A privacy impact assessment (PIA) is a tool for identifying and assessing privacy risks throughout the development life cycle of a program or system.
A privacy impact assessment states what personally identifiable information (PII) is collected and explains how that information is maintained, how it will be protected and how it will be shared.
A PIA should identify:
- Whether the collection of the information complies with privacy-related legal and regulatory requirements.
- The risks and effects of collecting, maintaining and disseminating PII.
- Protections and processes for handling information to alleviate any potential privacy risks.
- Options and methods for individuals to provide consent for the collection of their PII.
Under the E-Government Act of 2002, federal agencies are required to conduct privacy impact assessments for government programs and systems that collect personal information online. Federal agency CIOs, or an equivalent official designated by the head of the agency, are responsible for ensuring that privacy impact assessments are conducted and reviewed for applicable IT systems. The Act also mandates that a privacy impact assessment be conducted when an IT system is substantially revised. Federal agencies such as the U.S. Department of Homeland Security and the Department of Health and Human Services offer guidance for writing PIAs, including blank privacy impact assessment templates that help structure and facilitate their development.