These events constitute triggers for an organization to conduct a privacy impact assessment: Conversion of records from paper-based to electronic form; Conversion of information from anonymous to identifiable form; System management changes involving significant new uses and/or application of new technologies; Significant merging, matching or other manipulation of multiple databases containing PII; Application of user-authenticating technology to a system accessed by members of the public; Incorporation into existing databases of PII obtained from commercial or public sources; Significant new inter-agency exchanges or uses of PII; Alteration of a business process resulting in significant new collection, use and/or disclosure of PII; Alteration of the character of PII due to the addition of qualitatively new types of PII.

Associated law(s): FISMA