A broad assessment of the nature of a project will help an agency to decide on the most appropriate PIA process for that project. Such an assessment will generally include looking at the project's:
A project's scope can be assessed by looking at the extent to which the project demonstrates certain key attributes, such as the:
A project's scope can also broaden, in privacy terms, where it includes features which may tend to increase the risk of adverse privacy impacts. For example, consider whether:
Generally, the greater the scope of the project, the more likely it will be that a PIA will assist in determining and managing the privacy impacts posed by that project, and the more detailed that the PIA is likely to be.
An agency will also find it useful to consider the type of project (e.g. new or incremental?), including the stage of development it has reached (e.g. conceptual or more advanced?).
Generally, an incremental project is one which proposes to add or make changes to an existing program or system, rather than implement a new program or system. If a project is incremental, this Guide should generally be read so as to apply to the new personal information flows, unless the agency is of the view that the existing program or system may also benefit from a PIA. Like all projects, incremental projects can range from being limited in scope through to being quite significant in their scope and privacy implications. If it appears that an incremental project is more significant in scope, a more comprehensive PIA may be required.
It is beyond the scope of this Guide to attempt to recommend an appropriate PIA process for all the various types of projects that might be undertaken. However, a few examples of different project types are provided below, to demonstrate how the PIA process can differ for different project types or projects at various stages. These examples are not intended to be exhaustive.
Where a project is incremental and appears to be relatively limited in scope, a shorter PIA might be all that is required. For example, a project might be considered to be of limited scope if it proposes a relatively minor adjustment to a well-established existing program, or if it involves the collection and use of a very limited amount of personal information (that is not sensitive information) in a secure environment.
Even for projects where a shorter PIA might be found to be appropriate, the PIA process should preferably still address all the key stages (see 11. Key stages of a PIA above). However, in such circumstances it may, for example, eventuate that:
Provided such an outcome is warranted by the nature of the project, this will constitute an adequate PIA in the circumstances.
For projects at the earlier or conceptual stages of development, it might only be possible for the key stages of a PIA (see11. Key stages of a PIA above) to be initially addressed in a preliminary manner. For example, the information flows might only be able to be mapped to the extent of the detail available at the time. This may also mean that only a preliminary analysis of privacy impacts and possible management strategies might be possible.
In these circumstances, the preliminary PIA should be viewed as part of an evolving process. Initially, the PIA can be progressed and documented. As the project develops and the issues become clearer, the PIA can be updated and supplemented, leading to a more comprehensive PIA being completed. In some circumstances (e.g. significant projects), preliminary reports and interim recommendations will be important to ensuring that privacy is built in.
For projects which are at relatively advanced stages of development and which are broad in scope, it is likely that a comprehensive PIA (or, in some circumstances, more than one comprehensive PIA) will be appropriate. A comprehensive PIA will also undertake the key stages of a PIA (see 11. Key stages of a PIA above), but in a more detailed and thorough fashion.