexity of your PIA will depend on the scale and complexity of your project. Only go as far as you need to for your particular project. For simple projects, the PIA process may be very quick and the PIA report may end up being only a couple of pages long. If your project is more complex, the resulting PIA report may be long, detailed and highly technical – but if that’s the tool you need to do the job successfully, then it’s likely to be worth the investment.

There are a number of steps that need to be a feature of every thorough PIA. Then there are some other steps that may also be useful, depending on the size and complexity of your project.

Steps that feature in every PIA

The basic steps in every PIA are:
1. Gather all the information you need to do the PIA and sketch out the information flows
2. Check against the privacy principles
3. Identify any real privacy risks and how to mitigate them
4. Produce a report (use our report template to help)
5. Take action
6. Review and adjust the PIA as necessary as the project develops.

See page 8 for more detail.

Other steps that may be useful

If your project is more complex, you may need to add various other steps into your planning. These can include:
• Get an external view of your PIA
• Consult with stakeholders
• Establish better governance structures to manage personal information
• Manage any risks with using third-party contractors
• Align the PIA with the organisation’s existing project-management methodologies
• Publish your PIA.

See page 16 for more detail.



Questions to answer before you start

This section sets out some basic questions to answer before you start doing your PIA:
• At what point in my project will a PIA be most helpful?
• How long do I need, and how detailed should the PIA be?
• Who should do the PIA?
• Who do I need to talk to as part of the PIA?
• Do I need to involve the Privacy Commissioner? And if so:
  – At what stage?
  – What can they do to help?

At what point in my project will a PIA be most helpful?

A Privacy Impact Assessment isn’t a last-minute legal compliance checklist – rather it’s an active tool to help inform the major decisions involved in planning and implementing your project. Therefore doing a PIA early in a project’s life is going to be most useful.

The PIA will help you get the system and operation design right, and avoid expensive and time-consuming pitfalls further down the road. Flushing out the potential issues at the conceptual stage of the project will show you what implementation details you’re going to need to address. It will help you craft a more accurate project plan, as well as providing greater assurance that the project will be successful.

EXAMPLE: PIA as part of the design of a new IT system

If your project is a new IT system that collects, stores or processes personal information, it will be risky to put off doing a Privacy Impact Assessment until after you’ve already tendered for and designed the system. The PIA will help you design the system to manage that personal information well. You’ll find it much harder and a lot more expensive to redesign or rebuild the system later to address any risks that the PIA exposes.

Building PIA checkpoints into your project plan

Inevitably, projects change during their lifetimes. You may not be able to answer every question in an early PIA – more information may come to light later. This is normal.

To manage this, build one or more PIA checkpoints into your project plan, where you’ll ask whether anything significant has changed since you did the PIA. If it has, then slot that information into a new version of the PIA, and go back through the steps to check that there are no new privacy risks or, if there are, that the new risks are clearly identified and managed.



This diagram shows how a PIA fits into the life of a project.

[Diagram: Privacy Impact Assessment throughout an initiative. Project stages run IDEA (decide whether to do a PIA) → DEFINITION → DESIGN → ACTION (for example software development, purchase, contract, policy drafting) → TEST → USE (review). The PIA, with ongoing updates as things change, runs alongside the DEFINITION, DESIGN, ACTION and TEST stages.]



How long will I need, and how detailed should the PIA be?

The information you gathered when you decided you needed a PIA should give you a good indication of the likely size and scope of the PIA process. Now it’s time to ask further questions – this will check that you know exactly what the PIA will involve, what resources it’s going to consume, and where it fits in the overall project plan.

Developing clear terms of reference for the PIA is a useful way to tease out the scope of the PIA.

Here are some of the key questions you’ll probably need to answer about the size and scope of the PIA:

SIZE AND SCOPE OF THE PIA
Key questions to answer
• What will the PIA cover?
• What areas are outside scope?
• Is this just a “desk-top” information gathering exercise, or do I have to get information from a wide variety of sources?
• Who needs to be involved and when will they be available?
• Where does the PIA need to fit in the overall project plan and timelines?
• Who will make decisions about the issues identified by the PIA? What information do they need and how long will it take to get sign-off from them?
• Do I need to consult with anyone (for instance the individuals whose personal information the project will involve)? When and how should this happen?
• Are there any third parties involved and how long do I need to allow for them to play their part?

Who should do the PIA?

You don’t need to be a privacy specialist to put together a straightforward PIA. It doesn’t have to be done by your organisation’s privacy officer, or a lawyer. However, it’s useful if the project team includes someone who is reasonably familiar with privacy – someone who is able to advise you about the privacy principles and the potential privacy impacts of the project.

If the PIA will be particularly complex, or particularly central to the success of the project, it’s worth thinking about hiring an external expert. Even where an external specialist is brought in, though, it’s good practice to involve internal staff as well – this builds knowledge inside the organisation, and will make it easier to do future PIAs without outside help.

“PIAs are a practical tool for making data protection part of an organisation’s culture, so that in time it becomes a more automatic and reflex action.” (Privacy Victoria)

Whoever you use to do the PIA, it’s important that they have access to all the people who can give them the information that’s needed.



Who do I need to talk to as part of the PIA?

Most of the people with the information you need for the PIA are going to be involved in the project. However, there may be some external stakeholders you also need to talk to.

Make sure you’re aware of who has the information you need, and when they’re going to be available.

If you’re a small organisation, there will only be a few people in the organisation you’ll need to look to – the information might even all sit on one person’s desk. In these cases, think about whether there are people outside your organisation who you can get some advice from – for example, business colleagues, the local Chamber of Commerce or the Privacy Commissioner.

PEOPLE WHO MIGHT NEED TO BE INVOLVED OR WHO CAN PROVIDE ADVICE:
• People who are familiar with privacy, particularly the organisation’s privacy officer
• People who deal with security in your organisation – they’re likely to be familiar with what you’re trying to achieve
• Business analysts and other project staff who will understand the business aims, what’s being put in place, and when various steps need to be taken
• IT advisers who’ll be able to provide information on the systems being used, how the personal information will flow through the system (including how it will be stored and processed), and whether there are any security implications
• Marketing and communications advisers who will help in understanding how the organisation uses information and can help coordinate any consultation needed for the PIA
• Risk and assurance people who can help you identify risks, controls and other actions
• Specialist staff groups who are affected by any proposals for handling personal information, such as call centre staff, information management staff, or human resources – they can give you the best information about how things will work on the ground
• Customer or consumer groups.

Do I need to involve the Privacy Commissioner?

Are you required to talk to us?

If your project involves draft legislation that affects personal information, or an authorised information-sharing or information-matching programme, or if a statute says the Privacy Commissioner has to be involved, then the lead Government agency is required to consult us.1

Otherwise, it’s not compulsory to come and talk to us. However, many organisations find it useful to use us as a sounding board for projects that are larger, or that could result in serious harm to individuals if not done properly, or that use technology to collect or use large quantities of personal information.

We won’t do the PIA for you, but we can give you some basic advice and point out possible misconceptions or danger areas.

At what stage should you talk to us?

It’s best if you start your PIA early in the life of your project, and then consult with us as soon as you’ve completed a reasonably full draft PIA report, but while the project is still at the concept stage.

In this way we may be able to give you a heads-up early on about some potential areas that tend to raise concerns with the public, or that lead to complaints, or that we, as the regulator, may have a problem with later on.

Having a reasonably full draft PIA report to look at will give us a clearer view about what your project will do and why, and what personal information is involved. We can then discuss whether the project looks like it will comply with the privacy principles, or whether there are other resources or examples that you might be able to refer to for help.

By doing your PIA early in your project, you’ll be able to consider whether you should adjust your project based on the advice we provide. If we hear about your project only at the last minute, we can still give you advice – but your ability to act on it may be more limited, especially if there are already a lot of sunk costs in the system.

1. The Cabinet Manual requires government agencies to consult with the Privacy Commissioner when putting forward policy proposals or draft legislation that affects personal information. Part 9A of the Privacy Act (approved information-sharing agreements) and Part 10 (authorised information-matching programmes) specify when and how the Privacy Commissioner has to be consulted.



Steps that feature in every PIA

IT’S ABOUT COVERING ALL THE BASES – NOT THE ORDER OF THE STEPS

As you work through the key PIA steps we discuss in this section, remember that it’s the content of each step that matters – not the order you do them in.

A Privacy Impact Assessment often won’t be a linear process. For instance, checking against the privacy principles may make you realise you need more information. Or you may realise you don’t know how to take action because you haven’t identified the risks sufficiently. Or sometimes once you start thinking about the PIA, a key problem may become evident – you may find that if you fix that straight away, the rest of the project will fall into focus.

So don’t be concerned if you find yourself doing things in a slightly different order from how we’ve set out the steps below.

Step 1. Gather all the information you need

The information you put together when you were deciding whether to do the PIA will be a good start for doing the PIA itself. Now is the time to gather together all the details about what personal information the proposal involves and what is going to happen to it.

The key tasks here are:
• Describe the project – especially the purpose of changing what happens with personal information
• Describe the personal information involved and what will happen with it
• Describe the organisational context.

As you complete each of those tasks, add the information to a draft report. You can use our “Privacy impact assessment report” template (see Appendix A, at page 18) as the basis for the report (adjust it as necessary to fit your organisation and project).

You can use the report either as a briefing document for managers or other decision-makers, or – if the decision is your own – as a record of what you decided to do and why.

Describe the project – especially the purpose of changing what happens with personal information

A PIA is a tool to help you achieve the aims of your project or your organisation more generally while also protecting personal information. There is often more than one way of designing a project to accomplish what is intended – a PIA will help to identify the least intrusive way of achieving that aim.

A major key to success is having a clear understanding of what the change is aiming to achieve, and how it will support your organisation’s work.

KEY POINTS TO COVER
• Describe the project briefly
• Describe the purpose of changing what happens with personal information – what is the business aim in making the change?
• Is the project a one-off activity, or does it involve a change to your ongoing information-management systems?



Describe the personal information involved and what will happen with it

The focus of any PIA is the personal information involved in the project and the positive or negative effects that the project may have on the privacy of the individuals affected by it.

It’s important to think about the whole lifecycle of the personal information. For instance, the PIA will need to consider how that information is going to be stored, who’s going to use it and why, how it’s going to be kept up to date, how long it will be kept for, and what will happen if the individual whose information it is asks to see it. Without considering the whole lifecycle of the information, you won’t be able to spot where the problems or the opportunities occur.

You’ll also need to consider a broader range of information-management questions if, for example, your project involves sharing information with another organisation so that the individuals can receive a service more efficiently. You’ll need to consider whether the sharing of information will take the individual by surprise – perhaps because it’s different from what they were told when you collected the information from them? If so, will you need to tell them what’s going on? Also, how will you make sure the information is kept secure when it’s being sent to the other agency, and that it won’t be accessible to people who could misuse it?

DESCRIBE THE FLOW OF PERSONAL INFORMATION THROUGH ITS LIFECYCLE IN YOUR ORGANISATION
Key questions to answer
• What personal information is currently collected and used? How does it flow through your organisation’s systems?
• How will your project change the information flow?
• Describe all the changes to personal information involved in the project. For instance:
  – Is new personal information being collected? If so, where is it coming from?
  – If the project involves information your organisation already holds, will you be using the information for a different purpose? If so, why and how?
  – What measures are in place to ensure the information is accurate and up to date?
  – Will your organisation tell the individuals what’s happening to their information? If so, how will it tell them?
  – Who will have access to the information inside your organisation? Who will have access to it outside the organisation?
  – How long will the information be kept for? How will it be disposed of?



[Diagram: example information flow. Personal information passes from the INDIVIDUAL to FRONT-LINE ADMINISTRATION STAFF (e.g. people responsible for sending out communications about agency practice) and the INDIVIDUAL’S CASE MANAGER, and on to EXTERNAL AGENCIES ACTING AS SERVICE PROVIDERS TO THE INDIVIDUAL. Inside the agency it also flows to AGENCY INTERNAL BUSINESS GROUPS (e.g. agency staff who provide support through legal or business services) and AGENCY ADMINISTRATION (e.g. people responsible for keeping client and agency records accurate and up to date). Outside the agency it flows to EXTERNAL AGENCIES WITH SECONDARY PURPOSES (e.g. agencies with mandates to collect information, under statute or through an information sharing arrangement) and EXTERNAL AGENCIES WITH GOVERNANCE ROLES (e.g. outside agencies that report on and/or audit the agency).]

Using information flow diagrams

There are many ways in which you can set out the lifecycle of the personal information. However, an information flow diagram – or a series of diagrams – can be a particularly clear and simple way of showing exactly where personal information is coming from, where it’s going, how it’s going to be used, and who it’s going to be used by (see example above). This can help you identify measures that can improve information security and reduce privacy risks.

Describe the organisational context

It’s important to consider privacy implications in the context of the project as a whole, and in light of how your organisation works – particularly its existing approach to handling personal information. For example, you’ll need to know whether any risk mitigation or other change that you recommend for the project is likely to be workable in the context of the organisation as a whole.

Considering the organisational context will also help you be aware of the likely downstream effect of the project in your organisation and enable you to predict and address potential privacy risks. For example, if your project involves one division of your organisation collecting a new piece of personal information for a particular purpose, how long will it be before another division decides they could use it too? Anticipating this kind of potential “scope creep” is an important part of any PIA.

Types of background information to include

Bring together the necessary background information about your project and organisation. This might include:
• Governance, management and roles and responsibilities describing privacy in your organisation (your privacy officer or legal team should be able to help you with this)
• Policies, standards and procedures relating to personal information (such as privacy statements, and retention or security policies)
• How privacy fits in with risk management in your organisation (for example, does your risk management framework consider risks to the people whose information you hold, rather than just risks to the organisation?)
• Overall processes and controls that affect privacy, such as disposal processes
• Security controls, such as how access to your information systems is managed
• Training and awareness programmes on privacy and security
• Monitoring and auditing of any incidents that occur, and how these are dealt with.
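An information flow diagram is easier to keep current if the flows behind it are recorded as data rather than only drawn. The following is an added example, not part of the toolkit: it records each flow of personal information (source, recipient, purpose, whether the recipient is external, retention period, and whether the individual has been told) for a fictional agency and runs the lifecycle “Key questions to answer” over them as checks. Every party, field and retention period is constructed sample data, and the findings are items for the PIA to assess, not determinations of non-compliance.

```python
"""Information-flow inventory for a PIA (added example, not from the toolkit).

Each Flow records where a category of personal information comes from, who
receives it, why, whether the recipient sits outside the organisation, how
long it is kept, and whether the individual has been told about the use.
review_flows() applies the toolkit's lifecycle questions as checks: new
collection, use for a different purpose, external disclosure, retention.
All parties, fields and periods below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    info: str                      # category of personal information
    source: str                    # party sending the information
    recipient: str                 # party receiving it
    purpose: str                   # purpose it is used for in this flow
    external: bool                 # recipient is outside the organisation
    retention_days: Optional[int]  # None = no retention period documented
    individual_told: bool          # individual has been told of this use


# Purpose each category was collected for, i.e. what the individual was told
# when the information was first collected (constructed).
COLLECTION_PURPOSE: Dict[str, str] = {
    "home address": "deliver service",
    "location history": "deliver service",
}

# Constructed flows for a fictional agency; "device identifier" is a new
# collection that nobody has added to the collection-purpose register yet.
SAMPLE_FLOWS: List[Flow] = [
    Flow("home address", "individual", "case manager", "deliver service", False, 2555, True),
    Flow("home address", "case manager", "service provider", "deliver service", True, 365, True),
    Flow("location history", "individual", "case manager", "deliver service", False, None, True),
    Flow("location history", "agency administration", "marketing team", "targeted advertising", False, 90, False),
    Flow("device identifier", "individual", "app backend", "analytics", False, 30, False),
    Flow("home address", "agency administration", "statutory agency", "statutory reporting", True, 2555, True),
]


def review_flows(flows: List[Flow], collection_purpose: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (reference, finding) pairs for flows that need attention in the PIA.

    Each rule mirrors one of the toolkit's lifecycle questions. A finding means
    "assess this in the PIA", not "this is a breach": a statutory disclosure,
    for instance, will be flagged as a different purpose and then justified.
    """
    findings: List[Tuple[str, str]] = []
    for i, f in enumerate(flows, start=1):
        ref = f"F-{i:03d}"
        original = collection_purpose.get(f.info)
        # Is new personal information being collected? If so, where from?
        if f.source == "individual" and original is None:
            findings.append((ref, f"new collection of '{f.info}' from the individual with no documented collection purpose"))
        # Will information already held be used for a different purpose?
        if original is not None and f.purpose != original:
            findings.append((ref, f"'{f.info}' used for '{f.purpose}' but collected for '{original}'"))
            if not f.individual_told:
                findings.append((ref, "individual has not been told about this secondary use"))
        # Who will have access outside the organisation? Have they been told?
        if f.external and not f.individual_told:
            findings.append((ref, f"disclosure of '{f.info}' to external party '{f.recipient}' without notice"))
        # How long will the information be kept for?
        if f.retention_days is None:
            findings.append((ref, f"no retention period recorded for '{f.info}' held by '{f.recipient}'"))
    return findings


if __name__ == "__main__":
    for ref, finding in review_flows(SAMPLE_FLOWS, COLLECTION_PURPOSE):
        print(f"{ref}: {finding}")
```

Run as a script it lists the flows to discuss in the PIA; the references (F-001 and so on) can be carried straight into the risk table at Appendix B. Adding a flow to the list without a purpose or retention period produces a finding, which is the “scope creep” check from the organisational-context discussion made mechanical.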



Step 2. Check against the privacy principles

As well as providing the legal framework that your organisation will need to comply with, the principles in the Privacy Act also provide a useful practical checklist for handling personal information properly throughout its entire lifecycle. This includes:
• collecting the information
• storing it and keeping it secure
• checking the accuracy of the information
• letting people have access to it so they can see what you know about them
• using or disclosing the information
• destroying the information.

A summary of the privacy principles is included in the template for a Privacy Impact Assessment Report at Appendix A (see page 18), and more information about common risks relevant to each of the principles is included in Appendix C (page 18). The full text of the principles is section 6 of the Privacy Act. More detailed advice about what the privacy principles entail is available on our website.

CONSIDER THE PERSONAL INFORMATION INVOLVED IN THE PROJECT AND HOW THE PRIVACY PRINCIPLES APPLY.
Key points to cover
For each privacy principle:
• Is it relevant? (if not, simply note that it is not relevant and why)
• Identify the personal information that is relevant to that principle
• Is the change consistent with the privacy principle? If so, how? Or will it enhance compliance?
• Does the change create more risks of harm to the individual? If so, how might it adversely affect the individual? Or does the change eliminate risks in the existing system?

EXAMPLE: A new mobile app

A business develops a mobile app that will collect various items of information about users, including information about their location. Questions the company will need to ask about that location information include:
• Why is it necessary to collect information about location? Is it a “need to know” or just a “nice to have”?
• What exactly will the business use the location information for?
• Will anyone else have access to the information? Will it be shared with third-party providers to run ads in the app, for instance?
• How will users know the information is being collected and why?
• What will happen if users don’t agree to provide the information? Do they have to consent in order to download the app? If so, is this reasonable? Can the user opt out (even if at the cost of some of the functionality)?
• Can the user change their mind and opt out of sharing location later? What will happen to the information the agency has collected if they do so?
• Is the user specifically and clearly asked for permission? How clear is the privacy statement?
• How long is user location information kept for? Is it aggregated, or linked to the user by information obtained from elsewhere or from the user?
• How is the information going to be protected against misuse and loss?

It’s important that the PIA take a critical and independent approach to these types of questions, as they will drive the design choices the business makes. It’s easy to get enthusiastic about the business opportunities resulting from collecting and using personal information, but consideration of how the individual concerned could be affected leads to better design in the long run – and a greater chance that the product will succeed and not be scuppered by concerns over privacy.2

2. If your organisation is developing an app, you should look at our guidance for app development. It covers many of the privacy issues specific to the mobile environment: see www.privacy.org.nz/news-and-publications/guidance-resources/apps-guidance/



Step 3. Identify any real privacy risks and how to mitigate them

Ideally, a PIA will identify both risks for the individual, and opportunities to benefit the organisation by protecting privacy better. While this section focuses on identifying and mitigating risks, you could use a similar analysis to identify and maximise opportunities.

What is a privacy risk?

A “privacy risk” is the risk that a proposal will fail to meet individuals’ reasonable expectations of privacy – for instance because it breaches the Privacy Act, or unreasonably intrudes into their personal space and personal affairs, or runs contrary to what your relationship with your clients suggests should happen.

Calculating risk is not simply about assessing whether the project will be legally compliant. It’s possible to comply with the law and for the behaviour still to affect whether your particular clients’ reasonable privacy expectations are met. The nature of your relationship with them may suggest that you should give even better protection than the law requires. The privacy principles provide a good framework for asking yourself the right questions – both legal and non-legal – about the impact on your clients.

Risks to an individual will often directly equate to risks for your organisation. Privacy breaches will have a direct impact on the organisation’s reputation, and loss of trust can make it harder and more expensive to meet the aims of the project.

Consider not only the direct risks from the proposal, but also any knock-on effects. If you take too narrow a lens, you may miss an important, wider effect on the individuals you deal with.

How far do I have to go?

A PIA doesn’t set out to identify and eliminate every possible risk to an individual from using their personal information or otherwise impacting on their privacy. However, it should:
• identify any genuine risks to the individual (that is, risks that aren’t unrealistically remote or trivial)
• assess how serious those risks are
• identify how to mitigate serious or medium-level risks
• determine your organisation’s attitude to risk in the context of this project. Sometimes an agency may have a very low tolerance to risk – for instance where its relationships with its customers or clients are so important that it can’t afford even relatively minor risks to eventuate.
• identify any serious or medium-level risks that the organisation decides it is not going to mitigate.

How to identify the risks

If your organisation is large, there may also be a specialist team (perhaps Risk and Assurance, Internal Audit, or Corporate Compliance) that can help you with how the organisation generally approaches the issue of identifying and managing risk. There may well be a specific format that it is best for you to use.

For organisations without specialist risk frameworks, we have provided a template for a risk and mitigation table at Appendix B (see page 18).

Populate your risk table with the risks you already know about from step 2 (see page 11), and identify the likely impact on the individuals. You can then use that as a basis for a more thorough analysis. Make sure you talk to other people involved in the project, or get a view from an external person who may be able to see risks that you have missed. Other possible steps, depending on your project, could be:
• a workshop including the key people involved
• a further desk-top review of documentation
• interviews with key people involved.

Common examples of mitigations include:
• minimising the amount of personal information collected
• better and clearer communication with the individuals
• allowing individuals to opt in instead or making it easy to opt out
• designing the system to provide better security
• providing training and support for staff to help them get it right.

Try to ensure that your mitigation solution is practical and sustainable. Reviewing the project once it is operating will help to identify whether the mitigations are actually working as you’ve planned.

“Consider what will actually work. There is little point developing a system that your staff cannot operate.” (survey respondent)

Next: The following page has an example of how a few lines on this risk table might look, using the earlier example of a mobile app:



REFERENCE NUMBER: R-001
Aspects of information assessed: What information the app collects through the app
Description of the risk: The app will collect more information than specified in the privacy statement
Rationale and consequences for the agency or individual: The app will have greater functionality and lead to increased monetisation, but app users may object to collection beyond the current privacy statement
Existing controls that contribute to manage risks identified: The business has a clear purpose for collecting the personal information (but app policy does not currently reflect it)
Assessment of residual current risk: Medium/possible; moderate harm
Recommended additional actions to reduce or mitigate risk: Put a process in place to manage clear notification and consent for additional collection by the app in line with the new purpose
Residual risk remaining despite new safeguards: Low/unlikely; minimal harm

REFERENCE NUMBER: R-002
Aspects of information assessed: Third party providing advertising through the app needs access to information (age, gender)
Description of the risk: Third parties may misuse this information for their own purposes (spamming, hacking, etc)
Rationale and consequences for the agency or individual: Data is never truly de-identified so may be misused, exposing individuals to unexpected impacts. Individuals distrust unexpected disclosures to third parties. Third party access to user information is a source of revenue.
Existing controls that contribute to manage risks identified: De-identify data as much as possible. Contract with third party also specifies what can and can’t be done with information
Assessment of residual current risk: Medium/possible; moderate harm
Recommended additional actions to reduce or mitigate risk: Extend contract with third party to disallow re-identification or reuse of data for different purposes
Residual risk remaining despite new safeguards: Low/unlikely; minimal harm



REFERENCE NUMBER: R-003
Aspects of information assessed: To function the app requires a persistent account, tied to an individual
Description of the risk: Behavioural information is collected over time, in addition to personal information collected at download/registration
Rationale and consequences for the agency or individual: There is an administrative need, as the app won’t work without a persistent account. But app users might object to more behavioural information being collected, and might abandon it for this reason
Existing controls that contribute to manage risks identified: Privacy notice clearly outlines what information can be used for (e.g. account persistence, and customer service – which covers targeted advertising)
Assessment of residual current risk: Low/unlikely; minimal harm. People often do not read the privacy policy – system design should still protect them as much as possible
Recommended additional actions to reduce or mitigate risk: Amend retention policy to ensure that app user logs are deleted when they are no longer needed (easy additional protection)
Residual risk remaining despite new safeguards: Low/unlikely; minimal harm

REFERENCE NUMBER: R-004
Aspects of information assessed: Username and password are collected by the app
Description of the risk: Some users use one password across multiple accounts, which could reduce the security of the system elsewhere
Rationale and consequences for the agency or individual: Hard to prevent people from recycling passwords. If an external account is compromised, all other accounts using the same username and password are vulnerable, including the app
Existing controls that contribute to manage risks identified: Credential information is encrypted; process to change/reset passwords is secure; hashed passwords are salted, but this won’t prevent use of recycled passwords
Assessment of residual current risk: Medium/possible; moderate harm
Recommended additional actions to reduce or mitigate risk: Require users to create a unique password for the app, changed regularly, using criteria unlikely to have been demanded by other accounts
Residual risk remaining despite new safeguards: Low/unlikely; minimal harm



Step 4. Produce a PIA report
The PIA report is a major reference point for you and for your organisation. It should at least:
• include all relevant information about the project and what it is intended to achieve
• describe how information flows through the system
• include analysis against the privacy principles and other relevant material to show what the privacy impacts are (both positive and negative)
• identify key risks and how to mitigate any negative impacts
• recommend any necessary changes
• identify whether the PIA should be reviewed during the project, and/or once the new system is operating.
See the report template at Appendix A (page 18).

Step 5. Take action
There’s little point investing even modest amounts of time or resources in a PIA and then failing to take action. An action list can help you track and manage the decisions you take as a result of the PIA.

The action list may contain items to be completed as part of the project itself, or it can be integrated into normal operations (such as maintaining a risk register, or as part of a security action plan).

Make sure that the action list clearly identifies who’s responsible for doing what. Also make sure that it notes any relevant timelines and contingencies (for example, Action A needs to be completed by date B so that Stage C of the project can start).

In large or complex projects, there might be several versions of a PIA. It’s important that any actions or recommendations from each update of the PIA are considered throughout the project. This may require designating someone in the project to take ownership of the action plan and report on progress, either within the project or within the organisation’s existing governance framework.

The PIA may identify wider opportunities for action, so you can make privacy-enhancing changes throughout your organisation. For instance, it may show that there are other parts of your business where you might also achieve better security, better accuracy of information, and more effective business processes for managing personal information. If you spot an opportunity, take it – it’s likely to make your business better.

Step 6. Review the PIA and use it as a checkpoint once things are in operation
Projects are rarely static. Even small projects can morph as they progress. The PIA that was produced early on is unlikely to reflect the current state of a project.

Use your Step 4 report and your Step 5 action plan as a baseline for considering the project as it progresses. If there have been changes that have an impact on privacy, do quick updates of the report and action plan that record:
• what’s changed
• what the new impact is
• how to address any new risk (or take advantage of any new opportunity).
This will ensure your PIA continues to be used as a tool to check that the project does what it is meant to do.

Once the changes are up and running, it is also worth using the PIA as a checkpoint for how the new process is operating. Is it working as anticipated, or are problems starting to emerge and further changes needed? Again, using the PIA as a reference point can save you time and trouble.
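As an added example (not part of the toolkit), the risk table above and the Step 5 action list expressed in code: the register carries each risk’s current and residual likelihood/harm, flags medium-or-worse risks that have no mitigation, and checks that every action names an owner and a date. The likelihood and harm scales, the rating matrix, and the owners and due dates are assumptions for illustration; the R-001 to R-004 entries are transcribed from the table.

```python
"""Added example, not the toolkit's own material: a PIA risk register and action list.
The likelihood/harm scales, rating matrix, owners and dates are constructed assumptions;
the R-001..R-004 entries are transcribed from the example table above."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

LIKELIHOOD = ["unlikely", "possible", "likely"]   # assumed ordinal scale
HARM = ["minimal", "moderate", "serious"]          # assumed ordinal scale


def rate(likelihood: str, harm: str) -> str:
    """Combine likelihood and harm into an overall level (assumed matrix).

    unlikely+minimal -> low; possible+moderate -> medium; likely+serious -> serious.
    """
    score = LIKELIHOOD.index(likelihood) + HARM.index(harm)
    return ("low", "medium", "medium", "serious", "serious")[score]


@dataclass
class Action:
    description: str
    owner: Optional[str] = None      # who is responsible for doing what
    due: Optional[date] = None       # "Action A needs to be completed by date B"
    enables: Optional[str] = None    # "... so that Stage C of the project can start"


@dataclass
class Risk:
    ref: str
    aspect: str
    current: Tuple[str, str]         # (likelihood, harm) before new safeguards
    residual: Tuple[str, str]        # (likelihood, harm) once new safeguards are in place
    actions: List[Action] = field(default_factory=list)
    accepted: bool = False           # organisation has decided not to mitigate

    def current_level(self) -> str:
        return rate(*self.current)

    def residual_level(self) -> str:
        return rate(*self.residual)


def unmitigated(register: List[Risk]) -> List[str]:
    """Serious or medium-level risks the organisation is not going to mitigate."""
    return [r.ref for r in register
            if r.current_level() != "low" and (r.accepted or not r.actions)]


def action_gaps(register: List[Risk]) -> List[str]:
    """Step 5 check: every action must say who does it and by when."""
    gaps = []
    for r in register:
        for a in r.actions:
            if a.owner is None:
                gaps.append(f"{r.ref}: no owner for '{a.description}'")
            if a.due is None:
                gaps.append(f"{r.ref}: no due date for '{a.description}'")
    return gaps


def overdue(register: List[Risk], today: date) -> List[str]:
    """Actions whose due date has passed; worth running at a Step 6 checkpoint."""
    return [f"{r.ref}: {a.description} (blocks: {a.enables})"
            for r in register for a in r.actions
            if a.due is not None and a.due < today]


# Transcribed from R-001..R-004; owners, dates and the 'enables' value are constructed.
REGISTER = [
    Risk("R-001", "What information the app collects", ("possible", "moderate"),
         ("unlikely", "minimal"),
         [Action("Notification and consent process for additional collection",
                 owner="Product owner", due=date(2024, 6, 30), enables="App release")]),
    Risk("R-002", "Third-party advertiser access to age and gender", ("possible", "moderate"),
         ("unlikely", "minimal"),
         [Action("Extend contract to disallow re-identification or reuse",
                 owner="Legal", due=date(2024, 5, 31))]),
    Risk("R-003", "Persistent account tied to an individual", ("unlikely", "minimal"),
         ("unlikely", "minimal"),
         [Action("Amend retention policy so user logs are deleted when no longer needed")]),
    Risk("R-004", "Username and password collected by the app", ("possible", "moderate"),
         ("unlikely", "minimal"),
         [Action("Require a unique password for the app", owner="Security lead",
                 due=date(2024, 6, 15))]),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(r.ref, r.current_level(), "->", r.residual_level())
    print("unmitigated medium+ risks:", unmitigated(REGISTER))
    print("action list gaps:", action_gaps(REGISTER))
    print("overdue at 2024-07-01:", overdue(REGISTER, date(2024, 7, 1)))
```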



Other steps that may be useful

Get an external view of your PIA
If your project is a substantial one, or the potential impacts on privacy are particularly significant, it will be worthwhile getting someone outside your organisation to check your PIA. They may identify something you’ve missed. They may have a better idea of how people who are not close to the project may react to what your organisation is doing – particularly the individuals who will be affected by the project.

Examples of people who can give you an external view might be:
• colleagues within your industry
• an industry association, Chamber of Commerce or representative group
• the Privacy Commissioner’s Office
• a lawyer or a specialist in privacy law or information management
• IT specialists, systems architects, security consultants and so on.

Consult with stakeholders
Some projects will benefit from very wide consultation with stakeholders, both inside the organisation and externally. In particular, some projects will benefit from consultation with the individuals whose information you are using, or who will be affected by your project.

As part of your initial analysis, or your information-gathering exercise, consider who will have the best information to contribute or who might best flush out the risks posed by the project. If the answer is that your customers, or your staff, or external stakeholders might give you valuable information that you can’t get elsewhere, then think about consulting with them.
Identify:
• who can give you the information
• when consultation is needed and how long it will take (so that you have the information in time to use it)
• how far you need to go for it to be useful
• what you will ask them
• what method you will use to get information from them (for example, a targeted survey, an email request to an external agency, or an online opportunity to respond).

Establish better governance structures for managing personal information
Protecting privacy is an ongoing responsibility, not something that your organisation should only consider as part of a change process.

Writing a PIA might be the first time your organisation has had to think about privacy issues. If so, use it as an opportunity to get people thinking about how to manage privacy better across the organisation.

In particular, make sure someone in the organisation is tagged with responsibility for managing privacy. Ensure privacy is one issue that’s considered at the top table – solid leadership will make it far more likely that the organisation will get privacy right.

Manage any risks with using third-party contractors
If your project involves passing personal information to third-party contractors, this is a good opportunity to consider how to manage wider privacy issues relating to third parties who may have different standards from your organisation.

Questions to ask include:
• What privacy standards will you be holding the contractors to?
• Are they capable of meeting your expectations?
• How will you know whether they are competent?
• How will you know if something goes wrong?

You may be able to rework your standard contracts, or other documentation, so that it makes it easier and quicker to think about these issues when you engage a third-party contractor to do work for you in future.



Align the PIA with the organisation’s existing project-management methodologies
Large organisations tend to have in-house project-management tools. It’s important for the PIA to fit with the way your organisation usually does things so that it has the best possible chance of being integrated into your business systems and of being effective.

For instance, for very large projects, or projects using “Agile”, or Agile-like methodologies, approaching PIA as a series of linked assessments may help the PIA and the principal project align better.

Publish your PIA
One of the benefits of doing a PIA is that it can increase the trust people have in your organisation and their willingness to work with you. If they’re aware of what you have done to manage privacy, they may have more confidence in you. Publishing the PIA demonstrates that you take privacy issues seriously and that you do your best to manage them. If you’re a small firm, for instance, publishing your PIAs may demonstrate that you’re a cut above your competitors.

Public-sector agencies in particular should seriously consider publishing their PIAs to demonstrate accountability, and as a proactive release of official information.

Of course, a PIA report may need to be reworked to protect interests such as commercial confidentiality, client privacy, security of information or legal privilege. Publication is not an “all or nothing” exercise – it is better to take out certain elements of the report and publish the rest, rather than not publishing at all.



Part 2: Appendices

Appendix A: Template – Privacy Impact Assessment Report (download)

Appendix B: Template – Risk and Mitigation Table (download)

Appendix C: Examples – Privacy risks and mitigations 19

Appendix D: Other resources 35



Appendix C: Examples – Privacy risks and mitigations

This appendix:
• gives some examples of common mitigations you could consider to address identified privacy risks
• poses some questions to help assess and understand potential privacy impacts.

Using the privacy principles to follow the information lifecycle
Each privacy principle deals with a different aspect of information management. Addressing each principle in turn will therefore help your organisation make sure it takes proper care of the information entrusted to it.

However, the principles are best viewed as an integrated whole rather than a set of separate rules. Each principle links with the others. For example:
• disclosure by one agency often involves collection by another agency
• unnecessary collection increases risks of unwarranted use or access
• poor security or unjustified retention of information creates risks of having inaccurate or outdated records.

On the other hand, use of privacy enhancing technology or techniques in one area can free you up in other areas. For example, if you anonymise information, it will be harder to link information to individuals. You are therefore less likely to need to restrict access so tightly.

Types of mitigations and safeguards
Strategies to enhance privacy, or to reduce or mitigate privacy risks, can include:
• technical controls – such as access control mechanisms, encryption, and design changes
• operational controls – such as organisational policies or procedures, staff training, and oversight and accountability measures
• communication strategies – such as privacy notices, and consent-based collection processes.

Examples of risk and mitigation
The following pages provide some examples of strategies you may want to use to address and mitigate common privacy risks. It is arranged by privacy principle.



PRINCIPLE 1 – COLLECTION OF INFORMATION

Personal information shall not be collected by any agency unless:
a) the information is collected for a lawful purpose connected with a function or activity of the agency; and
b) the collection of the information is necessary for that purpose.

What Principle 1 means in practice
Be focused – only collect personal information if you need to
The most effective privacy safeguard is not to collect information in the first place if you don’t need it.

Good overall information management often stems from being clear about your purpose at the start. For instance, if your organisation isn’t clear about why it needs the information, it’s not going to know who needs to see it, or whether it’s being used properly, or how to explain to the individuals concerned what it’s doing with the information.

It’s not enough simply to say that you might need the information sometime, or that it’s easy to collect.

Key questions to ask (Collection)
• What personal information is your organisation currently using? Will your proposal change what’s collected?
• Why are you currently collecting the information? Will your proposal change that purpose?
• What business process is enabled by having the information? Why is the information needed for that process?
• If you’re collecting new information, why do you need it?
• Are there specific laws or regulations allowing you to collect the information?
• Are there specific laws or regulations prohibiting you from collecting the information? (If so, the Privacy Act won’t help you because the other laws will override the Privacy Act. Change your proposal to fit with what the law allows. Or, if you’re an agency that can influence legislation, consider what options you have to initiate a law change).
• Is all of the information a genuine “need to have” – or is it just a “nice to have”? What information can you do without?
• Will anonymous information do? If you don’t need to collect someone’s identity to deal with them, then don’t – it makes the privacy risks a lot lower.
• Are you collecting information as a proxy for a different or less specific piece of information? For example, if you’re proposing to collect people’s dates of birth, do you in fact only need their age or age band?

Common risk examples (Collection)
• Personal information is collected without a clear purpose or without clear legal authority
• Information collected is either unnecessary or excessive
• Decisions affecting the individual concerned may be made using irrelevant information
• The purpose of collecting the information may be unclear, leading to possible misuse
• The individual concerned may feel a loss of control over what information is collected.

Possible mitigations to better protect privacy (Collection)
Establish the need for collection
• Clearly state your purpose for collecting the personal information
• Limit the information you collect to what is truly necessary for that purpose
• Consider whether you can use information that doesn’t identify the individual

Limit unnecessary collection
• If you only need to verify identity, use accredited identity verification systems (such as RealMe)
• If you want to keep track of the numbers of visitors to a website, keep a count of visits, but don’t keep IP addresses
• Use pseudonyms to distinguish people, instead of personal information that identifies them
• Constrain your IT systems so that unnecessary information can’t be stored in databases
• Ensure that application forms ask only for the necessary information, and only have room for that information
• When using or installing security cameras or CCTV, use masking or pixelation technologies
• Only record images where there is a potential security risk, and delete records promptly
• Clearly identify where optional information can be provided, and explain the implications of not providing that information (this links with principle 3)
• Provide opt-ins for additional services (and easy opt-outs for services that people no longer require).
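An added example (not from the toolkit) of two of the mitigations above in one piece of code: counting website visits and distinct visitors without keeping IP addresses, by replacing each address with a keyed pseudonym whose key is discarded at day rollover. The log format, the per-day keyed-pseudonym design and the sample log lines are constructed for illustration.

```python
"""Added example, not the toolkit's own material: visit counting without retaining
IP addresses. The access-log format and the per-day keyed pseudonym are assumptions."""
import hashlib
import hmac
import os


class VisitCounter:
    """Keeps, per day, a total visit count and a count of distinct visitors.

    The raw IP never leaves record(): it is replaced by an HMAC under a random
    per-day key. The key and the set of pseudonyms live only in memory and are
    dropped at day rollover, so what is retained (self.stats) contains no
    address and cannot be linked back to one, or across days.
    """

    def __init__(self):
        self._day = None
        self._key = None
        self._seen = set()      # pseudonyms seen today, never persisted
        self.stats = {}         # day -> {"visits": n, "unique": m}; the only retained data

    def _rotate(self, day):
        self._day, self._key, self._seen = day, os.urandom(32), set()
        self.stats[day] = {"visits": 0, "unique": 0}

    def record(self, day, ip):
        if day != self._day:
            self._rotate(day)
        # Truncated keyed hash: distinguishes visitors within the day, identifies nobody.
        token = hmac.new(self._key, ip.encode(), hashlib.sha256).digest()[:8]
        self.stats[day]["visits"] += 1
        if token not in self._seen:
            self._seen.add(token)
            self.stats[day]["unique"] += 1


def parse_line(line):
    """Parse a constructed access-log line of the form '<day> <ip> <path>'."""
    day, ip, _path = line.split(maxsplit=2)
    return day, ip


# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
2024-03-01 203.0.113.7 /home
2024-03-01 203.0.113.7 /about
2024-03-01 198.51.100.2 /home
2024-03-02 203.0.113.7 /home
"""


def summarise(log_text):
    """Return the retained per-day counts for a log; no IP survives this function."""
    counter = VisitCounter()
    for line in log_text.splitlines():
        if line.strip():
            counter.record(*parse_line(line))
    return counter.stats


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```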



PRINCIPLE 2 – SOURCE OF INFORMATION

Where an agency collects personal information, the agency shall collect the information directly from the individual concerned, unless one of the listed exceptions applies.

What Principle 2 means in practice
Be direct – get it from the people concerned, wherever possible
When you collect information about someone, you should get it from them directly wherever possible, and you should tell them why you need it and what it will be used for. Then what you do after that won’t be a surprise to them. Also, it’s often the people themselves who are best placed to provide accurate information.

You can collect information from another source if you believe that one of the exceptions to the principle applies. These include:
• if the individual concerned has authorised you to collect the information from someone else
• if the information is already publicly available
• if getting it from another source wouldn’t prejudice the individual’s interests
• if the information won’t be used in a way that identifies the individual concerned (including where it will only be used for statistical or research purposes and the individual won’t be identified)
• if collecting it from another source is necessary to enforce the law, or for court proceedings, or to protect public revenue, or
• if collecting it from the individual concerned isn’t reasonably practicable in the circumstances.

Key questions to ask (Source)
Defining the source of information
• Who will you collect the information from – directly from the person concerned or indirectly from a third party? If a third party, then who?
• If you’re collecting it from a third party, why won’t it work to get it directly from the individual?
• Will this differ from the way you already collect information? If so, how?
• Do you need to positively identify the individual concerned, to check it’s the individual who’s entitled to deal with you?

Common risk examples (Source)
• Individuals may not be aware that information is being collected, who will use it or what it’s being used for. If they become aware only later, they may be surprised and upset
• Collecting the information from a third party could perpetuate and compound any errors that are already in the data
• Information may be out of date or irrelevant for the intended purposes if it’s used outside the original context in which it was collected
• Individuals won’t be able to update their information if they don’t know you have it.

Possible mitigations to enhance privacy (Source)
• Change your system to collect information directly from the individual, unless you have a good reason not to do so. It’s much better customer service to let the individual know what’s going on
• If you’re collecting information from a third party, make sure the individual that the information relates to knows you’re going to do that, unless there’s a good reason not to
• Have a clear privacy statement saying where you get personal information from
• Provide people with a way to see the information you hold about them (like a dashboard) and give them the opportunity to correct it if it’s wrong
• Include a check box as a quick way for an individual to confirm their identity or to give authority for you to act on their behalf
• If you’re getting only verbal consent, make sure you have a good system to record or document that consent.



PRINCIPLE 3 – COLLECTION OF INFORMATION FROM THE INDIVIDUAL

Where an agency collects personal information directly from the individual concerned, the agency shall take such steps (if any) as are, in the circumstances, reasonable to ensure that the individual concerned is aware of:
a) the fact that the information is being collected; and
b) the purpose for which the information is being collected; and
c) the intended recipients of the information
d) the consequences (if any) for that individual if all or part of that information is not provided
e) the rights of access to, and correction of, personal information provided by these principles.
These steps shall be taken before the information is collected or, if that is not practicable, as soon as practicable after the information is collected.

What Principle 3 means in practice
Be open – tell people why you need it and what you’ll do with it
When you collect information from an individual, whether this is voluntary or compulsory, you should tell them what you need it for, and what you’re going to do with it. If they don’t have a choice about giving information to you, spell out what statutory provisions require them to do this, and any limits on how those provisions can apply.

As with principle 2, there are some exceptions that allow you to not spell out what you’re doing – for instance because it:
• would frustrate the lawful purpose of collecting the information
• could prejudice a criminal investigation
• is not reasonably practicable in the circumstances.

Key questions to ask (Collection from the individual)
• Are your privacy statements easy to understand and access? (Bear in mind the device or format that people will be using to read it)
• Will you have to change your privacy statements as a result of the change that your project involves?
• Do individuals need to acknowledge that they understand what information is being collected?
• If any new or additional information is being collected, has the purpose been defined?
• If you’re telling the individual they have to provide the information, do they genuinely have to provide it or are you just hoping they’re happy to provide it?
• If you’re not spelling out the matters listed in principle 3, will these matters be obvious to the individual? If they’re not obvious, do you have a good reason for not telling people?

Common risk examples (Collection from the individual)
• Privacy statements may not be easily accessible – for example, on a mobile device with a small screen, or for individuals for whom English is a second language
• People often don’t read privacy statements – if your organisation acts on the basis that the individual has knowingly consented, this could lead to clients losing trust in you
• The individual’s consent for collection may not be supported by a valid, clearly explained purpose
• Individuals may be surprised by information being collected that wasn’t required previously
• If they’re not given advance notice, individuals may feel a loss of control over their information
• The individual may lose trust in dealing with your organisation, ultimately leading to a lack of engagement that may affect your ability to meet your objectives.



Possible mitigations to enhance privacy
(Collection from the individual)
• Make sure your privacy notice is in plain language.
Provide brief, key information first, and put explanations
and details later (for instance, provide a link that people
can click on for more information)
• Allow people to opt in if that’s feasible. If it isn’t possible,
make sure people can clearly opt out
• Make it clear to the individual whether providing
the information is compulsory or voluntary. If it’s
voluntary, explain why it would be beneficial to
have the information
• Ensure your privacy notices are consistent and
accessible in hard-copy and online
• Review your consent process to ensure that consent
will be informed, current and specific, and given by
someone with the capacity to provide consent
(eg a parent)
• Provide a privacy notice after collecting the information
if it’s not practicable to do so in advance
• Publish privacy notices in formats and languages
appropriate for the target group
• Design privacy notices for use with adaptive technology
such as screen readers
• Update your application forms and enrolment forms
to explain clearly why information is needed
• When collecting data electronically, use the technology
to your advantage (for example, highlighting updates to
privacy policies; using different levels of web pages for
different layers of details)
• Require positive confirmation for actions by
the organisation that could lead to adverse effects
for the individual
• Change preference formats to yes/no options, rather
than ambiguous check boxes
• Set privacy-protective options as the default
wherever possible
• Use appropriate signage to ensure people are aware
if CCTV surveillance is taking place
• Publish PIA reports so individuals know how their
personal information will be managed.



PRINCIPLE 4 – MANNER OF COLLECTION OF INFORMATION

Personal information shall not be collected by an agency:
a) by unlawful means; or
b) by means that, in the circumstances of the case,
i) are unfair; or
ii) intrude to an unreasonable extent upon the personal affairs of the individual concerned.

What Principle 4 means in practice
Be considerate, be fair and don’t be unreasonably intrusive
Even where you’re required to collect information, you often will have choices about how you collect it. Design your system so you collect information by the least intrusive method available, bearing in mind the purpose you’re trying to fulfil.

Key questions to ask (Manner of collection)
• How are you collecting the personal information?
• Is the collection overt or covert? If it’s covert, why? (Covert collection is less likely to be fair – there needs to be a clear justification)
• Do you have to collect information that way, or do you have other options that would be as efficient or that might bring different benefits?
• Is the individual likely to be upset by the fact you’re collecting in this way?
• Are you legally required to collect information in this way?

Common risk examples (Manner of collection)
• Collection methods may be unjustifiably intrusive (for example, if biometric information is collected unnecessarily, or drug testing is conducted unjustifiably, or audio or video recording or location-tracking technology is used without adequate reason)
• Recording equipment is badly located or improperly adjusted, resulting in an over-collection of information, or an unjustified intrusion
• The physical and mental health and well-being of an individual could be damaged through breach of trust and a sense of loss of control over the use of their information
• Information is collected unfairly by using duress, coercion or deception
• Information is collected from individuals who believe mistakenly that they have to provide it because the statutory limits haven’t been clearly explained to them.

Possible mitigations to enhance privacy (Manner of collection)
• Use masking technology to avoid having CCTV overlooking neighbouring properties
• Think carefully about the different options available for collecting the information, and choose the least intrusive option that still achieves the purpose
• Check that every item of information on your form or your website log-in is necessary
• Test whether people will really see and understand your privacy notices
• If providing the information is optional, say so
• Make sure you’re not going to collect additional information by accident (such as audio material as well as video, where only the video is needed for the purpose)
• Don’t drug test employees if they’re not working in safety-sensitive positions



PRINCIPLE 5 – STORAGE AND SECURITY OF INFORMATION

An agency that holds personal information shall ensure:
a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against
i) loss; and
ii) access, use, modification, or disclosure, except with the authority of the agency that holds the information; and
iii) other misuse; and
b) that if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or unauthorised disclosure of the information.

What Principle 5 means in practice
Take care – keep it safe
You need to ensure that personal information is protected against misuse, loss or theft. Security is going to be relevant to you whether you’re maintaining or upgrading an existing database of client information, moving information into a new application or other system, or developing a new business process or access model that changes how personal information is used or who has access to information.

There are some additional things to consider if you’re using a third party to support IT systems or business processes and giving them access to the system that holds the information. You’ll need to check that the third party has reasonable security safeguards in place.

Key questions to ask (Storage and security)
• What personal information will be stored by the organisation and how will that change?
• What format will the personal information be stored in (paper, or electronic), where will it be stored, and who will be responsible for its safe-keeping?
• What security and access controls will protect personal information against misuse, accidental loss, unauthorised use or disclosure – whether in transit or when the information is stored and used?
• Who can access the information now, and how will that change?
• Are you using a different contractor from before?
• When did you last look at your security controls? Do they need updating?
• Do contracts with third-party providers include appropriate privacy clauses and safeguards? Will you know if something goes wrong when the information is in the third party’s hands? Who from their staff will be able to see the information, and are they trained to handle it well?
• What policies, standards and procedures relating to storage will need to be taken into account (such as requirements for disposal; obligations to disclose to other agencies)?

Common risk examples (Storage and security)
Electronic and technical security measures
• Failing to limit edit-access to data, or to limit or monitor access or enforce access controls, can lead to misuse or unauthorised disclosure
• Devices in shared work areas, or portable devices, can provide for inappropriate access
• Providing online log-in access to client records raises the risk of session cross-overs, or automated scams
• The system can’t trace who has accessed a file – so you can’t tell whether there are problems with unauthorised access
• Unwarranted access to personal information may lead to identity theft
• The organisation doesn’t comply with basic standards and expectations for information security and records management.

Physical and operational security measures
• Staff are unaware of their obligations, leading to accidents, careless actions or mishandling of information, which in turn results in unauthorised disclosures
• Co-located offices, shared workstations, uncontrolled building access and offices open to the public can pose a risk of unauthorised access to personal information
• Failing to recognise the high-risk nature of information, including the need to implement a higher degree of security to protect particularly sensitive financial or health information
• Failing to include contracted service providers in an agency’s data-management strategy, elevating the risk of external breaches of data security, in particular where contracted service providers are located outside New Zealand, giving rise to jurisdictional issues
• Allowing workplace use of portable storage devices (such as USB sticks, mobile phones, personal laptops) without proper security protections
• Using regular post to send highly sensitive personal information may raise the risks that it could be sent to the wrong address or go missing
• Testing and training environments may expose personal information to risk
• Hacking, system failures, data compromise or breaches result in unauthorised access.

Privacy Impact Assessment Toolkit 25


Possible mitigations to enhance privacy (Storage and security)

Electronic and technical security measures
• Limit the use of portable storage devices through operational policies and technical controls
• Use registered post to send particularly sensitive information, rather than regular post
• Use window envelopes to avoid mis-matching labelled envelopes and their intended contents for bulk mail-outs, but ensure that no information, beyond the name and address, is visible through the window
• Ensure any remote access to your data, whether by staff or clients, is to encrypted data, or is to unencrypted data that travels only via encrypted transmission
• Use technologies such as CAPTCHA to differentiate between human and computer users of your site
• Consider two-factor authentication rather than just username and password, and build in a “time out” limit on access
• Provide for degrees of anonymity (such as by using pseudonyms, anonymisers or anonymous data credentials) to minimise the amount of data provided, allowing customers to reveal only so much personal information as is necessary in order to complete a transaction
• Provide a degree of “unlinkability” (for example, by using multiple virtual identities and communication anonymisers) to hide real online identities (email address, IP address, and so on)
• Replace identifying details with non-traceable, disposable identities not readily associated with other identities used by the individual (for example, pseudonyms, one-time emails)
• Mitigate against loss or theft of sensitive information by protecting it in storage, in transit and in use with strong authentication
• Encrypt confidential data when it is stored or relocated to data repositories or archival warehouses, providing for decryption keys based on data receivers’ credentials
• Keep processed data in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data were originally collected
• Ensure access and handling protocols define who has the authority and ability to add, amend or delete data and to assign, change or revoke access privileges
• Provide in-house users with delay-send options and pop-up reminders to check attachments before sending to outside recipients, and disable auto-complete for external emails
• Embed technically feasible default privacy settings into the systems supporting the initiative
• Use cryptographic tokens or credentials issued by organisations to allow individuals to anonymously prove statements about themselves and their relationships with public and private organisations

Physical and operational security measures
• Ensure “sign-in” procedures don’t unnecessarily reveal information about previous visitors
• Develop plain language usage policies to supplement your other data security measures
• Ensure your projects include ongoing staff training that’s relevant to the jobs people do
• Ensure physical security prevents unwarranted access to areas where sensitive data is stored
• Ensure your records practices comply with recognised best-practice guidelines or standards
• Ensure that particularly sensitive personal information, such as biometric information and health or financial records, attracts the highest levels of security
• Examine your data flows to identify any weak spots that need further security measures
• Ensure your data security strategy is appropriate to the type of data stored
• Ensure that service providers are contractually bound to comply with specific privacy safeguards
• Conduct a threat and risk assessment of your database and network security
• Engage someone to conduct an ethical hacking exercise to test system vulnerabilities
• Use only dummy data in testing and training environments
• Allocate a needs-based, unique identity to each authorised user
• Take appropriate measures to identify and punish employee browsing.



PRINCIPLE 6 – ACCESS TO INFORMATION

Where an agency holds personal information in such a way that it can readily be retrieved, the individual concerned shall be entitled:
a) to obtain from the agency confirmation of whether or not the agency holds such personal information; and
b) to have access to that information.

What Principle 6 means in practice
Keep people informed – tell them what information you hold

In most cases, people have a right to access the personal information you hold about them. That means you need a system that enables you to find information about people when they ask, and provide it to them. There are some exceptions, though, and it’s important to know what they are.

Records-management systems must take into account the fact that individuals may wish to access the information an agency holds about them. Shoddy information-management practices are not an excuse. Most organisations don’t have to hold on to information forever, but while you do have it you should be able to find it – wherever it is (onsite, in archives, offshore, in people’s inboxes – or even in their heads).

The clock will be ticking too – you have to provide a decision about access as soon as reasonably practicable, and not more than 20 working days after the request comes in (unless you have a valid reason to extend this time limit). You also have to provide the information itself without undue delay.

Key questions to ask (Access)
• How is personal information currently being stored and how will this change?
• What metadata is kept to allow personal information to be readily identified and located?
• Will all of the information about an individual be in one place or clearly linked to ensure a complete record can be identified?
• If you get a request for the information, how would you respond and how long would it take you to make a decision about the request?
• Who is responsible for handling information requests? How will you make sure the request gets to them?
• If information is held in third-party storage (in the cloud for example) have you made sure you can get it back when you need it? Will it be in a format that you can use, and that you can easily supply to the requester?

Common risk examples (Access)
• Changes to database structures affect the location and retrieval of information
• Backup changes alter how information is retained and whether it can be readily identified and attributed
• Individuals aren’t able to easily access their personal information
• Lack of access to personal information increases the risk of poor-quality, out-dated data
• Access may be hampered if the data is held by contracted third-party service providers – there could be time delays to factor in
• Information may be stored in a different format from the one that you can use now
• Failure to file information properly leads to inefficiencies (for example, having to search through email boxes rather than retrieving the information directly from the filing system).

Possible mitigations to enhance privacy (Access)
• Make it easy for people to access their information by setting up a process for them that suits the way your organisation works
• Make sure you keep accurate track of requests for personal information (whether they’re verbal or written requests)
• Consider providing individuals with routine access to their personal information, or direct access – for example, through online accounts
• Ensure that stored information is readily identifiable and retrievable
• Ensure that contracts with external third-party service providers include provisions guaranteeing speedy retrieval of personal information when your organisation wants it
• Increase the control that users have over their personal data by allowing them to look up past transactions using their personal information, including what data has been transferred or disclosed to third parties, when, to whom, and under what conditions
• Inform users of their data access and correction rights, and who to contact if they want to request access
• Have a standard process for people to use to demonstrate that they have authorisation to get information on someone else’s behalf.



PRINCIPLE 7 – CORRECTION OF INFORMATION

Where an agency holds personal information, the individual concerned shall be entitled:
a) to request correction of the information; and
b) to request that there be attached to the information a statement of the correction sought but not made.

What Principle 7 means in practice
Make it right – let them correct it if you have got it wrong

If you hold information about an individual that they think is wrong, they’re entitled to ask you to correct it. If it really is wrong, it’s in everyone’s interests to get it right.

Sometimes, the person’s opinion of what is right may differ from your own. In that case, you don’t have to delete or correct the information. However, if the person wants you to, you have to add a statement of what the person thinks is correct to your file, in such a way that anyone reading it later will know what that person’s view of the information is, as well as your own.

If you correct information, but you’ve already passed the original information on to another organisation, you should, if possible, notify the other organisation that the information has been changed.

Key questions to ask (Correction)
• How do you accommodate individuals who believe that the information you hold is inaccurate?
• Does your system or process allow information to be modified if it’s wrong?
• How do you verify the accuracy of information before you change it?
• How do you monitor changes to ensure they’re authorised?
• If information can’t be changed or appended, what mechanism is in place to attach a statement of correction?
• Will your system track who you’ve sent information to, so that you can let them know if the information was inaccurate and had to be changed?

Common risk examples (Correction)
• Poorly managed correction requests can lead to poor-quality data
• Correction may be hampered if the data is held by contracted service providers
• Failing to correct personal information that has been disclosed in the past can lead to inaccurate information, affecting the individual and the organisation’s services
• Computer systems aren’t built to allow statements of correction to be added, or for a flag to signal that there is further information a decision-maker needs to consider
• Poor quality information is passed to other agencies, compounding the errors and the problems for the individual
• Information is duplicated in different parts of the organisation, but corrected only in one.

Possible mitigations to enhance privacy (Correction)
• Ensure there’s a clearly defined process by which an individual can discuss or dispute the accuracy of the personal information you hold about them
• Ensure you have policies setting out how your organisation can action routine or simple correction requests (such as a client’s formally notified change of address), and who can determine more complex requests (for example, when a client disputes your decision on their eligibility for services)
• Design your system to allow a statement of correction to appear beside the original information – or at the least for the system to display a clear flag showing that there is other relevant information to consider
• Ensure a record is kept of correction requests, and the decisions on those requests
• If you have to keep the original information (for example because of statutory or record-keeping obligations), design your system to do so
• Where services are contracted out, consider which organisation will have the most current and accurate data, and how any corrections will be communicated to the other organisation
• Specify whether correction requests are to be mediated by your organisation, or handled directly by the contracted service provider
• Let users know about their access and correction rights, and ensure they know who to contact if they have a request.
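The following is an added example, not code from the toolkit or from the Office of the Privacy Commissioner. It shows one way of building the Principle 6 and Principle 7 mitigations above into a record-keeping system: a correction keeps the superseded value and writes an audit entry, a correction sought but not made is attached as a statement beside the value and flagged for decision-makers, and a disclosure log records which values went to which recipient so that the recipients holding a now-corrected value can be identified and notified. The class, field and recipient names and the sample data are constructed for illustration.

```python
"""Personal-information record with audited corrections and a disclosure log.

Added example, not from the toolkit. Names, identifiers and sample data are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class AuditEntry:
    when: str
    actor: str
    action: str        # "correct", "statement" or "disclose"
    field_name: str
    detail: str


@dataclass
class Disclosure:
    when: str
    recipient: str
    purpose: str
    values: dict       # field -> value as it was when disclosed


@dataclass
class PersonRecord:
    record_id: str
    data: dict
    history: dict = field(default_factory=dict)     # field -> [(when, superseded value)]
    statements: dict = field(default_factory=dict)  # field -> [statement of correction sought]
    audit: list = field(default_factory=list)
    disclosures: list = field(default_factory=list)

    def correct(self, field_name, new_value, actor):
        """Apply a correction. The superseded value is retained and the change is audited."""
        old = self.data.get(field_name)
        self.history.setdefault(field_name, []).append((_now(), old))
        self.data[field_name] = new_value
        self.audit.append(AuditEntry(_now(), actor, "correct", field_name,
                                     f"{old!r} -> {new_value!r}"))

    def attach_statement(self, field_name, statement, actor):
        """Correction sought but not made: record the individual's view beside the value."""
        self.statements.setdefault(field_name, []).append(statement)
        self.audit.append(AuditEntry(_now(), actor, "statement", field_name, statement))

    def disclose(self, recipient, purpose, field_names, actor):
        """Record exactly which values went to whom, and why."""
        snapshot = {f: self.data[f] for f in field_names}
        self.disclosures.append(Disclosure(_now(), recipient, purpose, snapshot))
        self.audit.append(AuditEntry(_now(), actor, "disclose",
                                     ",".join(sorted(field_names)), recipient))

    def recipients_to_notify(self, field_name):
        """Recipients still holding a value for field_name that differs from the current one."""
        return sorted({d.recipient for d in self.disclosures
                       if field_name in d.values and d.values[field_name] != self.data[field_name]})

    def disputed_fields(self):
        """Fields carrying a statement of correction; display these with a flag."""
        return sorted(self.statements)

    def access_report(self):
        """What the individual gets on an access request: current values, their own
        statements, and what was passed to third parties, when and for what purpose."""
        return {
            "data": dict(self.data),
            "statements": {k: list(v) for k, v in self.statements.items()},
            "disclosed_to": [(d.when, d.recipient, d.purpose, sorted(d.values))
                             for d in self.disclosures],
        }


def demo():
    """Constructed walk-through: a disclosure, then a correction, then a disputed field."""
    rec = PersonRecord("P-0001", {"name": "A. Example", "address": "1 Old Street"})
    rec.disclose("Agency X", "eligibility check", ["name", "address"], actor="clerk-1")
    rec.correct("address", "2 New Street", actor="clerk-2")
    rec.attach_statement("name", "Individual states their legal name is 'A. B. Example'",
                         actor="clerk-2")
    return rec


if __name__ == "__main__":
    r = demo()
    print("recipients to notify about the address change:", r.recipients_to_notify("address"))
    print("fields flagged for decision-makers:", r.disputed_fields())
```

The disclosure log stores the values as they were at the time of disclosure rather than a reference to the live record, which is what makes "who still holds the old value" answerable after the fact. In a real system the history and audit lists would be append-only storage that ordinary users cannot edit, and the access report would be the basis of the response to a request under principle 6.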



PRINCIPLE 8 – ACCURACY OF INFORMATION

An agency that holds personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date, complete, relevant, and not misleading.

What Principle 8 means in practice
Keep on the mark – ensure it’s correct and relevant before you use it

Poor-quality information leads to poor decision-making, which in turn may lead to unfair and inappropriate practices and unwarranted adverse effects on the individuals concerned.

Poor data may also make it harder for agencies to perform their functions efficiently and effectively and meet their objectives. Inaccurate or outdated information can be particularly problematic, both for agencies and the individuals concerned, if agencies can’t get in touch with individuals when they need to in order to verify their details and circumstances.

Key questions to ask (Accuracy)
• What processes do you have in place to ensure the information you hold is attributed to the correct person (and not someone with a similar name or the same address)?
• What mechanisms are in place to ensure that information is accurate, complete and up to date before it’s used or disclosed?
• What opportunities are provided to individuals to routinely correct or update their personal information, or to verify its accuracy before it’s used or disclosed?
• Is this information that’s likely to change over time (such as address, marital status, financial or health status) or information that is static (birth name, date or place of birth)?

Common risk examples (Accuracy)
• Poor-quality information may lead to decisions that impact negatively on individuals
• Incomplete or incorrect information can lead to incorrectly informed decisions
• Incomplete or inaccurate information may lead to financial or professional loss if used as a basis for decisions on whether an individual is eligible for a grant or benefit, or has obligations
• Information kept too long can be out of date
• Information in misplaced files or that is positioned wrongly in databases can cause information to be attributed wrongly, while at the same time being disassociated from the person concerned
• Migrating paper records to a digital format by re-keying data risks introducing errors
• Inaccurate data can increase the risk of inappropriate use and unwarranted disclosure
• Updating personal information without creating and maintaining audit trails of the updates increases the risk of unauthorised changes going undetected
• Failing to update personal information that has been disclosed in the past or that is held by contracted service providers can lead to poor data quality and inconsistent actions.

Possible mitigations to enhance privacy (Accuracy)
• Regularly check the reliability of equipment used to collect, process or test information or samples to minimise errors and detect unauthorised changes
• Before you take adverse action against someone based on the information, give them the opportunity to question or refute its accuracy
• If information was collected some time ago, review your policies and practices to ensure it’s still required for the purpose it was initially collected for and that your continued use of it is justified
• Take care when engaging in data matching or cleansing – the data may already be out of date
• Allow individuals to opt out easily from services they no longer require so you don’t keep information on their current file longer than needed
• Where information disclosed to another party is found to be inaccurate, let them know
• Periodically assess the accuracy and currency of the information you hold.



PRINCIPLE 9 – DELETION OF INFORMATION

An agency that holds personal information shall not keep that information for longer than is required for the purposes for which the information may lawfully be used.

What Principle 9 means in practice
Don’t be a hoarder – get rid of it if you don’t need it anymore

Think about what you really need the information for. If you have no real reason to keep it, securely destroy it (“just in case” is not a good enough reason).

Obviously, you can’t destroy documents that must be retained under other laws (for instance, to comply with the Public Records Act or Tax Administration Act). However, you need to make sure that any historical documents retained for those purposes are kept secure and can’t be accessed by staff who don’t need to see them. Consider whether, and when, the organisation should destroy any copies of documents that have been transferred elsewhere for permanent archiving. Also, consider de-identifying the information if it is to be retained for future business planning or research purposes.

Key questions to ask (Deletion)
• How long do you need to keep the information for?
• Do you have a system saying when it’s time to dispose of it, and how to dispose of it?
• How long have you already held the information, and if it’s new, how long will you hold it?
• Is the information covered by the Public Records archiving requirements? If so, what protocols are you suggesting should be applied to protect the information once it’s archived?
• Are there legislative requirements that mean you need to keep the information (for example, to comply with tax obligations)?
• Are there business reasons for keeping the information indefinitely (for example, to provide proof of a qualification from an educational institute)?
• Do you need to keep information with identifiers attached, or can you reduce it to anonymised or aggregated data and still get the job done?

Common risk examples (Deletion)
• Keeping data longer than necessary increases the risk of a data security breach or unauthorised use or disclosure
• Keeping information too long increases the risk it will be out of date, misleading and inaccurate
• The careless or ineffective disposal of files may lead to unauthorised access or disclosure
• Destroying information when you still need it creates problems of its own – if you don’t have a plan, you’re likely to make mistakes.

Possible mitigations to enhance privacy (Deletion)
• Have clear retention policies and disposal schedules, and monitor their use to ensure they can be updated as the need to keep information changes with time
• Where you no longer need information for the purpose you collected it for, but you need to retain documents to comply with specific legislation (such as the Public Records Act or Tax Administration Act), add safeguards to remove it from view and prevent access except by properly authorised staff
• Destroy transactional data when the transaction is complete and keep only metadata
• Ensure personal information is disposed of promptly once the minimum retention period specified has expired, unless you have a legitimate purpose for retaining it for longer
• Design your database to include a facility to flag records for review or deletion when the minimum retention period expires
• Ensure hard disks are entirely wiped before disposing of computers; encryption only substitutes for wiping if the disk was encrypted throughout its use and the key is destroyed at disposal. Use a shredder or secure disposal bins for disposing of paper records
• Minimise the amount of information that needs to be disposed of by minimising the amount of information collected in the first place.



PRINCIPLE 10 – USE OF INFORMATION

An agency that holds personal information that was obtained in connection with one purpose shall not use the information for any other purpose unless the agency believes, on reasonable grounds, the specified exceptions apply.

What Principle 10 means in practice
Stick to the plan – only use it for the purpose you initially collected it for

Use information for the purpose you initially collected it for unless additional permissions and safeguards are in effect.

When information is going to be used for a different purpose that isn’t directly related to the original one, you may sometimes need to notify the individuals in the same manner as if the information was new or additional information. There are exceptions – for instance, if the information is only being used for research or statistical purposes, and the individuals will not be identifiable in any material published at the end.

Other exceptions may also apply on a case-by-case basis: for instance where the individual concerned has authorised you to use the information for another purpose, where you took the information originally from a publicly available publication, or where it is necessary to enforce the law or for court proceedings, or to protect public revenue. You can also use information for a purpose other than your original one if you consider it’s necessary to protect public health or safety or the life or health of the individual concerned or another individual.

Key questions to ask (Use)
• What personal information will be used and for what purposes?
• Is the purpose the information is to be used for directly related to the purpose for which it was collected initially? In other words, would the individual concerned expect that this was what you would do with it?
• Are there any controls or systems in place to restrict how information can be used?
• Are you using information for a new purpose, or is what you’re doing within the scope of the original purpose?
• Will the intended use be communicated to the individuals concerned? If not, why not?
• Is the use of the personal information authorised, enabled or required by legislation?
• What training has been provided to staff on the use of information?
• Can you achieve what you need to do with anonymised information?

Common risk examples (Use)
• Information provided for one purpose may be used inappropriately
• Individuals may be surprised or upset by an unanticipated secondary use, and any implied “consent” to a secondary use may not be valid
• Ill-defined purposes result in ad-hoc use in a manner unrelated to the original intended use
• Personal information collected on behalf of another agency is used without legal authority.

Possible mitigations to enhance privacy (Use)
• Clearly define the proposed information use and convey that to the individuals concerned
• Check that any proposed uses won’t breach contractual or implied confidentiality undertakings
• Develop robust access control protocols that limit access to a “need to know” basis so that users can access only the information they need for their legitimate functions
• Ensure that access controls are updated constantly and quickly, to accommodate departing staff, changes in roles, and the expiry of contractors’ terms
• Provide for regular auditing of access by both authorised and unauthorised users
• For voluntary secondary uses, consider seeking consent first. Ensure that the voluntary nature of any choices is clearly communicated by providing opt-in rather than opt-out mechanisms
• When relying on consent to a secondary use, ensure there is a workable mechanism by which a person who refuses consent, or provides conditional consent, can be recognised
• Ensure that secondary uses are provided for by statutory authority or contractual terms
• Ensure that you have included all routine uses in an appropriate privacy notice
• Make it easy for people to see what you’re doing with their information – make it easily available to them and invite their comments.



PRINCIPLE 11 – DISCLOSURE OF INFORMATION

An agency that holds personal information shall not disclose the information to a person or body or agency unless the agency believes, on reasonable grounds, the specified exceptions apply.

What Principle 11 means in practice
Keep the control – only share information if that’s why you got it

You can disclose information for a particular purpose if that’s one of the purposes you originally collected it for. However, if you’re being asked to disclose for a different purpose, check that you have a good reason and legal authority to do so.

Nobody can use principle 11 to force you to disclose information. Only other statutes or court orders (such as warrants) can make you give information to anybody other than the individual whose information it is. However, principle 11 allows you to disclose information to other organisations if one of the exceptions applies.

The exceptions include:
• where you need to disclose information to an appropriate authority to protect someone (for instance a child who may be at risk)
• where the individual concerned has authorised you to disclose the information to someone else (or you’re disclosing it to them)
• where the original source of the information is already publicly available
• where it is for statistical or research purposes and the individual concerned won’t be identified
• where disclosing the information is necessary to enforce the law or for court proceedings, or to protect public revenue.

However, as with the use of information (principle 10), these exceptions should be applied on a case-by-case basis and shouldn’t be used to justify bulk or regular information-sharing.

Key questions to ask (Disclosure)
• Are you creating or changing any information-sharing arrangements with other organisations?
• Is the purpose of disclosure directly related to the original purpose of collection?
• Will information be disclosed as individual records, or in bulk files or aggregated?
• Will personal information be disclosed routinely? For what purpose?
• Is that purpose required, enabled or authorised by any law?
• Whose information will be disclosed or exchanged, and how might that affect them?
• Will the subject be aware their personal information will be disclosed for this purpose?
• Would other disclosures also be contemplated from time to time?
• How will information be exchanged, and what security measures will ensure it’s transferred safely?
• If information matching may be required, what databases would be involved?
• What information will be retained in the system once it’s transferred?

Common risk examples (Disclosure)
• Incorrect or inaccurate information is shared with other agencies
• Non-compliance with statutory or contractual obligations or implied confidentiality undertakings results in breach of trust
• De-identification of personal information before disclosure doesn’t prevent re-identification – removing names and numbers is not enough if the remaining attributes (such as date of birth, postcode and sex) single out a person or can be linked to another dataset
• Information with negative connotations is shared with another party leading to embarrassment, stigma, or damage to a person’s reputation
• Risk aversion means you don’t share information that you should be sharing, for instance to protect someone’s safety
• Concerns over personal safety arise if sensitive information about a person’s activities or whereabouts could fall into the wrong hands
• Secondary disclosure is not necessary or legally justifiable
• Individuals don’t have an opportunity to question the manner in which data received from another agency has been processed to arrive at an adverse decision
• People are unaware of, or have failed to opt out of, a voluntary secondary disclosure
• Information is disclosed for a use not directly related to the primary purpose of collection
• Individuals may be surprised or upset by an unanticipated disclosure for secondary use.



Possible mitigations to enhance privacy (Disclosure)
• Ensure that appropriate privacy protections are transferred along with the information you’re disclosing, through contractual arrangements or terms and conditions in sharing agreements or MoUs
• Ensure that secondary uses have appropriate statutory authority or contractual terms
• If you’re transferring data to another agency, ensure that its records-management processes have levels of protection that are similar to or greater than what your own organisation requires
• Remove unnecessary identifying details before releasing the information, including indirect identifiers that could be combined with each other or with other information to establish an individual’s identity
• Put clauses in contracts prohibiting use of anonymised information in a way that could re-identify someone
• Ensure that each participating organisation has a lawful authority to collect and/or disclose the information, and check that proposed disclosures won’t breach secrecy provisions or other restrictions in governing legislation
• Be open with individuals (in advance, if possible) about information-sharing arrangements, and where possible, make secondary disclosures to third parties voluntary – that is, seek consent first
• For voluntary secondary disclosures, provide opt-in rather than opt-out mechanisms and ensure that the voluntary nature of any optional choices is clearly communicated
• Ensure you’ve included all foreseen routine disclosures in an appropriate privacy notice
• Use stakeholder consultation to test community expectations about proposed disclosures.



PRINCIPLE 12 – USE OF UNIQUE IDENTIFIERS

An agency shall not assign a unique identifier to an individual unless the assignment of that identifier is necessary to enable the agency to carry out any 1 or more of its functions efficiently. Where a unique identifier is to be assigned it must comply with specific conditions.

What Principle 12 means in practice
Be unique – don’t use other agencies’ personal identifiers

A unique identifier (usually a number) is a record assigned by an organisation to uniquely identify an individual in their interactions with the organisation. You should only assign unique identifiers where this is expressly permitted and necessary for you to carry out your functions efficiently. You should not use unique identifiers that have been developed by another organisation, or for another purpose, unless there is an explicit authority to do this and it’s necessary for the purpose of your project.

Limiting the use of unique identifiers reduces the risk that a universal identifier will be established that could be used to link a wide range of information about an individual without their knowledge or control. It also decreases the risk of identity fraud.

Key questions to ask (Unique identifiers)
• How will individuals be identified? Will a unique number or other identification device be used?
• Could the method of identifying individuals result in more than one person being assigned the same information (for example, through information on identities being inappropriately merged)?
• Are you using the same unique identifier as another organisation, such as a tax number, or student number? If so, where is your authority to do so?
• Will any identifying number create a unique record across the population that could be used to link other unrelated personal information to expand an individual’s visible profile?

Common risk examples (Unique identifiers)
• Service provision is conditional on supply of a unique identifier assigned by another agency
• Unrelated information about an individual can be linked by association through the use of another agency’s unique identifier
• Use of the same unique identifier by different agencies creates a de facto universal unique identifier.

Possible mitigations to enhance privacy (Unique identifiers)
• Only collect a unique identifier provided by another organisation if you have specific legal authority to collect it and you need a record of the number to perform your functions
• Check that the unique identifier has been designed with your intended purposes in mind – is it fit for the purpose to which you’re putting it?
• If you need to verify eligibility by using identifiers issued by another organisation, note that the identification has been sighted but do not assign the number to the individual for your own use
• Ensure that your records-management systems are not designed to use unique identifiers issued by another organisation as the primary means of identifying the individual (for example, as part of a matching algorithm)
• Use agency-specific unique identifiers when working across different business units within an organisation to minimise the use of identifying personal information
• Minimise the amount of human-readable or attributable information by use of unique identifiers and other identification methods such as bar codes
• If using another agency’s unique identifier to match data, use it as an attribute, not as your primary identifier for your organisation’s processes.
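The following is an added example, not code from the toolkit. It implements the last three mitigations above, and the “pseudonyms” and “unlinkability” measures listed under Storage and security: each business unit derives its own working identifier from an external number (a tax or student number, say) with a keyed hash under a secret key that only that unit holds, so the same person gets unrelated identifiers in different units and no de facto universal identifier is created. The external number is stored only as an attribute, and only when the caller names an authority for holding it; by default the record notes merely that the identification was sighted. A keyed HMAC is used rather than a plain hash because identifiers of this kind have little entropy and an unkeyed hash can be reversed by trying every possible number. Unit names, keys, identifiers and sample data are constructed for illustration.

```python
"""Unit-specific pseudonymous identifiers derived from an external identifier.

Added example, not from the toolkit. Keys, unit names, identifiers and the
authority reference are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def derive_local_id(unit_key: bytes, external_id: str, length: int = 20) -> str:
    """Deterministic pseudonym for external_id under this unit's secret key.

    Same key and same (normalised) input give the same pseudonym, so a unit can
    match its own records; a different key gives an unrelated value, so units
    that do not share a key cannot link their records through it.
    """
    normalised = "".join(external_id.split()).upper()
    mac = hmac.new(unit_key, normalised.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


class UnitRegister:
    """Records for one business unit, keyed by that unit's own pseudonym."""

    def __init__(self, unit_name: str, key: Optional[bytes] = None):
        self.unit_name = unit_name
        # A fresh random key per unit unless one is supplied (e.g. from a key store).
        self._key = key if key is not None else secrets.token_bytes(32)
        self._records = {}

    def enrol(self, external_id: str, attributes: dict,
              authority_to_hold_number: Optional[str] = None) -> str:
        """Create or replace a record. The external number is retained only when a
        specific authority is named, and then only as an attribute, never as the key."""
        local_id = derive_local_id(self._key, external_id)
        rec = dict(attributes)
        rec["external_id_sighted"] = True
        if authority_to_hold_number:
            rec["external_id"] = external_id
            rec["external_id_authority"] = authority_to_hold_number
        self._records[local_id] = rec
        return local_id

    def lookup(self, local_id: str) -> Optional[dict]:
        return self._records.get(local_id)

    def match_external(self, external_id: str) -> Optional[dict]:
        """Find the record for an external number by re-deriving the pseudonym;
        the number does not have to be stored for this to work."""
        return self.lookup(derive_local_id(self._key, external_id))


def can_link(unit_a: UnitRegister, unit_b: UnitRegister, external_id: str) -> bool:
    """True only if both units produce the same pseudonym for the same person,
    which happens only when they share a key (the universal identifier the
    principle warns against)."""
    return (derive_local_id(unit_a._key, external_id)
            == derive_local_id(unit_b._key, external_id))


if __name__ == "__main__":
    benefits = UnitRegister("benefits")
    housing = UnitRegister("housing")
    benefits.enrol("TAX-123", {"eligible": True})
    housing.enrol("TAX-123", {"tenant": True})
    print("units can link the same person:", can_link(benefits, housing, "TAX-123"))
```

If two units genuinely need to match records, the mitigation above says to do it on the external number held as an attribute under explicit authority, not by sharing a key; `can_link` exists to make that distinction testable. Rotating a unit’s key changes every pseudonym it has issued, so keys must be managed like any other long-lived secret.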



Appendix D:
Other resources

Information about the Privacy Act and the privacy principles
Privacy Act and codes – Introduction
Privacy Act and codes – Privacy principles
Human Rights Review Tribunal of New Zealand (the Human Rights Review Tribunal privacy cases since 2002 are all available free online)

International resources
Privacy Victoria Privacy Impact Assessments Guide (2009)
Information Commissioner’s Office Conducting privacy impact assessments Code of Practice (2014)
Office of the Australian Information Commissioner Guide to undertaking privacy impact assessments (2014)
Office of the Privacy Commissioner of Canada Privacy Impact Assessments
Pacific Privacy Consulting

Examples of PIAs
New Zealand
Immigration New Zealand Identity and Biometrics Programme
Department of Statistics, Integrated Data Infrastructure
Health Practitioner Index

Australia
Extension of Document Verification Service to private sector organisations

United States
Department of Homeland Security inventory of privacy impact assessments

ISBN No. 978-0-478-11743-1
