Why Manual Processes Fail
Australian organisations are expected to conduct Privacy Impact Assessments — and government agencies are required to. But most still manage PIAs using methods that create risk, not reduce it.
Word Documents
No visibility across the organisation. No workflow. No audit trail. Documents get lost, versions conflict, and there's no central view of your privacy compliance posture.
Spreadsheets
Manual data entry leads to errors. No proper risk matrices. No treatment tracking. Difficult to report on, impossible to audit, and doesn't scale as requirements grow.
Confused Project Teams
PIAs get assigned to project managers who aren't privacy specialists. They struggle with what's required, chase approvals via email, and have no way to track progress. When audit time comes, nobody can find the completed assessments or prove who signed off.
No Data Visibility
Most organisations can't answer basic questions: What personal information do we hold? Which systems process it? Where does it flow? Without systematic data mapping, privacy risks — and actual breaches — go undetected.
No Privacy Program Visibility
Privacy obligations are scattered across intranet pages, shared drives, and people's inboxes. There's no single place to see your regulatory framework, who your privacy officer is, when your policies were last reviewed, or whether staff have completed training. When the OAIC asks, you're scrambling.
No Staff Awareness
Staff handle personal information daily but don't understand their obligations. There's no structured training, no way to track who's completed it, and no evidence for auditors that your people know the rules.
No AI Governance
Your organisation is adopting AI tools, but nobody is assessing the risks. There's no process for evaluating whether an AI system makes decisions that affect people, whether it's biased, or whether it complies with emerging regulation. The EU AI Act takes full effect in August 2026. Australia's automated decision-making transparency obligations commence in December 2026. If you're not assessing AI risks now, you're already behind.
The Pragmatic Governance Platform for Australia and New Zealand
PIMS is a pragmatic governance platform for managing your privacy program, AI governance, and security assessments — in one place. Privacy doesn't exist in a vacuum. Neither does AI governance or cyber security. PIMS connects them. Aligned to Australian and New Zealand privacy law, the EU AI Act, and Australia's AI governance framework.
Purpose-built for Australian and New Zealand regulatory requirements — at a price point accessible to mid-market organisations and the consultancies that serve them. No enterprise implementation project required. Structured workflows for the APPs, Queensland Privacy Principles, and NZ Privacy Act 2020 — ready to use from day one.
Run Your Privacy Program
Establish and manage your organisation's privacy program from a single hub.
Privacy Program Overview
Your organisation's privacy command centre. See your program summary, regulatory framework, program contacts, key dates, and quick stats at a glance. OrgAdmins configure the program; everyone else has visibility.
Regulatory Framework
Select your operating countries and jurisdictions — PIMS automatically identifies the applicable legislation and privacy principles. Supports Commonwealth, all Australian states and territories, and New Zealand. From the Privacy Act 1988 to the Queensland Privacy Principles to the NZ Privacy Act 2020 — PIMS knows what applies to you.
Policies & Procedures
Document your data breach response process, link to key resources, and manage governance documents. A central home for the policies that underpin your privacy program.
Privacy Training
Interactive training modules covering the privacy laws relevant to your organisation. Content is filtered to your configured jurisdictions — if you operate in Queensland and New Zealand, you see federal, Queensland, and NZ training. Covers legislation, privacy principles, PIA requirements, and regulator guidance for each jurisdiction.
Manage Your PIAs
Structured workflows to assess, track, and approve Privacy Impact Assessments.
OAIC-Aligned Templates
Start with the official OAIC template covering all 13 Australian Privacy Principles. Conditional logic guides assessors through relevant sections based on their project.
Customisable Templates
Create organisation-specific templates, add custom questions, and tailor frameworks to your governance requirements. Support for multiple active templates.
Simple or Tiered Workflows
Choose a simple workflow where threshold questions determine whether a full PIA is needed, or opt into tiered assessments where screening questions route initiatives to the right level of PIA based on complexity and risk.
Initiative-Based Governance
Group related assessments under a single Initiative — a project, program, new service, or product. Business context flows automatically to every linked PIA, AI Assessment, and security assessment. Raise assessments from the Initiative, or link existing ones later. Either way works.
Workflow & Approvals
Track every PIA from Draft through Submission, Review, and Approval. Role-based sign-offs ensure the right people review at each stage. Complete audit trail of every action.
Risk & Action Tracking
Identify privacy risks with likelihood and consequence scoring. Document treatment plans, assign actions with due dates, and track resolution. Risks and actions flow across your entire program — not siloed per assessment.
Govern Your AI
Assess, track, and manage AI risks with the same structured workflows you use for privacy.
AI Program Overview
Your organisation's AI governance hub — mirroring the Privacy Program. See your AI program summary, applicable regulatory frameworks, responsible AI contacts, and assessment stats at a glance. Establish governance before regulators require it.
AI Threshold Assessments
Not every AI initiative needs a full assessment. PIMS uses a quick threshold survey — 10 minutes, yes/no questions drawn from the EU AI Act, Privacy Act ADM obligations, and Australia's Guidance for AI Adoption — to determine whether a full AI Assessment is warranted. If it is, escalate directly with one click. If not, record the decision and move on.
Full AI Assessments
For AI systems that warrant deeper scrutiny, the Full AI Assessment covers system description, data governance, transparency and explainability, human oversight, fairness and bias, accuracy and robustness, accountability, contestability, environmental impact, and regulatory alignment. Built-in compliance alerts flag issues as you go — including EU AI Act risk classification and prohibited practices.
Same Workflows, Same Infrastructure
AI Assessments use the same workflow engine as PIAs — Draft, Submit, Review, Approve. Same role-based sign-offs. Same risk register. Same action tracking. Same audit trail. No separate system to learn. If your team can run a PIA in PIMS, they can run an AIA.
Privacy and AI Together
Most AI systems that need an AI Assessment also need a PIA — because they handle personal information. PIMS connects them through Initiatives. A single Initiative links your PIA, AI Assessment, and security assessment for the same project — shared business context, shared ownership, one governance view across all three. No separate systems. No duplicated effort. No gaps.
Regulatory Coverage
PIMS AI Assessments are built against three regulatory layers: the EU AI Act (risk classification, prohibited practices, high-risk system requirements — fully applicable August 2026 with extraterritorial reach), Privacy Act ADM obligations (automated decision-making transparency under APP 1.7–1.9, commencing December 2026), and Australia's Guidance for AI Adoption (AI6) — six essential practices published October 2025.
Manage Your Security Assessments
Assess supplier and vendor risk with the same structured workflows you use for privacy and AI.
Supplier Risk Assessments
When a supplier or vendor handles personal information on your behalf, you need to assess their security posture before you engage them — and periodically after. PIMS includes a structured Supplier Risk Assessment template covering identity and access management, data protection, incident response, business continuity, and privacy obligations. Aligned to AICPA TSC, CSA CAIQ v4.1, ACSC Essential Eight, and the Privacy Act 1988.
Assess the Full Vendor Ecosystem
Supplier risk doesn't stop at the contract boundary. Your vendor's sub-processors, cloud providers, and integration partners are all part of the risk picture. PIMS Supplier Risk Assessments are designed to surface the full data flow — not just the directly contracted party — so your assessment reflects the real risk exposure.
Same Workflows, Same Infrastructure
Security assessments use the same workflow engine as PIAs and AI Assessments — Draft, Submit, Review, Approve. Same role-based sign-offs. Same risk register. Same action tracking. Same audit trail. Link a Supplier Risk Assessment to the same Initiative as the related PIA and AI Assessment for a complete governance view of any project involving a third-party vendor.
Map Your Personal Information
Understand what personal information you hold, where it lives, and how it flows.
Information Asset Register
Catalogue the systems and applications that process personal information. Track data holdings, flows, ownership, and licensing. A living record connected to your PIAs.
Data Dictionary
Define and classify the personal information elements your organisation collects. Create a shared vocabulary for consistency across assessments, asset records, and reporting.
Personal Information Maps
Visualise how personal information flows through your organisation with interactive diagrams linking data elements to systems to PIAs. The OAIC template requires you to map information flows — PIMS makes it systematic.
Report and Demonstrate Compliance
Generate evidence your privacy program is working — for regulators, boards, and auditors.
Dashboards
Real-time visibility into your privacy posture. PIA status breakdown, risk heatmaps, overdue actions, and compliance metrics at a glance.
Stakeholder Reports
Reports designed for the audience that needs them — Privacy Officers, Executives, Auditors, and Consultants. Each perspective answers a different question about your program's health.
Audit-Ready Evidence
Complete audit trail of every assessment, decision, and sign-off. When the OAIC or an auditor asks how you manage privacy, log them in and show them.
Enterprise Ready
Built for organisations that need security, scale, and control.
Multi-Tenant Architecture
Support multiple business units, subsidiaries, or clients from a single platform. Perfect for large organisations or consultancies managing compliance for multiple entities.
Enterprise SSO
Integrate with Microsoft Entra ID (Azure AD) for seamless single sign-on. Alternative email-based authentication available for organisations without enterprise identity.
Complete Audit Trail
Every action is logged. Document who did what and when with tamper-proof records that satisfy regulatory and audit requirements.
Role-Based Access Control
Control who can do what across your organisation. Assign User, Auditor, and OrgAdmin roles to ensure the right people create, review, and approve assessments. Permissions are enforced at every level.
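The behaviour described in Workflow & Approvals, Risk & Action Tracking, Complete Audit Trail and Role-Based Access Control above, as an added illustrative model in Python. It is not PIMS code: which role may drive which transition of the Draft, Submit, Review, Approve workflow, the 1 to 5 likelihood and consequence scale with its Low/Medium/High bands, the rule that a submitter may not approve their own assessment, and the sample actor names are all assumptions made for this example. The audit trail is hash-chained so that changing or deleting any earlier entry is detected by `verify()`.

```python
"""Illustrative model of an assessment workflow with role-based sign-offs,
likelihood x consequence risk scoring and a tamper-evident audit trail.
Added example, not PIMS code: the role-to-transition mapping, the 1-5
scoring bands and the separation-of-duties rule are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

ROLES = ("User", "Auditor", "OrgAdmin")

# Assumed mapping of which roles may drive each transition of the
# Draft -> Submit -> Review -> Approve workflow (not PIMS's own rules).
TRANSITIONS = {
    ("DRAFT", "SUBMITTED"): {"User", "OrgAdmin"},
    ("SUBMITTED", "IN_REVIEW"): {"Auditor", "OrgAdmin"},
    ("IN_REVIEW", "DRAFT"): {"Auditor", "OrgAdmin"},   # sent back for rework
    ("IN_REVIEW", "APPROVED"): {"OrgAdmin"},
}


def risk_rating(likelihood, consequence):
    """Assumed 5x5 matrix: likelihood * consequence banded into Low/Medium/High."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be 1..5")
    score = likelihood * consequence
    return "High" if score >= 15 else "Medium" if score >= 6 else "Low"


class AuditTrail:
    """Append-only log; each entry commits to the previous entry's hash, so
    editing or deleting any earlier record breaks every later hash."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        fields = [entry[k] for k in ("seq", "actor", "role", "action", "prev", "ts")]
        return hashlib.sha256(json.dumps(fields).encode()).hexdigest()

    def append(self, actor, role, action):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "actor": actor, "role": role,
                 "action": action, "prev": prev,
                 "ts": datetime.now(timezone.utc).isoformat()}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return True only if every hash links correctly back to GENESIS."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class Assessment:
    """A PIA-style record whose state changes are gated by role and logged."""

    def __init__(self, title, actor, role, trail):
        self.title, self.state, self.trail = title, "DRAFT", trail
        self.submitted_by, self.risks = None, []
        self.trail.append(actor, role, f"created '{title}'")

    def transition(self, to, actor, role):
        allowed = TRANSITIONS.get((self.state, to))
        if allowed is None:
            raise ValueError(f"no transition {self.state} -> {to}")
        if role not in ROLES or role not in allowed:
            raise PermissionError(f"{role} may not move {self.state} -> {to}")
        # Assumed separation-of-duties rule: nobody approves what they submitted.
        if to == "APPROVED" and actor == self.submitted_by:
            raise PermissionError("submitter cannot approve their own assessment")
        if to == "SUBMITTED":
            self.submitted_by = actor
        self.trail.append(actor, role, f"{self.state} -> {to}")
        self.state = to

    def add_risk(self, description, likelihood, consequence, actor, role):
        rating = risk_rating(likelihood, consequence)
        self.risks.append({"description": description, "rating": rating, "status": "open"})
        self.trail.append(actor, role, f"risk added ({rating}): {description}")
        return rating


def run_demo():
    """Walk one assessment through the workflow with constructed sample actors."""
    trail = AuditTrail()
    pia = Assessment("Patient portal PIA", "pm@example", "User", trail)
    pia.add_risk("Health records exposed via shared login", 3, 5, "pm@example", "User")
    pia.transition("SUBMITTED", "pm@example", "User")
    pia.transition("IN_REVIEW", "auditor@example", "Auditor")
    pia.transition("APPROVED", "privacy.officer@example", "OrgAdmin")
    return pia, trail


if __name__ == "__main__":
    pia, trail = run_demo()
    print(pia.state, pia.risks[0]["rating"], len(trail.entries), trail.verify())
```

Running the file walks one assessment from Draft to Approved and prints the final state, the risk rating, the number of audit entries and the chain check. A plain User attempting the Approve step is rejected before any state change is logged, which is the property a role-gated workflow needs for audit evidence. The hash chain makes silent edits detectable but does not by itself stop a fully privileged operator from rewriting the whole log, so in practice the chain head would also be anchored somewhere the application cannot overwrite, such as a separate write-once log store.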
Who Needs to Assess Privacy and AI Risks?
PIA and AI assessment requirements vary by sector, but the direction is clear: privacy and AI accountability is becoming mandatory across Australia. Is your organisation ready?
Australian Government Agencies
Required under the Privacy (Australian Government Agencies — Governance) APP Code 2017 for all high-privacy-risk projects.
Private Sector Organisations
Organisations with annual turnover above $3 million are APP entities under the Privacy Act. The Privacy Act Amendment (Tranche 1), passed December 2024, strengthens accountability obligations. The statutory tort of privacy commenced June 2025, creating new avenues for enforcement.
Health Service Providers
Health service providers handle sensitive information under the Privacy Act regardless of size. PIAs are essential for any system or project involving patient data.
State & Territory Government
Queensland agencies must comply with the Information Privacy Act 2009 and the new Queensland Privacy Principles (effective July 2025). Similar requirements exist across NSW, Victoria, ACT, Tasmania, and NT under their respective legislation.
New Zealand Organisations
The Privacy Act 2020 (NZ) applies broadly to agencies handling personal information. The NZ Privacy Commissioner provides PIA guidance and tools.
AI Systems — All Sectors
If your organisation deploys, develops, or imports AI systems, governance requirements are arriving fast. The EU AI Act takes full effect in August 2026 and applies extraterritorially — if the output of your AI system is used in the EU, you're in scope regardless of where you're headquartered. In Australia, the Privacy Act amendments require organisations to disclose automated decision-making that significantly affects individuals from December 2026. Whether mandatory or not yet, AI assessments are rapidly becoming a baseline expectation for responsible organisations.
The Cost of Getting Privacy Wrong
Privacy breaches aren't just embarrassing — they're expensive. The amended Privacy Act has significantly increased penalties, and regulators are taking enforcement seriously.
Individual penalties can reach $2.5 million
Beyond financial penalties:
- Mandatory breach notification to affected individuals and the OAIC
- Reputational damage and loss of customer trust
- Operational disruption during incident response
- New statutory tort of privacy allows individuals to sue for serious invasions of privacy (commenced June 2025)
- Potential director liability for governance failures
The AI governance gap
Privacy isn't the only compliance frontier. The EU AI Act introduces penalties of up to €35 million or 7% of global annual turnover for prohibited AI practices — whichever is higher. In Australia, automated decisions made using personal information already fall under existing Privacy Act penalties. Organisations that fail to assess AI risks face regulatory action, reputational damage, and loss of trust from customers who increasingly expect transparency about how AI affects them.
PIAs and AI Assessments help you catch problems early — before they become costly breaches.
Who Uses PIMS?
PIMS is designed for any organisation handling personal information in Australia or New Zealand — including foreign companies with Australian operations. Our platform serves organisations across diverse sectors.
Healthcare
Aged Care
Early Childhood
Government
Not-for-Profits
Consultancies
Education
Financial Services
Built by Pragmatix
Pragmatix is a Brisbane-based consultancy helping organisations align technology with business strategy — pragmatically. Our team has led digital transformation programs worth over $300 million across healthcare, government, financial services, and not-for-profit sectors.
PIMS was born from our consulting work. We saw too many organisations struggling with privacy compliance using inadequate tools, so we built the platform we wished existed.
Queensland organisations — see how PIMS supports QLD privacy requirements including the IPOLA reforms and Queensland Privacy Principles.
New Zealand organisations — see how PIMS supports NZ Privacy Act 2020 compliance and trans-Tasman operations.
Frequently Asked Questions
Common questions about Privacy Impact Assessments, AI Assessments, Security Assessments, and PIMS.
What is a Privacy Impact Assessment (PIA)?
A Privacy Impact Assessment (PIA) is a systematic process for evaluating how a project, system, or initiative will affect the privacy of individuals. It identifies privacy risks and proposes measures to mitigate them. In Australia, the OAIC provides guidance on conducting PIAs aligned with the Privacy Act 1988 and the 13 Australian Privacy Principles.
Who is required to conduct PIAs in Australia?
Australian Government agencies are required to conduct PIAs for high-privacy-risk projects under the Privacy (Australian Government Agencies — Governance) APP Code 2017. Private sector organisations with turnover above $3 million are APP entities under the Privacy Act. The Privacy Act Amendment (Tranche 1), passed December 2024, strengthened accountability obligations, and the statutory tort of privacy commenced June 2025. Health service providers must conduct PIAs regardless of size as they handle sensitive information. State and territory government agencies are also required to conduct PIAs under their respective legislation.
What are the penalties for privacy breaches in Australia?
Under the amended Privacy Act provisions, maximum penalties for serious privacy breaches can reach $50 million for bodies corporate, with individual penalties up to $2.5 million. Additional consequences include mandatory breach notifications, reputational damage, operational disruption, legal action, and potential director liability. The statutory tort of privacy, which commenced June 2025, also allows individuals to sue for serious invasions of privacy.
How does PIMS help with Privacy Impact Assessments?
PIMS streamlines the PIA process with pre-configured OAIC templates covering all 13 Australian Privacy Principles, workflow management to track assessments from draft to approval, a proper risk register with treatment tracking, complete audit trails, and audit-ready reporting. It replaces inefficient Word documents and spreadsheets with a purpose-built platform.
What is a Personal Information Map?
A Personal Information Map visualises how personal information flows through your organisation — linking the data elements you collect to the systems that process them and the PIAs that assess them. The OAIC PIA template requires organisations to describe and map personal information flows. PIMS automates this with a visual mapping tool rather than relying on diagrams drawn once and never updated.
Do I need to map my data flows?
Yes. The OAIC PIA template explicitly requires you to "describe and map the project's personal information flows" with sufficient detail to show what information is collected, used, and disclosed, how it is stored and protected, and who has access. PIMS provides the Information Asset Register, Data Dictionary, and Personal Information Maps to fulfil this requirement systematically.
Can PIMS handle different PIA processes for different types of initiatives?
Yes. PIMS supports both simple and tiered PIA workflows. Simple workflows use threshold questions to determine whether a full PIA is needed. Tiered workflows use screening questions to route initiatives to the appropriate level of assessment based on complexity and risk — useful for organisations that need to distinguish between preliminary and comprehensive PIAs.
What is a Privacy Program in PIMS?
The Privacy Program section is your organisation's privacy command centre. It brings together your program summary, regulatory framework, privacy contacts, key dates, training, policies and procedures, and a glossary in one place. It replaces the scattered intranet pages, shared drives, and spreadsheets that most organisations use to manage their privacy program.
What is an AI Assessment?
An AI Assessment (AIA) is a structured evaluation of an AI system's risks and governance requirements — similar to how a Privacy Impact Assessment evaluates privacy risks. It covers areas like transparency, fairness, human oversight, data governance, accuracy, and regulatory compliance. PIMS AI Assessments are aligned to the EU AI Act, the automated decision-making obligations under Australia's Privacy Act, and Australia's Guidance for AI Adoption (AI6).
When do I need an AI Assessment?
If your AI system makes or supports decisions that affect individuals, processes personal information, operates in a regulated sector, or has any connection to the EU market, you should be assessing it. The EU AI Act is fully applicable from August 2026, and Australia's automated decision-making transparency obligations commence in December 2026. PIMS uses a quick threshold survey to help you determine whether a full assessment is needed — so you're not over-assessing low-risk tools or under-assessing high-risk systems.
How does PIMS handle both PIAs and AI Assessments?
PIAs and AI Assessments share the same infrastructure in PIMS — same workflow engine, same risk register, same sign-off process, same audit trail. Most AI systems that need an AIA also need a PIA because they handle personal information. PIMS lets you link them so you have a complete view of both the privacy and AI risks for any initiative, without managing parallel processes in separate tools.
What is an Initiative in PIMS?
An Initiative is a project, program, new service, or product that requires one or more privacy, AI, or security assessments. In PIMS, you can create an Initiative to group all related assessments together — so a single project that needs a PIA, an AI Assessment, and a Supplier Risk Assessment can be managed as one program of work. Business context (business area, responsible team, capabilities, and processes) is set once at the Initiative level and flows automatically to every linked assessment. Initiatives are optional — you can always raise a standalone assessment — but they become valuable as your assessment volume grows and projects span multiple assessment types.
What security assessments does PIMS support?
PIMS currently includes a structured Supplier Risk Assessment template for evaluating the security posture of vendors and third-party processors before engagement and periodically thereafter. The template covers identity and access management, data protection, incident response, business continuity, and privacy obligations — aligned to AICPA TSC, CSA CAIQ v4.1, ACSC Essential Eight, and the Privacy Act 1988.
Additional security assessment types — including Information Security Risk Assessments and broader ISMS support — are on the roadmap. PIMS is designed so that all assessment types share the same workflow engine, risk register, and audit trail, and can be linked to a shared Initiative for a complete governance view of any project.
What industries is PIMS designed for?
PIMS is designed for any organisation handling personal information in Australia or New Zealand — including foreign companies with Australian operations. Key industries include healthcare providers, aged care facilities, early childhood services, government agencies, not-for-profits, financial services, education, and privacy consultancies managing compliance across multiple organisations.
Is PIMS suitable for my organisation?
PIMS is built for any organisation handling personal information in Australia or New Zealand — including healthcare providers, aged care facilities, childcare centres, government agencies, private sector organisations, and foreign companies operating in Australia. It's particularly valuable if you need to demonstrate compliance during audits.
Does PIMS align with the OAIC PIA template?
Yes. PIMS comes with the official OAIC PIA template out of the box, covering all 13 Australian Privacy Principles. You can also configure your own templates and risk frameworks to match your organisation's specific requirements.
What privacy laws does PIMS support?
PIMS supports the Privacy Act 1988 (Cth), Australian Privacy Principles, and state and territory privacy legislation including the Information Privacy Act 2009 (Qld), PPIPA 1998 (NSW), Privacy and Data Protection Act 2014 (Vic), and others. PIMS also supports the Privacy Act 2020 (NZ). When you configure your operating jurisdictions, PIMS automatically identifies applicable legislation and filters training content to what's relevant. Foreign organisations doing business in Australia are subject to the Privacy Act if they have an Australian link — PIMS helps them understand and comply with their obligations.
Does PIMS include privacy training?
Yes. PIMS includes interactive training modules covering Australian and New Zealand privacy law, with content broken down by jurisdiction. Training covers federal legislation, the Australian Privacy Principles, state and territory frameworks, PIA requirements, and regulator guidance. Content is filtered to your organisation's configured regulatory framework. Additional modules covering practical workplace scenarios and notifiable data breaches are in development.
Ready to Streamline Your Privacy and AI Governance?
See how PIMS can help your organisation manage Privacy Impact Assessments and AI Assessments in one place.