Privacy Impact Assessments (PIAs)

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

Advisory Committee on Information Management (ACIM) and small federal agencies

May 15, 2002
Ottawa, Ontario

Claude Beaulé
Acting Director, Privacy Impact Assessment

(Check Against Delivery)

---

I have been asked to speak to you today about Privacy Impact Assessments (PIAs) that are now required to be conducted on all government projects that involve the collection, use and disclosure of personal information, and the role of the Office of the Privacy Commissioner (OPC) in this process.

Many of you are quite familiar with the Office of the Privacy Commissioner - but for those who are not, the Privacy Commissioner is an independent guardian of the privacy rights of Canadians. This role includes overseeing and enforcing two federal privacy statutes; the Privacy Act that applies to all federal government institutions, and the new Personal Information Protection and Electronic Documents Act which extends personal data protection rights to the federally regulated private sector.

The OPC is responsible for ensuring that the gathering and handling of personal information, in the public or private sector, does not violate the privacy rights of Canadians. That means not only investigating and responding to complaints, but undertaking audits, conducting research into privacy issues, promoting public awareness and education, and providing advice to Parliament, government, and the private sector on privacy issues.

In short, we are a watch dog; charged with generally keeping a watchful eye on anything that may have an impact on the privacy rights of Canadians, which is why we, of course, have an interest in any government initiatives that involves the collection, use and disclosure of personal information.

Before going into detail about PIAs and the role of the OPC in conducting these reviews, I would like to talk briefly about what we mean when we speak of privacy.

In the context of information systems, the terms "confidentiality" and "security" are often thought of as synonymous with respecting privacy. These terms, however, are better understood as particular manifestations of the right to privacy.

The Privacy Commissioner defines privacy as "the right to control access to one's person and information about oneself." The right to privacy means that individuals get to decide what and how much information to give up, to whom it is given, and for what uses.

Confidentiality is different. It's the obligation of a custodian to protect the personal information that it has been entrusted with. A promise of confidentiality imposes a duty of care to maintain the secrecy of the information, and not to use or disclose the information for an unauthorized purpose.

Security is something else again. It's the process of assessing the threats and risks posed to information, and taking steps to protect the information against unauthorized or unintended access, use, intrusion, loss, or destruction.

The significance of the differences between these concepts is perhaps best illustrated by example. If you collect more personal information than is necessary to fulfill a specific purpose, or without and individual's consent, a fundamental principle of privacy will have been breached. Treating that information as confidential or having the best security system in place to protect that information will not change the fact that an individual's privacy has been violated.

So the distinctions are significant: privacy, a fundamental right; confidentiality, an obligation to protect information; and, security, the process of protection.

Exercising one's right to determine to whom and for what purpose information about ourselves will be shared with others, varies depending on the context of the communication.

In a commercial context, for example, parties are free to enter into transactions and define the terms of their relationship. To this extent, consumers are likely able to exercise a higher degree of control over their personal information than say in a transaction involving government. This is because, unlike businesses, governments have the power to coerce the collection of personal information from their citizens.

When a government agency or program needs personal information to carry out its mission, that information will be collected. Whether it is for Employment Insurance or other programs, such as Income Tax, firearms registry or census, individuals are not in a strong position to refuse to consent to the collection and use of their personal information. Indeed, in some cases, those who refuse to give up their information may not only lose a benefit, they may be fined or even sent to jail.

Therefore government has a special trust relationship with citizens - even greater than that demanded of private sector companies. For this reason, government must be particularly vigilant in maintaining the trust that citizens place in its ability to preserve their privacy, as well as the security and confidentiality of their records under its control.

Conducting a PIA is one very useful way that government institutions can honour that public trust, and in so doing earn the confidence of the citizenry. Winning the confidence of the citizenry, however, requires something more than just complying with the black letter of the law. It demands adopting practices and procedures that give effect to the principles underlying the right to privacy.

Since the Privacy Act came into force, government, and our society at large, have undergone revolutionary changes. In government, those changes find expression in the renewed focus on rationalising administrative structures to minimise waste and the incidence of duplication.

It finds expression in the trend towards partnering with other government and non-governmental organisations in the delivery of public goods and services to improve efficiency and effectiveness. And it finds expression in the marshalling of advanced data processing and communications technology in the service of those objectives.

These trends, which are altering the way governments do business, have significant implications for privacy. Delivering government programs across departments and jurisdictions, for example, will likely lead to merging databases, bringing walls down between agencies and programs, within government, and across levels of government.

That may sound good, but it must be remembered that those walls are also walls between collections of personal information. They are there for a reason.

One of the basic principles of privacy is that personal information collected for one purpose shouldn't be used for another without consent. The walls between banks of personal information are a sort of built-in way of ensuring that this principle is respected.

Information about individuals and their interactions with government is collected for specific uses. The separate databases it's held in-the "silos" as they are called-reflect the purposes that justified the collection and retention of the information in the first place.

Because the information is compartmentalized, there are some inefficiencies. There's some duplication. There are tantalizing questions that you could answer easily if you could just merge a couple of databases. But these inefficiencies are a trade-off for real benefits-very important ones, even if they're not immediately apparent.

Without those silo walls, someone with a need to know only one piece of information can have access to lots more than he or she needs or has any right to. If I surrender information in order to get a CPP disability pension, the only person who should have access to that information is someone with a demonstrable need for it, for the purposes I agreed to when I surrendered it. And that person doesn't need to know anything else about me. I can only count on that being the case when there are walls between the different banks of information.

Furthermore, if governments operate on an open platform, permitting the sharing of information between departments, there will be added difficulties for individuals knowing about or controlling the quality and distribution of the information about themselves. This means that individuals will have even less control over their personal information.

These are some of the reasons for silo walls. Another is that, without them, information can be combined-data can be matched-to reveal new information. That can lead to the tracking and profiling of citizens-and that's a distinguishing feature of surveillance societies.

Separate databases are a built in protection against such hazards to privacy. However, we accept that sometimes there is justification for matching personal information from different sources. Both the Privacy Act and the new private sector law allow it in certain exceptional circumstances. But those circumstances are strictly limited, and they have to be justified.

Increased reliance on non-governmental organizations to assist in the delivery of public services, and the merging of public and private databases, present another serious matter of concern. Again, we come to the issue of walls. The linkage of existing networks could eventually lead to one inter-operable system combining the information holdings of all sectors of society, both public and private.

Where information systems are connected there arises, particularly in the context of the electronic delivery of government services, the need for some common form of client identification and authentication mechanism. This constitutes yet another area of concern.

Authentication mechanisms are necessary for a networked economy, but they're fraught with problems. For example, the need to validate transactions could lead to larger accumulations of personal data for identity and authentication purposes.

It may also lead to the establishment of a new national identifier, or de-facto version of one. Such an identifier could come to constitute a key to unlocking the entire storehouse of personal information collected by government, and its private sector contractors. Governments would therefore be granted even greater opportunities to bring together information about more aspects of the affairs of individuals and for assembling personal profiles of their citizens.

It may also give rise to other potential risks to individuals, such as identity theft and unintended disclosures of personal information, if used by unauthorised persons.

Finally, of course, there is the potential threat to the security and confidentiality of information transmitted over public networks attendant to the provision of on-line services. While open to technical fixes, the added vulnerability of information held and transmitted in electronic form is nonetheless real and substantial.

These troubling scenarios underscore the need to ensure privacy is a primary consideration at the planning stage of any government initiative involving the collection, use and disclosure of personal information. As stated earlier, one way to do this, when you're designing projects, is to do a Privacy Impact Assessment.

A PIA is a tool that allows a department to forecast the impacts of a proposal on privacy, assess its compliance with privacy legislation and principles, and determine what's required to overcome the negative impacts.

We believe that Privacy Impact Assessments can serve six main purposes in the design, acceptance and implementation of any government proposal:

1. acting as an early warning and planning tool;
2. forecasting and/or confirming the impacts of a government proposal on the privacy of individuals and groups;
3. assessing the proposal's compliance with privacy protection legislation and principles (like the Privacy Act, PIPED Act and the CSA Model Privacy Code);
4. determining the actions and strategies required to avoid or overcome the negative impacts of the proposal;
5. avoiding the adverse publicity, the loss of credibility and public confidence, and the legal costs, remedies and sanctions that could result from a government proposal with negative impacts on Canadians' privacy; and
6. increasing Canadians' privacy awareness by informing them of the details of the proposal and by involving them in its design, acceptance and implementation.

However, we must not confound PIAs with privacy compliance audits. A privacy compliance audit simply focuses on legal compliance with the laws. A PIA is a risk assessment tool that goes beyond the legal tests in privacy law, which represent minimum acceptable practice.

It involves looking at all the personal information practices that go into the system, such as what kinds of information are collected, how consent is obtained, how and for how long the information is kept, how it's used, and who it's disclosed to.

It involves looking at things like the purposes and statutory authorities for collection, use, and disclosure, what kinds of linkages there will be between this and other information, and how individuals will be able to exercise their right of access to their information.

It involves identifying risks to privacy associated with a given program, information management system or technology, and coming up with solutions to avoid or at least mitigate those risks.

In sum, a PIA is the following:

• A feasibility study from a privacy perspective;
• A risk-management tool;
• A sensitisation instrument to help create an organisational culture of respect for privacy;
• And finally, a means of monitoring whether your methods of addressing privacy risks are working.

Just as environmental impact assessments are a regular feature of environmental proposals, it makes sense to evaluate technological initiatives for their privacy implications early on, and this is what PIAs are designed to do.

The conduct of a PIA is a shared responsibility. As the TB Policy states, they are co-operative endeavours, requiring a variety of skill sets, including those of program managers, technical specialists, and privacy and legal advisors. The deputy head of federal institution, departments or agency is responsible for determining if a PIA is required.

Of particular significance is the fact that this policy requires government bodies to inform the Office of the Privacy Commissioner of all PIAs being conducted and to send completed PIAs as soon as possible to our office for review.

By reviewing the documentation in co-operation with institutional officials, our office will then be able to provide advice and guidance to institutions and identify solutions to potential privacy risks.

Our role is not to approve or reject the projects that are assessed in the PIAs-our role is to assess whether or not departments have done a good job of evaluating the privacy impact of a project or proposal.

As well, formally involving a privacy oversight office in the process of assessing the privacy impact of new and modified government projects and proposals would be a first. It would make for a collaborative, non-judgmental way of promoting the goals of the Privacy Act. This kind of collaborative approach makes a great deal of sense.

We suggest, therefore:

• That you conduct an initial assessment of your project as early as possible;
• That you contact us directly with questions at an early stage - we can help you understand what we are looking for in a PIA; and
• That you send us the final PIA as soon as it is complete.

Let's look a little more closely at the kinds of questions you'd ask in an initial assessment of a given project. Will the proposal involve:

• a new or increased collection, use or disclosure of personal information, with or without the consent of individuals;
• a broadening of target populations;
• a shift from direct to indirect collection of personal information;
• an expansion of personal information collection for purposes of program integration, program administration, or program eligibility;
• new data matching or increased data sharing of personal information between programs or across institutions, jurisdictions, or sectors;
• development of new or extended use of common personal identifiers;
• significant changes to the business processes or systems that affect the physical or logical separation of personal information or the security mechanisms used to manage and control access to personal information; or
• the contracting out or devolution of a program or service to another level government or the private sector.

These are questions likely to alert you to possible violations of privacy. You also need to ask questions about the resources to deal with them-such as whether there's an accountability structure in place to deal with privacy issues.

Down the line, when you're reviewing the compliance of your systems with privacy legislation and principles, the Privacy Impact Assessment will prove an excellent tool for ensuring that those involved in the review-system operators, management, and representatives of the oversight body-understand each other and the system.

In summary, what will our office be looking for when in reviewing PIAs?

Several things:

• First of all, we will want to make sure that the department or agency has the legal authority to collect personal information.
• Next, we want to ensure that the PIA is very clear about the amount and type of personal information that will be collected, how it will be used, and if it will be disclosed to other departments or organisations.
• We will also be looking to see if the project involves data matching. In other words, will it involve combining unrelated personal information to create new information about individuals?
• And we will be reviewing the PIA to make sure that the personal information will be adequately protected.

Overall, we want to be able to assure ourselves that the PIA accurately identifies all the privacy risks associated with the project and that appropriate measures are being proposed to avoid or minimise these risks.

If done right, a PIA is a way to avoid extra costs, adverse publicity and the loss of credibility and public confidence that could result from a proposal that is not privacy friendly. A PIA is also a way to raise awareness and understanding of privacy principles both internally and among citizens. It is a way, as stated earlier, that government institutions can honour the trust conferred upon them to respect the privacy rights of the citizenry, and win their confidence.

How will our office operate?

Our comments are not intended to be made public, but are intended as guidance and advice to the department.

We have been working on developing our review procedures for several months in anticipation of the official launch of the policy.

The Privacy Commissioner will be informed of every PIA when we receive it.

We have created a unit specifically to review PIAs with senior members of OPC staff.

We certainly understand the need for a quick turnaround and we don't want to delay projects.

We encourage departments and agencies to contact us as early as possible so that any potential trouble spots can be identified at an early stage.