Privacy impact assessment preparation checklist
A PIA identifies privacy risks before a project launches, saving the cost and reputational harm of retrofitting compliance. The OAIC recommends PIAs for any project involving new or changed handling of personal information.
This is a 12-step checklist for preparing a privacy impact assessment (PIA) following the OAIC PIA Guide and the Australian Privacy Principles under the Privacy Act 1988 (Cth).
The checklist
1. Define the project scope
   Describe the project, system, or initiative being assessed, its objectives, and the personal information it will handle.
2. Map data flows
   Document how personal information will be collected, used, disclosed, stored, and destroyed throughout the project lifecycle.
3. Identify legal authority
   Confirm the legal basis for collecting and using the personal information, including any consent requirements under APP 3.
4. Assess necessity and proportionality
   Evaluate whether the collection is limited to what is reasonably necessary for the project's purpose under APP 3.2.
5. Review notice requirements
   Confirm that a compliant APP 5 collection notice will be provided at or before the time of collection.
6. Evaluate use and disclosure
   Assess whether proposed uses and disclosures are within the primary purpose or fall within an APP 6 exception.
7. Assess cross-border disclosure
   Identify any offshore data transfers and confirm APP 8 requirements are met, including reasonable steps to ensure overseas recipients comply with the APPs.
8. Evaluate security measures
   Assess whether the project takes reasonable steps under APP 11.1 to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure, including encryption, access controls, and monitoring.
9. Plan data retention and destruction
   Define retention periods and destruction or de-identification procedures in line with APP 11.2.
10. Assess individual rights
   Confirm the project supports APP 12 access and APP 13 correction rights, including response processes and timeframes.
11. Identify and rate privacy risks
   List each identified privacy risk, rate its likelihood and impact, and propose mitigation measures.
12. Prepare PIA report and recommendations
   Compile findings into a PIA report with risk ratings, recommended mitigations, and an implementation timeline for stakeholder approval.
When this checklist applies
Use before launching new systems, products, or services that collect, use, or disclose personal information.
Common pitfalls
- Conducting the PIA after the system is built, limiting the ability to change design
- Not mapping data flows to third-party sub-processors
- Overlooking sensitive information (health, biometric) that triggers stricter obligations
- Treating the PIA as a compliance checkbox rather than a risk management tool
- Failing to revisit the PIA when the project scope changes significantly
Run this checklist on a real matter
Quillio can map project data flows against each APP, generate risk matrices, and draft PIA report sections. See /practice-areas/privacy-lawyers or start a free trial.
General PIA guidance based on the OAIC PIA Guide. Complex projects involving sensitive information, government agencies, or health records may require additional assessment — obtain specialist privacy advice.