- A Personal Information Impact Assessment (PIIA) is a process to help you identify and minimise the data protection risks from processing personal information.
- POPIA regulation 4(b) requires that you do PIIAs for all processing of personal information.
- You should start with doing PIIAs for processing that is likely to result in a high risk to data subjects.
- Your PIIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to data subjects; and
- identify any additional measures to mitigate those risks.
- To assess the level of risk, you must consider both the likelihood and the severity of any impact on data subjects. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
- You should consult your information officer and, where appropriate, data subjects and relevant experts. Any operators may also need to assist you.
- If you identify a high risk that you cannot mitigate, you must request prior authorisation from the Information Regulator before starting the processing.
- The Information Regulator will respond in writing within four weeks, which it may extend to a maximum of 13 weeks where it decides a more detailed investigation is needed. If appropriate, the Information Regulator may issue a formal warning not to process the information, or ban the processing altogether.
PIIA awareness checklist
☐ We provide training so that our staff understand the need to consider a PIIA at the early stages of any plan involving personal information.
☐ Our existing policies, processes and procedures include references to PIIA requirements.
☐ We understand the types of processing that require a PIIA, and use the screening checklist to identify the need for a PIIA, where necessary.
☐ We have created and documented a PIIA process.
☐ We provide training for relevant staff on how to carry out a PIIA.
PIIA screening checklist
☐ We consider carrying out a PIIA in any major project involving the use of personal information.
☐ We consider whether to do a PIIA if we plan to carry out any other:
☐ evaluation or scoring;
☐ automated decision-making with significant effects;
☐ systematic monitoring;
☐ processing of sensitive information or information of a highly personal nature;
☐ processing on a large scale;
☐ processing of information concerning vulnerable data subjects;
☐ innovative technological or organisational solutions;
☐ processing that involves preventing data subjects from exercising a right or using a service or contract.
☐ We always carry out a PIIA if we plan to:
☐ use systematic and extensive profiling or automated decision-making to make significant decisions about data subjects;
☐ process special personal information or criminal-offence information on a large scale;
☐ systematically monitor a publicly accessible place on a large scale;
☐ use innovative technology;
☐ use profiling, automated decision-making or special personal information to help make decisions on someone’s access to a service, opportunity or benefit;
☐ carry out profiling on a large scale;
☐ process biometric or genetic data;
☐ combine, compare or match data from multiple sources;
☐ process personal information without providing a privacy notice directly to the data subjects;
☐ process personal information in a way that involves tracking individuals’ online or offline location or behaviour;
☐ process children’s personal information for profiling or automated decision-making or for marketing purposes, or offer online services directly to them;
☐ process personal information that could result in a risk of physical harm in the event of a security breach.
☐ We carry out a new PIIA if there is a change to the nature, scope, context or purposes of our processing.
☐ If we decide not to carry out a PIIA, we document our reasons.
PIIA process checklist
☐ We describe the nature, scope, context and purposes of the processing.
☐ We ask our operators to help us understand and document their processing activities and identify any associated risks.
☐ We consider how best to consult data subjects (or their representatives) and other relevant stakeholders.
☐ We ask for the advice of our information officer.
☐ We check that the processing is necessary for and proportionate to our purposes, and describe how we will ensure compliance with the conditions for the lawful processing of personal information.
☐ We do an objective assessment of the likelihood and severity of any risks to data subjects’ rights.
☐ We identify measures we can put in place to eliminate or reduce high risks.
☐ We record our decision-making in the outcome of the PIIA, including any difference of opinion with our information officer or data subjects consulted.
☐ We implement the measures we identified, and integrate them into our project plan.
☐ We consult the Information Regulator before processing, if we cannot mitigate high risks.
☐ We keep our PIIAs under review and revisit them when necessary.
Have we written a good PIIA?
A good PIIA helps you to obtain evidence that:
- you have considered the risks related to your intended processing; and
- you have met your broader data protection obligations.
This checklist will help ensure you have written a good PIIA. We have:
☐ explained why we needed a PIIA, detailing the types of intended processing that made it necessary;
☐ structured the document clearly, systematically and logically;
☐ written the PIIA in plain English, with a non-specialist audience in mind, explaining any technical terms and acronyms we have used;
☐ set out clearly the relationships between responsible parties, operators, data subjects and systems, using both text and data-flow diagrams where appropriate;
☐ ensured that the specifics of any flows of personal information between data subjects, systems, organisations and countries have been clearly explained and presented;
☐ explicitly stated how we are complying with each of the conditions for lawful processing under POPIA and clearly explained our justification for processing (and the conditions for processing special personal information, if relevant);
☐ explained how we plan to support the relevant information rights of our data subjects;
☐ identified all relevant risks to data subjects’ rights, assessed their likelihood and severity, and detailed all relevant mitigations;
☐ explained sufficiently how any proposed mitigation reduces the identified risk in question;
☐ evidenced our consideration of any less risky alternatives to achieving the same purposes of the processing, and why we didn’t choose them;
☐ given details of stakeholder consultation (e.g. data subjects, representative bodies) and included summaries of findings;
☐ attached any relevant additional documents we reference in our PIIA, e.g. privacy notices, consent documents;
☐ recorded the advice and recommendations of our information officer and ensured the PIIA is signed off by the appropriate people;
☐ agreed and documented a schedule for reviewing the PIIA regularly or when we change the nature, scope, context or purposes of the processing;
☐ consulted the Information Regulator if there are residual high risks we cannot mitigate.
What’s needed under POPIA?
POPIA introduces an obligation to do a PIIA before carrying out types of processing likely to result in risk to data subjects’ rights. If your PIIA identifies a high risk that you cannot mitigate, you must request prior authorisation from the Information Regulator. This is a key part of the focus on accountability and the protection of the rights of data subjects.
PIIAs are now mandatory - POPIA regulation 4(b).
You need to design a PIIA process and embed it into your project management methodology and procurement procedures.
You also need to review your existing processing operations and decide whether you need to do a PIIA for anything that is likely to be high risk. You need to repeat the PIIA if there has been a significant change to the nature, scope, context or purposes of the processing since that previous assessment.
What is a PIIA?
A PIIA is a way for you to systematically and comprehensively analyse your processing. It helps you identify and minimise data protection risks.
PIIAs should consider the risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to data subjects or to society at large, whether it is physical, material or non-material.
To assess the level of risk, a PIIA must consider both the likelihood and the severity of any impact on data subjects.
A PIIA does not have to indicate that all risks have been eradicated. But it should help you document them and assess whether or not any remaining risks are justified.
PIIAs are a legal requirement for processing personal information. An effective PIIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with data subjects.
A PIIA may cover a single processing operation or a group of similar processing operations. A group of responsible parties can do a joint PIIA.
It’s important to embed PIIAs into your organisational processes and ensure the outcome can influence your plans. A PIIA is not a one-off exercise. You should see it as an ongoing process that is subject to regular review.
When do we need a PIIA?
POPIA regulation 4(b) requires you to do a PIIA before you begin any type of processing of personal information.
You should do a PIIA if you plan to:
- use innovative technology;
- use profiling or special personal information to decide on access to services;
- profile data subjects on a large scale;
- process biometric data;
- process genetic data;
- match data or combine datasets from different sources;
- collect personal information from a source other than the data subject without providing them with a privacy notice (‘invisible processing’);
- track data subjects’ location or behaviour;
- profile children or target marketing or online services at them; or
- process data that might endanger the data subject’s physical health or safety in the event of a security breach.
You should also conduct a PIIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals.
It is good practice to do a PIIA for any new project involving the use of personal information.
How do we carry out a PIIA?
A PIIA should begin early in the life of a project, before you start your processing, and run alongside the planning and development process.
You must seek the advice of your information officer. You should also consult with data subjects and other stakeholders throughout this process.
The process is designed to be flexible and scalable.
Although publishing a PIIA is not a requirement of POPIA, you should actively consider the benefits of publication. As well as demonstrating compliance, publication can help engender trust and confidence. We would therefore recommend that you publish your PIIAs, where possible, removing sensitive details if necessary.
Do we need to consult the Information Regulator?
You don’t need to send every PIIA to the Information Regulator. But you must consult the Information Regulator if your processing requires prior authorisation from the Information Regulator.
If you want your project to proceed effectively then investing time in producing a comprehensive PIIA may prevent any delays later, if you have to consult with the Information Regulator.
The Information Regulator will generally respond within four weeks of receiving your notification. If it decides that a more detailed investigation is needed, it will tell you how long that will take, up to a maximum of 13 weeks.
The Information Regulator will provide you with a written response advising you whether the risks are acceptable, or whether you need to take further action. In some cases the Information Regulator may advise you not to carry out the processing because it considers it would be in breach of POPIA. In appropriate cases the Information Regulator may issue a formal warning or take action to ban the processing altogether.