Discussion Board

Welcome to the AvePoint Privacy Impact Assessment Forum!

This is a space where you can connect with the privacy subject matter experts at AvePoint and the IAPP as well as with fellow APIA users to contribute questions and share best practices with one another in order to build a repository of knowledge and generally accepted questions for commissioning PIAs.

Please note this discussion board is not intended for technical support. If you have a support issue, please visit our support site to contact the AvePoint Technical Support Team.

When to conduct a PIA

This topic contains 2 replies, has 2 voices, and was last updated by Ralph O. 4 years, 4 months ago.

    Ralph O.

    Extract from the UK ICO Code of Practice for PIA – can you think of other uses?

    A new IT system for storing and accessing personal data.

    A data sharing initiative where two or more organisations seek to pool or link sets of personal data.

    A proposal to identify people in a particular group or demographic and initiate a course of action.

    Using existing data for a new and unexpected or more intrusive purpose.

    A new surveillance system (especially one which monitors members of the public) or the application of new technology to an existing system (for example adding Automatic number plate recognition capabilities to existing CCTV).

    A new database which consolidates information held by separate parts of an organisation.

    Legislation, policy or strategies which will impact on privacy through the collection or use of information, or through surveillance or other monitoring.

    Shelley A.

    Does anyone have a template policy and procedure they could share that shows when and how PIAs are required during the development process? Is it just required once or throughout the process? Trying to figure out the best way to review changes that may occur during the development process without becoming a complete roadblock.

    Ralph O.

    Hi Shelley

    Great question. Chapter 4 of the UK ICO’s PIA guidance addresses this really well.

    However, in my experience this is a due diligence, risk-based activity (at present, new regulations may change this). So I would go with (1) at system creation (it may also help to inform functional/security design), (2) perhaps an annual (or greater) review if it is a high risk system, and (3) when changes are carried out that would affect the way personal data is processed.
