Why think about privacy? A guide to the Privacy Impact Assessments process

Government institutions need to use personal information to do their jobs. Personal information, for example, is vital for processing employment insurance and income tax payments, tracking epidemics or determining who may pose a threat to national security.

Canadians appreciate the efficient delivery of important services that meet the public interest. But they can also feel violated when their personal information becomes public, or worse, falls into the wrong hands.

The Office of the Privacy Commissioner has the mission of protecting and promoting the privacy rights of Canadians.

The Office wants society and government to reap the benefits of quality public service while safeguarding the privacy of Canadians.

One key way federal institutions can do that is by conducting Privacy Impact Assessments, or PIAs. The process of doing a PIA helps an organization achieve the most effective program with the least impact privacy. A PIA should be undertaken early in the development of initiatives and activities to help ensure privacy risks are found and addressed head-on, as soon as possible. 

A proper PIA can help an organization gain and maintain the trust and confidence of Canadians.

And when it comes to your organization developing a privacy-sensitive program, the OPC is here to help. The OPC wants to be in a position to understand your initiative and make recommendations to mitigate risks to privacy. The Office can also offer advice before you get started. For example:

When is a PIA needed?
What is the proper format to use?
What kind of extra information is needed?

To answer these questions, the OPC has prepared an Expectations Document. It provides guidance on what type of information you need to complete a privacy impact assessment, and it tells you what the Office will be looking for when it conducts a review.      

It’s important to know that the OPC doesn’t approve PIAs.

Federal institutions prepare PIAs in accordance with the Treasury Board Secretariat Directive on PIAs

The OPC’s guidance complements this Directive.

According to it, a final copy of the approved core PIA is to be submitted to OPC at the same time it’s provided to Treasury Board Secretariat.

The Directive says that Secretariat officials will review the core PIA to ensure it includes the required documentation. They will also review and approve any Personal Information Bank descriptions to meet obligations under the Privacy Act.

While the OPC does not approve your work, the Office undertakes reviews PIAs along with their associated documents. The Office will offer you advice, comments, consultation and recommendations.

The respective roles of OPC and TBS are explained fully in the Expectations Document. On top of this, the document addresses four main topics for consideration:

• The four-part test;
• The ten privacy principles;
• Action plans;
• Guidance for multi-institutional PIAs; and
• Checklists for PIA formatting and associated documentation

First, the four-part test asks government departments to answer the following four questions to weigh reasonable limitations on rights and freedoms in a free and democratic society

The first part of the test determines if the proposed measure is demonstrably necessary to meet a specified need. The OPC asks for an account of how the collection, use and disclosure of personal information will be done in the least privacy invasive way possible.

Second, is the measure likely to be effective in meeting that need? The OPC seeks empirical evidence of how the proposed activities will address the stated need. This could be statistics, trial results, or something similar.

Third, is the loss of privacy proportional to the need? The OPC’s mission is to protect and promote the privacy rights of Canadians, so it wants to know that all repercussions have been considered.

And finally, is there a less privacy invasive option available? In other words, can the same goal be achieved in another way that uses less personal information at less risk? If not, the OPC would seek an explanation as to why that is not feasible.

Upon answering the questions in the four-part test, the security of information in the hands of government must also be demonstrated. This is where it’s useful to analyze the initiative’s risks against the ten universal privacy and fair information practice principles of the Canadian Standards Association Model Code for the Protection of Personal Information. These principles assess the architecture of the program and ensure that it is constructed with privacy in mind. The ten principles are:

• Accountability – There should be an administrative structure in place to oversee compliance with the principles. Institutions should include plans for proper training on privacy issues and evidence of consultation with legal departments and privacy information branches.
• Identifying Purposes - Institutions must demonstrate that the information they propose to collect is reasonable and necessary for the program or activity. The Privacy Act restricts the collection of personal information to that which relates directly to an operating program or activity.
• Consent –Generally, knowledge and consent of the individual are required for the collection, use, or disclosure of personal information.  But, of course, when it comes to the public sector, personal information may be collected by federal institutions without individual consent because the government has legislative authority to do so.
• Limiting collection - The collection of personal information shall be limited to that which is necessary for the identified purposes. Our office expects to see a clear justification of the need for each data element collected.
• Limiting use, disclosure and retention - Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by or provided for by legislation. In addition, personal information shall be retained only as long as is necessary to fulfil those purposes and in accordance with specific retention periods set-out in the Privacy Act Regulations.
• Accuracy - Personal information should be as accurate, complete, and up-to-date as necessary.
• Safeguards - Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
• Openness - Institutions shall make readily available to individuals information about policies and practices relating to the management of personal information.
• Individual Access - The Privacy Act gives individuals the right to access their own personal information in the hands of government, and to request that corrections be made.
• Challenging compliance - Institutions must have procedures must be in place to receive and respond to complaints or inquiries about policies and practices relating to the handling of personal information.

The ten principles assess the risks of a program in a thorough and logical way.

Ideally, government institutions should strive to provide evidence that each of the principles has been considered.

It’s important to note that the privacy risks you identify in a PIA should also be addressed in the overall Threat and Risk Assessment you prepare for an initiative.

The third section of the OPC’s Expectations Document addresses action plans. This recognizes that preparing a Privacy Impact Assessment isn’t a one-time event.

Rather, PIAs are only effective if risks are continuously identified and addressed over time. An action plan introduces timelines to assess and address risks, taking resources and time constraints into consideration. An audit or compliance assessment schedule should be part of an action plan so your institution can both report on its success and adjust it to account for new realities and developments.

A group or individual should be responsible for the action plan and it should be revisited on an ongoing basis and updated as situations warrant.

If the PIA is for multiple institutions working together, it is important for one institution to take a leadership role. This helps to ensure coherent communication with the OPC as well as the effective identification of the privacy risks amongst all institutions.

Finally, the Expectations Document includes two checklists to help you prepare the PIA. The first checklist covers what should be included to ensure a thorough assessment without the need to request more information.

• A cover letter signed at the appropriate level of authority.
• A detailed project overview including objectives, rationale, clients, approach, programs and/or partners involved.
• A list of all stakeholders and their roles and responsibilities.
• A list of all data elements that involve personal information and a related description of the data flow.
• A list of relevant legislation and policies to demonstrate legal authority for the collection of personal information.
• A privacy analysis identifying risks associated with the project.
• A detailed risk mitigation plan outlining measures that will address privacy risks, including any risks that cannot be addressed and why.
• An outline of a privacy-oriented communications strategy, if appropriate.
• Details on internal procedures relating to response to privacy breaches, access and correction requests, and complaints.

The second checklist specifies documents integral to an in-depth analysis. Without these documents, there is a chance of serious privacy risks going unidentified, potentially compromising the rights of Canadians:

• Project-specific policies and procedures.
• A summary of privacy risks identified in any Threat and Risk Assessment, and an account of action taken to address these risks.
• A copy of any legal instrument, agreement or Memorandum of Understanding that was used to define the rights and responsibilities.
• Copies of third party contracts pertaining to information haring.
• Copies of any forms used to collect personal information.
• Copies of any public education materials that have been created which deal with personal information management.

Once an organization examines its initiative through the lens of the four part test and ten privacy principles, and establishes an action plan, the OPC’s review of the PIA can begin.

First, the Office conducts a triage of the file to see if what level of risk it holds.

The OPC evaluates the nature of the information involved. For example, Is biometric data captured? Or is tombstone data involved?   

And the Office considers the overall risks posed to privacy.

PIA files are assigned to review officers who may contact you to arrange a consultation. Such meetings can help both the OPC and your organization establish a clear understanding of an initiative or possibly determine high risk elements that might otherwise be overlooked.

The review officer will also consult with OPC legal, policy or technical experts as needed.  

After this review, the OPC issues comments or recommendations and asks that you respond.

We’ve now just about reached the end of our time. In closing, please remember that the OPC encourages action on your part and discussion with the Office as early as possible in high-risk cases in order to share helpful advice quickly and directly as needed.

The OPC wants institutions to consider privacy concerns as early as possible to ensure they are discussed and dealt with before personal information is lost or leaked, privacy violated and trust diminished.

A privacy impact assessment helps you make informed decisions. And when you submit your PIA to the OPC, it leads to recommendations that strengthen privacy protection and as a result, your credibility in the eyes of Canadians.