Part of our job here is to generate recommendations. The main recommendation of yours is to make it a requirement to do so.
Section 5.1 of the directive on privacy impact assessment provides that such an assessment must be done for “new or substantially modified programs and activities involving the creation, collection and handling of personal information”.
Do federal institutions make a clear distinction between a new and an existing program or activity?