
Privacy Impact Assessments

What are Privacy Impact Assessments (PIAs)?

Privacy Impact Assessments (PIAs) are used to identify the potential privacy risks of new or redesigned federal government programs or services. They also help eliminate or reduce those risks.

Virtually all federal departments, agencies and institutions must conduct PIAs for new or redesigned programs and services that raise privacy issues. (These institutions are listed in the Schedule to the Privacy Act.)

PIAs take a close look at how government departments protect personal information as it is collected, stored, used, disclosed and ultimately destroyed. These assessments help create a privacy-sensitive culture in government departments.

When is a PIA required?

Government departments must conduct a PIA in order to determine whether privacy issues are raised by proposals for new programs and services or by a substantial redesign of a program or the way it is delivered to the public.

A Preliminary PIA (PPIA) can help determine whether a complete PIA is needed. The preliminary assessment may find that there are no or only minimal privacy risks.

A PIA is generally required when a government department:

  • Collects, uses or discloses more personal information;
  • Collects personal information from a larger group of Canadians;
  • Plans to collect personal information indirectly (for example, one department gives information it has collected to another department in order to check for fraud or to verify whether an individual is eligible for benefits);
  • Uses or expands the use of common personal identifiers such as Social Insurance Numbers;
  • Substantially redesigns the system that delivers a program to the public; or
  • Contracts out or transfers a program or service to another level of government or the private sector.

Who conducts PIAs?

Individual government departments and agencies conduct their own PIAs. An assessment team often includes experts in several areas, including legal services, privacy, access to information and information technology.

What is the role of the Office of the Privacy Commissioner?

The Office of the Privacy Commissioner (OPC) consults with departments during the development of PIAs to make sure privacy issues are clearly understood. The OPC can offer advice and suggest solutions to potential privacy risks.

Government departments must submit final PIA reports to the OPC before they implement programs or services. The Privacy Commissioner may provide comments and recommendations to the department. However, the final decision on whether to implement those recommendations rests with the department.

PIAs are currently required under government policy set by the Treasury Board Secretariat. However, the Privacy Commissioner has called for the process to be required under law as part of a broader Privacy Act reform. The Commissioner supports the PIA policy, but believes turning it into law would make it stronger.

What fundamental principles guide PIAs?

Ten fundamental privacy principles should guide how a PIA is conducted:

Accountability: Each government department must put someone in charge of making sure privacy policies and practices are followed.

Identifying purposes: Canadians must be told why their personal information is being collected at or before the time of collection.

Consent: Canadians must give their consent to the collection, use and disclosure of their personal information.

Limiting collection: Only information that is required should be collected.

Limiting use, disclosure and retention: Personal information can only be used or disclosed for the purpose for which it was collected. Further consent is required for any other purposes. Personal information should only be kept as long as necessary.

Accuracy: Government departments must make every effort to reduce the risk that incorrect personal information is used or disclosed.

Safeguards: Government departments must protect personal information from loss or theft. They must create safeguards to prevent unauthorized access, disclosure, copying, use or modification.

Openness: Government departments must make their privacy policies readily available to Canadians.

Individual access: Canadians have the right to ask to see any of their personal information held by government. They have the right to know who the information has been given to. They can challenge the accuracy of personal information and ask for corrections.

Challenging compliance: Canadians must be able to challenge a government department’s privacy practices.

These principles are usually referred to as “fair information principles”. They are included in the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law. The OPC also believes they should be enshrined in a reformed Privacy Act, which imposes obligations on federal government departments.

What steps are involved in a PIA?

Some of the key steps in a PIA include:

  • Identifying all of the personal information related to a program or service and then looking at how it will be used;
  • Mapping where personal data is sent after it is collected;
  • Identifying privacy risks and the level of those risks; and
  • Finding ways to eliminate or reduce privacy risks.

How do PIAs protect my information?

The PIA policy has helped to improve the overall awareness of privacy within government institutions. It has focused attention on the potential privacy issues of a number of government programs. The whole process provides a greater level of protection for the personal information that Canadians give to the federal government. A well-functioning PIA practice is key for a sound privacy management framework. A PIA is a tool that helps ensure privacy protection is a core consideration when a project is planned and implemented. PIAs are meant to describe and document what personal information is collected, how it is collected, used, transmitted and stored, how and why it can be shared, and how it is protected from inappropriate disclosure at each step. In short, it is a risk mitigation tool.

Who can look at PIA reports?

Summaries of PIAs, written in easy-to-understand language and in both French and English, must be made available to the public by government departments and agencies.

More detailed information

The Treasury Board is responsible for the government’s PIA policy. Privacy Impact Assessments are explained in greater detail on Treasury Board’s web site at www.tbs-sct.gc.ca. Some key documents are:

The Privacy Impact Assessment Policy:
http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paip-pefr_e.asp

Treasury Board guidelines for applying the Privacy Impact Assessment Policy:
http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paipg-pefrld_e.asp

Treasury Board e-learning course on Privacy Impact Assessments:
http://www.tbs-sct.gc.ca/pgol-pged/piatp-pfefvp/index_e.asp

“The Role of the Privacy Impact Assessment,” speech by a representative of the Office of the Privacy Commissioner of Canada:
http://www.privcom.gc.ca/speech/2004/sp-d_040310_e.asp

February 2007