Privacy Impact Assessments
Practice Ide -7

Summary
The Division of Technology Services (DTS) Information Security Policy 5000-0002 is being updated to make the Privacy Impact Assessment (PIA) a mandatory document for all IT systems that process Personal Data. This requirement applies to every State of Utah agency, regardless of system size or complexity, and covers any technology solution that processes Personal Data, whether directly or indirectly.
In alignment with the Utah Government Data Privacy Act (GDPA) and related administrative rules, the PIA serves as a structured method for identifying, evaluating, and mitigating privacy risks in systems before they process Personal Data. This proactive approach ensures compliance with legal mandates and strengthens the protection of Utah residents’ information.
Current PIA Version
The current official version of the PIA is Version 1.1.
- Executive Branch Agencies should use Version 1.1 as their primary PIA to remain compliant with state requirements for evaluating privacy risks.
- Version 1.1 incorporates updates to align with existing laws, administrative rules, and best practices for the protection of Personal Data.
Completed PIAs must be retained for at least four years or for the duration of processing, whichever is longer, as accountability documentation.
Privacy Impact Assessment - Work in Progress
The Office of Data Privacy is committed to continuous improvement of the PIA process. Current initiatives include:
- Version 1.1 Released – The comprehensive PIA template has been formally issued as Version 1.1 and is the required version for all new and updated IT systems processing Personal Data.
- Subcommittee for Expansion – A Privacy Commission subcommittee is actively refining the PIA to address additional use scenarios not covered in Version 1.1, including emerging technologies, interagency data sharing, and high-risk processing activities.
- Scenario-Specific Guidance – Development of supplemental modules for unique system types (e.g., AI-enabled applications, large-scale public-facing platforms, sensitive data handling environments) is an ongoing effort driven by needs communicated to the Office of Data Privacy.
- Integrated Security Alignment – The revised DTS Security Policy 5000-0002 now explicitly links system security reviews with the PIA process, ensuring a single, coordinated compliance workflow.
- Monthly Live Training – An online live training session is available once per month, covering the completion process, interpretation of PIA questions, and real-world examples of privacy risk mitigation.
- On-Demand Resources – Additional training videos, templates, and step-by-step guides will be available on this site to assist agencies in preparing complete, accurate PIAs before the end of 2025.

Virtual Workshop
These slides are part of the monthly virtual workshop for Privacy Impact Assessments. Download PowerPoint
Maturity Model
