Data protection impact assessments

Name: Data protection impact assessments
Creator: TestPattern Community
License: https://opensource.org/licenses/MIT

Identifies documents containing references to data protection impact assessments in Australian contexts. This information type is classified as personally identifiable information under the Privacy Act 1988.

Type: regex
Engine: boost_regex
Confidence: medium
Confidence justification: category-aware structural regex with anchor and context constraints replaces phrase-only detection.
Detection quality: Mixed
Jurisdictions: global
Regulations: AML/CTF Act (Cth), HRIPA (Cth), IPA 2009 (Qld), My Health Records Act 2012 (Cth), NDB Scheme (Cth), Privacy Act 1988 (Cth), TIA Act 1979 (Cth)
Frameworks: ISO 27001, ISO 27701
Data categories: pii
Scope: wide
Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Degraded, Netskope: Unsupported

Pattern

(?is)\b(?:data\s+protection\s+impact\s+assessments|impact\s+assessment|privacy\s+impact\s+assessment|risk\s+assessment|data\s+protection|mitigation\s+measures|residual\s+risk|Privacy\s+Act)\b

Corroborative evidence keywords

data protection impact assessments, data, protection, impact, assessments, privacy, compliance, risk

Proximity: 300 characters

Should match

data protection impact assessments — Primary topic phrase match
impact assessment — Case-insensitive topic phrase match
privacy impact assessment — Alternative topic phrase match
risk assessment — Additional topic phrase match

Should not match

unrelated generic text without domain phrases — No relevant topic phrases present
placeholder value 12345 — Random text should not match topic-specific regex
data inventory compliance — Generic word pair from old broad template should not match

Known false positives

Common words and phrases related to data protection impact assessments appearing in policy documents, training materials, HR templates, or compliance guidelines without actual personal data. Mitigation: Require corroborative evidence keywords within the proximity window to confirm sensitive data context rather than general discussion.
In Australian English, similar terminology used in formal or administrative contexts (education, professional documentation) that does not constitute sensitive data collection. Mitigation: Layer with additional contextual signals such as structured identifiers, form fields, or database column headers to distinguish sensitive records from general references.
High-frequency pattern matches in large document corpora due to broad regex anchors. Expected match rate is significantly higher than specific identifier patterns. Mitigation: Tune confidence thresholds for bulk scanning. Consider using this pattern primarily as a pre-filter with secondary validation.

References

https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments
https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines