User:ChristopherLKunin/Privacy Impact assessment

Privacy Impact Assessment (PIA) is a method of assessment used to identify the privacy risk of a corporation or organization. It is a tool for evaluating how a corporation handles consumer and employee information. According to the Department of Homeland Security, a successful Privacy Impact Assessment (PIA) should accomplish three goals: (1) ensure conformance with applicable legal, regulatory, and policy requirements for privacy; (2) determine the risks and effects of the system under assessment; and (3) evaluate protections and alternative processes to mitigate potential privacy risks.

Purpose
Since PIAs are a measure of an organization's ability to keep private information safe, a PIA should be conducted whenever the organization is in possession of the personal information of employees and/or clients. Such information can include, but is not limited to, names, ages, phone numbers, and email addresses. A PIA should also be conducted in any instance in which the business or organization in question is in possession of information that is otherwise sensitive, or in cases where the security systems protecting private or sensitive information are undergoing changes that could create a risk of privacy leaks.

History
In the 1970s the Technology Assessment (TA) was created by the United States Office of Technology Assessment. A TA was used to determine the societal and social repercussions of new technologies. At around the same time came the Environmental Impact Assessment (EIA), a reaction to the social push of the 1960s Green movements; the methodology of both of these impact assessments acted as a precursor to the creation of the PIA. The Privacy Impact Statement, a much less extensive version of the PIA, came about in the late 1980s. During the 1990s a need arose to measure the effectiveness of a company's or organization's data security, especially as most data was now being stored on computers or other electronic platforms. More extensive PIAs started to be used more frequently by corporations and governments in the mid-1990s, and they are now used by organizations all around the world and by several governments, including New Zealand, Canada, Australia, and the United States Department of Homeland Security, to assess the privacy risk of their systems. In addition, several other countries and corporations use assessment systems similar to PIAs for data risk analysis.

Implementation
Privacy Impact Assessments can be summed up in a four-step process.

Step 1: Project Initiation. This step is where the scope of the PIA process is defined (which varies by organization). If the project being assessed is in its early stages and detailed information is not yet known, the organization may choose to do a preliminary PIA, and then a full PIA once the project gets off the ground.

Step 2: Data Flow Analysis. This step involves mapping out the proposed business process as it relates to personal information, identifying clusters of personal information, and creating a diagram of how the personal information flows through the organization as a result of the business activities in question.

Step 3: Privacy Analysis. This step requires all personnel involved with the movement of private information to complete privacy analysis questionnaires. It also includes secondary check-ins on those questionnaire answers that require more detail, and discussion of the privacy issues and implications raised by the questionnaires.

Step 4: Privacy Impact Assessment Report. This step requires the organization to create a documented evaluation of the privacy risks identified in the previous steps and the potential implications of those risks, together with a discussion of possible efforts that could be made to mitigate or remedy them.