Privacy Impact Assessment

Privacy impact assessment.
Before you build, not after.

New system. New data flow. New vendor. If personal information is involved, a privacy impact assessment should happen before go-live - not when the OAIC comes calling. Kontractually reviews your privacy documentation against Australian Privacy Principles at every stage.

No credit card required. First 3 reviews free.

Before vs. after

What changes when you assess privacy before launch.

Before

Your team launches a new customer portal that collects health information. Six months later, the OAIC opens an investigation because the collection wasn't reasonably necessary under APP 3 and no explicit consent was obtained for sensitive information under APP 3.3.

With Kontractually

Kontractually reviews the portal's privacy documentation before launch. It flags that collecting health data requires explicit consent under APP 3.3 and that the stated purpose doesn't satisfy the 'reasonably necessary' test, so you fix the consent flows before go-live.

OAIC investigation avoided before launch
Before

A new SaaS vendor stores customer data in the US. Nobody checks whether the vendor's privacy practices meet APP 8 cross-border disclosure requirements. A data incident occurs and you discover the vendor has no comparable privacy protections.

With Kontractually

Kontractually flags the cross-border transfer in the vendor agreement. APP 8 requires reasonable steps to ensure overseas recipients comply with the APPs. You negotiate contractual protections before onboarding the vendor.

Cross-border compliance risk caught upfront
Before

Your data retention policy says 'data is kept as long as necessary.' The OAIC asks for specific retention periods and deletion procedures under APP 11.2. You don't have them documented anywhere.

With Kontractually

Kontractually reviews your privacy policy and flags the vague retention language. It recommends specific retention periods by data category and documented deletion procedures to satisfy APP 11.2.

APP 11.2 compliance documented and defensible
PIA checklist

6 elements of every privacy impact assessment.

1. Data collection and purpose identification
What personal information will be collected? For what purpose? Is collection necessary? APP 3 requires that an APP entity must not collect personal information unless it is reasonably necessary for its functions or activities.

2. Lawful basis and consent mechanisms
On what legal basis is the data collected? For sensitive information (health, financial, biometric), explicit consent is required under APP 3.3. Consent must be voluntary, informed, and current. What process will you use to obtain and record it?

3. Data retention and deletion
How long will personal information be held? APP 11.2 requires destruction or de-identification when it is no longer needed for the purpose for which it was collected. Retention schedules, deletion procedures, and archival policies must be documented.

4. Cross-border disclosure obligations
Will personal information be transferred overseas? APP 8 requires that before doing so, the entity must take reasonable steps to ensure the overseas recipient complies with the APPs. This includes cloud providers, SaaS tools, and offshore teams.

5. Security safeguards
What technical and organisational security measures protect the data? APP 11 requires entities to take active steps to protect personal information from misuse, interference, loss, and unauthorised access. Document specific controls (encryption, access controls, audit logs).

6. Access, correction, and complaint rights
How will individuals exercise their rights to access and correct their information (APP 12 and APP 13)? How will complaints be handled? Is there a clear process for OAIC escalation? These rights must be practically available, not just stated in a privacy policy.
FAQ

PIA questions.


The OAIC recommends privacy impact assessments (PIAs) for any project that involves new or changed collection, use, or disclosure of personal information - particularly for new systems, new data flows, or significant changes to existing processes. For government agencies, PIAs are mandatory for high privacy risk projects. For private sector organisations, PIAs are a best practice requirement under APP 1 (open and transparent management of personal information) and are increasingly expected by regulators and clients. The Privacy Act reforms also increase PIA expectations for large organisations.

A PIA systematically identifies: what personal information is involved, why it's being collected, how it will be used and protected, who will have access, how long it will be kept, and what the risks are to individuals' privacy. The output is a risk register with mitigation recommendations. Kontractually can review your existing privacy documentation (privacy policy, DPAs, vendor contracts) against APP requirements as part of a broader PIA process.

Sensitive information (health, biometric, genetic, criminal record, racial or ethnic origin) receives heightened protection under the APPs. APP 3.3 requires explicit consent before collecting sensitive information, and collection must be reasonably necessary for functions or activities. A PIA involving sensitive information must assess whether consent mechanisms are adequate, whether the information can be de-identified for secondary uses, and whether storage and access controls meet the higher security threshold the OAIC expects for sensitive data categories.

Yes. If your organisation processes personal data of EU residents, GDPR applies alongside the Australian Privacy Act. A PIA should assess both frameworks in parallel. Under GDPR Article 35, a Data Protection Impact Assessment (DPIA) is mandatory for processing that is likely to result in high risk to individuals - including large-scale processing of sensitive data, systematic monitoring, and automated decision-making. The GDPR DPIA requirements are more prescriptive than the OAIC's PIA guidance, so covering GDPR typically satisfies Australian requirements as well.

The OAIC publishes the Guide to undertaking privacy impact assessments, which outlines the recommended PIA methodology for Australian organisations. While PIAs are not mandatory for most private sector entities, the OAIC has stated that conducting PIAs demonstrates compliance with APP 1.2 (taking reasonable steps to implement practices, procedures, and systems to ensure APP compliance). In enforcement actions, the OAIC considers whether an organisation conducted a PIA as evidence of proactive privacy management. The OAIC can also be consulted during a PIA for complex projects, though this is more common for government agencies.

Review your privacy documentation before go-live.
