scope:

This standard recognizes that a Privacy Impact Assessment (PIA) is an important financial services and banking management tool that should be used within an organization or by "contracted" third parties to identify and mitigate privacy issues and risks associated with processing consumer data using automated, networked information systems. This PIA Standard:
- Describes the privacy impact assessment activity, in general;
- Defines the common and required components of a PIA, regardless of business systems affecting financial institutions; and
- Provides informative guidance to educate the reader on privacy impacts assessments
.
A privacy impact assessment (PIA) is different than a privacy compliance audit. A compliance audit determines an institution's current level of compliance with the law and identifies steps to avoid future non-compliance with the law. While there are similarities between PIAs and privacy compliance audits, in that they use some of the same skills and that they are tools used to avoid breaches of privacy, the primary concern of a compliance audit is to just meet the requirements of the law, whereas a PIA should delve much further to identify ways to optimally safeguard privacy.
This standard recognizes that the choices of financial/banking system development and risk management procedures are business decisions and as such, the business decision makers must be informed in order to make educated decisions for their financial institutions. This standard provides a privacy impact assessment structure (e.g., common PIA components, definitions, and informative annexes) for institutions that handle financial information that are seeking to use a PIA as a tool to plan for and to manage privacy issues within business systems that they consider to be vulnerable.