Privacy Impact Assessment Guide
A Privacy Impact Assessment (PIA) is a tool for assessing the privacy risks to personally identifiable information (PII) that an information system stores, uses and exchanges. The Office of Management and Budget (OMB) defines the PIA as:
an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
The HIMSS Privacy Impact Assessment Work Group has developed a guidance white paper that describes the PIA process for use by healthcare provider organizations. The process can be applied when the storage and processing of individually identifiable health information must be evaluated for privacy and security impact throughout the life cycle of a system, product or project, or when a privacy-focused risk assessment is needed before sharing or exchanging information with other organizations or agencies.
ISO 22307:2008, Financial services – Privacy impact assessment (working draft ISO/WD NP 22307, dated 2005-12-12), available at: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=40897
HHS Information Security Program, Privacy Impact Assessment Guide, 2007, available at: http://oma.od.nih.gov/ms/privacy/PIA_Guide.doc
Department of Defense (DoD), Privacy Impact Assessment (PIA) Guidance, 2005, available at: http://www.dla.mil/public_info/efoia/DODPIAGuidance.pdf
Internal Revenue Service (IRS), Model Information Technology Privacy Impact Assessment, 1996, available at: http://www.cio.gov/Documents/pia_for_it_irs_model.pdf