Privacy Impact Assessment
Practice #10

Summary
A privacy impact assessment (PIA) is an analysis of how personally identifiable information is processed in a system. Its purpose is to ensure that the processing conforms with applicable privacy requirements and to assist in identifying privacy risks that may need to be mitigated. A PIA is both an analysis and a formal document that details the process and outcome of the analysis. Under DTS Information Security Policy 5000-0002, state agencies are required to complete a PIA for all IT systems that may process personal data prior to processing personal data in the IT system. Pursuant to the DTS Information Security Policy, the CPO will create and maintain a standard privacy impact assessment template that is approved by the Chief Information Officer.
Although Utah law may not explicitly require completion of a PIA, administrative rule does require state agencies to complete a “Privacy Risk Assessment” for all online applications. A Privacy Risk Assessment is defined as: “… a series of questions approved by the Chief Information Officer that are designed to:
(a) assist agencies in identifying and reducing potential levels of risk to the privacy of individuals using an online government service through state of Utah Websites;
(b) provide information to assist in determining different levels of security;
(c) collect information needed to determine, and if necessary, create an agency privacy policy if one is needed in addition to the State Policy.”
Additionally, a state agency may not collect personal data related to a user of the agency's governmental website unless the agency has taken reasonable steps to ensure that, on the day on which the personal data is collected, the agency's governmental website complies with a compliant privacy policy statement in accordance with Utah Code § 63D-2-103. As such, agencies should complete a Privacy Risk Assessment prior to collecting personal data on an agency’s website. The agency must maintain a copy of each completed assessment for four years to provide audit documentation.
Maturity Model

Privacy Impact Assessment - Work in Progress
The Office of Data Privacy is developing two comprehensive Privacy Impact Assessments for use by governmental agencies as follows:
- Develop a comprehensive PIA process designed to assist state agencies to meet their legal obligations associated with the processing of Utah resident personal information, which includes the ODP Maturity Model Assessment.
- Develop a comprehensive PIA process to be used as a tool by all entities to identify high risk processing of personal information, which includes a High Risk Assessment tool based on Utah and other applicable sectoral laws.
- Develop guidance documents and training materials to assist with the use of both PIAs.
- Make the PIA templates and guidance available to all governmental entities via the privacy.utah.gov website.
Beta Project
We are currently running a Beta Program to test the templates and gather feedback to ensure our objectives are met. If you would like to join the Beta Project, please contact Denise Farnsworth at [email protected].