Privacy Impact Assessment
ARMA Workshop, April 5, 2006
Alec Campbell


Introduction

What is a PIA? A formal assessment of the privacy implications associated with a given project, initiative, or collection of records, usually in reference to applicable legislation or policy.

Who in the audience has participated in a PIA before?


Agenda

Today’s discussion:
• Overview of selected PIA templates and approaches
• The Alberta OIPC PIA process and template in more detail, if you wish
• Key issues in PIA planning and preparation


Introduction

• PIAs have become a critical tool in privacy management
• PIAs are proactive, not reactive
• Well-suited to risk management
• Provide evidence of due diligence
• Inspired by the environmental impact assessment
• Formal PIA processes have taken some time to develop, and there is still no widespread standard


Overview of Approaches

• Federal approaches: Treasury Board Secretariat
• Selected provincial approaches: BC, Ontario, Alberta (in detail)
• Private sector approaches: Canadian Institute of Chartered Accountants (CICA)


Federal Approach

Treasury Board Secretariat: http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/siglist_e.asp

• Institutions must develop and maintain Privacy Impact Assessments
• PIA Guidelines: A Framework to Manage Privacy Risks
• Institutions seeking approval from the Treasury Board pursuant to the Project Approval Policy must include the results of the PIA
• Departments are urged to consult the Privacy Commissioner, but are not required to


TBS PIA Process


Federal Approach: TBS PIA Guidelines Table of Contents

Introduction
• Purpose
• Proceeding with a PIA
• Process Overview
• Detailed Process Description

Part 1: Project Initiation/Needs Assessment
• Defining Resource Requirements

Part 2: Documenting the Data Flow
• Business Process Diagram
• Data Flow Tables

Part 3: Privacy Analysis
• Questionnaire A: For federal programs and services
• Questionnaire B: Cross-Jurisdictional Program and Service Delivery

Part 4: Privacy Impact Analysis Report
• Reviewing the Results
• Summary Table
• Privacy Impact Analysis Report
• Addressing Risks


Provincial Approaches

BC: PIAs mandatory under the FOIP Act, not under PIPA. Not reviewed by the IPC.

Ontario: PIAs required for major projects by Ontario Government policy. Not mandatory under FIPPA, MFIPPA or PHIPA.

Alberta: PIAs not mandatory under the FOIP Act or PIPA, but mandatory under the HIA. The OIPC must review HIA PIAs and usually reviews Government of Alberta (GoA) PIAs. The OIPC’s PIA review function is unique among IPCs.


Provincial Approaches: BC
http://www.mser.gov.bc.ca/privacyaccess/PIA/PIAprocess.htm

A PIA needs to be completed for all new initiatives.

PIA Contents:
• Basic Information
• Descriptive Information
• Personal Information Collection
  (1) Authorization for Collection
  (2) How will the personal information be collected?
  (3) Notification to collect information
• Use of Personal Information
• Disclosure of Personal Information
• Accuracy and Correction of Personal Information
• Security Arrangements for the Protection of Personal Information
• Retention of Personal Information
• Director/Manager of Information and Privacy (DMIP) or FOIPP Coordinator Review
• Signatures


Provincial Approaches: Ontario

http://www.accessandprivacy.gov.on.ca/english/pia/index.html

Annual Information and Information Technology (I&IT) plans submitted to Ministry of Government Services (MGS) must include a Privacy Impact Assessment where proposals may affect client privacy.


Provincial Approaches: Ontario

Process

Conceptual Analysis
• Prepare a plain language description of the scope and business rationale of the proposed initiative
• Identify in a preliminary way potential privacy issues and risks, and key stakeholders
• Provide a detailed description of essential aspects of the proposal, including a policy analysis of major issues
• Document the major flows of personal information
• Compile an environmental issues scan to review how other jurisdictions handled a similar initiative
• Identify stakeholder issues and concerns
• Assessment of public reaction

Data Flow Analysis
• Analyze data flows through business process diagrams, and identify specific personal data elements or clusters of data
• Assess the proposal’s compliance with FOI and privacy legislation, relevant program statutes, and broader conformity with general privacy principles
• Analyze risk based on the privacy analysis of the initiative, and identify possible solutions
• Review design options, and identify outstanding privacy issues/concerns that have not been addressed
• Prepare a response for unresolved privacy issues

Follow-up Analysis
• Review and analyze physical hardware and system design of the proposed initiative to ensure compliance with privacy design requirements
• Provide a final review of the proposed initiative
• Conduct a privacy and risk analysis of any new changes to the proposed initiative relating to hardware and software design to ensure compliance with FOI and privacy legislation, relevant program statutes, and broader conformity with general privacy principles
• Prepare a communications plan


Provincial Approaches: Ontario

Relevant Factors to Consider

PEOPLE: Consider ongoing management, privacy training programs, general organizational awareness of privacy and security issues, the level of knowledge required to perform specific functions, the availability of manuals and other forms of guidance, and mechanisms for communicating privacy and security policies.

PROCESS: Consider what information is collected, why and how it is collected, how privacy and security are ensured operationally, and what mechanisms are in place to provide individual access to information.

ENVIRONMENT: Consider the physical space where information is stored, physical security measures, the availability of secure document disposal facilities, and processes for secure disposal of old information technology (e.g., personal computers, legacy servers, etc.) that may hold personal information.

TECHNOLOGY: Consider system design characteristics, data security and integrity measures, access controls, and audit trails.


Provincial Approaches: Ontario

Analytical Approaches

Flow Charts: Most useful for relatively simple applications. Flow charts provide a good general sense of program steps and data flows, along with an outline of the relationships among these elements and the progression between them.

Structured Analysis: Identifies the major steps in a program and then breaks these steps down, according to function, until the project can be represented as a progression through a series of small steps. This is a good way of reducing very complex projects into manageable components.

Object-oriented Analysis: Combines the mapping of processes with the mapping of the data flows attached to those processes. It sets out the processes and the organization of these processes (i.e. the architecture), and specifies which data are being used and where in each process they are being used.


Provincial Approaches: Alberta
http://www.oipc.ab.ca/pia/

• Unlike other jurisdictions, Alberta’s PIA template comes from the IPC, not government
• Privacy impact assessments are mandatory under the HIA; the HIA team at the OIPC requires use of the AB template
• PIAs are not mandatory under the FOIP Act; the FOIP team at the OIPC does not necessarily require use of the OIPC template
• The IPC reviews but will not "approve" a PIA. If satisfied, the Commissioner will "accept" the PIA. Acceptance is not approval; it merely reflects the IPC’s acceptance that the organization has made reasonable efforts to protect privacy
• The IPC does not review PIAs under PIPA


Provincial Approaches: Alberta – CRITICAL COMPONENTS

Organizational Privacy Management
• Organizational strategic plan or business plan addressing privacy protection
• Organizational privacy policy or privacy charter
• Organizational privacy procedures, guidelines and controls
• Physical security and access control documentation
• IT security and access control documentation
• Records management policies and procedures for personal information

Project Privacy Management
• Project summary and description
• Listing of all personal information or personal data elements for project
• Personal information data flow diagram
• Personal information access documentation ("access matrix")
• Statutory authority documentation
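The project-level artefacts above (the listing of personal data elements, the data flow diagram, the access matrix and the statutory authority documentation) and the TBS data flow tables and privacy analysis earlier in this deck are documents, but once they are written down in a structured form they can be checked mechanically for the gaps a reviewer looks for. The following is an added example written for this page; it is not OIPC or TBS tooling and the statute names, parties, roles and data elements are constructed placeholders. It models a small benefits program and flags elements with no statutory authority, flows with no purpose or retention period, sensitive elements disclosed to an external party, and roles granted access to elements that none of their processes use (least privilege).

```python
# Added example (not OIPC or TBS code): machine-checkable PIA artefacts.
# All statutes, parties, roles and data elements below are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DataElement:
    name: str
    authority: Optional[str]   # statutory authority for collection; None = undocumented
    sensitive: bool = False


@dataclass(frozen=True)
class Flow:
    """One row of a data flow table: a process moving elements between parties."""
    process: str
    elements: FrozenSet[str]
    from_party: str
    to_party: str
    purpose: str
    retention_days: Optional[int] = None


@dataclass
class AccessMatrix:
    grants: Dict[str, Set[str]] = field(default_factory=dict)  # role -> readable elements
    duties: Dict[str, Set[str]] = field(default_factory=dict)  # role -> processes it performs


def review(elements: List[DataElement], flows: List[Flow], matrix: AccessMatrix,
           internal_parties: Set[str]) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs in a stable order for the reviewer."""
    findings: List[Tuple[str, str]] = []
    inventory = {e.name: e for e in elements}

    # 1. Statutory authority: every collected element must cite one.
    for e in elements:
        if e.authority is None:
            findings.append(("high", f"{e.name}: no statutory authority documented"))

    # 2. Data flow table: elements must be inventoried, purpose and retention
    #    stated, and sensitive elements must not leave the organization.
    used_by_process: Dict[str, Set[str]] = {}
    for f in flows:
        for el in sorted(f.elements):
            if el not in inventory:
                findings.append(("high", f"{f.process}: uses element '{el}' not in inventory"))
        used_by_process.setdefault(f.process, set()).update(f.elements)
        if not f.purpose.strip():
            findings.append(("medium", f"{f.process}: no stated purpose"))
        if f.retention_days is None:
            findings.append(("medium", f"{f.process}: no retention period"))
        if f.to_party not in internal_parties:
            leaked = sorted(el for el in f.elements if el in inventory and inventory[el].sensitive)
            if leaked:
                findings.append(("high", f"{f.process}: discloses sensitive {leaked} "
                                         f"to external party {f.to_party}"))

    # 3. Access matrix, least privilege: a role may only see elements that
    #    some process it actually performs uses.
    for role in sorted(matrix.grants):
        needed: Set[str] = set()
        for proc in matrix.duties.get(role, set()):
            needed |= used_by_process.get(proc, set())
        excess = sorted(matrix.grants[role] - needed)
        if excess:
            findings.append(("medium", f"role {role}: access to {excess} "
                                       f"not needed by any assigned process"))
    return findings


def sample_review() -> List[Tuple[str, str]]:
    """Constructed benefits-program example; every name here is hypothetical."""
    elements = [
        DataElement("name", "Hypothetical Benefits Act s.4"),
        DataElement("address", "Hypothetical Benefits Act s.4"),
        DataElement("health_number", None, sensitive=True),
        DataElement("income", "Hypothetical Benefits Act s.5", sensitive=True),
    ]
    flows = [
        Flow("intake", frozenset({"name", "address", "health_number"}),
             "applicant", "benefits_unit", "determine eligibility", 730),
        Flow("payment", frozenset({"name", "income"}),
             "benefits_unit", "finance", "issue payment"),
        Flow("analytics_export", frozenset({"address", "income"}),
             "benefits_unit", "external_vendor", "", 30),
    ]
    matrix = AccessMatrix(
        grants={"clerk": {"name", "address", "health_number"},
                "analyst": {"name", "address", "income", "health_number"}},
        duties={"clerk": {"intake"}, "analyst": {"analytics_export"}},
    )
    return review(elements, flows, matrix, {"applicant", "benefits_unit", "finance"})


if __name__ == "__main__":
    for severity, text in sample_review():
        print(f"[{severity}] {text}")
```

Running it lists five findings: the undocumented authority for the health number, the missing retention period on the payment flow, the missing purpose and the external disclosure of income on the analytics export, and the analyst role's access to two elements no process of theirs uses. The value of keeping the inventory, flow table and access matrix in this structured form is that the same checks can be re-run whenever the project changes, which is exactly the "updated PIA" trigger the later slides ask for.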


Private Sector Approaches

AICPA/CICA Privacy Framework
• Developed jointly by the American and Canadian CA associations
• Based on principles similar, but not identical, to the CSA Model Code
• Includes general guidelines and evaluation criteria
• Comprehensive: 90 pages

CICA Privacy Framework


Issues in PIA Planning and Preparation

Why do it?

Due diligence
• If you have a privacy complaint later, having done a PIA will demonstrate efforts to protect privacy

Risk management
• A PIA will identify potential privacy risks before they materialize, allowing you to take measures to prevent problems
• Risks: IPC inquiry costs, loss of stakeholder trust, bad publicity, cost of retroactive privacy measures, legal costs, etc.

Cost containment
• A PIA will often cost less than a privacy breach resulting from a failure to do the PIA.


Issues in PIA Planning and Preparation

Who should do it?
• Those who will be responsible for the project or initiative after it is up and running; they have to know the privacy issues
• Involve all responsible business areas, actively
• If it’s an IT project, make sure both IT and the business area are involved, not just the development team
• If the project is complex or it’s your first PIA, bring in a consultant, but you should not need a consultant for every PIA
• PIA findings should be approved by the senior manager responsible for the project


Issues in PIA Planning and Preparation

When to do it?
• As early in project planning as possible
• Need to know PI data elements and flows to complete it
• For IT projects, make it part of the system design phase
• For administrative and management projects, do the PIA after process design but before implementation
• The need for a PIA, or lack thereof, should be part of the project proposal or business case.


Issues in PIA Planning and Preparation

Some IM requirements related to PIAs:
• Need to document personal information flows
• All project planning information needs to be accessible and available to the PIA team
• Once completed, the PIA should be easily and widely accessible, with the possible exception of some security information
• Once the project is implemented, changes to PI management should be reflected in an updated PIA, so related triggers are needed, which will involve IM
• For large organizations, it is useful to establish a repository of PIAs. Include PIAs from other organizations similar to yours; use the OIPC repository as a starting point. Consider sector-wide repositories? Provides guidance for future PIAs.


Provincial Approaches: Alberta

Alberta PIA Template & Instructions

Show of hands:

How many in the audience are familiar with the Alberta template?

http://www.oipc.ab.ca/pia


Where to Get More Information

• See the URLs above for PIA sources
• Consult your FOIP Coordinator or HIA privacy officer
• List of Alberta consultants available from AGS at [email protected]

Alec Campbell, Principal, Excela Associates Inc.
[email protected]


Discussion

Questions? Concerns? Examples? Good or bad experiences?

