In which situation would a Privacy Impact Assessment (PIA) be the least likely to be required?

In which situation would a Privacy Impact Assessment (PIA) be the least likely to be required?
A . If a company created a credit-scoring platform five years ago.
B . If a health-care professional or lawyer processed personal data from a patient’s file.
C . If a social media company created a new product compiling personal data to generate user profiles.
D . If an after-school club processed children’s data to determine which children might have food allergies.

View Answer

Answer: A

Explanation:

A Privacy Impact Assessment (PIA) is a process that helps to identify and mitigate the privacy risks of a project or activity that involves personal data. A PIA is usually required when there is a new or significant change in the way personal data is collected, used, or disclosed. Therefore, a PIA would be the least likely to be required if a company created a credit-scoring platform five years ago, as this would not be a new or significant change. The other situations involve new or changed processing of personal data that could have privacy impacts, such as sensitive data (health or children’s data), profiling data (user profiles), or large-scale data (patient’s file).

Reference: CIPM Study Guide, page 30; Guide to undertaking privacy impact assessments.