PRIVACY IMPACT ASSESSMENT (PIA) WORKSHOP Part A: Getting Started



2
PRIVACY IMPACT ASSESSMENT (PIA) WORKSHOP Part A
Getting Started
  • Claude Beaulé
  • Privacy Consultant, Quebec, Canada
  • September 27, 2007

3
Introduction
  • Role and responsibilities of the Office of the
    Privacy Commissioner of Canada (OPC) under
    Canada's Privacy Impact Assessment (PIA) Policy,
    which took effect May 2002.
  • OPC's PIA review process and the challenges posed
    by the implementation of the PIA Policy.
  • Capacity of the OPC to respond to PIA challenges

4
PIA Policy Requirements
The Government of Canada PIA Policy requires
federal departments and agencies:
  • to conduct PIAs (or preliminary PIAs if
    warranted) for all new or modified programs or
    services that raise privacy issues;
  • to consult with the OPC at the early stages of
    the development of new programs and initiatives;
  • to provide copies of their final PIAs to the OPC
    before they implement programs or services; and
  • to publish the results of their PIAs on their
    department websites.

5
Role of the OPC
  • Under the PIA Policy, the OPC is mandated to
    receive final copies of PIAs, and may provide
    comments and recommendations if warranted.
  • The provision of advice to submitting departments
    and agencies remains at the discretion of the
    Privacy Commissioner.

6
Role of the OPC (cont'd)
  • The role of the OPC is not to approve or reject
    projects that are described in PIAs, but to
    assess whether or not departments have done a
    good job of evaluating the impacts on the
    protection of personal information and that their
    projects and activities are respectful of the
    privacy rights of Canadians.
  • By reviewing PIAs, the OPC is able to provide
    advice and guidance to institutions and identify
    solutions to eliminate or mitigate potential
    privacy risks. In some cases, the OPC may make
    recommendations for significant changes.

7
OPC's review of PIAs
  • In conducting its review, the OPC assesses the
    PIA report for:
  • 1. Completeness
  • rationale and legal authority for the project;
  • description of the business process;
  • description of the personal information involved
    and data flow;

8
OPC's review of PIAs (cont'd)
  • description of the information security
    infrastructure associated with the project;
  • inclusion of necessary background documentation
    (e.g., TRAs, MOUs, contracts, etc.);
  • an implementation schedule for the project;
  • an action plan to address privacy issues; and
  • a communications strategy, where appropriate.

9
OPC's review of PIAs (cont'd)
  • 2. Quality of the Privacy Analysis
  • that all the salient privacy risks and the
    associated implications of those risks have been
    correctly identified in the report; and
  • that the proposed remedies or mitigation
    strategies to deal with those risks are
    reasonable and appropriate.

10
OPC's review of PIAs (cont'd)
  • If the OPC concludes at the end of its review
    that the PIA lacks certain data or that the
    privacy risks have not been adequately considered
    or dealt with, it will inform the department.
  • The OPC may provide comments and recommendations
    to the department. However, the final decision
    on whether to implement those recommendations
    rests with the department.

11
General comment
  • In my view, the most significant benefit that can
    be attributed to the PIA Policy is
  • the increased awareness among government
    personnel at all levels of the importance of
    privacy and how it impacts on their day-to-day
    functions.
  • Privacy is truly becoming a core consideration in
    the conception, design, and implementation of
    federal government programs and services, which
    is the purpose of the PIA Policy.