Privacy Impact Assessments
What are Privacy Impact Assessments?
Privacy Impact Assessments (PIAs) are used to identify the potential privacy risks of new or redesigned federal government programs or services. They also help eliminate or reduce those risks to an acceptable level.
Virtually all government institutions, as defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations, must conduct PIAs for new or redesigned programs and services that raise privacy issues.
PIAs take a close look at how government departments protect personal information as it is collected, used, disclosed, stored and ultimately destroyed. These assessments help create a privacy-sensitive culture in government departments.
When is a PIA required?
Under the Treasury Board of Canada Secretariat’s (TBS) Directive on Privacy Impact Assessment (effective April 1, 2010), government departments must conduct a PIA in a manner that is commensurate with the level of privacy risk identified, before establishing any new or substantially modified program or activity involving personal information.
Specifically, a PIA is generally required when a government department:
- Uses or intends to use personal information in a decision-making process that directly affects an individual;
- Substantially modifies existing programs or activities where personal information is being used, or intended to be used, in a decision-making process that directly affects an individual;
- Contracts out or transfers a program or service to another level of government or the private sector resulting in substantial modifications to a program or activity;
- Substantially redesigns the system that delivers a program to the public; or
- Collects personal information which will not be used in a decision-making process that directly affects an individual but which will have an impact on privacy.
Who conducts PIAs?
Individual government departments and agencies conduct their own PIAs. An assessment team often includes experts in several areas, including legal services, privacy, access to information and information technology.
What is the role of the Office of the Privacy Commissioner?
The Office of the Privacy Commissioner (OPC) may consult with departments before or during the development of PIAs to ensure privacy issues are clearly understood. The OPC can offer advice and suggest solutions to potential privacy risks.
Government departments must submit final PIA reports to the OPC before they implement programs or services. The OPC may not undertake in-depth reviews of all PIAs it receives as it may focus on initiatives that, in its view, pose the greatest risk to privacy. Pursuant to the Directive, the Privacy Commissioner may request further analysis or additional information from departments to complete its review of a PIA. The OPC may provide comments and recommendations in the form of letters of recommendation to departments; however, the final decision on whether to implement those recommendations rests with the department.
In March 2011, the OPC published a guidance document, “Expectations: A Guide for Submitting Privacy Impact Assessments to the Office of the Privacy Commissioner of Canada”, to set out its expectations regarding the type and depth of information that should be provided by government institutions when submitting final PIA reports to its office.
While PIAs are currently required under government policy set by the Treasury Board of Canada Secretariat, the Privacy Commissioner has called for the process to be required under law as part of a broader Privacy Act reform. The Commissioner supports the PIA Directive, but believes turning it into law would make it stronger.
What fundamental principles guide PIAs?
Ten fundamental privacy principles should guide how a PIA is conducted:
Accountability: Each government department must put someone in charge of making sure privacy policies and practices are followed.
Identifying purposes: Canadians must be told why their personal information is being collected at or before the time of collection.
Consent: Canadians must give their consent to the collection, use and disclosure of their personal information.
Limiting collection: Only information that is required should be collected.
Limiting use, disclosure and retention: Personal information can only be used or disclosed for the purpose for which it was collected. Further consent is required for any other purposes. Personal information should only be kept as long as necessary.
Accuracy: Government departments must make every effort to reduce the risk that incorrect personal information is used or disclosed.
Safeguards: Government departments must protect personal information from loss or theft. They must create safeguards to prevent unauthorized access, disclosure, copying, use or modification.
Openness: Government departments must make their privacy policies readily available to Canadians.
Individual access: Canadians have the right to ask to see any of their personal information held by government. They have the right to know who the information has been given to. They can challenge the accuracy of personal information and ask for corrections.
Challenging compliance: Canadians must be able to challenge a government department’s privacy practices.
These principles are usually referred to as the “fair information principles”, and are articulated in the Canadian Standards Association Model Code for the Protection of Personal Information. They are also included in the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law. The OPC believes they should be enshrined in a reformed Privacy Act, which imposes obligations on federal government departments.
What steps are involved in a PIA?
Some of the key steps in a PIA include:
- Identifying all of the personal information related to a program or service and then looking at how it will be used;
- Applying the OPC’s four-part test for necessity and proportionality to highly intrusive initiatives or technologies (see OPC’s Expectations document for more information);
- Applying the ten privacy principles;
- Mapping where personal data is sent after it is collected;
- Identifying privacy risks and the level of those risks; and
- Finding ways to eliminate or reduce privacy risks to an acceptable level.
How do PIAs protect my information?
A PIA is a tool that helps ensure privacy protection is a core consideration when a project is planned and implemented. PIAs are meant to describe and document what personal information is collected, how it is collected, used, transmitted and stored, how and why it can be shared, and how it is protected from inappropriate disclosure at each step. In short, it is a risk mitigation tool.
Since the implementation of a PIA Policy for the Government of Canada in 2002, PIAs have helped to improve the overall awareness of privacy within government institutions. Their conduct has helped to focus attention on the potential privacy issues of a number of government programs. The whole process provides a greater level of protection for the personal information that Canadians give to the federal government. A well-functioning PIA practice is key for a sound privacy management framework.
Who can look at PIA reports?
Summaries of PIAs, written in easy-to-understand language and in both French and English, must be made available to the public by government departments and agencies.
More detailed information
TBS is responsible for the government’s PIA policy. PIAs are explained in greater detail on TBS’s web site. Some key documents are:
“The Privacy Impact Assessment: Your GPS Through the New Landscape of Privacy Protection”, speech by Assistant Privacy Commissioner of Canada.
Updated in December 2011