
Guideline: Privacy Impact Assessment


To provide advice on when to undertake a Privacy Impact Assessment (PIA) and the content of a PIA.


Personal Information has the meaning given to it in the Privacy Act 1988 (Cth).

Privacy Act 1988 (Cth) is the Commonwealth Act that applies to the ANU and other Commonwealth agencies.


When developing or reviewing a new or revised project or system, you must consider the need for a privacy impact assessment (PIA).

A PIA is an important component of the University’s protection of privacy and is to be implemented as part of the University’s privacy by design requirement under the Privacy Act.

A PIA identifies how a new or revised project or system can have an impact on an individual’s privacy, and makes recommendations for managing, minimising or eliminating those privacy impacts.

The PIA process should be included as part of the project and system planning processes, and recorded in the project plan and risk reporting. It should be revisited and updated when changes to a project or system are considered.

Determining whether a PIA is required

The first step is determining whether a PIA is required.

A PIA is beneficial for any project or system that involves new or changed ways of handling personal information. If the project or system will not handle any personal information or the project or system does not propose any changes to existing information handling practices (and where the privacy impacts of these practices have been assessed previously and found to be appropriate), no PIA is required.

A PIA is likely to be required if:

  • personal information is collected in a new way;
  • personal information is collected in a way that might be perceived as being intrusive;
  • personal information will be disclosed to another agency, a contractor, the private sector or to the public; or
  • there is a change in the way personal information is stored or secured.

Undertaking a PIA

The Project Manager or Business Owner of the new or revised project or system is responsible for the completion of the PIA.

The steps after identification that a PIA is required are:

  1. Plan. Consider how detailed the PIA will be, who will conduct it, what the timeframe is, what the budget is, who will be consulted, and how the recommendations will be implemented and monitored.

  2. Describe the project or system. To be included in the PIA report. The project description should be brief, but sufficiently detailed to allow all to understand the project. It should be written in plain English, avoiding overly technical language or jargon.

  3. Identify and consult with stakeholders. To be included in the report. Consultation should be on privacy risks and concerns, to understand known risks better, and develop strategies to mitigate all risks.

  4. Map personal information flows. To be included in the PIA report. Describe and map the personal information flows in the project or system. The map should detail what information will be collected, used and disclosed, how it will be held and protected, and who will have access to it. It is not a statement of the stages of the project.

  5. Privacy impact analysis and compliance check. To be included in the PIA report. Analyse how the project or system might impact upon privacy, both positively and negatively. Assessment should be made against the relevant Australian Privacy Principles (APPs).

  6. Privacy management — addressing risks. Consider options for removing, minimising or mitigating any privacy risks identified through the privacy impact analysis. Can be combined in the PIA report with the above item.

  7. Recommendations. Make recommendations that identify avoidable impacts or risks and how they can be removed or reduced. The recommendations should include timeframes for implementation.

  8. Prepare the PIA report. A report template is Attachment 2. Prepare a PIA report that sets out all the information gathered.

  9. Respond and review. The document should be a living document regularly reviewed, perhaps as part of an annual system review process.

PIA report

After the assessment is completed it should be documented in a PIA report. A PIA report template is attached (Attachment 2).

The need for a PIA report is to be reviewed by the Privacy Officer and where it meets the threshold the draft will be reviewed by the Data Governance Committee.

The Office of the Australian Information Commissioner has guidance at

Attachment 1. Office of the Australian Information Commissioner


Attachment 2. Template for PIA

Project or System name

Prepared by


Executive summary


PIA methodology

Approach taken to undertaking the PIA, including any stakeholder consultation.

Project description

Includes description and map of information flows.

Information Flows

Insert model of information flows


Project manager/System Executive

Privacy Officer/Data Governance Committee



Includes recommendations



Where required


Title Privacy Impact Assessment Guideline
Document Type Guideline
Document Number ANUP_019407
Version 3
Purpose The Guidelines on Privacy Impact Assessment provide an essential tool to assist projects and services to ensure they comply with the Privacy Act 1988, and they assist with the implementation of good privacy practice.
Audience Staff-Academic, Students, Alumni, Staff
Category Administrative
Topic/ SubTopic Information Management - Privacy
Effective Date 1 Jan 2019
Next Review Date 23 May 2023
Responsible Officer: University Librarian and Director, Scholarly Information Services
Approved By: Chief Operating Officer
Contact Area Library, Archives and University Records
Authority: Privacy Act 1988
Archives Act 1983
Delegations 0

Information generated and received by ANU staff in the course of conducting business on behalf of ANU is a record and should be captured by an authorised recordkeeping system. To learn more about University records and recordkeeping practice at ANU, see ANU recordkeeping and Policy: Records and archives management.
