An evaluation of privacy impact assessment guidance documents

Abstract

† Privacy Impact Assessments (PIAs) have become mainstream in many jurisdictions since the mid-1990s. † Considerable experience has been gained, and the features of effective PIA processes are capable of being described and communicated. † A range of guidance documents have been published, but they vary considerably in their quality. † This paper draws on the literature and the author's professional experience in order to present a list of criteria whereby the quality of a PIA guidance document can be judged. It then applies the criteria to a dozen documents published by government agencies in ten jurisdictions. † Several guidance documents are found to be of high quality, but several others have significant weaknesses and the remainder describe processes that are so deficient that the appropriateness of referring to them as PIAs is in serious doubt.