Privacy Impact Assessment

A privacy impact assessment (PIA) should be completed at the outset of any project, or change to an existing system or process, that involves the collection or handling of personal information.

The Information Commissioner’s Office (ICO) advises that PIAs should be built into an organisation’s processes as an “integral part of taking a privacy by design approach”. PIAs help to identify and remedy privacy and security issues at an early stage, as fixing issues reactively further down the line can often be expensive or technically impossible.

From the ICO Privacy Impact Assessment Code of Practice:

“The purpose of the PIA is to ensure that privacy risks are minimised while allowing the aims of the project to be met whenever possible. Risks can be identified and addressed at an early stage by analysing how the proposed uses of personal information and technology will work in practice. This analysis can be tested by consulting with people who will be working on, or affected by, the project.”

Download the University's Privacy Impact Assessment form (Office document, 50kB)

Advice and guidance on completing a PIA can be obtained from the Information Rights Officer and/or Information Security Manager and is most useful if all relevant parties are involved in the process. In addition to those roles, the process should include some or all of the below:

For further information on the University's project management processes, please see the Strategic Projects Office website.