The guidelines are intended to provide a comprehensive framework for the
completion of a Privacy Impact Assessment (PIA). They convey practical advice on
the application of the Government of Canada's Privacy Impact Assessment
Policy.
A PIA is a process that helps departments and agencies determine whether new
technologies, information systems and initiatives or proposed programs and
policies meet basic privacy requirements. It also assists government
organizations to anticipate the public's reaction to any privacy implications of
a proposal and as a result, could prevent costly program, service, or process
redesign.
A checklist to determine when to do a PIA:
1. Are you:
   - designing a new program or service,
   - making significant changes to an existing program or service, or
   - converting from a conventional service delivery mode to an electronic service delivery mode and you have outstanding privacy issues and no PIA?
2. Does the program require you to collect, use or disclose any personal information, such as name, address, age, identifying number, educational, medical or employment history, etc.?
3. Will the program require that you collect, use or disclose more personal information or more sensitive personal information than in the past? Are you shifting from informed consent to indirect collection of personal information?
4. Will it be necessary to develop mechanisms to notify individuals about their privacy rights or to obtain the consent of individuals to collect, use and/or disclose their personal information?
5. Will the program require you to collect personal information from other programs within your institution, other institutions, other governments or the private sector?
6. Will the personal information generated by the program be used in decision-making processes that directly affect individuals, such as eligibility for programs or services or in enforcement activities?
7. Will the personal information generated by the program be used for any other purposes, including research and statistical purposes?
8. Will the personal information be shared with any other organizations for any purposes other than those for which it was originally collected?
9. Are you introducing new common client identifiers or using the SIN without any legislative authority?
10. Do you anticipate that the public will have any privacy concerns regarding the proposed program or service?
11. Are you introducing changes to the business systems or infrastructure architecture that affect the physical or logical separation of personal information or the security mechanisms used to manage and control access to personal information?
The Privacy Impact Assessment Guidelines are based upon the
universal privacy principles identified in the Canadian Standards Association's Model
Code for the Protection of Personal Information in addition to federal
privacy legislation and policies.
The PIA process is similar to a continuous risk management approach and
includes planning, analysis and education activities and has four core
components:
- Project initiation
- Data flow analysis
- Privacy analysis
- Privacy impact analysis report
Conducting a PIA is a cooperative process that brings together a variety of
skill sets to identify and assess privacy implications. The PIA process is meant
to be adapted to fit a particular departmental application.
A choice of two questionnaires is provided in the Privacy Analysis section,
one to accommodate federal programs and services and a second designed for
cross-jurisdictional initiatives.
Goals of a Privacy Impact Assessment
A key goal of the PIA is to effectively communicate the
privacy risks not addressed through other departmental mechanisms. The PIA is
intended to contribute to senior management's ability to make fully informed
policy, system design and procurement decisions.
Specific goals of a PIA include:
- Building trust and confidence with citizens;
- Promoting awareness and an understanding of privacy issues;
- Ensuring that privacy protection is a key consideration in the initial
framing of a project's objectives and activities;
- Identifying a clear accountability for privacy issues so that it is
incorporated into the role of projects managers and sponsors;
- Reducing the risks of having to terminate or substantially review a
program or service after its implementation in order to comply with
privacy requirements;
- Providing decision-makers with the information necessary to make
informed policy, system design or procurement decisions based on an
understanding of the privacy risks and the options available for
mitigating those risks; and
- Providing basic documentation on the business processes and flow of
personal information for common use and review by the department's staff
and as the basis for consultations with stakeholders, specifications,
information privacy procedures, and communications.
These guidelines aim to present a comprehensive framework to conduct a
Privacy Impact Assessment (PIA). The PIA ensures that privacy principles and
legislation are considered and adhered to throughout the lifecycle of a new
program, service or initiative and where appropriate, for existing initiatives
undergoing service transformation or redesign. Refer to the policy
at http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paip-pefr_e.asp.
The following chart summarizes the different steps of the PIA process.
![steps of the PIA process](/web/20061201202247im_/http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/piapg-pefrld-1_tm_e.gif)
What is a PIA?
A Privacy Impact Assessment is a process to determine the impacts of a
proposal on an individual's privacy and ways to mitigate or avoid any adverse
effects.
Step 1: Project Initiation
One of the first steps is to determine the scope of the PIA and to adapt the
tools provided in the guidelines to the context.
If the initiative is at the early concept or design stage and detailed
information is unknown, then departments and agencies should consider conducting
a Preliminary Privacy Impact Assessment (Preliminary PIA). Once
the initiative evolves and there are privacy risks, departments and agencies are
required to conduct a full PIA.
Preliminary PIAs may also be conducted in unusual cases where upon reviewing
the policy and guidelines and obtaining expert advice, the need for a PIA
remains ambivalent.
A PIA is a dynamic process and as design changes occur in the business
processes, the PIA should also be reviewed and updated.
Step 2: Data Flow Analysis
This activity involves a description and analysis of the business processes,
architecture and detailed data flows contemplated for the proposal. The purpose
of this step is to depict the personal information flows.
Step 3: Privacy Analysis
The privacy analysis examines the data flows in the context of applicable
privacy policies and legislation. Questionnaires are used as a checklist that
facilitates the identification of major privacy risks or vulnerabilities
associated with the proposal.
There are two sets of questionnaires provided in the guidelines. Please refer
to Questionnaire A (federal programs and services) and Questionnaire B
(cross-jurisdictional initiatives) in the Annexes.
Step 4: Privacy Impact Analysis Report
Building upon the outcomes from the previous steps, this is the final and
most critical component of the privacy impact assessment process. This is a
documented evaluation of the privacy risks and the associated implications of
those risks along with a discussion of possible remedies or mitigation
strategies.
The PIA report is designed as an effective communications tool used by a
variety of stakeholders.
Common privacy risks associated with improved service delivery include:
- Data profiling/data matching: combining unrelated personal information obtained from a variety of sources to create new information about an individual, or using information about an individual's preferences and habits to build a profile of the individual.
- Transaction monitoring: observing or tracking the history of an individual's interaction with one or more programs or services. This usually results in the creation of new personal information describing an individual's overall experience with one or more programs.
- Identification of individuals: electronic service delivery generally requires identification of an individual and authentication of their identity as a way of managing security risks. Surveillance risks exist where the use of common identifiers or identification systems facilitates data sharing, profiling or transaction monitoring.
- Physical observation of individuals: tracking the movement or location of an individual through the use of vehicle transponders, satellite locators, cameras or mechanisms for recording an individual's use of kiosks.
- Publishing or re-distribution of public databases containing personal information: electronic publishing frequently eliminates the practical limits on misuse of information that exist in manual form, since electronic information can easily be manipulated and used for purposes entirely unrelated to its intended use.
- Lack of, or doubtful, legal authority: failure to identify clear program authority to collect, use or disclose personal information raises concerns about whether an initiative should be undertaken, both on the privacy front and with respect to the Charter of Rights and Freedoms Act.
The very first step of the PIA process is to determine whether it is
required.
The first question a departmental official needs to ask in determining
whether to conduct a PIA is, "Is personal information being collected, used
or disclosed in this initiative?"
If the answer is "no" then a PIA is not warranted.
If the answer is "yes" or "maybe", departmental officials
should then examine the checklist provided on the first page of the guidelines
and the list of indicators in the Project Initiation section of the Privacy
Impact Assessment Policy at:
http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paip-pefr_e.asp.
The primary rationale for choosing to conduct a Preliminary PIA instead of a
full PIA is that a proposal is at an early design stage and lacks sufficient
information to conduct a full PIA. In exceptional circumstances, a Preliminary
PIA can also be conducted if there appears to be uncertainty whether the
proposal involves privacy issues. Since the PIA is a continuous process that
requires updating to reflect program, service or system changes, the results of
a Preliminary PIA should facilitate developing a full PIA.
The Preliminary PIA will not be as comprehensive as the PIA but will serve to
indicate to departmental program managers whether or not there are significant
privacy risks for a proposal. Refer to Annex B for an example of a Table of
Contents for a Preliminary PIA.
The minimal amount of information to be included in a Preliminary PIA is
described in the PIA Policy at: http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paip-pefr_e.asp.
Refinement of the privacy impact assessment tool is an ongoing process.
Representatives from departments and agencies are encouraged to adapt it to fit
their particular needs.
Project Charters, plans and the business case as required by
the Enhanced Management Framework at: http://www.tbs-sct.gc.ca/emf-cag/
should be used to determine the scope of the PIA and to situate all PIA team
members into the proper context. These documents also form the basis of the
written description of the proposal.
By conducting a Preliminary PIA, institutions can also estimate their
resource requirements, including the knowledge and skills needed to develop and
maintain the PIA.
Generic or Overarching PIAs
As stipulated in the PIA Policy, departments and agencies should
consider undertaking generic or overarching PIAs where proposals are similar or
interrelated because individual PIAs would be a duplication of effort. An
example of this situation is the use of one overarching PIA in lieu of
conducting individual PIAs to cover a number of statistical survey requirements
that have almost identical collection, use and disclosure processes. Generic
PIAs may also apply to the current Government On-Line service clusters and
portals.
The nature and extent of resources required for a PIA will vary depending on
the scope and complexity of the proposal.
Accountability for compliance with privacy requirements rests with deputy
heads of an institution. Consequently, a deputy head may choose to designate a
senior executive such as the senior privacy coordinator.
Involvement of the departmental senior privacy coordinator will facilitate
the communications with the Privacy Commissioner's Office and help zero in on
privacy risks.
The completion of a privacy impact assessment may need to draw upon a wide
range of skill sets that would likely include:
- Privacy expertise: to provide advice and recommendations with respect to relevant program statutes, the Privacy Act and the Access to Information Act, privacy issues, current privacy developments, national and international privacy standards, etc.
- Legal expertise: to provide advice and recommendations with respect to privacy and program authorities, institutional oversight mechanisms and potential conflicts where multiple statutes or jurisdictions are involved, etc.
- Operational program and business design skills: to examine proposals in terms of business flow and context, stakeholder analysis, public/private partnerships, governance structures and feasibility in terms of mitigation strategies, etc.
- Technology and systems expertise: to provide technical and systems advice on mainframe and legacy systems, Internet tools and system interfaces, information security, technical architecture and data flows, etc.
- Information and records keeping skills: to provide advice on how records are kept and the retention of information.
It is important to recognize that only one individual should be
assigned responsibility for the co-ordination and completion of the PIA. For a
cross-jurisdictional initiative, the multi-disciplinary approach will likely
involve individuals from each of the jurisdictions.
To assess the overall effectiveness of the policy and guidelines, departments
and agencies may choose to involve their internal auditors. Please read the
policy section referring to Institution Officials at:
http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paip-pefr_e.asp.
The essential starting point in any PIA is the description and analysis of
the business context, the information flows involved in program delivery and the
systems and infrastructure architectures. Business process diagrams permit a
graphical description of the proposed business processes. The data flow tables
describe the collection, use and disclosure of personal information in the
business process. System and infrastructure architectures document any physical
or logical separation of personal information or security mechanisms that
prevent improper access to personal information or maintain any required
separation.
Any business activity associated with a program involves the management of
information and consists of four elements:
- information collection
- transaction processing
- the results of transaction processing (e.g. a decision or issuance of a benefit)
- the record of the foregoing three elements.
A Business Flow Diagram simply identifies how information flows through the
organization as a result of a particular business activity or activities. At a
minimum, the diagram should identify, at a general level, the major components
of the business processes and how personal information is collected, used,
disclosed and retained through this process.
This diagram may be prepared using any of a number of methodologies,
depending on the nature and complexity of the proposal. However, since the
diagram is a critical communications vehicle, the instrument selected should be
readily understood by officials from various backgrounds.
System and Infrastructure architecture diagrams and information can also be
used to analyze inherent privacy risks based on the design of the program or
service.
While a diagram provides the "big picture" of a particular business
activity, the details needed to conduct a privacy impact assessment are derived
from the construction of a detailed Data Flow Table. These tables are based on
the diagram below and follow each data element or cluster from collection, use,
disclosure and to disposition. The following example is intended to illustrate
the concept.
Data Flow Tables
| Description of personal information cluster | Collected by | Type of format (e.g. paper, electronic) | Used by | Purpose of collection | Disclosed to | Storage or retention site |
|---|---|---|---|---|---|---|
| | | | | | | |
| | | | | | | |
| | | | | | | |
In describing the data cluster please ensure that you identify and describe
all the personal data elements.
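The Data Flow Table lends itself to being kept as structured data rather than a Word table, so that the checks an analyst would otherwise do by eye can be repeated every time the business process changes. The following script is an added example, not part of the TBS guidelines: it models the seven columns described above, and over a set of constructed sample rows flags (a) a disclosure to a party that is neither the collector nor a documented user, which under the questionnaire would need its own authority, (b) a common identifier (here the SIN, treated as a common client identifier by assumption) that appears in more than one cluster and therefore enables data matching or profiling, and (c) rows with no purpose or retention site recorded. The party names, clusters and thresholds are all constructed for illustration.

```python
"""Data Flow Table as structured data with automated privacy checks.

Added example, not part of the TBS PIA guidelines. The columns mirror the
Data Flow Table in the guidelines; the sample rows are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumption: the SIN is the common client identifier of concern. Extend as needed.
COMMON_IDENTIFIERS = {"SIN"}


@dataclass
class DataFlowRow:
    """One row of the Data Flow Table: a cluster of personal data elements."""
    cluster: str                      # Description of personal information cluster
    elements: list[str]               # Every personal data element in the cluster
    collected_by: str                 # Collected by
    fmt: str                          # Type of format (e.g. paper, electronic)
    used_by: list[str]                # Used by
    purpose: str                      # Purpose of collection
    disclosed_to: list[str] = field(default_factory=list)  # Disclosed to
    retention_site: str = ""          # Storage or retention site


def analyse(rows: list[DataFlowRow]) -> list[tuple[str, str, str]]:
    """Return (kind, cluster, message) findings for the table.

    kinds: "incomplete" (missing elements/purpose/retention),
           "disclosure" (party not a documented collector or user),
           "linkage" (common identifier present in several clusters).
    """
    findings: list[tuple[str, str, str]] = []
    identifier_clusters: dict[str, list[str]] = {}

    for row in rows:
        if not row.elements:
            findings.append(("incomplete", row.cluster, "no personal data elements listed"))
        if not row.purpose.strip():
            findings.append(("incomplete", row.cluster, "purpose of collection not recorded"))
        if not row.retention_site.strip():
            findings.append(("incomplete", row.cluster, "storage or retention site not recorded"))

        # A disclosure outside the documented collector/users is a secondary
        # disclosure: the questionnaire asks for consent or a specific authority.
        for party in row.disclosed_to:
            if party != row.collected_by and party not in row.used_by:
                findings.append(("disclosure", row.cluster,
                                 f"disclosed to '{party}', which is not a documented user; "
                                 "consent or specific authority must be identified"))

        for element in row.elements:
            key = element.strip().upper()
            if key in COMMON_IDENTIFIERS:
                identifier_clusters.setdefault(key, []).append(row.cluster)

    # The same common identifier in two clusters lets the records be linked,
    # which is the data matching / profiling risk the guidelines describe.
    for ident, clusters in identifier_clusters.items():
        if len(clusters) > 1:
            findings.append(("linkage", ", ".join(clusters),
                             f"{ident} appears in more than one cluster; data matching or "
                             "profiling across these clusters is possible"))
    return findings


def to_markdown(rows: list[DataFlowRow]) -> str:
    """Render the rows in the column layout of the guidelines' Data Flow Table."""
    header = ("| Description of personal information cluster | Collected by | Type of format "
              "| Used by | Purpose of collection | Disclosed to | Storage or retention site |")
    lines = [header, "|---|---|---|---|---|---|---|"]
    for r in rows:
        lines.append(f"| {r.cluster} ({', '.join(r.elements)}) | {r.collected_by} | {r.fmt} "
                     f"| {', '.join(r.used_by)} | {r.purpose} | {', '.join(r.disclosed_to)} "
                     f"| {r.retention_site} |")
    return "\n".join(lines)


# Constructed sample rows (not from any real program).
SAMPLE_ROWS = [
    DataFlowRow("Applicant identity", ["name", "address", "date of birth", "SIN"],
                "Program intake unit", "electronic",
                ["Program intake unit", "Eligibility officers"],
                "Determine benefit eligibility", ["Eligibility officers"],
                "Departmental case management system"),
    DataFlowRow("Employment history", ["employer", "dates of employment", "SIN"],
                "Program intake unit", "paper", ["Eligibility officers"],
                "Verify employment", ["Provincial labour ministry"], ""),
]

if __name__ == "__main__":
    print(to_markdown(SAMPLE_ROWS))
    for kind, cluster, msg in analyse(SAMPLE_ROWS):
        print(f"[{kind}] {cluster}: {msg}")
```

Run on its own, the script prints the table followed by three findings: the undocumented disclosure of the employment cluster to the provincial ministry, its missing retention site, and the SIN linking both clusters. Removing the SIN from one cluster, or adding the ministry to the documented users with a stated authority, clears the corresponding finding, which is the kind of design change the PIA report would record as a mitigation.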
There are two questionnaires provided in this section, please complete either
questionnaire A or B.
Questionnaire A (5.3.1) provides a series of questions derived from the
requirements of the Privacy Act that dovetails with the universal privacy
principles. The questions form a general template for the privacy analysis that
should be adapted for each proposal.
Questionnaire B (5.3.2) provides a series of questions derived from the
universal privacy principles and is intended for cross-jurisdictional programs
or services.
The privacy analysis consists of yes/no responses to a series of questions
along with a comments section. An "N/D" (not determined) response may
apply for situations where project planning is at an early stage. An
"N/A" (not applicable) can be inserted where questions are not
applicable.
Where appropriate, a section of the Privacy Act is cited at the end
of the question (e.g. s. 4).
The "Provide Details" column should be used to explain specifically
how a particular requirement is met or why it is not met, or should be used to
provide specific authoritative references.
"Discussion Points" related to the questions are placed at the end
of each section.
An operating assumption for the development of the cross-jurisdictional PIA
is that individual jurisdictions should complete their own PIA based on their
specific statutory and policy provisions.
If a response in either of the questionnaires indicates that the proposal has
no legal authority to collect, use or disseminate personal information, then
immediately consult a departmental legal advisor to determine whether to proceed
any further with the initiative.
The results from completing the questionnaire will be used to form the basis
of the PIA Report.
Privacy Act Principle 1: Accountability for Personal Information

| Privacy Act Principle 1: Accountability for Personal Information | Yes | No | N/D or N/A | Provide Details |
|---|---|---|---|---|
| 1.1 Has responsibility for the PIA been assigned? Please indicate in the details column the name and position of the person responsible. | | | | |
| 1.2 Has the custody and control of personal information been determined? | | | | |
| 1.3 Has the accountability of the program custodian of personal information been documented? | | | | |
| 1.4 Are the performance requirements of the custodian set out in a measurable way and subject to performance and compliance reviews? | | | | |
| 1.5 Are third parties including the private sector involved in the custody or control of the personal information? | | | | |
| 1.6 If third parties or private sector parties are involved, do you have an agreement in place that establishes privacy requirements? | | | | |
| 1.7 If yes to 1.5, are the requirements of the Personal Information Protection and Electronic Documents Act applicable if the proposal involves the private sector? | | | | |
| 1.8 Will the department be provided with the results of regularly scheduled audits and compliance checks on the privacy requirements of all involved parties? | | | | |
| 1.9 Are the requirements for the Treasury Board Policy on Privacy and Data Protection being followed? | | | | |
| 1.10 Are there any requirements in program legislation or policies on the management of personal information that affect the proposal? | | | | |
Discussion Points:
Privacy Act Principle 2: Collection of Personal Information

| Privacy Act Principle 2: Collection of Personal Information | Yes | No | N/D or N/A | Provide Details |
|---|---|---|---|---|
| 2.1 What is your authority to collect personal information? Please indicate the authority. If there is no authority, please consult with your legal advisor to determine if there is authority to proceed. | | | | |
| 2.2 Is the personal information collected directly related to an operating program or activity? s. 4 | | | | |
| 2.3 Is personal information being collected directly from the individual? s. 5(1) If no, why not? | | | | |
| 2.4 Have the purposes for which the personal information is collected been documented? If yes, provide specifics. s. 4 | | | | |
| 2.5 Is all the personal information collected necessary to the operating program or activity? | | | | |
| 2.6 Is there notice at the collection stage that identifies the specific purposes for the collection, the authority for doing so and the individual serving as official contact? s. 5(2) | | | | |
| 2.7 Is the notice associated with the collection of personal information available and consistent across all mediums of collection? s. 5(2) | | | | |
| 2.8 Are secondary uses contemplated for the information collected? s. 7 If yes, describe them in the details column. | | | | |
| 2.9 If personal information is to be used or disclosed for a secondary purpose not previously identified, is consent required? s. 7 & 8 | | | | |
| 2.10 If consent is not required for secondary purpose use or disclosure, is there authority for the use or disclosure? s. 7 & 8 | | | | |
| 2.11 Is information anonymized when used for planning, forecasting and/or evaluation purposes? | | | | |
| 2.12 Is personal information collected from a public database? | | | | |
| 2.13 Will quality assurance or security activities result in the collection of additional personal information? | | | | |
| 2.14 Does the program or activity involve the collection through a common client identifier? If yes, provide details about the identifier. | | | | |
Discussion Points:
Privacy Act Principle 3: Consent

| Privacy Act Principle 3: Consent | Yes | No | N/D or N/A | Provide Details |
|---|---|---|---|---|
| 3.1 Is consent obtained directly from the individual? If not, why not? | | | | |
| 3.2 How is consent obtained? | | | | |
| 3.3 Does consent require a positive action by an individual rather than being assumed as a default? s. 5, 7 & 8 | | | | |
| 3.4 If yes to 3.1, is the consent clear and unambiguous? | | | | |
| 3.5 If consent is sought, is the form of consent likely to stimulate negative reaction (for example, opt-in or -out)? | | | | |
| 3.6 Can an individual refuse to consent to the collection or use of personal information for a secondary purpose, unless required by law? | | | | |
| 3.7 Would the refusal of an individual to consent to the collection or use of personal information for a secondary purpose disrupt the level of program service provided to the individual? | | | | |
| 3.8 Are standards and mechanisms in place to ensure that the individual has capacity to give consent? s. 77(1)(m) | | | | |
| 3.9 Are standards and mechanisms in place to ensure the recognition of persons authorized to make decisions on behalf of others (e.g. a minor or incapacitated person)? If not, why not? s. 77(1)(m) | | | | |
Discussion Points:
Privacy Act Principle 4: Use of Personal Information

| Privacy Act Principle 4: Use of Personal Information | Yes | No | N/D or N/A | Provide Details |
|---|---|---|---|---|
| 4.1 What is your authority to use personal information? Please indicate the authority. If there is no authority, please consult your legal advisor to determine the authority to proceed with the proposal. | | | | |
| 4.2 Is personal information used exclusively for the purpose for which the information was obtained or compiled? s. 7(a) | | | | |
| 4.3 Are the uses of the information limited to what a reasonable person would consider appropriate in the circumstances? | | | | |
| 4.4 Is personal information used for a purpose for which the information may be disclosed to the program by another institution? s. 7(b) | | | | |
| 4.5 Are personal identifiers, such as a social insurance number, used for the purposes of linking across multiple databases? | | | | |
| 4.6 Where data matching is performed, is it consistent with the stated purposes for which the personal information is collected? | | | | |
| 4.7 Where personal information is used for data matching, have the requirements of the Treasury Board Secretariat Policy on Data Matching been identified? | | | | |
| 4.8 Does the data matching activity require a notification to the Privacy Commissioner? | | | | |
| 4.9 Is there an activity log attached to the personal information record to record uses not in the Index of Personal Information Banks? s. 9(1) | | | | |
| 4.10 Is personal information used for a consistent purpose that is not identified in a personal information bank? s. 9(4) | | | | |
Discussion Points:
Privacy Act Principle 5: Disclosure and Disposition of Personal Information

| Privacy Act Principle 5: Disclosure and Disposition of Personal Information | Yes | No | N/D or N/A | Provide Details |
|---|---|---|---|---|
| 5.1 Is personal information disclosed with the consent of the individual? s. 8(1) | | | | |
| 5.2 If personal information is not disclosed with consent, has the specific authority for disclosure been identified? s. 8(2) If there is no authority to disclose personal information, please consult your departmental legal advisor. | | | | |
| 5.3 Are personal identifiers, such as a social insurance number, disclosed? | | | | |
| 5.4 Is the personal information to be disclosed limited to the purpose of disclosure? | | | | |
| 5.5 Is personal information disclosed for a purpose that is not identified in a personal information bank? s. 9(4) If yes, what is the method planned for disposal? | | | | |
| 5.6 Will personal information be processed, disclosed or retained outside of Canada? | | | | |
| 5.7 Is there an activity log attached to the personal information record to record the purposes of disclosure not listed in the Index of Personal Information Banks? s. 9(1) | | | | |
| 5.8 Is the personal information scheduled for retention and disposition? s. 6(1) & (3) If yes, identify where in the details column. | | | | |
| 5.9 Where personal information is disclosed for data matching, have the requirements of the Treasury Board Policy on Data Matching been identified? | | | | |
Discussion Points:
Privacy Act Principle 6: Accuracy of Personal Information

| Privacy Act Principle 6: Accuracy of Personal Information | Yes | No | N/D or N/A | Provide Details |
|---|---|---|---|---|
| 6.1 Will steps be taken to ensure that the personal information is accurate, complete and up-to-date? s. 6(2) | | | | |
| 6.2 Does the record of personal information indicate the date of the last information update? | | | | |
| 6.3 Is a record kept of the source of the information used to make changes? | | | | |
| 6.4 Where applicable, is there a procedure, automatically or at the request of an individual, to provide notices of correction to third parties to whom personal information has been previously disclosed? s. 12(2)(c) | | | | |
| 6.5 Is there a record kept with respect to requests for a review of errors or omissions, corrections, or decisions not to correct? s. 12(2)(b) | | | | |
| 6.6 Is there a clearly defined process by which an individual may access, assess and discuss or dispute the accuracy of the record? Please briefly describe the steps. | | | | |
Discussion Points:
Privacy Act Principle 7: Safeguarding Personal Information

| Privacy Act Principle 7: Safeguarding Personal Information | Yes | No | N/D or N/A | Provide Details |
|---|---|---|---|---|
| 7.1 Has a Threat and Risk Assessment been completed? | | | | |
| 7.2 Have security procedures for the collection, transmission, storage and disposal of personal information, and access to it, been documented? | | | | |
| 7.3 Are program and information technology staff trained in the requirements for protecting personal information, and are they aware of the relevant policies regarding breaches of security or confidentiality? | | | | |
| 7.4 Are there controls in place for any process to grant authorization to modify (add, change or delete) personal information from records? | | | | |
| 7.5 Is the system designed so that access and changes to personal information can be audited by date and user identification? | | | | |
| 7.6 Are user accounts, access rights and security authorizations controlled by a system or record management process? | | | | |
| 7.7 Are access rights only provided to users on a "need to know basis" consistent with the stated purposes for which the personal information was collected? s. 5(2) | | | | |
| 7.8 Are security measures commensurate with the sensitivity of the information recorded? | | | | |
| 7.9 Are there contingency plans and documented procedures in place to identify and respond to security breaches or disclosures of personal information in error? | | | | |
| 7.10 Are there documented procedures in place to communicate security violations to the data subject, law enforcement authorities and relevant program managers? | | | | |
| 7.11 Is there a plan for quality assurance and audit programs to assess the ongoing state of the safeguards applicable to the system? | | | | |
Discussion Points:
Privacy Act Principle 8: Openness

| Privacy Act Principle 8: Openness | Yes | No | N/D or N/A | Provide Details |
|---|---|---|---|---|
| 8.1 Describe how the results of any privacy impact assessment or audit will be made available to the public. | | | | |
| 8.2 Are policies and practices relating to the proposal's management and handling of personal information available to the public? | | | | |
| 8.3 Is there a communications plan to explain to the public how personal information will be managed and protected? | | | | |
| 8.4 Is there a clearly defined and easy process for individuals to access such information and/or communicate with appropriate individuals with respect to policies and practices relating to management and protection of personal information? | | | | |
| 8.5 Where appropriate, have key stakeholders been provided with an opportunity to comment on the privacy protection implications of the proposal? | | | | |
| 8.6 Where appropriate, will public consultation take place on the privacy implications of the proposal? | | | | |
| 8.7 Has the personal information been included in a personal information bank? s. 10 | | | | |
Discussion Points:
Privacy Act Principle 9: Individual's Access to Personal Information

| Privacy Act Principle 9: Individual's Access to Personal Information | Yes | No | N/D or N/A | Provide Details |
|---|---|---|---|---|
| 9.1 Is the system designed to ensure that an individual can have access to his/her personal information, including all other programs or applications that have received copies of the information? s. 12(10) | | | | |
| 9.2 Is the system designed to ensure that an individual has been notified that a correction to his/her information has been made? | | | | |
| 9.3 Are all custodians and participants aware of an individual's right of access and the complaint process? | | | | |
| 9.4 Are there documented procedures developed or planned on how to initiate privacy requests or requests for the correction of personal information? s. 12(2) | | | | |
| 9.5 Has consideration been given to providing individuals "routine" access to their personal information? | | | | |
| 9.6 Are individuals provided with access to their personal information in the official language of their choice? s. 17(2) | | | | |
| 9.7 If appropriate, are individuals provided with access to their personal information in an alternative format? s. 17(3) | | | | |
Discussion Points:
Privacy Act Principle 10: Challenging Compliance

| Privacy Act Principle 10: Challenging Compliance | Yes | No | N/D or N/A | Provide Details |
|---|---|---|---|---|
| 10.1 Are the complaint procedures for the proposed program or service consistent with legislated requirements? s. 29-35 | | | | |
| 10.2 To improve information management practices and standards, has a procedure been established to log and periodically review the nature, frequency and resolution of complaints? | | | | |
| 10.3 Are there oversight and review mechanisms implemented or available to ensure accountability? | | | | |
| 10.4 Have oversight agencies, including the Office of the Privacy Commissioner, issued reports or opinions on issues that would be relevant to the proposal? If yes, please provide a summary of the above in the details column and append it to the final report. | | | | |
Discussion Points:
The 10 principles listed here reflect the privacy principles captured in the
Canadian Standards Association Model Code for the Protection of Personal
Information.
Principle 1: Accountability
Question | Yes | No | N/D or N/A | Provide Details
1.1 Has responsibility for the PIA been assigned? Please indicate in the details column the name of the individual(s) responsible. | | | |
1.2 Is a separate PIA being undertaken by each jurisdiction? | | | |
1.3 Has custody and/or control of personal information been determined for the cross-jurisdictional electronic service delivery proposal, and: | | | |
- Has the accountability of the jurisdictions and individuals in jurisdictions been documented for all privacy requirements? | | | |
- Are the performance requirements of the jurisdictions comprehensively specified in a measurable way, and subject to specific performance or compliance reviews? | | | |
- Where a jurisdiction and/or the private sector is not subject to a privacy law, will an agreement or contract establish equivalent privacy requirements? If yes, is the agreement in place? | | | |
- Will each jurisdiction be provided with the results of regularly scheduled audits and compliance checks on the privacy practices of the cross-jurisdictional service delivery application? | | | |
1.4 Have legal opinions or policy advice been sought regarding: | | | |
- the identification of privacy and other statutory requirements of each jurisdiction relating to the collection, use, disclosure, retention and disposal of personal information for the electronic service delivery proposal? | | | |
- the identification of any statutory conflicts among jurisdictions and how the conflicts will be resolved? | | | |
- if required, the authority to transfer jurisdictional program delivery responsibilities to the cross-jurisdictional electronic service delivery application, including a consideration of the authority for the electronic service to collect, use, disclose or retain personal information as necessary on behalf of jurisdictions? | | | |
- if required, the authority to alter or limit in any material way the collection, use or disclosure of personal information as authorized by jurisdictional program statutes and privacy laws for the purpose of delivering service through the cross-jurisdictional application? | | | |
- the identification of any requirements for statutory or program delegation? | | | |
1.5 Has each jurisdiction identified all privacy policy requirements related to personal information, and have conflicting requirements been resolved? | | | |
1.6 Are the views of Privacy Commissioners on the proposed cross-jurisdictional electronic service delivery proposal known? If yes, please provide specifics in the details column. | | | |
1.7 Have arrangements been made for transparent, documented information systems so that individuals can be informed about how their personal information is collected, used and disclosed? | | | |
1.8 Have arrangements been made for independent audit, compliance and enforcement mechanisms for the cross-jurisdictional electronic delivery of services, including fulfillment of the commitments in the PIA process? | | | |
1.9 Does the cross-jurisdictional electronic service delivery proposal entail a privacy risk because accountability for and/or compliance with existing privacy requirements will be diminished? | | | |
1.10 Have privacy law and other statutory and policy conflicts among jurisdictions been resolved? | | | |
1.11 Where appropriate, have key stakeholders been provided with an opportunity to comment on the privacy protection implications of the cross-jurisdictional electronic delivery of services proposal? | | | |
1.12 Where appropriate, will public consultation take place on the privacy risks and the plans for resolution? | | | |
1.13 Is there an Agreement that details each jurisdiction's responsibilities in relation to the cross-jurisdictional electronic delivery of services proposal and privacy? | | | |
Discussion Points:
Principle 2: Identifying Purposes
Question | Yes | No | N/D or N/A | Provide Details
2.1 What are the specific authorities to collect personal information? If your authority is questionable, then you need to consult your legal advisor as to whether you have the authority to proceed with this proposal. | | | |
2.2 Has a clear relationship been established between the personal information to be collected and the cross-jurisdictional service delivery proposal's functional and operational requirements? | | | |
2.3 Have the purposes for which the personal information is collected been documented among jurisdictions? | | | |
2.4 Have the notice provisions among the jurisdictions been reconciled, and have jurisdictional exceptions to the notice provision been identified and reconciled? | | | |
2.5 Have all options to minimize the routine collection of personal information been considered? | | | |
2.6 If personal information that has been collected is to be used for a purpose not previously identified, is consent required? | | | |
2.7 Have arrangements been made to provide full disclosure of the purposes for which personal information is collected? | | | |
Discussion Points:
Principle 3: Consent
Question | Yes | No | N/D or N/A | Provide Details
3.1 Is consent obtained directly from an individual? If not, why not? | | | |
3.2 How is consent obtained? | | | |
3.3 Does the cross-jurisdictional proposal require an individual's consent to collect, use and/or disclose personal information, and if so, have jurisdictional differences been reconciled? | | | |
3.4 Does consent require a positive action by the individual, rather than being assumed as the default? | | | |
3.5 Where personal information is collected indirectly, is it necessary to obtain consent from the individual to whom the information pertains, by either the jurisdiction collecting indirectly or the jurisdiction disclosing the information? | | | |
3.6 Does the proposal envision possible secondary uses for the personal information collected, and if so, do any jurisdictional consent requirements have to be reconciled? | | | |
3.7 Can an individual refuse to consent to the collection or use of personal information for a secondary purpose, unless required by law? | | | |
3.8 Are cross-jurisdictional standards in place for administering consent requirements that address: | | | |
- making the determination whether the individual has the capacity to give consent, by reason of age or capacity; | | | |
- recognition of persons authorized to make decisions on behalf of an incapable person or a minor. | | | |
3.9 Are the proposed consent provisions consistent with existing laws and standards in comparable areas of the public or private sector? | | | |
3.10 Is the form of the consent being sought (for example, opt-in or opt-out) likely to stimulate negative public reaction? | | | |
Discussion Points:
Principle 4: Limiting Collection
Question | Yes | No | N/D or N/A | Provide Details
4.1 Does the cross-jurisdictional proposal require the collection of more personal information than was previously collected by each jurisdiction? | | | |
4.2 Will individuals be monitored for purposes of quality assurance or security, and if so, will personal information be collected? | | | |
4.3 If required, has each jurisdiction identified the authority for the collection of personal information on their behalf? | | | |
4.4 Will measures be taken to ensure public confidence in the privacy practices related to the service when personal information that individuals are likely to consider highly sensitive is collected? | | | |
Discussion Points:
Principle 5: Limiting Use, Disclosure, and Retention
Question | Yes | No | N/D or N/A | Provide Details
5.1 What are the specific authorities to use personal information? If your authority is questionable, then you need to consult your legal advisor as to whether you have the authority to proceed with this proposal. | | | |
5.2 Is personal information used exclusively for the identified purposes and for uses that an individual would reasonably consider consistent with those purposes? | | | |
5.3 Are the uses of the information limited to what a reasonable person would consider appropriate in the circumstances? | | | |
5.4 Are personal identifiers, such as the social insurance number, used for the purposes of linking across multiple databases? | | | |
5.5 Where data linkages such as data matching or profiling occur, are they consistent with the stated purposes for which the personal information was collected? | | | |
5.6 Do jurisdictional data matching or data profiling policies require the conduct of a formal assessment and/or a review by the Privacy Commissioner? | | | |
5.7 Is there a need to reconcile among jurisdictions the length of time records of personal information are retained? | | | |
5.8 Will personal information be processed, disclosed or retained outside of Canada? | | | |
5.9 What are the specific authorities to disclose personal information? If your authority is questionable, then you need to consult your legal advisor as to whether you have the authority to proceed with this proposal. | | | |
5.10 If required, is there a cross-jurisdictional procedure to govern the destruction of personal information? | | | |
5.11 If personal information is to be used for a new purpose, is the new purpose authorized and documented? | | | |
5.12 Is there a need for a cross-jurisdictional Agreement if data matching or data profiling is proposed as part of the electronic service delivery proposal? | | | |
5.13 Do you have an Agreement in place that covers data matching or data profiling activities? | | | |
5.14 Are any limitations on the use and disclosure of personal information set out in law or policy reinforced by the information and information technology architecture of the information systems? | | | |
Discussion Points:
Principle 6: Accuracy
Question | Yes | No | N/D or N/A | Provide Details
6.1 Will steps be taken to ensure that the personal information is accurate, complete and up-to-date? | | | |
6.2 Is a record kept of the source of the information used to make changes, e.g. paper or transaction records? | | | |
6.3 Where applicable, is there a procedure, automatic or at the request of the individual, to provide notices of correction to third parties to whom personal information has been disclosed? | | | |
6.4 Have cross-jurisdictional responsibilities for accuracy been identified? | | | |
6.5 Have any cross-jurisdictional differences in accuracy requirements been identified and reconciled? | | | |
6.6 Is there a record of decisions and reasons for refusing a request to correct a record of personal information? | | | |
6.7 Is there a clearly defined process by which an individual may access, assess and discuss or dispute the accuracy of the record? Please briefly describe the steps. | | | |
Discussion Points:
Principle 7: Safeguards
Question | Yes | No | N/D or N/A | Provide Details
7.1 Has a Threat and Risk Analysis been completed? | | | |
7.2 Have security procedures for the collection, transmission, storage and disposal of personal information, and access to it, been documented, with cross-jurisdictional conflicts identified and reconciled? | | | |
7.3 Are staff of the electronic delivery service trained in the requirements for protecting personal information, and are they aware of the relevant policies regarding breaches of security or confidentiality? | | | |
7.4 Are there controls in place over the process to grant authorization to add, change or delete personal information from records? | | | |
7.5 Is the system designed so that access and changes to personal information can be audited by date and user identification? | | | |
7.6 Are user accounts, access rights and security authorizations controlled and recorded by an accountable systems or records management process? | | | |
7.7 Is user access to personal information limited to only that required to discharge assigned functions? | | | |
7.8 Are there contingency plans and documented procedures in place to identify security breaches or disclosures of personal information in error? | | | |
7.9 Are there documented procedures in place to communicate security violations to jurisdictions, data subjects and, if appropriate, law enforcement authorities? | | | |
7.10 If sensitive personal information will be used in the electronic delivery of services, have technological tools and system design techniques been considered which may enhance both privacy and security, e.g. encryption, technologies of anonymity or pseudo-anonymity, or digital signatures? | | | |
7.11 Have criteria been established for determining and authorizing "need to know" access to personal information? | | | |
Discussion Points:
Principle 8: Openness
Question | Yes | No | N/D or N/A | Provide Details
8.1 Describe how the results of any privacy impact assessment or audit will be made available to the public. | | | |
8.2 Will the cross-jurisdictional electronic service delivery project make available information on policies and practices related to the management and handling of personal information, including how personal information is used and how access is provided to the individual? | | | |
8.3 Where applicable, have jurisdictional Directories of Records (or equivalent) been updated? | | | |
8.4 Have communications products and/or a communications plan been developed to fully explain to the public how their personal information will be managed, including how it will be protected, as part of the cross-jurisdictional electronic delivery of services proposal? | | | |
Discussion Points:
Principle 9: Individual Access
Question | Yes | No | N/D or N/A | Provide Details
9.1 Is the system designed to ensure that access by an individual to all of their personal information can be achieved with minimal disruption to operations? | | | |
9.2 Has the cross-jurisdictional service delivery project documented how requests for personal information covered or not covered by a privacy law will be processed? | | | |
9.3 Are there documented procedures developed or planned on how to initiate privacy requests or requests for the correction of personal information? | | | |
9.4 Are the individual's access rights assured for all the data sets of all the parties in the information life cycle, including each jurisdiction, private sector partners and/or subcontractors? | | | |
9.5 Are all custodians aware of the cross-jurisdictional service delivery practices regarding the individual's right of access and any requirement to advise the individual of formal and informal appeal and/or complaint procedures? | | | |
9.6 Have procedures been established to provide individuals with access in a "routine" manner to their personal information collected by the cross-jurisdictional service delivery project? | | | |
Discussion Points:
Principle 10: Challenging Compliance
Question | Yes | No | N/D or N/A | Provide Details
10.1 Are complaint and/or appeal procedures established for the cross-jurisdictional electronic service delivery proposal, including the identification and resolution of any jurisdictional privacy law complaint and/or appeal conflicts? | | | |
10.2 Has a procedure been established to log and periodically review complaints and their resolution, with a view to establishing improved information management practices and standards? | | | |
10.3 Have independent privacy oversight and review mechanisms been established for the cross-jurisdictional service delivery proposal? | | | |
10.4 Have oversight agencies, including privacy commissioners, issued reports or opinions on issues that would be relevant to the cross-jurisdictional electronic service delivery proposal? If yes, please provide a summary of the above in the details column and append to the final report. | | | |
Discussion Points:
At this point in the process, departments and agencies should have a detailed
description of the proposal, a detailed account of the data flows within the
program or service and an analysis of its compliance with privacy requirements.
This will provide a solid basis for determining any significant privacy issues
that need to be addressed before the proposal progresses further.
As part of the analysis, departmental representatives should develop possible
solutions for each privacy risk and an accompanying action plan to be used by
the department or agency to ensure that privacy is managed effectively
throughout the process.
If appropriate, a summary table can be used to display the risks and their
implications for a proposal. Ideally the summary table should be designed so
that it piggybacks onto existing departmental schema. Please ensure that if a
table is used, that definitions are provided and that a consistent methodology
is applied throughout. Please refer to Annex C for an example of a summary risk
table.
Departments should refer to the Integrated Risk Management Framework and the
Enhanced Management Framework for more details at:
http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/riskmanagement/rmf-cgr_e.asp
http://www.tbs-sct.gc.ca/emf-cag/index_e.asp.
The report should reflect a policy-level discussion of the proposal, summarizing the specific privacy implications and risks identified. Departments should take into consideration the:
- environmental context in which the proposal is being made, and the
- public's expectations regarding privacy.
While the format of the PIA report can be tailored to suit departmental needs, it should convey the following information:
- A detailed description of the proposal summarizing information including objectives, rationale, clients, approach, programs and/or partners involved. The project charter, plan and business case can be used as a source for this information and should be made available for reference.
- A list of all the data elements that involve "personal information" and a related description.
- A list of all stakeholders and their roles and responsibilities.
- A list of relevant legislation and policies that have a bearing on the privacy requirements of the proposal, including any departmental program statutes and policies.
- A description of the specific privacy risks that have been identified through the privacy impact assessment process and, if appropriate, an indication of the level of risk involved. Departments can choose to complete a summary table if appropriate; however, the use of the table is completely optional, since some privacy experts recognize that it is difficult to assess both the likelihood and impact of risk in this context.
- Possible options to eliminate or mitigate privacy risks, with a statement of the implications associated with those mechanisms where relevant. Include, if appropriate, any information on similar proposals and privacy risks identified in other jurisdictions and how the risks were handled.
- A description of any residual or outstanding risks that cannot be addressed through the mitigation mechanisms. Include, where appropriate, references to and a description of public opinion or expectations regarding those residual risks.
- An outline of a privacy-oriented communications strategy, if the implementation of such a strategy is considered appropriate.
Examples of Table of Contents of a PIA report and a Preliminary PIA report
are attached as Annexes A and B.
Refer to the policy for direction on departmental responsibilities concerning
provision of the final PIA to the Privacy Commissioner and public notification.
Departmental officials should consult their Privacy Coordinator for advice on
the PIA report and communications with the Office of the Privacy Commissioner.
The summary results of the PIA can take the form of an executive summary that
is written in plain, non-technical language and in each of the two official
languages at the same time in accordance with the Official Languages Act.
To achieve this objective, a communications specialist should be
consulted.
The Office of the Privacy Commissioner has requested that departments and
agencies do not publish any of their comments.
Experience over time has demonstrated that the most effective way to protect
personal information is to use a combination of tools and strategies which
include complying with the Privacy Act and Privacy and Data
Protection Policy, using privacy-enhancing technologies and architectures,
conducting privacy impact assessments, and engaging in public education.
Potential Outcomes of a PIA:
- Use of anonymous information in lieu of personal information to achieve
the same program objectives
- Cost avoidance by considering privacy at the outset thus avoiding
exponential design costs associated with retrofitting requirements at a
later development stage
- Building of public trust and confidence that privacy has been built into
the design of the program or service.
- Where risk cannot be mitigated through technical or policy instruments,
a PIA will provide decision-makers with a full assessment of the risk.
- A decision to abandon a project at an early stage based on the
significance of the privacy risks.
- A disciplined process that promotes open communications, common
understanding and transparency.
Annex A: Example Table of Contents of a PIA Report
Document Change Control Table
1. Executive Summary
2. Introduction
2.1 Report Objectives
2.2 Scope of PIA
2.3 Reference Documentation
2.4 Participants
2.5 Legislation and Policies
2.6 Abbreviations Used in this Report
3. Project Proposal
4. Data Flow Analysis
4.1 Business Flow Diagram and Description
4.2 Data Flow Table
5. Privacy Analysis
6. Privacy Risk Management Plan
6.1 Privacy Risk Mitigation
6.1.1 <insert privacy risk heading # 1>
6.1.2 <insert privacy risk heading # 2>
6.2 Summary Table
7. Communications Strategy
Annex B: Example Table of Contents of a Preliminary PIA Report
Document Change Control Table
1. Executive Summary
2. Introduction
2.1 Rationale for a Preliminary PIA
2.2 Report Objectives
2.3 Scope of the Preliminary PIA
3. Project Background
3.1 Project Description
3.2 Stakeholder Roles
4. Legislative and Policy Authorities for the Project
5. Description of Personal Information
5.1 Data Clusters
5.2 Data Flow Description and Table
6. Potential Privacy Risks
6.1 <insert privacy risk heading # 1>
6.2 <insert privacy risk heading # 2>
7. Overview of Security Requirements
8. PIA Plan
8.1 Activities
8.2 Assumptions
8.3 Consultations
8.4 Resource Requirements
Annex C: Example of a Summary Risk Table
Risk levels:
Low: There is a possibility that the risk will materialize, but there are mitigating factors.
Moderate: There is a strong possibility that the risk will materialize if no corrective measures are taken.
High: There is a near certainty that the risk will materialize if no corrective measures are taken.
Example of a Summary Table
Element | Nature of risks | Level of risks (Low / Medium / High) | Comments | Mitigating Mechanisms
(one row per identified risk)