What are Privacy Impact Assessments?
Privacy Impact Assessments (PIAs) are used to identify the potential privacy risks of new or redesigned federal government programs or services. They also help eliminate or reduce those risks to an acceptable level.
Virtually all government institutions, as defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations, must conduct PIAs for new or redesigned programs and services that raise privacy issues.
PIAs take a close look at how government departments protect personal information as it is collected, used, disclosed, stored and ultimately destroyed. These assessments help create a privacy-sensitive culture in government departments.
When is a PIA required?
Under the Treasury Board of Canada Secretariat's (TBS) Directive on Privacy Impact Assessment (effective April 1, 2010), government departments must conduct a PIA in a manner that is commensurate with the level of privacy risk identified, before establishing any new or substantially modified program or activity involving personal information.
Specifically, a PIA is generally required when a government department:
- Uses or intends to use personal information in a decision-making process that directly affects an individual;
- Substantially modifies existing programs or activities where personal information is being used, or intended to be used, in a decision-making process that directly affects an individual;
- Contracts out or transfers a program or service to another level of government or the private sector resulting in substantial modifications to a program or activity;
- Substantially redesigns the system that delivers a program to the public; or
- Collects personal information which will not be used in a decision-making process that directly affects an individual but which will have an impact on privacy.
Who conducts PIAs?
Individual government departments and agencies conduct their own PIAs. An assessment team often includes experts in several areas, including legal services, privacy, access to information and information technology.
What fundamental principles guide PIAs?
Ten fundamental privacy principles should guide how a PIA is conducted:
Accountability: Each government department must put someone in charge of making sure privacy policies and practices are followed.
Identifying purposes: Canadians must be told why their personal information is being collected at or before the time of collection.
Consent: Canadians must give their consent to the collection, use, and disclosure of their personal information.
Limiting collection: Only information that is required should be collected.
Limiting use, disclosure and retention: Personal information can only be used or disclosed for the purpose for which it was collected. Further consent is required for any other purposes. Personal information should only be kept as long as necessary.
Accuracy: Government departments must make every effort to reduce the risk that incorrect personal information is used or disclosed.
Safeguards: Government departments must protect personal information from loss or theft. They must create safeguards to prevent unauthorized access, disclosure, copying, use or modification.
Openness: Government departments must make their privacy policies readily available to Canadians.
Individual access: Canadians have the right to ask to see any of their personal information held by government. They have the right to know who the information has been given to. They can challenge the accuracy of personal information and ask for corrections.
Challenging compliance: Canadians must be able to challenge a government department's privacy practices.
These principles are usually referred to as the "fair information principles" and are articulated in the Canadian Standards Association Model Code for the Protection of Personal Information. They are also included in the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private-sector privacy law. The OPC believes they should be enshrined in a reformed Privacy Act, which imposes obligations on federal government departments.
What steps are involved in a PIA?
Some of the key steps in a PIA include:
- Identifying all of the personal information related to a program or service and then looking at how it will be used;
- Applying the OPC's four-part test for necessity and proportionality to highly intrusive initiatives or technologies (see OPC's Expectations document for more information);
- Applying the ten privacy principles;
- Mapping where personal data is sent after it is collected;
- Identifying privacy risks and the level of those risks; and
- Finding ways to eliminate privacy risks or reduce them to an acceptable level.
How do PIAs protect my information?
A PIA is a tool that helps ensure privacy protection is a core consideration when a project is planned and implemented. PIAs are meant to describe and document what personal information is collected, how it is collected, used, transmitted and stored, how and why it can be shared, and how it is protected from inappropriate disclosure at each step. In short, it is a risk mitigation tool.