Privacy Impact Assessment Policy

| Code | PRI-005 |
|---|---|
| Domain | Privacy & Data Rights |
| Owner | Privacy Officer |
| Status | Draft |
| Applicability | Platform |
| Jurisdiction | NZ + AU |
| Business domain | BD09 |
| Review date | 2027-03-25 |
Regulations: Privacy Act 2020 · Privacy Act 1988

Purpose
Govern the platform's obligation to conduct Privacy Impact Assessments (PIAs) for new and changed data processing activities, ensuring privacy risks are identified and mitigated before implementation.
Scope
All new products, services, system changes, and processing activities that involve personal information, initiated by any function of the platform in NZ and AU.
Policy statements
A Privacy Impact Assessment SHALL be conducted for all new or materially changed data processing activities before implementation. A PIA is required when the activity involves: a new type of personal information collection, a new purpose or use for existing personal information, a new technology for collecting or processing personal information, a new third-party data sharing arrangement, or a significant expansion of an existing processing activity.
The PIA process SHALL identify: the personal information involved, the privacy risks arising from the activity, the impact on individuals' privacy interests, and the measures proposed to mitigate the risks.
PIAs SHALL be completed before the activity commences. No new personal information processing activity SHALL proceed if the PIA identifies a high or critical residual privacy risk that has not been accepted by the Privacy Officer.
The Privacy Officer SHALL review and sign off all PIAs that identify a medium or higher residual privacy risk. PIAs for low-risk activities may be approved by the relevant business unit head.
PIA outcomes SHALL be documented and retained. Where a PIA recommends mitigations, those mitigations SHALL be tracked to implementation before the activity commences.
The PIA process SHALL be reviewed annually by the Privacy Officer. The review SHALL include an assessment of completion rates and the adequacy of the PIA methodology.
All completed PIAs SHALL be available for review by the Privacy Commissioner (NZ) or OAIC (AU) on request.
Satisfying modules

| Module | Name | Mode | Description |
|---|---|---|---|
| MOD-012 | KYC audit trail store | LOG | PIA evidence trail maintained — data collected for KYC is documented and bounded |
Compiled 2026-05-22 from source/entities/policies/PRI-005.yaml