Privacy Impact Assessment



What is PIA 私隱風險評估(PIA)是甚麼 ?


PIA is a terminology adopted by privacy authorities or regulations such as the followings:


General Data Protection Regulations (GDPR) from European Union (EU),

Personal Data Privacy Ordinance (PDPO) Hong Kong’s Office of the Privacy Commissioner for Personal Dat (PCPD).


It is generally regarded as a privacy risk assessment process that evaluates an implementation or an operation involving personal data, in term of its impact upon personal data privacy with the objective of avoiding or minimizing adverse impacts.


PCPD proposes a full set of guidelines in privacy assessment. Organizations including HKSARG Departments are required to adhere to PDPO and to conduct privacy assessment if information processing project has significant privacy implications. Assessment includes the followings:


Privacy Impact Assessment (PIA) aims to identify the level of privacy impact of an existing operation or implementation. It consists of the following components:


- Data Processing Cycle Analysis

- Privacy Risk Analysis

- Risk Mitigation Recommendation

- PIA Reporting


Privacy Compliance Assessment (PCA) aims at assessing and evaluating the level of privacy compliance with the PDPO, in particular the Six Data Protection Principles (DPP)s:


- DPP1 Purpose and Manner of Collection

- DPP2 Accuracy and Duration of Retention

- DPP3 Use of Data

- DPP4 Data Security

- DPP5 Openness and Transparency

- DPP 6 Access and Correction



Our PIA Services 我們的 PIA 服務


We offer both Privacy Impact Assessment (PIA) and Privacy Compliance Assessment (PCA) as 3rd party independent assessor / auditor to fulfill PCPD requirements on PIA.


Although methodology is standardized, scale & scope / target varies in different types of projects. The following catalogue lists out samples of our offerings:


Platform Design & Implementation specific

– Students / Patients / Hotel Residents management system

– Customer Information & Orders management system

– CRM system and Loyalty program

– CCTV surveillance monitoring system

– Portal / CMS based (e-Learning / e-Leave ) system


Application specific

– Web based Application

– Mobile App (Android or IOS, or both)

– Legacy Client / Server based

– IOT device


Network specific

– Public Cloud infra-structure (Azure, AWS, etc.)

– On-Premises External Network (Internet Facing)

– On-Premises Internal Network

– On-Premises Wi-Fi Network

– Hybrid Network including On-Premises Network & external IOT Device




Assessment Methodology 評估方法


(1) Data processing cycle analysis

identify and describe the handling of data processing cycles and information flows of the personal information in information system / process implementation / operation, covering aspects including –


- Purpose and manner of collection;

- Accuracy and duration of retention;

- Use, disclose and transfer of personal data;

- Security and safeguards of personal data to prevent unauthorized or accidental access, use, modification or loss of data;

- Policy transparency to the access and correction of the personal data;

- Access and correction; and

- Destruction;


(2) Privacy risks analysis

- analyze the compliance level of assessed object, in terms of each aspect of the data processing cycles, with the personal data privacy requirements under the Personal Data (Privacy) Ordinance in detail, especially the Data Protection Principles under such Ordinance;

- analyze and identify the potential privacy risks on each aspect of the data processing cycles involved in assessed object and the related work flow;

- define the impact level and nature of each identified privacy risk;

- identify any privacy standards and rules prescribed under applicable codes of practices, guidelines, policies and regulations that the data users shall observe;


(3) Recommendations or measures in avoiding or mitigating privacy risks;

- recommend safeguard measures based on the results of privacy impact analysis in order to reduce the likelihood of the identified issues and minimize the impact to an acceptable level;

- recommend possible options and handling approaches in terms of administrative procedures and system functions to mitigate or eradicate the identified privacy risks, so that assessed object can fully comply with the Personal Data (Privacy) Ordinance;


(4) Compiling PIA report

- compile PIA report to document all findings, recommendations and improvement areas in detail;

- conduct PIA presentations, discussion session, walk-through, review, etc. will be delivered on need basis;


(5) Performing PCA (upon client remediation complete)

perform PCA to review the system and to verify the status after implementation of recommended safeguards to ensure that all risks identified have been eradicated or mitigated or reduced to an acceptable level with regard to the recommendations provided in the PIA Report;


- compile PCA report to document remediation progress and verification results;

- conduct PCA presentations, discussion session, etc. will be delivered on need basis;




Further Reading 延伸閱讀


Personal Data (Privacy) Ordinance & 6 Data Protection Principles at a glance


- Web Link : Personal Data (Privacy) Ordinance at a glance

Personal Data (Privacy) Ordinance – an overview