<Li> Determine the risks and effects; and </Li> <Li> Evaluate protections and alternative processes to mitigate potential privacy risks . </Li> <P> A privacy impact report seeks to identify and record the essential components of any proposed system containing significant amounts of personal information and to establish how the privacy risks associated with that system can be managed . A PIA will sometimes go beyond an assessment of a "system" and consider critical "downstream" effects on people who are affected in some way by the proposal . </P> <P> Since PIAs are a measure of an organization's ability to keep private information safe a PIA should be conducted whenever said organization is in possession of the personal information of employees and / or clients, this can include but is not limited to, name, age, phone numbers, emails, etc . A PIA should also be conducted in any instance in which the business or organization in question is in possession of information that is otherwise sensitive, or in cases when the security systems for private or sensitive information of organizations are undergoing changes that could lead to risk of privacy leaks . </P>

What is the purpose of a privacy impact assessment