Treasury Board of Canada, Secretariat - Government of Canada
Chief Information Officer Branch
Information, Privacy and Security Policy Division

Frequently Asked Questions - Privacy Impact Assessment (PIA) Policy


What is the PIA Policy, and why was it developed?
What legislation supports the PIA policy?
Under what circumstances must a PIA be developed?
How will departments apply the PIA Policy?
How will the PIA Policy be enforced?
Are PIAs new?
Are PIAs made public?
Was any consultation done for this Policy?
 

What is the PIA Policy, and why was it developed?
The Privacy Impact Assessment (PIA) Policy enhances the government's implementation of the federal Privacy Act by providing federal departments and agencies with a consistent framework to identify and resolve privacy issues during the design or re-design of programs and services.   The Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks will assist institutions in conducting assessments.

While the PIA Policy is new, federal departments and agencies already conduct assessments and take steps to ensure the protection of Canadians' privacy in transactions with the government.   The PIA Policy was developed to help federal departments and agencies better provide Canadians with assurance that their privacy is protected when they deal with the Government of Canada, whether they transmit their personal information in-person, by telephone, by mail or on-line.  This will be accomplished by documenting, publishing and maintaining PIAs for all programs and services where privacy issues may be inherent.

This is the first time a national government has made conducting PIAs a matter of official policy.  By taking a leadership role in privacy management, the Government of Canada reaffirms its commitment to privacy and its role as custodian of personal information.  Privacy protection is vital to the success of the Government On-Line initiative.

What legislation supports the PIA policy?
The PIA Policy, developed with input from the Office of the Privacy Commissioner, is based on privacy principles outlined in the Privacy Act. The Privacy Commissioner has publicly endorsed PIAs as a means of ensuring the protection of Canadians' personal information.

The Privacy Act sets out roles and obligations for departments, and the Treasury Board of Canada Secretariat is responsible for guiding departments and agencies on how they apply the principles contained within the Act.  The Office of the Privacy Commissioner has the mandate to investigate and respond to complaints related to the Act.

Link to Privacy Act on Department of Justice web site:
http://laws.justice.gc.ca/en/P-21/index.html

Under what circumstances must a PIA be developed?
Departments and agencies must conduct PIAs for proposals for all new programs and services that raise privacy issues.  For programs and services implemented prior to this policy, institutions must undertake assessments if they are substantially re-designing them; changing the way they are delivered; or transforming them for electronic service delivery in a manner that affects the collection, use or disclosure of personal information.

Institutions must initiate and define the scope of the PIAs in the early stages of the design or re-design of a program or service so as to influence the developmental process.  If the proposal involves any of the following, a Privacy Impact Assessment is required: 

  • a new or increased collection, use or disclosure of personal information, with or without the consent of individuals;
  • a broadening of target populations;
  • a shift from direct to indirect collection of personal information;
  • an expansion of personal information collection for purposes of program integration, program administration or program eligibility;
  • new data matching or increased sharing of personal information between programs or across institutions, jurisdictions or sectors;
  • development of or a new or extended use of common personal identifiers;
  • significant changes to the business processes or systems that affect the physical or logical separation of personal information or the security mechanisms used to manage and control access to personal information; or
  • the contracting out or devolution of a program or service to another level of government or the private sector.

How will departments apply the PIA Policy?
Detailed criteria on conducting a PIA are contained in the Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks.  These guidelines provide a step-by-step approach to the assessment process. The steps include project initiation, data flow analysis, privacy analysis and preparing the Privacy Impact Assessment Report.  Where programs and services involve cross-jurisdictional or cross-sectoral activities, PIAs assist institutions in identifying the requirements of the various pieces of legislation and ensure that the provisions of federal legislation and policies are respected.

Treasury Board of Canada Secretariat is also providing support to departments and agencies through a number of information sessions and workshops.  Other planned support includes templates, the development of best practices, an independent PIA expert and an e-learning tool.

How will the PIA Policy be enforced?
Treasury Board Secretariat (TBS) will monitor compliance with the PIA Policy in the context of the government-wide policies and guidelines pertaining to all aspects of project management.  TBS will undertake a comprehensive review of the provisions and operation of the policy within five years of its coming into effect.

Are PIAs new?
PIAs have been used as far back as the 1970s. They have more recently been used in the U.S., New Zealand, Hong Kong and elsewhere.  Several Canadian provinces have also adopted PIAs.   While the PIA Policy is new, federal departments and agencies already conduct assessments and take steps to ensure the protection of Canadians' privacy in transactions with the government.  This policy makes it mandatory for all federal departments and agencies to document, publish and maintain PIAs for all programs and services where privacy risks may be inherent.

Are PIAs made public?
Institutions must make summaries of the results of their PIAs available to the public in a timely manner, using plain language and in both official languages.  Institutions must routinely release summaries of their assessments, taking into account that:

  • there may be components that must be protected under the Access to Information Act or the Privacy Act;
  • in certain cases, assessments could contain information that would render systems or security measures vulnerable; or
  • in certain cases, assessments could refer to programs or services that have not been formally approved or announced.

The Internet and conventional publishing should be used to disseminate assessments and may include references and links to related documentation.

Was any consultation done for this Policy?
Extensive consultation took place with the Federal/Provincial Privacy Working Group, Treasury Board Secretariat policy centres, stakeholder communities and key interdepartmental committees including the Information Management/Information Technology Board (IMB), Treasury Board Senior Advisory Committee (TBSAC) and its Information Management Sub-committee.  The Office of the Privacy Commissioner also had input into the development of the PIA Policy.

