PIA Expectations of the OPC Lara McGuire Ives Manager, Privacy Impact Assessment Review May 6, 2011


Page 1: PIA Expectations of the OPC - International Association of ... · • Approved PIA sent to TBS with proposed new or modified Personal Information Bank (PIB) – TBS only reviews mandatory

PIA Expectations of the OPC

Lara McGuire Ives, Manager, Privacy Impact Assessment Review

May 6, 2011

Page 2

Structure of Presentation

Purpose of Conducting a PIA

Overview of Policy Framework & PIA Requirements

OPC PIA Expectations

OPC PIA Review Process

Page 3

Purpose of Conducting a PIA

• Help to identify and resolve privacy risks

• Ensure that privacy protections are incorporated into program design

• Compliance with Privacy Act and relevant government policies/directives

• Public accountability

Page 4

Stakeholders in Federal Government PIA Process

• Federal departments and agencies

• Treasury Board Secretariat (TBS)

• Office of the Privacy Commissioner (OPC)

• Canadian public

Page 5

TBS Privacy & Data Protection Framework

• 19 Policies and Guidelines

• 2 Acts/Regulations

• 4 Directives

Page 6

TBS Directive on PIA

• Replaced previous PIA Policy (2002)

• Goal to streamline process to ensure that a PIA is conducted in a manner that is commensurate with the privacy risks identified and respects the operating environment of the government institution

Page 7

A PIA is Required When…

• Personal information is used as part of a decision-making process directly affecting the individual

• Substantial modifications are made to existing programs/activities where personal information is used or intended to be used for an administrative purpose

• Contracting out/transferring of a program to another level of government or private sector results in substantial modifications

Page 8

Requirements of TBS Directive on PIA

• 6.3.2 - Appropriate senior official must determine whether a PIA is warranted in cases where no decisions are made about individuals or whether privacy protocol is adequate to address impact on privacy

Page 9

Directive on PIA – Multi-institutional Programs

• Lead institution to be appointed

• Interdepartmental committee to be coordinated

• Appropriate approach for completion of PIA(s) to be determined and documented

• Lead must oversee initial collection and any disclosures to partner institutions

Page 10

Directive on PIA – Review Requirements

• PIAs approved internally by:

– Section 10 responsibility

– “Appropriate” senior officials

– Legal services if necessary

• Approved PIA sent to TBS with proposed new or modified Personal Information Bank (PIB)

– TBS only reviews mandatory requirements of the core PIA for purposes of PIB registration

• PIA simultaneously provided to the OPC

– Authority to request documentation, discretion to review/offer comments

Page 11

TBS “Core” PIA

• Appendix C of the Directive

• Contents of core are mandatory, though use of TBS template is not

• There will be instances when a full-fledged PIA is required

Page 12

TBS “Core” PIA Components

1) Overview/Initiation

2) Risk Area Identification and Categorization

3) Analysis of Personal Information Elements

4) Flow of Personal Information

5) Privacy Compliance Analysis

6) Summary of Analysis/Recommendations

7) Supplementary Documents

8) Formal Approval

Page 13

OPC PIA Expectations

• Distinction between roles of OPC/TBS

• Type and depth of information needed by OPC to fulfill its role as guardian of Canadians’ privacy rights differs from basic requirements of core

• The core PIA template may be appropriate in certain cases but still must be filled out appropriately and contain enough information for OPC’s review

Page 14

For example…

Section II – Risk Area Identification

Page 15

OPC Expectations Document

Intent

• Shed light on OPC processes for analysing privacy risks associated with government initiatives

• Set out expectations regarding type and depth of information to include in a PIA

• Help customize PIA format building upon mandatory content of core PIA

Page 16

OPC’s Expectations Document

Four-part test

Privacy principles

Action plan

Multi-institutional guidance

Checklists

Page 17

OPC’s Four-Part Test

• Designed to have institutions assess broader privacy risks and societal impacts of certain programs from the outset

• Based on Canadian jurisprudence and recognition of the quasi-constitutional status of the right to privacy

• Meant for particularly intrusive/privacy-invasive initiatives

Page 18

OPC’s Four-Part Test

Institution to respond to the following questions at outset of PIA:

• Is the measure demonstrably necessary to meet a specific need?

• Is it likely to be effective in meeting that need?

• Is the loss of privacy proportional to the need?

• Is there a less privacy-invasive option?

Page 19

Case Study

CATSA Millimetre Wave Scanner

• OPC first consulted in 2007 during pilot

• Privacy a consideration from outset of inherently privacy-invasive program

• Application of 4-part test to address the necessity, proportionality, effectiveness and intrusiveness of initiative

• Demonstrative of how PIAs should function

Page 20

OPC’s Expectations Document

The Privacy Principles

• Provide an accessible and logical framework for completing a privacy analysis

• Ensure programs are designed with privacy in mind

• Demonstrate security of information when held by government institutions

Page 21

OPC’s Expectations Document

Action Plan

• Timeframe for mitigating identified risks

• Should be revisited and updated on an ongoing basis

• Include auditing/compliance reporting schedule

Page 22

OPC’s Expectations Document

Multi-Institutional PIAs

• Reiterates guidance from TBS Directive

• Need for leadership role from one institution

• Overarching PIA to provide a foundation for expected privacy practices for all partners

Page 23

OPC’s Expectations Document

Checklists

• Recommended PIA format

– To ensure complete assessments are conducted

• Associated documentation

– Those considered integral to a thorough review of risks

Page 24

OPC PIA Review Process

• Triage

– Resources focused on initiatives which pose the greatest risk to privacy

• Documentation review

• Consultation

• Recommendations issued

• Institutional response

Page 25

Changes to OPC’s Review Process

• Nature and number of recommendations

• ‘Big picture’ rather than ‘in the weeds’

• Focus on working with institutions to address privacy risks

• Increase in consultations

Page 26

Useful Links

• OPC Expectations Document: http://www.priv.gc.ca/information/pub/gd_exp_201103_e.cfm

• OPC Guidance Document - A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century: http://www.priv.gc.ca/information/pub/gd_sec_201011_e.cfm

• OPC Audit Report on the Privacy Management Frameworks of Selected Federal Institutions: http://www.priv.gc.ca/information/pub/ar-vr/pmf_20090212_e.cfm

• CSA Model Code for the Protection of Personal Information: http://www.csa.ca/cm/ca/en/privacy-code/publications/view-privacy-code

Page 27

Useful Links

• TBS Privacy and Data Protection Policies and Publications: http://www.tbs-sct.gc.ca/pubs_pol/gospubs/tbm_128/siglist-eng.asp

• Directive on PIA: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?section=text&id=18308

• Policy on Privacy Protection: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12510

• Directive on Privacy Practices: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?section=text&id=18309
