Building privacy into pilot projects
February 1, 2022
Privacy Act Bulletins are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal public sector. We encourage you to share this information with colleagues.
When developing an initiative or testing a new technology, institutions sometimes conduct a pilot project. Pilots can be effective in helping an institution determine if an initiative is likely to fulfill its intended objectives and to test the use of new technology before rolling things out on a broader scale. Pilot projects can also help identify gaps or risks as well as the steps institutions should take to mitigate them.
Pilot projects may require the collection, use, disclosure and retention of personal information. When personal information is involved in pilots, risks to privacy must be assessed. This can, however, be done in a way that is contextual and takes into account the scale of the initiative and its level of risk.
Key takeaway: It is important to remember that even though a pilot may only last for a short duration, institutions always need to ensure they are compliant with law and policy. Specifically, institutions should ensure pilots comply with:
- The legal requirements set out in the Privacy Act;
- The institution’s enabling legislation; and
- Government of Canada and Treasury Board of Canada Secretariat (TBS) policies and directives.
Pilot projects and privacy impact assessments
A Privacy Impact Assessment (PIA) is a risk management process that helps institutions ensure they meet legal requirements and identify the impacts their programs and activities will have on individuals’ privacy.
A PIA is generally required if a program or activity – whether permanent or pilot – has an impact on the personal information of individuals. Institutions should determine if a PIA is required as per the TBS Directive on Privacy Impact Assessment and, if so, conduct one before they launch a pilot.
The PIA process is designed to be flexible and scalable. The length and complexity of your PIA process will depend on the scale, complexity and risk level of your pilot. A PIA on a low-complexity, low-risk, short-term initiative should address all key components of the PIA process, but you will likely find that:
- fewer parties need to be involved in the process
- stakeholder consultation may not be necessary
- there are limited information flows to map
- there are fewer components to describe
- there are fewer privacy impacts and therefore fewer recommendations to discuss
- the final PIA report is shorter
Expectations: OPC’s Guide to the Privacy Impact Assessment Process can help guide institutions through the PIA process.
Note that it is critical that you determine the legal authority for your pilot before considering whether you should undertake a PIA. If you do not have legal authority, you should not proceed with the initiative.
Reducing risk when conducting a pilot
Institutions can take a number of steps to reduce risks to privacy when conducting pilot projects, including by doing the following:
- Conduct the appropriate risk management process before the pilot is launched, such as a PIA or a Privacy Protocol;
- Consider whether information sharing agreements or contracts with third parties may be required and incorporate privacy;
- Plan for how personal information will be handled, retained, and disposed of, should the pilot not become a permanent program;
- Consider whether a testing phase requires the use of personal information and if so, how much;
- Ensure that the public is notified of how their personal information will be collected, and for what purpose and add information about the pilot on the institution’s public facing website, as appropriate; and
- Obtain valid consent for the collection, use, disclosure and retention of personal information when consent is required under the Privacy Act.
Seeking privacy expertise
We encourage institutions to consult their Access to Information and Privacy (ATIP) services long before initiating a pilot project. Institutions may also wish to consult with OPC’s Government Advisory Directorate. The Government Advisory Directorate is happy to answer questions and provide advice to institutions early in the development, and throughout the lifecycle of programs and activities. For more information, please contact the Government Advisory Directorate at firstname.lastname@example.org.
Sign up for future Privacy Act Bulletins by subscribing to our RSS feed.
- Date modified: