A privacy impact assessment (PIA) is a process which helps an organisation to identify and reduce the privacy risks of a project. An effective PIA will be used throughout the development and implementation of a project, using existing project management processes. A PIA enables an organisation to systematically and thoroughly analyse how a particular project or system will affect the privacy of the individuals involved.
The ICO uses the term project in a broad and flexible way: it means any plan or proposal in an organisation, and does not need to meet an organisation's formal or technical definition of a project, for example one set out in a project management methodology.
PIAs are often applied to new projects, because this allows greater scope for influencing how the project will be implemented. A PIA can also be useful when an organisation is planning changes to an existing system. A PIA can be used to review an existing system, but the organisation needs to ensure that there is a realistic opportunity for the process to implement necessary changes to the system.
The purpose of the PIA is to ensure that privacy risks are minimised while allowing the aims of the project to be met whenever possible. Risks can be identified and addressed at an early stage by analysing how the proposed uses of personal information and technology will work in practice. This analysis can be tested by consulting with people who will be working on, or affected by, the project.