Commissioner may direct an agency to give a privacy impact assessment
(a) an agency proposes to engage in an activity or function involving the handling of personal information about individuals; and
(b) the Commissioner considers that the activity or function might have a significant impact on the privacy of individuals;
the Commissioner may, in writing, direct the agency to give the Commissioner, within a specified period, a privacy impact assessment about the activity or function.
(2) A direction under subsection (1) is not a legislative instrument.
Privacy impact assessment
(3) A privacy impact assessment is a written assessment of an activity or function that:
(a) identifies the impact that the activity or function might have on the privacy of individuals; and
(b) sets out recommendations for managing, minimising or eliminating that impact.
(4) Subsection (3) does not limit the matters that the privacy impact assessment may deal with.
(5) A privacy impact assessment is not a legislative instrument.
Failure to comply with a direction
(6) If an agency does not comply with a direction under subsection (1), the Commissioner must advise both of the following of the failure:
(b) if another Minister is responsible for the agency—that other Minister.
(7) Before the fifth anniversary of the commencement of this section, the Minister must cause a review to be undertaken of whether this section should apply in relation to organisations.