Privacy is an essential concern for your customers, so you should reflect this in your business practices. Not only that, if you deal with personal information, the law requires that you handle that information with care. Every person has the right to privacy, and your business needs to do its part to protect that right. There are many tools at your disposal for handling privacy concerns at your business, and one of these is the privacy impact assessment (PIA). However, you may be uncertain as to whether such assessments are a requirement for your business. This article will explain how privacy impact assessments function and whether they are mandatory before beginning a new project.

Privacy Law in New Zealand

If your business handles personal information, then you are an agency under New Zealand law. In particular, this is information that can identify a person, such as their:

  • name;
  • address; 
  • financial details; or
  • image.

As an agency, you must comply with the privacy obligations that New Zealand law sets. You should handle customers’ personal information with due care. In particular, you must ensure that you:

  • only collect the information you need for the set purpose;
  • collect information directly from the source;
  • inform your customers that you collect their information and why;
  • gather information in a legal and unintrusive way;
  • store information securely;
  • let your customers access and correct the personal information you hold;
  • ensure the information you use is accurate;
  • do not hold information for longer than you need;
  • dispose of personal information securely;
  • only use information you collect for the purpose you originally intended;
  • only disclose information where necessary;
  • send personal information overseas only where it meets the necessary standards; and
  • handle unique identifiers with due care.

Conducting a privacy impact assessment can help you meet these privacy law obligations.

What is a Privacy Impact Assessment?

A privacy impact assessment is an evaluative tool you can use to analyse the potential privacy impacts of a new project or of a proposed change to an existing system. It provides an independent view of the proposal and allows you to identify any potential privacy risks, for which you then need to implement controls. When conducting a PIA, you should be able to determine how:

  • this project will affect the privacy of your customers and employees; and
  • you can achieve your goals while still protecting privacy.

When you conduct a PIA, you will compare the privacy impacts of your project against the Privacy Act’s principles so that you can determine whether you are complying with your legal obligations. Then, you figure out how you can mitigate these risks and further protect privacy. You should conduct a PIA early on in a project so that it is effective. You can use a PIA as a reference point throughout the project’s life cycle and adapt it as you need.

For example, say that you are developing new software that organises data for your business. You would conduct a PIA before beginning to design the software. Accordingly, you would be able to account for any privacy risks in the product design.

Is a Privacy Impact Assessment Mandatory?

If your project deals with personal information, then you need to conduct a PIA. To comply with the law, you should automatically incorporate a privacy impact assessment as part of any new project or system change. This way, you can demonstrate that you are taking heed of your privacy obligations as a business and identify potential privacy issues before they arise.

However, if your new project does not involve any personal information, you will likely not need to conduct a PIA. The more personal information your project handles, the more thorough the privacy impact assessment needs to be, because the privacy risk is higher. If something goes wrong and you have already conducted a PIA, it will be easier to prove that you took the necessary steps to protect privacy.

There are certain kinds of high-risk decisions or projects that will require a privacy impact assessment, particularly if you need to comply with the GDPR. These are:

  • scoring/profiling;
  • automatic decisions with legal consequences;
  • systematic monitoring;
  • personal information processing;
  • large scale data processing;
  • merging data from multiple sources;
  • projects dealing with information about incapacitated people or minors;
  • use of new or unproven technology;
  • use of biometrics;
  • data transfer outside of New Zealand; and
  • projects that may interfere with your customers’ rights.

Key Takeaways

A privacy impact assessment is an analytical tool that identifies potential privacy risks of a new project and implements security controls to mitigate those risks. Not every new project will require a privacy impact assessment. However, if your project handles personal information in any way, then you should conduct a PIA to comply with your legal obligations as an agency. If you would like more information or help with privacy impact assessments at your business, contact LegalVision’s privacy lawyers on 0800 005 570 or fill out the form on this page.

What is a privacy impact assessment?

A privacy impact assessment is an evaluation tool that you can use to identify the impacts a new project or system change can have on privacy. You will identify potential privacy risks, and implement controls to manage those risks while still completing your objective.

Is a privacy impact assessment mandatory?

If your proposal affects privacy and personal information, you should complete a privacy impact assessment. If something goes wrong, you will be more exposed if you never assessed the privacy impact of the project.

When should I do a privacy impact assessment?

Ideally, you should do a privacy impact assessment in the beginning stages of your project or decision-making process. This ensures you can make fully informed decisions that take personal data into account and accordingly can build in privacy protections.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
