PTA overview
Privacy Impact Assessments/Analyses (PTAs) are an important aspect of privacy compliance documentation, but aren’t the only evaluations necessary for an organization.
Privacy teams also create PTAs to preemptively detect an organization’s PII use, which, if identified, would require subsequent PIAs.
Typical PTAs include the following information:
- Description of the system
- What PII, if any, is collected or used
- From whom is the PII is collected
The purpose of the Privacy Threshold Analysis (PTA) is to help a company’s departments gauge their system’s information, and determine how to appropriately treat data that has been acquired by the organization.
PTAs primarily focus on two main areas:
- Business data and business processes within each business unit
- Potential connections with individuals including the use of PII – any use of social security numbers must be specifically identified
Why do we need PTAs?
PTAs are useful for initiating communication and collaboration between a company’s departments, including: the CPO, information security officer, CIO, and even heads of the HR, marketing, IT, and operations teams.
It’s an effective tool that helps organizations analyze and record the potential privacy documentation requirements of corporate activities.
As recommended in National Institute of Standards and Technology (NIST) Special Publication 800-122:
“PTAs are used to determine if a system contains PII, whether a Privacy Impact Assessment is required, whether a System of Records Notice (SORN) is required, and if any other privacy requirements apply to the information system. PTAs should be submitted to an organization’s privacy office for review and approval. PTAs are often comprised of simple questionnaires that are completed by the system owner.”
