Draft privacy resource: When do agencies need to conduct a privacy impact assessment?

11 May 2020
Tags: Closed

This consultation is closed. The deadline for submissions was 19 June 2020.

The Office of the Australian Information Commissioner (OAIC) is seeking your views on its draft privacy resource: When do agencies need to conduct a privacy impact assessment?

The main purpose of the resource is to help agencies determine when a privacy impact assessment (PIA) is required under the Privacy (Australian Government Agencies – Governance) APP Code 2017 (the Code).

Although the resource is primarily aimed at Australian Government agencies subject to the Privacy Act, we welcome comments by other interested stakeholders and members of the community.

Download the draft resource (DOCX, 209 KB)


The Code commenced on 1 July 2018 and applies to all Australian Government agencies subject to the Privacy Act 1988 (except for Ministers). It is a binding legislative instrument.

The Code sets out specific requirements and key practical steps that agencies must take as part of complying with Australian Privacy Principle (APP) 1.2. This includes a requirement to undertake a written PIA for all ‘high privacy risk’ projects or initiatives that involve new or changed ways of handling personal information.

Section 12.2 of the Code states that a project ‘may be a high privacy risk project if the agency reasonably considers that the project involves any new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals.’

About the draft resource

The purpose of the draft resource is to:

  • provide guidance to agencies on how to screen for high privacy risk projects by completing a threshold assessment to determine whether a PIA is required
  • set out the benefits of conducting a PIA, even when a project does not meet the ‘high privacy risk’ threshold

The draft resource includes a template to help agencies complete a threshold assessment. The template features a non-exhaustive list of factors that indicate whether a project may be ‘high privacy risk’ and will require a PIA to be conducted under the Code.

The resource is intended to be read in conjunction with the OAIC’s Guide to undertaking a privacy impact assessment (PIA Guide) and PIA e-learning course.

Consultation questions

To assist you in preparing comments for this consultation, we have suggested some questions to stimulate comments and reflections on the draft resource.

They are not intended to limit the issues that may be raised. You may wish to respond to some or all questions, or to raise other issues related to the draft guide.

  • Is the draft resource clear, relevant and practical?
  • Does the draft resource help agencies understand when they need to conduct a PIA under the Code?
  • Are there any topics or issues that you believe the draft resource should cover that have not been covered, or should be covered in greater detail?
  • Are there any practical examples you could share to help inform the resource?
  • Do you think the resource would benefit from visual aids such as flow charts or diagrams?
  • Are there any other ways in which the draft resource could be enhanced?

How to make comments

Comments can be made by:

Email consultation@oaic.gov.au
Post GPO Box 5218
Sydney NSW 2001

The closing date for comments is 19 June 2020.

Although you may send your comments electronically or by post, electronic lodgment is preferred.

Requests for access to comments will be determined in accordance with the Freedom of Information Act 1982 (FOI Act).

Privacy Collection statement

The OAIC will use the personal information it collects during this consultation for the purpose of finalising the draft privacy resource and our ongoing engagement with you.