A privacy impact assessment (PIA) is a tool for identifying and assessing privacy risks throughout the development life cycle of a program or system.
A privacy impact assessment states what personally identifiable information (PII) is collected and explains how that information is maintained, how it will be protected, and how it will be shared.
Under the E-Government Act of 2002, federal agencies are required to conduct privacy impact assessments for government programs and systems that collect personal information online. Federal agency CIOs, or an equivalent official as determined by the head of the agency, are responsible for ensuring that the privacy impact assessments are conducted and reviewed for applicable IT systems. The Act also mandates a privacy impact assessment be conducted when an IT system is substantially revised. Federal agencies such as the U.S. Department of homeland security and the Department of Health and Human Services offer guidance for writing PIAs, such as providing blank privacy impact assessment templates to assist and facilitate their development.