Roger Clarke's Web-Site

© Xamax Consultancy Pty Ltd,  1995-2024
Photo of Roger Clarke

Roger Clarke's 'Privacy Impact Assessments'

Privacy Impact Assessments

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 19 April 1999, with small revisions subsequently, and progressive enhancements to the Bibliography, most recently 26 May 2003

© Xamax Consultancy Pty Ltd, 1997-2000

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at


Many applications of information technology have substantial implications for privacy. Major projects should be the subject of a privacy impact assessment (PIA), in a manner analogous to the established mechanism of environmental impact statements (EIS).

There is to date only a tiny literature on PIA. In the last six years of the Impact Assessment Journal, for example, not one article-title has included the word 'privacy'.

These notes draw together the material that has been brought to my attention by colleagues, or that my brief research has unearthed. They are a byproduct of a task undertaken as part of a consultancy project for Centrelink, Canberra. The topic deserves much more serious attention than I've been able to give it here.

The Concept
* Origins and Definition

Impact assessment is well known in the environmental area. It has also been applied to particular technologies, and to regulatory schemes. The genesis of privacy impact assessment dates back to the 1970s, and Longworth (1996) refers to usage in 1992. The process and product are, however, only slowly being formalised.

Generally, the International Association for Impact Assessment (IAIA) defines impact assessment as "the identification of future consequences of a current or proposed action".

More specifically, "a privacy impact assessment involves an assessment of the possible effects that a particular activity or proposal may have on privacy ..." (RMMB, 1996, presumably based on Stewart 1996a).

* Justification

The argument for a PIA was put in Clarke (1996b) as follows:

"It is highly desirable that sponsors recognise that their schemes have wide implications and that many different stakeholders are affected. The most effective way to evidence that awareness is to prepare and publish impact statements ... in relation to privacy".

From the perspective of the organisation, a proactive rather than a reactive stance ensures that the cost of compliance is kept as low as practicable, by avoiding expensive re-work and retro-fitting. For an examination of privacy as a strategic consideration for government agencies and corporations alike, see Clarke (1996a).

* Requirements

Important requirements of a PIA are (Stewart 1996a, 1996b) that it:

* Scope

A PIA is quite different from a privacy compliance audit. Such an audit presumes the existence of specific laws and/or standards with which a proposal or project needs to comply. An audit is an appropriate means whereby performance of an operational system can be evaluated.

A PIA adopts a much broader perspective than an audit. It considers the impacts of a proposed action, and is not constrained by questions of whether the action is already authorised by law. Moreover, to the extent that relevant codes or standards exist, it does not merely accept them, but considers whether they address the public's needs.

A PIA can be conceived as addressing only information privacy issues. This is far too limiting, however, and the scope should extend to the full gamut of privacy concerns, including privacy of the person, and privacy of behaviour. See Clarke (1997-) for a discussion of the dimensions of privacy.

A PIA may be undertaken as a segment within a yet broader examination, which might be termed a social impact assessment. In respect of major initaitives, other impacts that need to be considered include those on the job-market, industry structure, geographical regions, consumer rights, and social equity.

Who Does a PIA?

One possibility is that a PIA should be prepared by a privacy watchdog, such as a Privacy or Data Protection Commissioner. In general, however, such agencies are not funded by government to perform such work. Moreover, they may become too deeply involved in particular proposals, to the detriment of their overall responsibilities.

It is therefore much more preferable that the PIA be undertaken by the organisation(s) bringing the proposal forward. The watchdog agency should, however, provide guidance to organisations as to the requirements of the PIA process and product (Stewart 1996a, 1996b).

As the market for information of this nature matures, it is likely that specialist consultants will develop expertise in supporting the development of PIAs.

Sources of Guidance Regarding PIAs

General guidelines are beginning to emerge. See, in particular:

See also documents dealing with the following specific matters:

It's highly likely that a study of the following literatures would yield some valuable principles:

Some General Principles

The following sub-sections suggest a few key points.

* Scope

A PIA needs to address all dimensions of privacy. See

* Fundamentals of the PIA Process

The process needs to be:

* Fundamentals of the PIA Product

The resulting document needs to answer at least the following questions:

* Cost/Benefit Analysis

Simple financial analysis is of course inappropriate for projects that have substantial social impacts. The appropriate evaluation technique is cost/benefit analysis. See Clarke (1995a).


Thanks to the many people who've contributed to the establishment of this document, especially Blair Stewart (NZ), Ann Cavoukian, David Flaherty and Pierrot Peladeau (CA), Nigel Waters, Graham Greenleaf, Philip George and Chris Connolly (AU), and Dave Banisar (US).


Canada (2002) `Privacy Impact Assessment Policy' Treasury Board Secretariat, Government of Canada, April 2002, at

Clarke R. (1995a) 'Computer Matching by Government Agencies: The Failure of Cost/Benefit Analysis as a Control Mechanism', Informatization and the Public Sector (March 1995), at

Clarke R. (1995b) 'A Normative Regulatory Framework For Computer Matching' Computer & Information Law XIII,4 (Summer 1995) 585-633 , at

Clarke R. (1996a) 'Privacy and Dataveillance, and Organisational Strategy', Proc. Conf. I.S. Audit & Control Association (EDPAC'96), Perth, 28 May 1996, at

Clarke R. (1996b) 'Smart Move by the Smart Card Industry' Privacy Law & Policy Reporter 2,10 (January 1996) 189-191, 195, at

Clarke R. (1997-) 'Introduction to Dataveillance and Information Privacy, and Definitions of Terms', at

Clarke R. (1998-) `Privacy Impact Assessments' February 1998, at [this document]

Flaherty D.H. (1994) 'Submission to Industry Canada re the Information Highway', December 1994, in particular Appendix A, at

Flaherty D.H. (1995) 'Provincial Identity Cards: A Privacy-Impact Assessment', September, 1995, at

Flaherty D.H. (2000) 'Privacy Impact Assessments: an essential tool for data protection', October 2000, A presentation to a plenary session on "New Technologies, Security and Freedom," at the 22nd Annual Meeting of Privacy and Data Protection Officials held in Venice, September 27-30, 2000. Reprinted in Privacy Law & Policy Reporter 7,5 (2000) 85-90 (November 2000), at

Greenleaf G. (2002) `Canada makes privacy impact assessments compulsory' Privacy Law & Policy Reporter 8, 10 (June 2002) 189-190

HealthBC (1997) 'Sample Privacy Impact Statement' British Columbia Ministry of Health, 1994, 1997, at

HHS (2003) 'Privacy Impact Assessments', HHS Privacy Committee, at

IPCO (1993) 'Smart Cards', Information and Privacy Commissioner/Ontario (April 1993), at

IPCO (1995) 'Eyes on the Road: Intelligent Transportation Systems and Your Privacy', Information and Privacy Commissioner/Ontario (March 1995), at

IPCO (1997) 'Geographic Information Systems', Information and Privacy Commissioner/Ontario (April 1997), at (mirrored below)

Longworth E. (1996) 'Notes on Privacy Impact Assessments' Privacy Issues Forum, Christchurch, NZ, 13 June 1996, in NZPC (1997)

NYS (1998) 'Rules for Real Property Tax Administration', New York State, 19 February 1998, at Privacy impact statement; supplemental statement

NZPC (1997) 'A Compilation of Materials in Relation to Privacy Impact Assessment' New Zealand Privacy Commissioner, 1997

NZPC (2002) `Privacy Impact Assessment Handbook' Office of the New Zealand Privacy Commissioner, March 2002, at

OFPC (2001) `Privacy and Public Key Infrastructure: Guidelines for Agencies using PKI to Communicate or Transact with Individuals' Office of the Federal Privacy Commissioner, December 2001, at

OIPC-AB (2002) `Privacy Impact Assessments' Office of the Information Privacy Commissioner of Alberta, at

Ontario (1999, 2001) `Privacy Impact Assessment Guidelines' 1999, re., 2001, Management Board Secretariat, Government of Ontario, at

OTA (1977) 'Technology Assessment in Business and Government' Office of Technology Assessment, document #PB-273164, January 1977, at

PCA (1995) 'Use of Data matching in Commonwealth Administration - Guidelines', Ref. No. GL.5, Privacy Commissioner of Australia, November 1995, via

RMMB (1996) 'The Privacy Act: The honeymoon is over', Intellectual Property & Media Law Update, Russell McVeagh McKenzie Bartleet (October 1996), at

Stewart B. (1996a) 'Privacy impact assessments' Privacy Law & Policy Reporter 3, 4 (July 1996) 61-64, at

Stewart B. (1996b) 'PIAs - an early warning system' Privacy Law & Policy Reporter 3, 7 (October/November 1996) 134-138, at

Stewart B. (1999) 'Privacy impact assessment: towards a better informed process for evaluating privacy issues arising from new technologies' Privacy Law & Policy Reporter 5, 8 (February 1999) 147-149, at

Stewart B. (2002) `Privacy impact assessment roundup' Privacy Law & Policy Reporter 9, 5 (October 2002) 90-91

UK Cabinet Office (2002) `Privacy and data-sharing: The way forward for public services: Annex D: The analytical framework and privacy impact assessments', UK Cabinet Office Strategy Unit, April 2002, at

USDOJ (2000) `Privacy Impact Assessment for Justice Information Systems' Working Paper, , August 2000, at

Mirror of an Appendix to 'Geographic Information Systems', Information and Privacy Commissioner/Ontario (April 1997), at

APPENDIX A - Privacy Impact Assessment

Protection of Privacy

Will the proposed GIS application aggregate or computerize any information, public or personal, that may alter the existing privacy interests of that information? If so, should new or special privacy safeguards be implemented?

Are there less privacy-intrusive alternatives that can produce equivalent results? What other options have been considered, what was their impact on privacy, and why were they not selected?

Personal Information

Will the information to be included in the proposed GIS application fall under the Acts' definition of personal information? If so, is it absolutely necessary to use identifiable information? Why? If not, should the information still be managed in accordance with fair information practices in order to be responsive to the public's concern about use of advanced information technology?

Will the proposed GIS application enhance the privacy of individuals' personal information held by the government organization?

Will the proposed GIS application make available or reveal any previously unavailable personal information? How should this newly available information be protected?

How might the public react if the information to be included in the proposed GIS application was available on the Internet (i.e., the "Internet Challenge")? Would that estimated reaction warrant a re-thinking of the information to be included in the proposed GIS application?

Public Record

Will the proposed GIS database be maintained for the purpose of creating a record that is available to the general public? What is the authority for creating a public record? Even if the records are public in nature, should they be managed in accordance with fair information practices because of potential public privacy concerns relating to that information?


Could there be adverse consequences for the data subject from the collection of personal information? If so, should that information be collected or used? Can the same results be accomplished with anonymized or aggregate information?

What is the minimum information necessary and relevant to the purposes of the proposed application? Why is that information needed? Is any additional information being collected or used? If so, why is it necessary?

Will there be collection of any new personal information? What is the authority for the collection? Is new legislation/regulation/policy required or appropriate? What are the purposes of the collection? Will the information be collected directly from the data subject, if not, why not?

Data Subject Knowledge, Consent and Notice

Will the data subjects know about the existence of the proposed GIS application and if not, why not? What reasons exist for not requiring data subject knowledge and consent for all aspects of the application?

Will the data subjects be notified? If not, why not? If so, what type of notification would be appropriate?

How will the sources of the GIS data be tracked? How will that information be communicated to the data subjects if they request identification of sources?


How long will information be needed to be kept in order to achieve the purpose of the proposed GIS application? What provisions are in place to ensure that information is not retained for too long or disposed of too soon?


What steps will be taken to ensure that the information needed for the proposed GIS application is accurate and up-to-date? What procedures are in place to verify information and to ensure that information will not be used if it is inaccurate or out-of-date?


How will the information to be used in the proposed GIS application be disposed of?


How will the information to be used in the proposed GIS application be secured? What procedures are in place to determine that the proposed methods of security are appropriate for the type of records and the nature of any possible risks?

What safeguards against such risks as unauthorized access, destruction, modification, use, or disclosure are necessary and appropriate? How will these be tested and monitored?


How should the information for the proposed GIS application be used? Who should be using the information? What technological or policy restrictions should be in place to ensure that there are no unrelated or unauthorized uses or users?

Consistent Purpose

Are there any additional purposes for which the information to be included in the proposed GIS application could be used? Are these additional uses absolutely necessary? If yes, should the additional purposes be defined as a primary, rather than as consistent purposes, and the data subjects notified of its existence at the outset?


When and how should the information related to the proposed GIS application be disclosed, and to whom? Will the public have access? If so, should the answers to any of these questions be reconsidered?

What are the official duties or legitimate functions that would need information from the proposed GIS application? Why would the information related to the proposed GIS application be necessary for the performance of that duty or function? What is the minimum amount of information necessary for that performance? Can it be performed with aggregated or anonymized information?

Will the database of the proposed GIS application be sold? Should it be? What steps should be taken to minimize the negative impact on privacy?

Personal Information Bank

Should the information for the proposed GIS application be included in a personal information bank?

Data Subject Right of Access and Correction

Will the proposed GIS application provide individuals with a right of access to their information?

Is there anything in the proposed design of the GIS application that would prevent an individual from being able to access or correct their personal information? If so, how can that access be provided?

Request for Access

Will the design of the proposed GIS application permit access to be provided, within reason, to requesters in a comprehensible form determined by them? Will alternative formats necessitate any additional costs? How can the costs be minimized?

Will the design of the proposed GIS application permit the severance of selective personal information from the database? If not, why not?

Computer Matching

Will the information to be included in the proposed GIS application need to be linked or matched with information from other databases? Why? What steps should be taken to minimize the negative impact on privacy?

Testing and Evaluation

Will there be an opportunity to test the proposed GIS application in order to evaluate the effectiveness of privacy protective measures and to identify and address any problem?


Who will be held accountable for maintaining the proposed GIS application and for complying with the Acts?

xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021.

Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 10 February 1998 - Last Amended: 26 May 2003 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2022   -    Privacy Policy