A Privacy Impact Assessment (PIA) is a systematic process for identifying and addressing privacy risks in projects, systems, or initiatives that involve personal information. It's not just a compliance checkbox — it's how you protect both your organisation and the people whose information you handle.
Before they become breaches, complaints, or costly rework
To regulators, boards, and the public
Rather than bolting it on at the end
About privacy trade-offs with documented rationale
The Office of the Australian Information Commissioner (OAIC) publishes a PIA framework that forms the basis for privacy assessment in Australia. PIMS implements this framework out of the box.
Different organisations have different obligations under Australian privacy law.
Under the Privacy (Australian Government Agencies — Governance) APP Code 2017, Commonwealth agencies must conduct a written PIA for all "high privacy risk" projects. This includes new data collections, system changes, and initiatives involving sensitive information.
Non-compliance can result in regulatory action by the OAIC.
The OAIC strongly recommends PIAs for any private organisation covered by the Privacy Act (generally those with annual turnover above $3M). The 2024 Privacy Act reforms are expected to make PIAs mandatory for high-risk processing, similar to GDPR's DPIA requirements.
Best practice now, likely mandatory soon.
Health service providers are covered by the Privacy Act regardless of size or turnover. There is no $3M threshold. This includes hospitals, medical practices, allied health, pharmacies, pathology, imaging, and anyone providing a health service.
Health information is "sensitive information" under the Act, attracting additional protections.
State and territory health services (public hospitals, health departments) are covered by their respective state privacy legislation. Most states require or strongly recommend PIAs for new health information systems. Queensland Health, NSW Health, and Victorian DHHS all have PIA requirements.
Check your state's health privacy framework.
$50 Million: the maximum penalty for serious or repeated privacy breaches under the Privacy Act (as amended 2022). Up to $50M for bodies corporate, $2.5M for individuals. The OAIC now has expanded enforcement powers.
Mandatory notification to affected individuals and OAIC. Public disclosure damages reputation.
Loss of customer/patient trust. Media coverage. Long-term brand impact.
Incident response costs. System shutdowns. Remediation projects.
Class actions from affected individuals. Regulatory investigations.
Personal liability for directors who fail to ensure adequate privacy governance.
Most organisations manage PIAs using one of these methods. All have significant drawbacks.
The most common approach. Download a template, fill it in, save it to SharePoint.
Hire external consultants to conduct PIAs. Great expertise, but...
Excel or Google Sheets for tracking. Better than nothing, but...
PIMS is purpose-built for Privacy Impact Assessments. Not adapted from a GRC platform. Not a document management system. Just PIAs, done right.
Use our OAIC-aligned template out of the box. Covers all 13 Australian Privacy Principles with conditional logic. Get started in minutes.
Clone the default template and customise it to your organisation's needs. Add sections, modify questions, define your risk framework.
Draft → Submit → Review → Approve. Clear status tracking with role-based permissions.
Structured risk register with likelihood/consequence matrix. Link risks to compliance gaps and track treatment actions.
Complete history of who did what and when. Demonstrate your privacy governance to auditors and regulators.
Dashboard visibility for Privacy Officers. Export board-ready reports. Track your privacy posture over time.
Manage PIAs across business units, projects, or clients. Enterprise SSO via Entra ID, or simple email login.
Role-based declarations and approvals. Responsible person, accountable person, and privacy officer sign-offs.
PIMS is designed for organisations that need to manage privacy compliance at scale — without the enterprise price tag.
Hospitals, health services, medical practices, allied health
Residential aged care, home care, retirement living
Childcare centres, early learning, family services
Local councils, state agencies, statutory authorities
Community services, disability services, charities
Privacy consultants, law firms, advisory practices
Pragmatix is a Brisbane-based consultancy specialising in digital health, privacy, and information governance. We've been helping healthcare and government organisations navigate privacy compliance for over 20 years. We built PIMS because we saw firsthand how much time is wasted on Word documents and spreadsheets.
Visit pragmatix.com.au