NIST 800-53 REV 5 • PLANNING
PL-5 — Privacy Impact Assessment
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
A Privacy Impact Assessment (PIA) evaluates how your system collects, stores, uses, and shares personally identifiable information (PII). It identifies privacy risks and documents how you mitigate them.
Example 1: Conduct a PIA for each system that processes PII. Document what PII is collected, why it is needed, how it is stored and protected, who has access to it, how long it is retained, and how it is disposed of. Use your agency's PIA template if one exists, or create one based on OMB guidance.
Example 2: Publish completed PIAs on your organization's website or make them available upon request, as required by policy. Review PIAs whenever system changes affect PII processing: new data fields, new sharing agreements, or changes in retention periods should each trigger a PIA update.