Sharing Canada’s Experience on Privacy Impact Assessments with Europe

Radio Frequency Identification Privacy Impact Assessment Framework conference

February 8, 2012
Brussels, Belgium

Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Delivered via video message)

(Check against delivery)


Good morning everyone. First of all, while I’m sorry I can’t be with you in person, I’m pleased to share thoughts on our Office’s experience with privacy impact assessments.

Privacy impact assessments, or PIAs, have been a requirement for federal Departments and Agencies embarking on initiatives involving the collection of personal information for nearly a decade.

PIAs are valuable because they compel developers to put privacy at the forefront of their thinking. Whereas before, problems would only come to light through complaints to our office once an initiative was already active, PIAs enable risks to be identified early in development, so they can be mitigated before any collection takes place.

In my message today, I am going to discuss:

  • our unique experience with Privacy Impact Assessments; and
  • their benefits for our work and for Canadians.

I also want to convey the importance of:

  • emphasizing training and accountability;
  • providing guidance to developers;
  • encouraging early action; and
  • underlining how the process benefits the organization itself.

Before getting to that, I want to note some key differences between PIAs in Canada and how they’re envisaged within your framework. While the European framework deals with private sector developers, in Canada, PIAs are required for federal public sector initiatives. While our office encourages private sector organizations to complete Privacy Impact Assessments, they’re not required by law.

In doing these, government Departments need to demonstrate to our Office that they have analyzed their initiatives to determine:

  • what personal information will be collected;
  • the purposes for its use;
  • the potential risks to privacy; and
  • how they will be mitigated.

While the Canadian experience is based on assessments done with regard to public sector initiatives, many important elements can be transposed to private sector work as well.

In Canada, our Office’s role is to review assessments and provide advice on how developers can modify plans to better protect and respect privacy. In many cases, Departments are grateful for our advice and follow it accordingly. However, our advice is not binding. Nonetheless, the fact that Departments need to provide us with their Assessments is extremely beneficial.

The information we gain on new initiatives is invaluable. As noted, we have the opportunity to provide analysis and advice, often leading to more privacy-friendly initiatives. And by gaining insight on everything the government’s planning involving personal information collection; we’re able to discover systemic trends, which inform our audit, investigation, policy and public education priorities.

A further benefit flowing directly to the public is the fact that government Departments and agencies need to post summaries of Privacy Impact Assessments on their websites. Thanks to this transparency requirement, all stakeholders and citizens are provided with insight on how new initiatives will affect privacy. As a result, Departments have further incentive to demonstrate their respect for a value Canadians cherish.

Now, as I’ve already noted, there are some important differences between Canada’s PIA regime and the technology-specific Framework for Europe. That said, I’m happy to provide some advice based on our experience. As with Canada, I note that your framework calls for applications being graded in order to determine the level of examination required. This is similar to Canada, where the first step in the process is a risk identification and categorization exercise determining the appropriate depth of assessment.

Of course, an organization may be reluctant to make a major investment in training several employees. And this is where an emphasis on accountability can help matters. For example, in Canada, we call on Departments and agencies to designate one individual or small group to be accountable for the organization’s compliance with privacy principles. This includes responsibility for establishing a Privacy Impact Assessment development and approval process. If Europe were to follow a similar path, companies would be encouraged to streamline their training costs and develop the specialisation to bring coherence and consistency to their privacy operations.

Of course, the more “free” guidance data protection authorities can provide; the better. This is why our Office actively offers guidance to Departments on how to prepare assessments with quality and thoroughness. For example, our Office offers annual workshops, providing hands-on advice toward preparing assessments with quality and thoroughness.

We also offer a publication, called Expectations, which serves as a guide for Departments and agencies. It provides insight into what our Office looks for in them. It also conveys a sense of the wider importance of Privacy Impact Assessments. In other words, it underlines the fact that these assessments are about more than fulfilling an administrative process. That, in fact, they’re about meeting the public interest and preserving the trust which ideally underlies the relationship between state and citizen. Consequently, we advise you to look for ways to provide developers the knowledge they need to both meet the needs of the process, and understand the opportunity they have to build consumer trust.

We also advise you to focus providing guidance beyond the initial assessment. Just as your framework recognizes the need for developers to update their Assessments when they make further developments to their products, a similar “evergreen” approach is used in Canada, and our office recommends devising a schedule to inform when an assessment should be revisited. In other words, provide specifics on when companies should examine them to determine if they should be updated.

And finally, use whatever leverage you have to ensure the process starts as early as possible. The earlier an issue is discovered, the easier and less expensive it will be to resolve. As we all know, privacy needs to be central to, and at the forefront, of planning. Early PIA action helps to realize this objective and, as our experience shows, it can help avoid negative events.

As I’m sure many of you can imagine, as the northern neighbor to the United States, Canada’s past decade has included several new initiatives that seek to meet national security and trade priorities while impacting privacy. In fact, many of these involved the use of RFID technology. For example, the development of electronic passports and enhanced driver’s licences, which contain chips that can be read when a car is queued at a border checkpoint to ostensibly speed-up inspection rates and traffic flow.

And it’s with regard to enhanced driver’s licenses that I can share a story which very strongly articulates the need and usefulness of beginning Privacy Impact Assessment work and getting DPAs involved as early as possible. In 2007, the Canada Border Services Agency was working with the United States Department of Homeland Security on establishing the infrastructure to put enhanced drivers licences into operation. During the program’s trial phase, it was agreed that the data files of thousands of Canadians, would be provided to the Department Homeland Security for storage in its databases. Particularly given the existence of the U.S.A. PATRIOT Act, this decision was very troubling when it came to privacy.

Thankfully, this plan came to light at a meeting to kick-off the privacy impact assessment process, which our Office attended. And thanks to us learning this, we were able to note that the transfer of data was both highly invasive and unnecessary to achieve the program’s goals. As a result, no mass transfer of Canadians’ personal information to the US database took place. And so today, when an enhanced driver’s license is scanned by Homeland Security, its database pings one housed in Canada, which provides access to verify the single file in question.

If not for the existence of a mandatory Privacy Impact Assessment process, however, things could have been very different. And without early notice, had the wholesale transfer of data proceeded as initially planned, it would have been extremely costly, perhaps even prohibitively so, to reverse such an action.

In closing, now, let me thank you once again for this opportunity. I’d like to note that we’ll continue following developments on this initiative, and that a representative from my Office is registered to attend the PIA Framework Project Consortium’s April workshop in Sopot, Poland.

Furthermore, I noted with interest that the draft General Data Protection Regulation which became available in December proposed the wider use of Privacy Impact Assessments within the EU. And should there be a need, please know that my Office is open to further exchange on this topic. As we all know, issues impacting privacy don’t discriminate based on nationality. Rather, they affect all people and so transcend borders. This is why I look forward to continued learning and collaboration between our jurisdictions for mutual benefit.

Thank you once again, and please accept our best wishes for both a productive conference and successful implementation of the Framework.

Date modified: