This obligation is in respect of proposed projects of business organisation that feature large personal information processing component. Examples include where the nature of business requires the processing of personal information of large number of people, or the personal information involve the class of information classified as sensitive personal information such as biometric information, health information, information of minors or financial information. In such circumstances, the organisation is required to carry out a Privacy Impact Assessment (PIA) prior to collection and use of the personal information involved. 

The PIA has the objective of ensuring that the organisation understands the risks involved with the processing activities to be embarked upon, and that measures are taken to mitigate the risks.