Archived - Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived.

1. Introduction

The guidelines are intended to provide a comprehensive framework for the completion of a Privacy Impact Assessment (PIA). They convey practical advice on the application of the Government of Canada's Privacy Impact Assessment Policy.

A PIA is a process that helps departments and agencies determine whether new technologies, information systems and initiatives or proposed programs and policies meet basic privacy requirements. It also assists government organizations to anticipate the public's reaction to any privacy implications of a proposal and as a result, could prevent costly program, service, or process redesign.

A checklist to determine when to do a PIA:

  1. Are you:
    • designing a new program or service,
    • making significant changes to an existing program or service, or
    • converting from a conventional service delivery mode to an electronic service delivery mode and you have outstanding privacy issues and no PIA?
  2. Does the program require you to collect, use or disclose any personal information, such as name, address, age, identifying number, educational, medical or employment history, etc.?
  3. Will the program require that you collect, use or disclose more personal information or more sensitive personal information than in the past? Are you shifting from informed consent to indirect collection of personal information?
  4. Will it be necessary to develop mechanisms to notify individuals about their privacy rights or to obtain the consent of individuals to collect, use and/or disclose their personal information?
  5. Will the program require you to collect personal information from other programs within your institution, other institutions, other governments or the private sector?
  6. Will the personal information generated by the program be used in decision-making processes that directly affect individuals, such as eligibility for programs or services or in enforcement activities?
  7. Will the personal information generated by the program be used for any other purposes, including research and statistical purposes?
  8. Will the personal information be shared with any other organizations for any purposes other than for which it was originally collected?
  9. Are you introducing new common client identifiers or are you using the SIN without any legislative authority?
  10. Do you anticipate that the public will have any privacy concerns regarding the proposed program or service?
  11. Are you introducing changes to the business systems or infrastructure architecture that affect the physical or logical separation of personal information or the security mechanisms used to manage and control access to personal information?

The Privacy Impact Assessment Guidelines are based upon the universal privacy principles identified in the Canadian Standards Association's Model Code for the Protection of Personal Information in addition to federal privacy legislation and policies.

The PIA process is similar to a continuous risk management approach: it includes planning, analysis and education activities, and has four core components:

  • Project initiation
  • Data flow analysis
  • Privacy analysis
  • Privacy impact analysis report

Conducting a PIA is a cooperative process that brings together a variety of skill sets to identify and assess privacy implications. The PIA process is meant to be adapted to fit a particular departmental application.

A choice of two questionnaires is provided in the Privacy Analysis section, one to accommodate federal programs and services and a second designed for cross-jurisdictional initiatives.

Goals of a Privacy Impact Assessment

A key goal of the PIA is to effectively communicate the privacy risks not addressed through other departmental mechanisms. The PIA is intended to contribute to senior management's ability to make fully informed policy, system design and procurement decisions.

Specific goals of a PIA include:

  • Building trust and confidence with citizens;
  • Promoting awareness and an understanding of privacy issues;
  • Ensuring that privacy protection is a key consideration in the initial framing of a project's objectives and activities;
  • Identifying a clear accountability for privacy issues so that it is incorporated into the role of project managers and sponsors;
  • Reducing the risks of having to terminate or substantially review a program or service after its implementation in order to comply with privacy requirements;
  • Providing decision-makers with the information necessary to make informed policy, system design or procurement decisions based on an understanding of the privacy risks and the options available for mitigating those risks; and
  • Providing basic documentation on the business processes and flow of personal information for common use and review by the department's staff and as the basis for consultations with stakeholders, specifications, information privacy procedures, and communications.

2. Purpose

These guidelines aim to present a comprehensive framework to conduct a Privacy Impact Assessment (PIA). The PIA ensures that privacy principles and legislation are considered and adhered to throughout the lifecycle of a new program, service or initiative and where appropriate, for existing initiatives undergoing service transformation or redesign. Refer to Archived – Privacy Impact Assessment Policy.

3. Proceeding with a PIA

The following chart summarizes the different steps of the PIA process.

[Chart: steps of the PIA process]

What is a PIA?

A Privacy Impact Assessment is a process to determine the impacts of a proposal on an individual's privacy and ways to mitigate or avoid any adverse effects.

4. Process Overview

Step 1: Project Initiation

One of the first steps is to determine the scope of the PIA and to adapt the tools provided in the guidelines to the context.

If the initiative is at the early concept or design stage and detailed information is unknown, then departments and agencies should consider conducting a Preliminary Privacy Impact Assessment (Preliminary PIA). Once the initiative evolves and there are privacy risks, departments and agencies are required to conduct a full PIA.

Preliminary PIAs may also be conducted in unusual cases where, after reviewing the policy and guidelines and obtaining expert advice, the need for a PIA remains uncertain.

A PIA is a dynamic process and as design changes occur in the business processes, the PIA should also be reviewed and updated.

Step 2: Data Flow Analysis

This activity involves a description and analysis of the business processes, architecture and detailed data flows contemplated for the proposal. The purpose of this step is to depict the personal information flows.

Step 3: Privacy Analysis

The privacy analysis examines the data flows in the context of applicable privacy policies and legislation. Questionnaires are used as a checklist that facilitates the identification of major privacy risks or vulnerabilities associated with the proposal.

There are two sets of questionnaires provided in the guidelines. Please refer in the Annexes to Questionnaire A for federal programs and services and to Questionnaire B for cross-jurisdictional initiatives.

Step 4: Privacy Impact Analysis Report

Building upon the outcomes from the previous steps, this is the final and most critical component of the privacy impact assessment process. This is a documented evaluation of the privacy risks and the associated implications of those risks along with a discussion of possible remedies or mitigation strategies.

The PIA report is designed as an effective communications tool used by a variety of stakeholders.

Common privacy risks associated with improved service delivery include:

Data profiling/data matching:
combining unrelated personal information obtained from a variety of sources to create new information about an individual or using information about an individual's preferences and habits to build a profile on the individual.
Transaction Monitoring:
observing or tracking the history of an individual's interaction with one or more programs or services. This usually results in creation of new personal information describing an individual's overall experience with one or more programs.
Identification of Individuals:
electronic service delivery generally requires identification of an individual and authentication of their identity as a way of managing security risks. Surveillance risks exist where the use of common identifiers or identification systems facilitates data sharing, profiling or transaction monitoring.
Physical observation of individuals:
tracking the movement or location of an individual through the use of vehicle transponders, satellite locators, cameras or mechanisms for recording an individual's use of kiosks.
Publishing or re-distribution of public databases containing personal information:
electronic publishing frequently eliminates the practical limits on the misuse of information that existed in manual form, as the information can be easily manipulated and used for purposes entirely unrelated to its intended use.
Lack of or doubtful legal authority:
failure to identify clear program authority to collect, use or disclose personal information raises concerns about whether an initiative should be undertaken, both on the privacy front and with respect to the Charter of Rights and Freedoms Act.

5. Detailed Process Description

5.1 Part 1: Project Initiation/Needs Assessment

The very first step of the PIA process is to determine whether it is required.

The first question a departmental official needs to ask in determining whether to conduct a PIA is, "Is personal information being collected, used or disclosed in this initiative?"

If the answer is "no" then a PIA is not warranted.

If the answer is "yes" or "maybe", departmental officials should then examine the checklist provided on the first page of the guidelines and the list of indicators in the Project Initiation section of the Archived – Privacy Impact Assessment Policy.

The primary rationale for choosing to conduct a Preliminary PIA instead of a full PIA is that a proposal is at an early design stage and lacks sufficient information to conduct a full PIA. In exceptional circumstances, a Preliminary PIA can also be conducted if there appears to be uncertainty whether the proposal involves privacy issues. Since the PIA is a continuous process that requires updating to reflect program, service or system changes, the results of a Preliminary PIA should facilitate developing a full PIA.

The Preliminary PIA will not be as comprehensive as the PIA but will serve to indicate to departmental program managers whether or not there are significant privacy risks for a proposal. Refer to Annex B for an example of a Table of Contents for a Preliminary PIA.

The minimal amount of information to be included in a Preliminary PIA is described in the PIA Policy.

Refinement of the privacy impact assessment tool is an ongoing process. Representatives from departments and agencies are encouraged to adapt it to fit their particular needs.

Project Charters, plans and the business case as required by the Enhanced Management Framework at: should be used to determine the scope of the PIA and to situate all PIA team members into the proper context. These documents also form the basis of the written description of the proposal.

By conducting a Preliminary PIA, institutions can also estimate their resource requirements, including the knowledge and skills needed to develop and maintain the PIA.

Generic or Overarching PIAs

As stipulated in the PIA Policy, departments and agencies should consider undertaking generic or overarching PIAs where proposals are similar or interrelated because individual PIAs would be a duplication of effort. An example of this situation is the use of one overarching PIA in lieu of conducting individual PIAs to cover a number of statistical survey requirements that have almost identical collection, use and disclosure processes. Generic PIAs may also apply to the current Government On-Line service clusters and portals.

5.1.1 Defining Resource Requirements

The nature and extent of resources required for a PIA will vary depending on the scope and complexity of the proposal.

Accountability for compliance with privacy requirements rests with deputy heads of an institution. Consequently, a deputy head may choose to designate a senior executive such as the senior privacy coordinator.

Involvement of the departmental senior privacy coordinator will facilitate the communications with the Privacy Commissioner's Office and help zero in on privacy risks.

The completion of a privacy impact assessment may need to draw upon a wide range of skill sets that would likely include:

Privacy expertise:
to provide advice and recommendations with respect to relevant program statutes, the Privacy Act and the Access to Information Act, privacy issues, current privacy developments, national and international privacy standards, etc.
Legal expertise:
to provide advice and recommendations with respect to privacy and program authorities, institutional oversight mechanisms and potential conflicts where multiple statutes or jurisdictions are involved, etc.
Operational program and business design skills:
to examine proposals in terms of business flow and context, stakeholder analysis, public/private partnerships, governance structures and feasibility in terms of mitigation strategies, etc.
Technology and systems expertise:
to provide technical and systems advice on mainframe and legacy systems, Internet tools and system interfaces, information security, technical architecture and data flows, etc.
Information and records keeping skills:
to provide advice on how records are kept and the retention of information.

It is important to recognize that only one individual should be assigned responsibility for the co-ordination and completion of the PIA. For a cross-jurisdictional initiative, the multi-disciplinary approach will likely involve individuals from each of the jurisdictions.

To assess the overall effectiveness of the policy and guidelines, departments and agencies may choose to involve their internal auditors. Please read the policy section referring to Institution Officials.

5.2 Part 2: Documenting the Data Flow

The essential starting point in any PIA is the description and analysis of the business context, the information flows involved in program delivery and the systems and infrastructure architectures. Business process diagrams permit a graphical description of the proposed business processes. The data flow tables describe the collection, use and disclosure of personal information in the business process. System and infrastructure architectures document any physical or logical separation of personal information or security mechanisms that prevent improper access to personal information or maintain any required separation.

5.2.1 Business Process Diagram

Any business activity associated with a program involves the management of information and consists of four elements:

  1. information collection
  2. transaction processing
  3. the results of transaction processing (e.g. a decision or issuance of a benefit)
  4. the record of the foregoing three elements.

A Business Flow Diagram simply identifies how information flows through the organization as a result of a particular business activity or activities. At a minimum, the diagram should identify, at a general level, the major components of the business processes and how personal information is collected, used, disclosed and retained through this process.

This diagram may be prepared using any of a number of methodologies, depending on the nature and complexity of the proposal. However, since the diagram is a critical communications vehicle, the instrument selected should be readily understood by officials from various backgrounds.

System and Infrastructure architecture diagrams and information can also be used to analyze inherent privacy risks based on the design of the program or service.

5.2.2 Data Flow Tables

While a diagram provides the "big picture" of a particular business activity, the details needed to conduct a privacy impact assessment are derived from the construction of a detailed Data Flow Table. These tables are based on the business process diagram and follow each data element or cluster from collection, through use and disclosure, to disposition. The following example is intended to illustrate the concept.

The Data Flow Table has the following columns (the example is a blank template, completed once per personal information cluster):

  • Description of personal information cluster
  • Collected by
  • Type of format (e.g. paper, electronic)
  • Used by
  • Purpose of collection
  • Disclosed to
  • Storage or retention site

In describing the data cluster please ensure that you identify and describe all the personal data elements.

5.3 Part 3: Privacy Analysis

There are two questionnaires provided in this section; please complete either questionnaire A or B.

Questionnaire A (5.3.1) provides a series of questions derived from the requirements of the Privacy Act that dovetails with the universal privacy principles. The questions form a general template for the privacy analysis that should be adapted for each proposal.

Questionnaire B (5.3.2) provides a series of questions derived from the universal privacy principles and is intended for cross-jurisdictional programs or services.

The privacy analysis consists of yes/no responses to a series of questions along with a comments section. An "N/D" (not determined) response may apply for situations where project planning is at an early stage. An "N/A" (not applicable) can be inserted where questions are not applicable.

Where appropriate, a section of the Privacy Act is cited at the end of the question (e.g. s. 4).

The "Provide Details" column should be used to explain specifically how a particular requirement is met or why it is not met, or should be used to provide specific authoritative references.

"Discussion Points" related to the questions are placed at the end of each section.

An operating assumption for the development of the cross-jurisdictional PIA is that individual jurisdictions should complete their own PIA based on their specific statutory and policy provisions.

If a response in either of the questionnaires indicates that the proposal has no legal authority to collect, use or disseminate personal information, then immediately consult a departmental legal advisor to determine whether to proceed any further with the initiative.

The results from completing the questionnaire will be used to form the basis of the PIA Report.

5.3.1 Questionnaire A: For Federal Programs and Services

Privacy Act Principle 1: Accountability for Personal Information

(Columns: Questions For Analysis | Yes | No | N/D or N/A | Provide Details)

1.1 Has responsibility for the PIA been assigned?
Please indicate in the details column the name and position of the person responsible.

1.2 Has the custody and control of personal information been determined?

1.3 Has the accountability of the program custodian of personal information been documented?

1.4 Are the performance requirements of the custodian set out in a measurable way and subject to performance and compliance reviews?

1.5 Are third parties including the private sector involved in the custody or control of the personal information?

1.6 If third parties or private sector parties are involved, do you have an agreement in place that establishes privacy requirements?

1.7 If yes to 1.5, are the requirements of the Personal Information Protection and Electronic Documents Act applicable if the proposal involves the private sector?

1.8 Will the department be provided with the results of regularly scheduled audits and compliance checks on the privacy requirements of all involved parties?

1.9 Are the requirements for the Treasury Board Policy on Privacy and Data Protection being followed?

1.10 Are there any requirements in program legislation or policies on the management of personal information that affect the proposal?

Discussion Points:


Privacy Act Principle 2: Collection of Personal Information

(Columns: Questions For Analysis | Yes | No | N/D or N/A | Provide Details)

2.1 What is your authority to collect personal information?
Please indicate the authority. If there is no authority, please consult with your legal advisor to determine if there is authority to proceed.

2.2 Is the personal information collected directly related to an operating program or activity? s. 4

2.3 Is personal information being collected directly from the individual? s. 5(1)
If no, why not?

2.4 Have the purposes for which the personal information is collected been documented? s. 4
If yes, provide specifics.

2.5 Is all the personal information collected necessary to the operating program or activity?

2.6 Is there notice at the collection stage that identifies the specific purposes for the collection, the authority for doing so and the individual serving as official contact? s. 5(2)

2.7 Is the notice associated with the collection of personal information available and consistent across all mediums of collection? s. 5(2)

2.8 Are secondary uses contemplated for the information collected? s. 7
If yes, describe them in the details column.

2.9 If personal information is to be used or disclosed for a secondary purpose not previously identified, is consent required? s. 7 & 8

2.10 If consent is not required for secondary purpose use or disclosure, is there authority for the use or disclosure? s. 7 & 8

2.11 Is information anonymized when used for planning, forecasting and/or evaluation purposes?

2.12 Is personal information collected from a public database?

2.13 Will quality assurance or security activities result in the collection of additional personal information?

2.14 Does the program or activity involve the collection through a common client identifier?
If yes, provide details about the identifier.

Discussion Points:


Privacy Act Principle 3: Consent

(Columns: Questions For Analysis | Yes | No | N/D or N/A | Provide Details)

3.1 Is consent obtained directly from the individual?
If not, why not?

3.2 How is consent obtained?

3.3 Does consent require a positive action by an individual rather than being assumed as a default? s. 5, 7 & 8

3.4 If yes to 3.1, is the consent clear and unambiguous?

3.5 If consent is sought, is the form of consent likely to stimulate negative reaction (for example, opt-in or opt-out)?

3.6 Can an individual refuse to consent to the collection or use of personal information for a secondary purpose, unless required by law?

3.7 Would the refusal of an individual to consent to the collection or use of personal information for a secondary purpose disrupt the level of program service provided to the individual?

3.8 Are standards and mechanisms in place to ensure that the individual has capacity to give consent? s. 77(1)(m)

3.9 Are standards and mechanisms in place to ensure the recognition of persons authorized to make decisions on behalf of others (e.g. a minor or incapacitated person)? If not, why not? s. 77(1)(m)

Discussion Points:


Privacy Act Principle 4: Use of Personal Information

(Columns: Questions For Analysis | Yes | No | N/D or N/A | Provide Details)

4.1 What is your authority to use personal information? Please indicate the authority.
If there is no authority, please consult your legal advisor to determine the authority to proceed with the proposal.

4.2 Is personal information used exclusively for the purpose for which the information was obtained or compiled? s. 7(a)

4.3 Are the uses of the information limited to what a reasonable person would consider appropriate in the circumstances?

4.4 Is personal information used for a purpose for which the information may be disclosed to the program by another institution? s. 7(b)

4.5 Are personal identifiers, such as a social insurance number, used for the purposes of linking across multiple databases?

4.6 Where data matching takes place, is it consistent with the stated purposes for which the personal information is collected?

4.7 Where personal information is used for data matching, have the requirements of the Treasury Board Secretariat Policy on Data Matching been identified?

4.8 Does the data matching activity require a notification to the Privacy Commissioner?

4.9 Is there an activity log attached to the personal information record to record uses not in the Index of Personal Information Banks? s. 9(1)

4.10 Is personal information used for a consistent purpose that is not identified in a personal information bank? s. 9(4)

Discussion Points:


Privacy Act Principle 5: Disclosure and Disposition of Personal Information

(Columns: Questions For Analysis | Yes | No | N/D or N/A | Provide Details)

5.1 Is personal information disclosed with the consent of the individual? s. 8(1)

5.2 If personal information is not disclosed with consent, has the specific authority for disclosure been identified? s. 8(2)
If there is no authority to disclose personal information, please consult your departmental legal advisor.

5.3 Are personal identifiers, such as a social insurance number, disclosed?

5.4 Is the personal information to be disclosed limited to the purpose of disclosure?

5.5 Is personal information disclosed for a purpose that is not identified in a personal information bank? s. 9(4)
If yes, what is the method planned for disposal?

5.6 Will personal information be processed, disclosed or retained outside of Canada?

5.7 Is there an activity log attached to the personal information record to record the purposes of disclosure not listed in the Index of Personal Information Banks? s. 9(1)

5.8 Is the personal information scheduled for retention and disposition? s. 6(1) & (3)
If yes, identify where in the details column.

5.9 Where personal information is disclosed for data matching, have the requirements of the Treasury Board Policy on Data Matching been identified?

Discussion Points:


Privacy Act Principle 6: Accuracy of Personal Information

(Columns: Questions For Analysis | Yes | No | N/D or N/A | Provide Details)

6.1 Will steps be taken to ensure that the personal information is accurate, complete and up-to-date? s. 6(2)

6.2 Does the record of personal information indicate the date of the last information update?

6.3 Is a record kept of the source of the information used to make changes?

6.4 Where applicable, is there a procedure, automatically or at the request of an individual, to provide notices of correction to third parties to whom personal information has been previously disclosed? s. 12(2)(c)

6.5 Is there a record kept with respect to requests for a review of errors or omissions, and of corrections or decisions not to correct? s. 12(2)(b)

6.6 Is there a clearly defined process by which an individual may access, assess and discuss or dispute the accuracy of the record? Please briefly describe the steps.

Discussion Points:


Privacy Act Principle 7: Safeguarding Personal Information

(Columns: Questions For Analysis | Yes | No | N/D or N/A | Provide Details)

7.1 Has a Threat and Risk Assessment been completed?

7.2 Have security procedures for the collection, transmission, storage and disposal of personal information, and access to it, been documented?

7.3 Are program and information technology staff trained in the requirements for protecting personal information and are they aware of the relevant policies regarding breaches of security or confidentiality?

7.4 Are there controls in place for any process to grant authorization to modify (add, change or delete) personal information from records?

7.5 Is the system designed so that access and changes to personal information can be audited by date and user identification?

7.6 Are user accounts, access rights and security authorizations controlled by a system or record management process?

7.7 Are access rights only provided to users on a "need to know" basis consistent with the stated purposes for which the personal information was collected? s. 5(2)

7.8 Are security measures commensurate with the sensitivity of the information recorded?

7.9 Are there contingency plans and documented procedures in place to identify and respond to security breaches or disclosures of personal information in error?

7.10 Are there documented procedures in place to communicate security violations to the data subject, law enforcement authorities and relevant program managers?

7.11 Is there a plan for quality assurance and audit programs to assess the ongoing state of the safeguards applicable to the system?

Discussion Points:


Privacy Act Principle 8: Openness

(Columns: Questions For Analysis | Yes | No | N/D or N/A | Provide Details)

8.1 Describe how the results of any privacy impact assessment or audit will be made available to the public.

8.2 Are policies and practices relating to the proposal's management and handling of personal information available to the public?

8.3 Is there a communications plan to explain to the public how personal information will be managed and protected?

8.4 Is there a clearly defined and easy process for individuals to access such information and/or communicate with appropriate individuals with respect to policies and practices relating to management and protection of personal information?

8.5 Where appropriate, have key stakeholders been provided with an opportunity to comment on the privacy protection implications of the proposal?

8.6 Where appropriate, will public consultation take place on the privacy implications of the proposal?

8.7 Has the personal information been included in a personal information bank? s. 10

Discussion Points:


Privacy Act Principle 9: Individual's Access to Personal Information

(Columns: Questions For Analysis | Yes | No | N/D or N/A | Provide Details)

9.1 Is the system designed to ensure that an individual can have access to his/her personal information, including all other programs or applications that have received copies of the information? s. 12(10)

9.2 Is the system designed to ensure that an individual has been notified that a correction to his/her information has been made?

9.3 Are all custodians and participants aware of an individual's right of access and the complaint process?

9.4 Are there documented procedures developed or planned on how to initiate privacy requests or requests for the correction of personal information? s. 12(2)

9.5 Has consideration been given to providing individuals "routine" access to their personal information?

9.6 Are individuals provided with access to their personal information in the official language of their choice? s. 17(2)

9.7 If appropriate, are individuals provided with access to their personal information in an alternative format? s. 17(3)

Discussion Points:


Privacy Act Principle 10: Challenging Compliance

(Columns: Questions For Analysis | Yes | No | N/D or N/A | Provide Details)

10.1 Are the complaint procedures for the proposed program or service consistent with legislated requirements? s. 29-35

10.2 To improve information management practices and standards, has a procedure been established to log and periodically review the nature, frequency and resolution of complaints?

10.3 Are there oversight and review mechanisms implemented or available to ensure accountability?

10.4 Have oversight agencies, including the Office of the Privacy Commissioner, issued reports or opinions on issues that would be relevant to the proposal?
If yes, please provide a summary of the above in the details column and append it to the final report.

Discussion Points:


5.3.2 Questionnaire B: Cross-Jurisdictional Program and Service Delivery

The 10 principles listed here reflect the privacy principles captured in the Canadian Standards Association Model Code for the Protection of Personal Information.

Principle 1: Accountability

Questions For Analysis | Yes | No | N/D or N/A | Provide Details

1.1 Has responsibility for the PIA been assigned? Please indicate in the details column the name of the individual(s) responsible.

1.2 Is a separate PIA being undertaken by each jurisdiction?

1.3 Has custody and/or control of personal information been determined for the cross-jurisdictional electronic service delivery proposal, and:
  • Has the accountability of the jurisdictions and individuals in jurisdictions been documented for all privacy requirements?
  • Are the performance requirements of the jurisdictions comprehensively specified in a measurable way, and subject to specific performance or compliance reviews?
  • Where a jurisdiction and/or the private sector is not subject to a privacy law, will an agreement or contract establish equivalent privacy requirements? If yes, is the agreement in place?
  • Will each jurisdiction be provided with the results of regularly scheduled audits and compliance checks on the privacy practices of the cross-jurisdictional service delivery application?

1.4 Have legal opinions or policy advice been sought regarding:
  • the identification of privacy and other statutory requirements of each jurisdiction relating to the collection, use, disclosure, retention and disposal of personal information for the electronic service delivery proposal?
  • the identification of any statutory conflicts among jurisdictions and how the conflicts will be resolved?
  • if required, the authority to transfer jurisdictional program delivery responsibilities to the cross-jurisdictional electronic service delivery application, including a consideration of the authority for the electronic service to collect, use, disclose or retain personal information as necessary on behalf of jurisdictions?
  • if required, the authority to alter or limit in any material way the collection, use or disclosure of personal information as authorized by jurisdictional program statutes and privacy laws for the purpose of delivering service through the cross-jurisdictional application?
  • the identification of any requirements for statutory or program delegation?

1.5 Has each jurisdiction identified all privacy policy requirements related to personal information, and have conflicting requirements been resolved?

1.6 Are the views of Privacy Commissioners on the proposed cross-jurisdictional electronic service delivery proposal known?

If yes, please provide specifics in the details column.

1.7 Have arrangements been made for transparent, documented information systems so that individuals can be informed about how their personal information is collected, used and disclosed?

1.8 Have arrangements been made for independent audit, compliance and enforcement mechanisms for the cross-jurisdictional electronic delivery of services, including fulfillment of the commitments made in the PIA process?

1.9 Does the cross-jurisdictional electronic service delivery proposal entail a privacy risk because accountability for and/or compliance with existing privacy requirements will be diminished?

1.10 Have privacy law and other statutory and policy conflicts among jurisdictions been resolved?

1.11 Where appropriate, have key stakeholders been provided with an opportunity to comment on the privacy protection implications of the cross-jurisdictional electronic delivery of services proposal?

1.12 Where appropriate, will public consultation take place on the privacy risks and the plans for their resolution?

1.13 Is there an Agreement that details each jurisdiction's responsibilities in relation to the cross-jurisdictional electronic delivery of services proposal and privacy?

Discussion Points:


Principle 2: Identifying Purposes

Questions For Analysis | Yes | No | N/D or N/A | Provide Details

2.1 What are the specific authorities to collect personal information?

If your authority is questionable, then you need to consult your legal advisor as to whether you have the authority to proceed with this proposal.

2.2 Has a clear relationship been established between the personal information to be collected and the cross-jurisdictional service delivery proposal's functional and operational requirements?

2.3 Have the purposes for which the personal information is collected been documented among jurisdictions?

2.4 Have the notice provisions among the jurisdictions been reconciled, and have jurisdictional exceptions to the notice provision been identified and reconciled?

2.5 Have all options to minimize the routine collection of personal information been considered?

2.6 If personal information that has been collected is to be used for a purpose not previously identified, is consent required?

2.7 Have arrangements been made to provide full disclosure of the purposes for which personal information is collected?

Discussion Points:


Principle 3: Consent

Questions For Analysis | Yes | No | N/D or N/A | Provide Details

3.1 Is consent obtained directly from an individual?

If not, why not?

3.2 How is consent obtained?

3.3 Does the cross-jurisdictional proposal require an individual's consent to collect, use and/or disclose personal information, and if so, have jurisdictional differences been reconciled?

3.4 Does consent require a positive action by the individual, rather than being assumed as the default?

3.5 Where personal information is collected indirectly, is it necessary to obtain consent from the individual to whom the information pertains, by either the jurisdiction collecting indirectly or the jurisdiction disclosing the information?

3.6 Does the proposal envision possible secondary uses for the personal information collected, and if so, do any jurisdictional consent requirements have to be reconciled?

3.7 Can an individual refuse to consent to the collection or use of personal information for a secondary purpose, unless required by law?

3.8 Are cross-jurisdictional standards in place for administering consent requirements that address:
  • making the determination whether the individual has the capacity to give consent by reason of age or capacity;
  • recognition of persons authorized to make decisions on behalf of an incapable person or a minor.

3.9 Are the proposed consent provisions consistent with existing laws and standards in comparable areas of the public or private sector?

3.10 Is the form of the consent being sought (for example, opt-in or opt-out) likely to stimulate negative public reaction?

Discussion Points:


Principle 4: Limiting Collection

Questions For Analysis | Yes | No | N/D or N/A | Provide Details

4.1 Does the cross-jurisdictional proposal require the collection of more personal information than was previously collected by each jurisdiction?

4.2 Will individuals be monitored for purposes of quality assurance or security, and if so, will personal information be collected?

4.3 If required, has each jurisdiction identified the authority for the collection of personal information on its behalf?

4.4 Will measures be taken to ensure public confidence in the privacy practices related to the service when personal information that individuals are likely to consider highly sensitive is collected?

Discussion Points:


Principle 5: Limiting Use, Disclosure, and Retention

Questions For Analysis | Yes | No | N/D or N/A | Provide Details

5.1 What are the specific authorities to use personal information?

If your authority is questionable, then you need to consult your legal advisor as to whether you have the authority to proceed with this proposal.

5.2 Is personal information used exclusively for the identified purposes and for uses that an individual would reasonably consider consistent with those purposes?

5.3 Are the uses of the information limited to what a reasonable person would consider appropriate in the circumstances?

5.4 Are personal identifiers, such as the social insurance number, used for the purposes of linking across multiple databases?

5.5 Where data linkages such as data matching or profiling occur, are they consistent with the stated purposes for which the personal information was collected?

5.6 Do jurisdictional data matching or data profiling policies require the conduct of a formal assessment and/or a review by the Privacy Commissioner?

5.7 Is there a need to reconcile among jurisdictions the length of time records of personal information are retained?

5.8 Will personal information be processed, disclosed or retained outside of Canada?

5.9 What are the specific authorities to disclose personal information?

If your authority is questionable, then you need to consult your legal advisor as to whether you have the authority to proceed with this proposal.

5.10 If required, is there a cross-jurisdictional procedure to govern the destruction of personal information?

5.11 If personal information is to be used for a new purpose, is the new purpose authorized and documented?

5.12 Is there a need for a cross-jurisdictional Agreement if data matching or data profiling is proposed as part of the electronic service delivery proposal?

5.13 Do you have an Agreement in place that covers data matching or data profiling activities?

5.14 Are any limitations on the use and disclosure of personal information set out in law or policy reinforced by the information and information technology architecture of the information systems?

Discussion Points:


Principle 6: Accuracy

Questions For Analysis | Yes | No | N/D or N/A | Provide Details

6.1 Will steps be taken to ensure that the personal information is accurate, complete and up-to-date?

6.2 Is a record kept of the source of the information used to make changes, e.g. paper or transaction records?

6.3 Where applicable, is there a procedure, automatic or at the request of the individual, to provide notices of correction to third parties to whom personal information has been disclosed?

6.4 Have cross-jurisdictional responsibilities for accuracy been identified?

6.5 Have any cross-jurisdictional differences in accuracy requirements been identified and reconciled?

6.6 Is there a record of decisions and reasons for refusing a request to correct a record of personal information?

6.7 Is there a clearly defined process by which an individual may access, assess and discuss or dispute the accuracy of the record?

Please briefly describe the steps.

Discussion Points:


Principle 7: Safeguards

Questions For Analysis | Yes | No | N/D or N/A | Provide Details

7.1 Has a Threat and Risk Analysis been completed?

7.2 Have security procedures for the collection, transmission, storage, and disposal of personal information, and access to it, been documented, with cross-jurisdictional conflicts identified and reconciled?

7.3 Are staff of the electronic delivery service trained in the requirements for protecting personal information, and are they aware of the relevant policies regarding breaches of security or confidentiality?

7.4 Are there controls in place over the process to grant authorization to add, change or delete personal information from records?

7.5 Is the system designed so that access and changes to personal information can be audited by date and user identification?

7.6 Are user accounts, access rights and security authorizations controlled and recorded by an accountable systems or records management process?

7.7 Is user access to personal information limited to only that required to discharge assigned functions?

7.8 Are there contingency plans and documented procedures in place to identify security breaches or disclosures of personal information made in error?

7.9 Are there documented procedures in place to communicate security violations to jurisdictions, data subjects and, if appropriate, law enforcement authorities?

7.10 If sensitive personal information will be used in the electronic delivery of services, have technological tools and system design techniques been considered which may enhance both privacy and security, e.g. encryption, technologies of anonymity or pseudo-anonymity, or digital signatures?

7.11 Have criteria been established for determining and authorizing "need to know" access to personal information?

Discussion Points:


Principle 8: Openness

Questions For Analysis | Yes | No | N/D or N/A | Provide Details

8.1 Describe how the results of any privacy impact assessment or audit will be made available to the public.

8.2 Will the cross-jurisdictional electronic service delivery project make available information on policies and practices related to the management and handling of personal information, including how personal information is used and how access is provided to the individual?

8.3 Where applicable, have jurisdictional Directories of Records (or equivalent) been updated?

8.4 Have communications products and/or a communications plan been developed to fully explain to the public how their personal information will be managed, including how it will be protected, as part of the cross-jurisdictional electronic delivery of services proposal?

Discussion Points:


Principle 9: Individual Access

Questions For Analysis | Yes | No | N/D or N/A | Provide Details

9.1 Is the system designed to ensure that access by an individual to all of their personal information can be achieved with minimal disruption to operations?

9.2 Has the cross-jurisdictional service delivery project documented how requests for personal information covered or not covered by a privacy law will be processed?

9.3 Are there documented procedures developed or planned on how to initiate privacy requests or requests for the correction of personal information?

9.4 Are the individual's access rights assured for all the data sets of all the parties in the information life cycle, including each jurisdiction, private sector partners and/or subcontractors?

9.5 Are all custodians aware of the cross-jurisdictional service delivery practices regarding the individual's right of access and any requirement to advise the individual of formal and informal appeal and/or complaint procedures?

9.6 Have procedures been established to provide individuals with access in a "routine" manner to their personal information collected by the cross-jurisdictional service delivery project?

Discussion Points:


Principle 10: Challenging Compliance

Questions For Analysis | Yes | No | N/D or N/A | Provide Details

10.1 Are complaint and/or appeal procedures established for the cross-jurisdictional electronic service delivery proposal, including the identification and resolution of any jurisdictional privacy law complaint and/or appeal conflicts?

10.2 Has a procedure been established to log and periodically review complaints and their resolution with a view to establishing improved information management practices and standards?

10.3 Have independent privacy oversight and review mechanisms been established for the cross-jurisdictional service delivery proposal?

10.4 Have oversight agencies, including privacy commissioners, issued reports or opinions on issues that would be relevant to the cross-jurisdictional electronic service delivery proposal?

If yes, please provide a summary of the above in the details column and append it to the final report.

Discussion Points:

6. Part 4: Privacy Impact Analysis Report

6.1 Reviewing the Results

At this point in the process, departments and agencies should have a detailed description of the proposal, a detailed account of the data flows within the program or service and an analysis of its compliance with privacy requirements. This will provide a solid basis for determining any significant privacy issues that need to be addressed before the proposal progresses further.

As part of the analysis, departmental representatives should develop possible solutions for each privacy risk and an accompanying action plan to be used by the department or agency to ensure that privacy is managed effectively throughout the process.

6.2 Summary

If appropriate, a summary table can be used to display the risks and their implications for a proposal. Ideally the summary table should be designed so that it piggybacks onto existing departmental schema. Please ensure that if a table is used, that definitions are provided and that a consistent methodology is applied throughout. Please refer to Annex C for an example of a summary risk table.

Departments should refer to the Integrated Risk Management Framework and the Enhanced Management Framework for more details at:

6.3 Report Details

The report should reflect a policy level discussion of the proposal summarizing the specific privacy implications and risks identified. Departments should take into consideration the:

  • environmental context in which the proposal is being made and the public's expectations regarding privacy.

While the format of the PIA report can be tailored to suit departmental needs, it should convey the following information:

  1. A detailed description of the proposal summarizing information including objectives, rationale, clients, approach, programs and/or partners involved. The project charter, plan and business case can be used as a source for this information and should be made available for reference.
  2. A list of all the data elements that involve "personal information" and a related description.
  3. A list of all stakeholders and their roles and responsibilities.
  4. A list of relevant legislation and policies that have a bearing on privacy requirements of the proposal including any departmental program statutes and policies.
  5. A description of the specific privacy risks that have been identified through the privacy impact assessment process and, if appropriate, an indication of the level of risk involved. Departments can choose to complete a summary table if appropriate; however, the use of the table is completely optional, since some privacy experts recognize that it is difficult to assess both the likelihood and impact of risk in this context.
  6. Possible options to eliminate or mitigate privacy risks, with a statement of the implications associated with those mechanisms where relevant. Include if appropriate any information on similar proposals and privacy risks identified in other jurisdictions and how the risks were handled.
  7. A description of any residual or outstanding risks that cannot be addressed through the mitigation mechanisms. Include where appropriate, references to and a description of public opinion or expectations regarding those residual risks.
  8. An outline of privacy oriented communications strategy, if the implementation of such a strategy is considered appropriate.

Examples of Table of Contents of a PIA report and a Preliminary PIA report are attached as Annexes A and B.

Refer to the policy for direction on departmental responsibilities concerning provision of the final PIA to the Privacy Commissioner and public notification. Departmental officials should consult their Privacy Coordinator for advice on the PIA report and communications with the Office of the Privacy Commissioner.

The summary results of the PIA can take the form of an executive summary that is written in plain, non-technical language and in each of the two official languages at the same time in accordance with the Official Languages Act. To achieve this objective, a communications specialist should be consulted.

The Office of the Privacy Commissioner has requested that departments and agencies do not publish any of their comments.

6.4 Addressing Risks

Experience over time has demonstrated that the most effective way to protect personal information is to use a combination of tools and strategies which include complying with the Privacy Act and Privacy and Data Protection Policy, using privacy-enhancing technologies and architectures, conducting privacy impact assessments, and engaging in public education.

Potential Outcomes of a PIA:

  • Use of anonymous information in lieu of personal information to achieve the same program objectives
  • Cost avoidance by considering privacy at the outset thus avoiding exponential design costs associated with retrofitting requirements at a later development stage
  • Building of public trust and confidence that privacy has been built into the design of the program or service.
  • Where risk cannot be mitigated through technical or policy instruments, a PIA will provide decision-makers with a full assessment of the risk.
  • A decision to abandon a project at an early stage based on the significance of the privacy risks.
  • A disciplined process that promotes open communications, common understanding and transparency.

Annex A - Table of Contents of a PIA

Document Change Control Table

  1. Executive Summary
  2. Introduction
    • 2.1 Report Objectives
    • 2.2 Scope of PIA
    • 2.3 Reference Documentation
    • 2.4 Participants
    • 2.5 Legislation and Policies
    • 2.6 Abbreviations Used in this Report
  3. Project Proposal
  4. Data Flow Analysis
    • 4.1 Business Flow Diagram and Description
    • 4.2 Data Flow Table
  5. Privacy Analysis
  6. Privacy Risk Management Plan
    • 6.1 Privacy Risk Mitigation
      • 6.1.1 <insert privacy risk heading # 1>
      • 6.1.2 <insert privacy risk heading # 2>
    • 6.2 Summary Table
  7. Communications Strategy

Annex B - Table of Contents of a Preliminary PIA

Document Change Control Table

  1. Executive Summary
  2. Introduction
    • 2.1 Rationale for a Preliminary PIA
    • 2.2 Report Objectives
    • 2.3 Scope of the Preliminary PIA
  3. Project Background
    • 3.1 Project Description
    • 3.2 Stakeholder Roles
  4. Legislative and Policy Authorities for the Project
  5. Description of Personal Information
    • 5.1 Data Clusters
    • 5.2 Data Flow Description and Table
  6. Potential Privacy Risks
    • 6.1 <insert privacy risk heading # 1>
    • 6.2 <insert privacy risk heading # 2>
  7. Overview of Security Requirements
  8. PIA Plan
    • 8.1 Activities
    • 8.2 Assumptions
    • 8.3 Consultations
    • 8.4 Resource Requirements

Annex C - Example of a Summary Table

Low: There is a possibility that the risk will materialize but there are mitigating factors.
Moderate: There is a strong possibility that the risk will materialize if no corrective measures are taken.
High: There is a near certainty that the risk will materialize if no corrective measures are taken.

Example of a Summary Table

Element | Nature of risks | Level of risks (Low / Medium / High) | Comments | Mitigating Mechanisms