Privacy Impact Assessment (PIA)
A Privacy Impact Assessment (PIA) is a structured analysis that identifies and evaluates how a system, process, or records collection gathers, uses, stores, shares, and disposes of personally identifiable information, and documents the controls that mitigate privacy risks.
Privacy Impact Assessment (PIA) is a documented review conducted before or during the deployment of a system or program that handles personal data, examining what information is collected, why it is needed, how long it is kept, who can access it, and how it is ultimately disposed of. In recordkeeping, the PIA is itself a record, often subject to retention and version control, and it directly informs retention schedules, access restrictions, and disposition decisions for the data it covers. It matters because privacy obligations cut across the entire records lifecycle: a collection of PII that lingers past its authorized retention period becomes a liability rather than an asset. A PIA differs from a System of Records Notice, which publicly announces a covered records system, in that the PIA is the underlying risk analysis behind such notices. For example, before launching an online intake form that captures Social Security numbers, an organization would complete a PIA to confirm a lawful basis, minimize fields collected, and define a defensible disposition timeline.