PIA Expectations of the OPC

Transcription

1 PIA Expectations of the OPC Lara McGuire Ives Manager, Privacy Impact Assessment Review May 6, 2011

2 Structure of Presentation Purpose of Conducting a PIA Overview of Policy Framework & PIA Requirements OPC PIA Expectations OPC PIA Review Process

3 Purpose of Conducting a PIA Help to identify and resolve privacy risks Ensure that privacy protections are incorporated into program design Compliance with Privacy Act and relevant government policies/directives Public accountability

4 Stakeholders in Federal Government PIA Process Federal departments and agencies Treasury Board Secretariat (TBS) Office of the Privacy Commissioner (OPC) Canadian public

5 TBS Privacy & Data Protection Framework 19 Policies and Guidelines 2 Acts/Regulations 4 Directives

6 TBS Directive on PIA Replaced previous PIA Policy (2002) Goal to streamline process to ensure that a PIA is conducted in a manner that is commensurate with the privacy risks identified and respects the operating environment of the government institution

7 A PIA is Required When Personal information is used as part of a decision-making process directly affecting the individual Substantial modifications are made to existing programs/activities where personal information is used or intended to be used for an administrative purpose Contracting out/transferring of a program to another level of government or private sector results in substantial modifications

8 Requirements of TBS Directive on PIA Appropriate senior official must determine whether a PIA is warranted in cases where no decisions are made about individuals or whether privacy protocol is adequate to address impact on privacy

9 Directive on PIA Multi-institutional Programs Lead institution to be appointed Interdepartmental committee to be coordinated Appropriate approach for completion of PIA(s) to be determined and documented Lead must oversee initial collection and any disclosures to partner institutions

10 Directive on PIA Review Requirements PIAs approved internally by: Section 10 responsibility Appropriate senior officials Legal services if necessary Approved PIA sent to TBS with proposed new or modified Personal Information Bank (PIB) TBS only reviews mandatory requirements of the core PIA for purposes of PIB registration PIA simultaneously provided to the OPC Authority to request documentation, discretion to review/offer comments

11 TBS Core PIA Appendix C of the Directive Contents of core are mandatory, though use of TBS template is not There will be instances when a fullfledged PIA is required

12 TBS Core PIA Components 1) Overview/Initiation 2) Risk Area Identification and Categorization 3) Analysis of Personal Information Elements 4) Flow of Personal Information 5) Privacy Compliance Analysis 6) Summary of Analysis/Recommendations 7) Supplementary Documents 8) Formal Approval

13 OPC PIA Expectations Distinction between roles of OPC/TBS Type and depth of information needed by OPC to fulfill its role as guardian of Canadians privacy rights differs from basic requirements of core The core PIA template may be appropriate in certain cases but still must be filled out appropriately and contain enough information for OPC s review

14 For example Section II Risk Area Identification

15 OPC Expectations Document Intent Shed light on OPC processes for analysing privacy risks associated with government initiatives Set out expectations regarding type and depth of information to include in a PIA Help customize PIA format building upon mandatory content of core PIA

16 OPC s Expectations Document Four-part test Privacy principles Action plan Multi-institutional guidance Checklists

17 OPC s Four-Part Test Designed to have institutions assess broader privacy risks and societal impacts of certain programs from the outset Based on Canadian jurisprudence and recognition of the quasi-constitutional status of the right to privacy Meant for particularly intrusive/privacyinvasive initiatives

18 OPC s Four-Part Test Institution to respond to the following questions at outset of PIA: Is the measure demonstrably necessary to meet a specific need? Is it likely to be effective in meeting that need? Is the loss of privacy proportional to the need? Is there a less privacyinvasive option?

19 Case Study CATSA Millimetre Wave Scanner OPC first consulted in 2007 during pilot Privacy a consideration from outset of inherently privacy-invasive program Application of 4-part test to address the necessity, proportionality, effectiveness and intrusiveness of initiative Demonstrative of how PIAs should function

20 OPC s Expectations Document The Privacy Principles Provide an accessible and logical framework for completing a privacy analysis Ensure programs are designed with privacy in mind Demonstrate security of information when held by government institutions

21 OPC s Expectations Document Action Plan Timeframe for mitigating identified risks Should be revisited and updated on an ongoing basis Include auditing/compliance reporting schedule

22 OPC s Expectations Document Multi-Institutional PIAs Reiterates guidance from TBS Directive Need for leadership role from one institution Overarching PIA to provide a foundation for expected privacy practices for all partners

23 OPC s Expectations Document Checklists Recommended PIA format To ensure complete assessments are conducted Associated documentation Those considered integral to a thorough review of risks

24 OPC PIA Review Process Triage Resources focused on initiatives which pose the greatest risk to privacy Documentation review Consultation Recommendations issued Institutional response

25 Changes to OPC s Review Process Nature and number of recommendations Big picture rather than in the weeds Focus on working with institutions to address privacy risks Increase in consultations

26 Useful Links OPC Expectations Document: e.cfm OPC Guidance Document - A Matter of Trust: Integrating Privacy and Public Safety in the 21 st Century: OPC Audit Report on the Privacy Management Frameworks of Selected Federal Institutions: CSA Model Code for the Protection of Personal Information:

27 Useful Links TBS Privacy and Data Protection Policies and Publications: Directive on PIA: Policy on Privacy Protection: Directive on Privacy Practices:

28