Canadian Flag   Treasury Board of Canada, Secretariat
,

,

Report on PIA Best Practices ,


Report on

Best Practices Identified During the
Implementation of the Privacy Impact 
Assessment Policy and Guidelines

Chief Information Officer Branch
Treasury Board Secretariat

March 20, 2003

Table of Contents

Acronyms and Abbreviations Used in this Report

1. Introduction

2. Report Overview

2.1 Report Objective
2.2 Methodology

3. Benefits of the PIA Process

4. Best Practices

4.1 PIA Policy Implementation Strategies
4.2 Implementation Challenges
4.3 Internal Capacity for Completing Privacy Impact Assessment Reports
4.4 Tips on Embarking on a PIA
4.5 Tips on Completing the PIA Privacy Analysis Questionnaire
4.6 Tips for Completing the PIA Report
4.7 Feedback from the Office of the Privacy Commissioner

5. Conclusions

6. Annex A - List of Participants

Acronyms and Abbreviations Used in this Report

ATIP Access to Information and Privacy
PIA Privacy Impact Assessment
TBS  Treasury Board Secretariat
TRA Threat and Risk Assessment
SOS Statement of Sensitivity

1. Introduction

The Treasury Board of Canada approved the Privacy Impact Assessment (PIA) Policy in early 2002 with an effective date of May 2, 2002. The objective of the Policy is to assure Canadians that privacy principles are being taken into account when there are proposals for, and during the design, implementation and evolution of programs and services that raise privacy issues by:

  • Prescribing the development and maintenance of PIAs
  • Communicating routinely the results of PIAs to the Privacy Commissioner and the public.

Treasury Board Secretariat (TBS) developed and issued the Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks to convey advice on the application of the Policy.

The Policy and Guidelines can be found at:
http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paip-pefr_e.asp

2. Report Overview

2.1 Report Objective

The objective of this report is to identify practical tips and best practices for implementing the PIA Policy and Guidelines into departmental day-to-day operations. These best practices should be read in conjunction with the PIA Policy and Guidelines.

2.2 Methodology

The Chief Information Officer Branch of TBS hosted two one-half day sessions attended by representatives of 11 departments and agencies and five consulting firms. The attendees had a diverse range of experience in implementing the PIA Policy and Guidelines, conducting PIAs and/or communicating the results of PIAs to senior management and the Office of the Privacy Commissioner.

3. Benefits of the PIA Process

Participants identified a number of benefits to departments associated with the PIA process:

  1. The PIA process makes project planners articulate in precise terms what the project is about.
  2. Privacy is considered at the front end of a project so that privacy issues are known and can be addressed early in the project planning process.
  3. The PIA process presents an opportunity to communicate, discuss and increase the awareness of the Privacy Act.
  4. The PIA process enhances program planning relative to privacy and results in better public policy.
  5. The PIA process provides a disciplined approach to the identification and mitigation of privacy risks resulting in better information management practices.
  6. The PIA process is an excellent means to learn about privacy.
  7. Some departments reported a better understanding of the relationship between Program legislation and the Privacy Act.

4. Best Practices

The best practices are organized under subjects that reflect the activities and outcomes of the PIA process.

4.1 PIA Policy Implementation Strategies

PIA implementation strategies are the overall steps taken to communicate and put into action the PIA Policy, and the following best practices were identified:

  1. To facilitate buy-in, establish a senior management committee to make decisions on the need for a PIA and who review all PIA reports.
  2. Develop an internal policy to integrate the PIA Policy requirements with other information management policy requirements.
  3. Develop an implementation plan as a guide for the implementation of the PIA Policy and Guidelines.
  4. One department found an ATIP Policy Advisory Committee was helpful in providing advice on the PIA implementation plan.
  5. All of the stakeholders need to be at the table at the start of the planning process.
  6. Develop a workflow on the PIA process to act as a roadmap for users.
  7. One department developed a short template to lead managers to a decision on whether or not a PIA is required.
  8. Appoint a senior executive to champion the implementation of the PIA process.

4.2 Implementation Challenges

PIA challenges are thought-provoking situations faced by some departments during the implementation of the PIA Policy. The following best practices were noted:

  1. The breadth of the PIA Policy presents a challenge because it encompasses not only information technology projects but also proposed legislation, Memorandums of Understanding and Information Sharing Agreements.
  2. Managers need a one-stop shop for advice on interrelated policy requirements such as the Data Matching Policy, PIA, TRA and SOS.
  3. Senior management has to be an active participant in the implementation process and this implies that departments clearly define roles and responsibilities in the PIA process.
  4. The conduct of a PIA should be part of the detailed project plan.
  5. It is difficult to find skilled resources either internally or externally to conduct PIAs.
  6. In some departments, there is a lack of resources available to conduct PIAs and to take the necessary steps in order to "operationalize" the policy by identifying approval1advisory committees, etc.

4.3 Internal Capacity for Completing Privacy Impact Assessment Reports

There are various ways that departments have acquired the skill sets needed to conduct the PIA process and the following best practices were offered:

  1. Departments have been using consultants to assist and mentor staff on how to complete the PIA process and thereby develop in-house PIA expertise.
  2. Departments will need internal PIA skills at a minimum to assess work that has been completed by consultants.
  3. It remains difficult to determine if each department or one department representing all departments participating in a multi-departmental project should conduct a PIA.
  4. Designating internal resources to conduct PIAs was difficult because the required privacy policy skills were scarce and the staff was already fully engaged.
  5. The PIA process requires privacy policy analysis skills that differ from the skills required to process privacy requests.

4.4 Tips on Embarking on a PIA

There are tips about conducting a PIA that are useful to know before the start of the PIA process. Here are some examples of best practices:

  1. Departments felt it was useful to discuss the PIA process with staff in other departments who had completed PIA Reports to gain insight from their experience.
  2. Departments felt it was useful to review completed PIA Reports obtained from TBS or the Office of the Privacy Commissioner to gain insight into the expectations for a completed report.
  3. The Office of the Privacy Commissioner needs much of the same documentation used by the departmental team engaged in the PIA process so it is useful to compile the documentation in one place as the PIA process unfolds.
  4. Organize a meeting for the PIA team and explain the PIA process as an introduction to the process.
  5. Defining the scope at an early stage of the PIA process is important.
  6. Keep a focus on the identification of privacy risks and strategies to manage or eliminate the risks.
  7. The development of a checklist of potential background documentation to review as part of the PIA process is helpful.
  8. Timing is important because it may be difficult to retrofit privacy into the project late in the planning cycle.
  9. Without clearly documented data flows it is difficult to identify what may be privacy risks.
  10. Ensure there is a sign-off on a decision not to complete a PIA.

4.5 Tips on Completing the PIA Privacy Analysis Questionnaire

The PIA Privacy Analysis Questionnaire is a key component of the PIA process and is used to generate information on potential privacy risks. The following best practices were provided:

  1. The responses to questions in the Questionnaire reflect a single point in time and there is little need to constantly revisit all of the questions.
  2. There were no examples of the use of Questionnaire B for Cross-jurisdictional PIAs because implementation of the PIA Policy is still in the developmental stage.
  3. The PIA team should go through the Questionnaire as a group.
  4. It is helpful when going through the Questionnaire to explain why the question is being asked.
  5. One department found that after the completion of a number of PIAs that some of the questions could be filled out in advance.

4.6 Tips for Completing the PIA Report

The PIA report is a policy-level discussion of a proposal that summarizes the specific privacy implications and risks together with mitigation measures; the following tips were provided:

  1. Defining the scope of the PIA is critical to the process.
  2. The person conducting the PIA really needs to understand what is being proposed to determine the affect on the management of personal information.
  3. Project staff have their own timelines and the PIA process timing needs some flexibility to support the Program Manager's business needs.
  4. The PIA Report has to be managed as a work in progress because there may be a tendency to complete the report and set it aside.
  5. Documentation has to form the basis of the PIA process to avoid speculation on what may or may not be involved in the proposed project.
  6. It is important to engage the entire PIA team during the discussion of the privacy risks and risk management plan.
  7. Treat the Executive Summary as a stand-alone document for non-program and non-technical audience that succinctly describes the program proposal, the privacy risks and mitigation measures.
  8. It is useful at the start of the PIA process to document who is accountable for which aspects in the process and the follow-up to the PIA Report.

4.7 Feedback from the Office of the Privacy Commissioner

The Office of the Privacy Commissioner reviews PIA reports and may offer comment on the privacy risks and mitigation measures. Here are some considerations:

  1. Departments found that is was useful to engage the Office of the Privacy Commissioner early in the PIA process to communicate the overall nature of the project and to discuss expectations.
  2. The Commissioner's Office described their expectations to one department concerning the submission of a PIA Report to include where appropriate:
  • A clear description of the scope of the PIA and the subjects to be covered in it
  • A clear and comprehensive description of all the actions to be pursued under the initiative involved
  • The architectural specifications of the initiative
  • The Threat and Risk Assessment report pertaining to the initiative
  • A copy of whatever legal instrument, agreement or Memorandum of Understanding was used to define the rights and responsibilities among parties to the initiative
  • Samples of third party contracts, including contracts for employment of persons hired to input data into the system, to ascertain whether they include appropriate privacy protection clauses
  • An explanation of the consent regime involved with respect to the personal information involved with the initiative
  • Copies of all rules and guidelines that have been prepared regarding the collection, use and disclosure of personal information for purposes of the initiative
  • A description of the procedures to follow in respect to complaints regarding the initiative and the oversight body designated to receive these complaints
  • Copies of all forms and public education materials that have been created which deal with informational privacy.
  1. Once all of the required documentation is provided, the Privacy Commissioner's Office is typically taking about eight weeks to provide comments on a PIA Report.

5. Conclusions

The PIA best practices session illustrated a strong endorsement of the benefits of the policy and the current TBS activities that provide proactive support to departments on PIA Policy and Guidelines implementation activities. Departments were very aware and supportive of the innovative ways that TBS has and plans to implement the PIA Policy and Guidelines.

The implementation of the Privacy Impact Assessment Policy and Guidelines is still in the early stages. When departments participating in the best practices sessions were asked to rate their department's integration of the PIA Policy requirements into day-to-day operations, on a scale of 1 (low) to 5 (high), most rated integration as 1 or 2.

There are many PIA reports under development. However, there are few examples of PIA reports that have completed the entire PIA process including the review with the Office of the Privacy Commissioner and follow-up on recommendations from the Privacy Commissioner.

The PIA process illustrated an overall need for privacy training in general. TBS identified this need during the development of the e-Learning Tool for the PIA process. The e-Learning tool is scheduled for implementation at the start of the 2003-2004 fiscal year and will contain a module devoted to privacy.

Timing of the PIA process is important because it may be difficult and/or expensive to retrofit privacy into the project late in the planning cycle. Departments will need to spend time once the PIA Report is complete to consider follow-up activities, monitor the implementation of privacy risk management measures and determine if project changes will lead to an update of the PIA Report.

Although the objective of the PIA process is risk management, departments receive ancillary benefits from the process that contribute to better information management practices. Since PIA implementation is in the early stages, in another 6 months TBS should have another session to build on these best practices in 2003/2004.

6. Annex A - List of Participants

The Information Policy Division of Treasury Board of Canada Secretariat would like to thank and acknowledge the contributions of the following participants:

Alain Rocain, Deloitte & Touche, PIA Consultant

Andrée Morissette, Public Works & Government Services Canada, Senior ATIP Officer

Anita Lloyd, Public Works & Government Services Canada, ATIP Coordinator

Brian Foran, Health Canada, Director - Information, Analysis and Connectivity Branch

Brian McCracken, Canada Customs Revenue Agency, Policy Officer - BN Strategic Planning & Policy Section

Corinne Cormier, Veterans Affairs, A/Deputy Coordinator (Policy & Training) - ATIP

David Reid, Heritage Canada, Director, Strategy and Consultation

Diane Burrows, A/Director, Public Rights Administration

Don Mccoll, Citizenship and Immigration Canada, Senior Public Rights Administrator

Éric Charlebois, Health Canada, Project Officer - Health Surveillance

Frank Bradley, Indian & Northern Affairs Canada, Business Analyst - IRS - CIS Project

Grant Boyd, Canada Customs Revenue Agency, ATIP Coordinator

Judy Humenick, Heritage Canada, Manager, Policy Development, GOL Branch

Larry Kennedy, Health Canada, Senior Policy Analyst, Information, Analysis and Connectivity Branch

Marc-André Gaudet, Agriculture Canada, Acting Manager - ATIP

Matthew Chan, Indian & Northern Affairs Canada, Project Director - Operations Branch

Michael Power, Gowlings, PIA Consultant

Nicole Sarafin, Public Service Commission, ATIP Coordinator & Legislative Affairs Officer

Paula Bédard, Human Resources Development Canada, Senior Public Rights Administrator - ATIP

Peter Hull, Canada Customs Revenue Agency, Director - ATIP

Peter Rock, Citizenship and Immigration Canada, Senior Public Rights Administrator

Rick Shields, McCarthy Tétrault LLP, PIA Consultant

Scott Crosby, Sysanova, PIA Consultant

Susan Seeger, A/Chief, Access to Information and Privacy

Suzan Appleby, Citizenship and Immigration Canada, Senior Public Rights Administrator

Tom McMahon, Treasury Board Secretariat, Senior Counsel - Justice
,
Government of Canada
Date published: 2003-05-05
Last updated: 2004-04-08
Date reviewed: 2003-05-02