5 ways to improve your Privacy Impact Assessments
January 25, 2023
Privacy Act Bulletins are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal public sector. We encourage you to share this information with colleagues.
Conducting Privacy Impact Assessments (PIAs) is a risk-management process that helps institutions ensure that they meet legal requirements and identify the impact their programs and activities will have on individuals’ privacy. The Treasury Board of Canada Secretariat’s (TBS) Directive on Privacy Impact Assessment requires that federal institutions conduct PIAs in a manner commensurate with the level of privacy risk identified prior to establishing any new or substantially modified program or activity involving personal information (s.5.2.1).
Federal institutions often ask us, at the Office of the Privacy Commissioner of Canada (OPC), what exactly to include in PIA reports. The TBS Directive sets out, in Appendix C, the minimum content to include in every PIA report. When considering what to include, departments must begin with this list of core requirements.
The purpose of this Bulletin is to highlight 5 elements of PIA reports that we often see neglected or mishandled. While some of these elements go beyond core PIA requirements, including them can help support a more rigorous PIA. They can also help you to improve readability for internal stakeholders and signatories, as well as the OPC in providing feedback on PIA reports.
Whether or not you incorporate all of the following suggestions, your PIA must meaningfully analyze the privacy impact of your initiatives. For more information on how to do this, please consult our guidance document: Expectations: OPC’s Guide to the Privacy Impact Assessment Process.
Legal authority
Legal authority is one of the core PIA elements required by the TBS Directive (Appendix C, Section I(e)). Institutions must properly identify their authority to undertake the initiative. We have seen institutions invoke s. 4 of the Privacy Act for their authority to collect personal information. However, s. 4 establishes the collection rule for all institutions: “No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.” It does not grant collection authority.
Rather, when outlining your institution’s legal authority, you must locate it either in your institution’s own governing legislation, in other empowering legislation like the Financial Administration Act or in some other legal instrument, such as an order in council, that specifically grants your institution the authority to collect the personal information. If you are not sure whether you have legal authority, you should consult your ATIP and/or Legal Services before proceeding with your initiative. Once you have established your legal authority, your PIA should cite the specific source or sources that allow you to proceed.
Scope
The TBS Directive does not explicitly require institutions to define the scope of your PIA, but it is a crucial step to ensure a clear analysis. In order to identify what data elements are involved, accurately capture the data flows, and eventually determine privacy risks, you must determine what falls within, and what falls out of, the scope of your analysis. For example, if your PIA focuses only on the complaint-handling function of an initiative, the risks will be different than a PIA scoped to include the full initiative, up to and including its complaint response function. Once you have determined the scope of your PIA, it is helpful to outline it to readers early in the document. To further help readers, you can add references to other closely related PIAs on adjacent programs.
Implementation date
Ideally, PIAs are completed well in advance of a program’s launch. While the TBS Directive does not require departments to include an initiative’s implementation period in a PIA report, it is a key piece of information that contextualizes the whole program for any reader who may access the document. Additionally, it is an important element for the OPC to understand when reviewing the PIA, to help guide their recommendations.
Action plan or risk mitigation plan
PIAs are tools to help institutions identify privacy risks and develop mitigation measures to reduce or eliminate those risks. However, mitigation measures are only meaningful once they are implemented. An action plan is a useful strategy to ensure that departments implement measures in a timely manner. While the TBS Directive requires that institutions develop mitigation plans or strategies for high-level risks, we have found that these kinds of action plans provide a benefit in all cases, as discussed below.
When we refer to “action plans,” we refer to a summary of the following elements:
- the risks and mitigating measures identified in the PIA
- an associated deadline or date of implementation for those mitigating measures
- the name of the individual or team responsible for the action
This action plan becomes a useful reference that simplifies follow-up. It helps to ensure that the required actions are complete and improves accountability by clearly defining roles and responsibilities. It can also assist in meeting the requirement in Appendix C, Section V of TBS’s Directive on Privacy Impact Assessments to identify specific compliance actions taken or to be taken to meet with requirements under s. 4-8 of the Privacy Act.
Supplementary documents
Among the core requirements, the TBS Directive notes that a PIA should include a list of additional documents that were used or are related to the core PIA. While it is not required by the TBS Directive, you may wish to consider including copies of these supplementary documents with your PIA to support your analysis and facilitate review. This can be useful when the documents relate closely to the initiative, and the content of the documents ties in with a privacy issue or mitigating measure. Some relevant documents may include information sharing agreements, institutional policies/procedures cited in the PIA, copies of privacy notices or copies or summaries of security assessments related to technologies.
Conclusion
We understand that completing a PIA report may be challenging. We also know how effective PIAs can be to ensure that your initiatives meet Privacy Act requirements, respect the obligations contained in TBS’s privacy policy suite and encourage the kinds of privacy-protective practices that enhance public trust in government.
The OPC’s Government Advisory Directorate is available to consult with federal government institutions on privacy-impactful programs and activities, and on the PIA process. Do not hesitate to email us at scg-ga@priv.gc.ca if you would like our help.
TBS’s Privacy and Data Protection Division is also available to consult with institutions and to advise on considerations across the TBS privacy policy suite, including the PIA process. You can reach them at ippd-dpirp@tbs-sct.gc.ca.
Sign up for future Privacy Act Bulletins by subscribing to our RSS feed.
- Date modified: