Cybernion
← Insights

Privacy

How to Conduct a Privacy Impact Assessment: A Practical Walkthrough

3 July 2026 · Updated 3 July 2026

Short answer: A privacy impact assessment identifies how a project affects individuals’ privacy and recommends how to manage or remove those impacts. The OAIC sets out a 10 step process: run a threshold test, plan, describe the project, consult stakeholders, map information flows, analyse impacts against the Australian Privacy Principles, address risks, make recommendations, report, then respond and review.

Most privacy failures are designed in, not bolted on. A privacy impact assessment is the point where you catch them, before the system is built and the exposure is live.

What is a privacy impact assessment?

A privacy impact assessment (PIA) is a systematic assessment of a project that identifies potential privacy impacts and makes recommendations to manage, minimise or eliminate them. The Office of the Australian Information Commissioner (OAIC) recommends conducting one as an integral part of project planning, because it supports a privacy by design approach and helps demonstrate compliance with the Privacy Act.

A PIA is not a compliance form filed at the end of a project. Done properly, it runs alongside design, informing decisions about what information you collect and how you protect it while those decisions are still cheap to change. It also produces evidence. When a regulator, a client or an auditor asks how you considered privacy in a new system, a documented PIA is the answer. For projects handling sensitive information or affecting people’s rights, that record is worth having.

When do you need a privacy impact assessment?

You need a PIA whenever a project will collect, store, use or disclose personal information. That is the outcome of the threshold assessment, the first step in the process. If the answer to whether personal information is involved is yes, a PIA is usually necessary, and you should keep a record of the threshold assessment either way.

Australian Government agencies are required to conduct a PIA for all high privacy risk projects, and to keep a register of them. Private sector organisations are not under the same mandate, but the OAIC recommends PIAs as part of routine risk management, and the case for one strengthens with the sensitivity of the information and the scale of the project. New customer platforms, data sharing arrangements, biometric or facial recognition systems, and anything involving automated decisions are all strong candidates. The tiered penalties introduced by the 2024 Privacy Act reform make the cost of getting this wrong higher than it used to be. If a project does lead to a breach, the Notifiable Data Breaches scheme sets the clock and reporting obligations.

What are the steps in a privacy impact assessment?

The OAIC sets out a 10 step process that takes a project from a threshold test through to ongoing review. Each step builds on the last, and the value is in the sequence, not any single item. The table below sets out the steps and what each produces.

StepWhat you doOutput
1. Threshold assessmentAsk whether personal information is involvedRecorded decision on whether a PIA is needed
2. Plan the PIASet scope, owner, timeframe, budget, who to consultPIA plan
3. Describe the projectWrite a brief but sufficient project descriptionProject description
4. Identify and consult stakeholdersMap and engage those affected or with relevant expertiseStakeholder input
5. Map information flowsDetail what is collected, used, disclosed, held and by whomInformation flow map
6. Privacy impact analysis and compliance checkAnalyse impacts and check against the APPsCompliance and impact analysis
7. Privacy management, considering risksWeigh options to remove, minimise or mitigate risksRisk options
8. RecommendationsMake actionable recommendations with timeframesRecommendations
9. ReportSet out the PIA in a practical, usable documentPIA report
10. Respond and reviewImplement, monitor and update as the project evolvesOngoing management

How do you map information flows in a privacy impact assessment?

You map information flows by describing what personal information the project will collect, how it will be used and disclosed, how it will be held and protected, and who will have access. This is step 5, and it is the analytical core of the PIA. Everything in the compliance check depends on getting this picture accurate.

A good information flow map follows each piece of personal information from the point of collection to eventual destruction. It names the source, the purpose, every system and party that touches it, the retention period and the security controls around it. Gaps in the map are usually gaps in the design: information collected without a clear purpose, held longer than needed, or accessible to people who do not need it. Mapping surfaces those before they become findings. It also feeds directly into obligations under APP 3 on collection, APP 6 on use and disclosure, and APP 11 on security.

Which Australian Privacy Principles does a privacy impact assessment check?

A PIA checks the project against the Australian Privacy Principles (APPs) as a whole, but several carry most of the weight in step 6. APP 1 requires open and transparent management of personal information, including a current privacy policy. APP 3 governs when and how you may collect personal information. APP 5 requires you to notify individuals about the collection at or before the time it happens. APP 6 limits how you may use or disclose the information. APP 11 requires reasonable steps to protect it from misuse, interference, loss and unauthorised access.

The compliance check should not stop at the headline APPs. Depending on the project, cross border disclosure under APP 8, direct marketing under APP 7, or the handling of government related identifiers under APP 9 may all apply. The point is to test the whole design against every principle that is relevant, then record where it complies and where it needs work. APP 11 in particular links privacy to security practice, which is where a structured control set such as ISO 27001 or the Essential Eight supports the reasonable steps you are expected to take. Where personal information misuse is serious, it can also give rise to a claim under the statutory tort for invasions of privacy. If you need ongoing guidance running PIAs and managing privacy risk, a virtual CISO can own that program.

Frequently asked questions

What is a privacy impact assessment?

A privacy impact assessment (PIA) is a systematic assessment of a project that identifies its potential impacts on individuals’ privacy and makes recommendations to manage, minimise or eliminate them. The OAIC recommends running a PIA as part of project planning to support a privacy by design approach and to help demonstrate compliance with the Privacy Act.

When do you need a privacy impact assessment?

You need a PIA whenever a project will collect, store, use or disclose personal information. The first step is a threshold assessment, and if personal information is involved a PIA is usually necessary. Australian Government agencies are required to conduct a PIA for all high privacy risk projects, and the OAIC recommends organisations do the same as part of routine risk management.

What are the steps in a privacy impact assessment?

The OAIC’s 10 step process runs from threshold assessment, planning the PIA, describing the project, identifying and consulting stakeholders, mapping information flows, privacy impact analysis and compliance check, considering risks, making recommendations, reporting, through to responding and reviewing. A PIA is an ongoing process rather than a one off document.

Which Australian Privacy Principles does a privacy impact assessment check?

A PIA checks a project against the Australian Privacy Principles as a whole, but several are central. APP 1 requires open and transparent handling, APP 3 governs collection of personal information, APP 5 requires notice at the point of collection, APP 6 governs use and disclosure, and APP 11 requires reasonable steps to secure the information. The compliance check should cover all APPs that apply to the project.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Talk to us.

Sources:

  1. 10 steps to undertaking a privacy impact assessment, OAIC, updated September 2024
  2. Privacy impact assessments, OAIC
  3. APP 1 Open and transparent management of personal information, OAIC

Last updated: 3 July, 2026

Talk to us about your engagement

A scoped proposal within one business day.