Canadian Privacy Impact Assessments (PIAs) identify potential privacy threats that exist in new or revamped federal government programs or services. The objective of the assessment is to eliminate or reduce privacy or security threats. All federal departments, agencies and institutions are obliged to conduct PIAs for any programs or services that may raise privacy concerns. As part of the process, the department must examine and assess the procedures for protection of personal information throughout the program’s lifecycle (i.e. collection, storage, usage, disclosure and destruction).
When to do a PIA?
Each government department or agency is responsible for conducting the PIA. The procedure is carried out by an appointed assessment team, which includes experts in legal services, privacy, access to information and information technology. A preliminary PIA may be carried out to determine whether or not a full PIA is necessary. The preliminary PIA may find that there are minimal or no privacy risks, in which case a full PIA does not need to be completed.
The following criteria may help to identify situations in which a PIA is necessary:
- If a new program or service is being designed.
- If an existing program or service is undergoing significant changes.
- If a conventional service delivery mode is being converted to an electronic mode.
- If the program involves the collection, use or disclosure of personal information (e.g. name, address, age, education/medical/employment history, etc.).
- If the program is changing from informed consent to indirect collection of personal or sensitive information.
- If the program requires the collection of personal information from other programs within the institution, other institutions, other governments or organizations in the private sector.
- If the program will be used in decision-making processes (e.g. eligibility for programs/services).
- If the personal information will be used for research or statistical purposes.
- If the SIN (social insurance number) will be used without any legislative authority.
- If the public might have privacy concerns regarding the program/service.
- If there will be physical or logical separation of personal information.
- If the infrastructure architecture will affect the security mechanisms used to manage or control access to personal information.
Objectives & Goals
The purpose of a PIA is to establish that privacy principles and legislation are embedded within a new program or service and adhered to throughout its lifecycle. The main goal of a PIA is to effectively communicate any privacy risks that cannot be addressed in any other way. Senior management depends on PIAs to make fully informed decisions regarding policy, system design and procurement. Other goals of PIAs include:
- Build citizens’ trust and confidence.
- Promote awareness and understanding of privacy issues.
- Ensure privacy is a central consideration in the initial design of a project’s objectives and activities.
- Identify accountability for privacy concerns.
- Reduce risks of program termination due to privacy requirements.
- Provide decision-makers with necessary information, understanding of privacy threats and a means for mitigating those threats.
- Establish basic documentation regarding business processes and flow of personal information throughout the department.
Ten privacy principles (the Fair Information Principles) regulate the PIA process:
- Accountability: Is there someone in the department who oversees privacy policies and practices?
- Identifying Purposes: Is the public informed of the reasons for collection of personal information?
- Consent: Does the individual give consent to the collection, use and disclosure of his/her personal information?
- Limiting Collection: Is the information collected absolutely required?
- Limiting Use, Disclosure & Retention: Is the personal information used or disclosed for the identified purposes? If information is used for other purposes, does the department secure consent? Is the information disposed of when it is no longer necessary?
- Accuracy: Does the department ensure that inaccurate personal information is not used or disclosed?
- Safeguards: Does the department protect personal information from loss, theft, unauthorized access, disclosure, copying, use or modification?
- Openness: Are privacy policies readily available to the public?
- Individual Access: Can individuals see any of their personal information? Can they challenge the accuracy of their personal information and demand that it be corrected?
- Challenging Compliance: Can individuals challenge the privacy practices of the department?
The PIA is done as part of a cooperative process, tailored for the operations of a specific department or application. It is made up of four core components:
- Project initiation: In this step, the scope of the PIA process is defined. Team resources are designated. The required PIA tools are adopted.
- Data flow analysis: In this step, the proposed business processes are described. Clusters of personal information are identified in the business processes. Detailed data flowcharts showing the path of personal information are also developed.
- Privacy analysis: This involves either a federal program questionnaire, or a cross-jurisdictional questionnaire. The questionnaire responses are discussed and further details are gathered. The privacy issues and implications are described.
- Privacy impact analysis report: In this step, privacy risks are summarized. The degree of risk is identified. Any options to mitigate risks are discussed and established.
The result of the PIA process should be a documented evaluation of privacy threats, implications and response strategies. A PIA report should be an effective communication tool for stakeholders. As a result of the process, the assessment team may find one or more of the following common privacy risks:
- This refers to the combination of unrelated personal information that may be obtained from a number of different sources.
- The personal information is used to create new information about the individual.
- For example, a person’s preferences and habits are combined to develop a profile.
Identification of Individuals
- This is especially common for services that are delivered electronically.
- Identification and authentication are one way to manage security risks. However, there may be surveillance threats if common identifiers or identification systems can facilitate data sharing, monitoring or profiling.
- This involves the observation or tracking of an individual’s interaction history.
- The result is new personal information that reflects the individual’s overall experience.
Lack of/Doubtful Legal Authority
- This involves the failure to identify the program authority to collect, use or disclose personal information.
- This may be a violation of privacy legislation as well as the Charter of Rights and Freedoms.
Physical Observation of Individuals
- This refers to tracking the movement/location of individuals.
- This may involve vehicle transponders, satellite locators, cameras or other recording mechanisms.
Publishing/Redistribution of Personal Information Databases
- This is often done through electronic publishing, which facilitates the misuse of information.
- Electronic publications can easily be manipulated and used for unauthorized purposes.
The Role of the OPC
During the PIA process, the OPC (Office of the Privacy Commissioner) may consult with departments to ensure that all privacy issues are understood, as well as to offer advice and suggestions regarding potential privacy threats and solutions. The OPC receives the final PIA reports before any new programs or services are implemented. During review, the OPC may offer comments and recommendations to the department. These are not binding; the decision to implement the OPC’s recommendations is solely that of the department.
The completion of PIAs is required under Treasury Board Secretariat policy. The OPC hopes to have the PIA process covered under federal legislation, as part of the Privacy Act reform, which would greatly reinforce the PIA process. The OPC believes that the Privacy Act should provide a set of principles underlying a curriculum for PIA specialists, which currently does not exist. The OPC would also like the PIA process to be obligatory, not only for new or modified programs, but as a required component of annual reports and department performance reports.
This article explores PIAs (Privacy Impact Assessments), which ensure that privacy policies and legislation are adhered to at all stages of a program/service. In Canada, PIAs must be completed for new or modified federal government programs or services. The article examines the key components, goals and objectives of PIAs as well as the role of the OPC (Office of the Privacy Commissioner) in developing, responding to and modifying PIAs.
In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:
- Canadian government structure (I.A.a.)
- Privacy Impact Assessments (IV.B.a.i.)