PIA Expectations of the OPC
Lara McGuire Ives
Manager, Privacy Impact Assessment Review
May 6, 2011
Structure of Presentation
- Purpose of Conducting a PIA
- Overview of Policy Framework & PIA Requirements
- OPC PIA Expectations
- OPC PIA Review Process
Purpose of Conducting a PIA
- Help to identify and resolve privacy risks
- Ensure that privacy protections are incorporated into program design
- Compliance with Privacy Act and relevant government policies/directives
- Public accountability
Stakeholders in Federal Government PIA Process
- Federal departments and agencies
- Treasury Board Secretariat (TBS)
- Office of the Privacy Commissioner (OPC)
- Canadian public
TBS Privacy & Data Protection Framework
- 19 Policies and Guidelines
- 2 Acts/Regulations
- 4 Directives
TBS Directive on PIA
- Replaced previous PIA Policy (2002)
- Goal to streamline process to ensure that a PIA is conducted in a manner that is commensurate with the privacy risks identified and respects the operating environment of the government institution
A PIA is Required When
- Personal information is used as part of a decision-making process directly affecting the individual
- Substantial modifications are made to existing programs/activities where personal information is used or intended to be used for an administrative purpose
- Contracting out/transferring of a program to another level of government or private sector results in substantial modifications
Requirements of TBS Directive on PIA
- 6.3.2 - Appropriate senior official must determine whether a PIA is warranted in cases where no decisions are made about individuals or whether privacy protocol is adequate to address impact on privacy
Directive on PIA: Multi-institutional Programs
- Lead institution to be appointed
- Interdepartmental committee to be coordinated
- Appropriate approach for completion of PIA(s) to be determined and documented
- Lead must oversee initial collection and any disclosures to partner institutions
Directive on PIA: Review Requirements
- PIAs approved internally by:
  - Section 10 responsibility
  - Appropriate senior officials
  - Legal services if necessary
- Approved PIA sent to TBS with proposed new or modified Personal Information Bank (PIB)
- TBS only reviews mandatory requirements of the core PIA for purposes of PIB registration
- PIA simultaneously provided to the OPC
  - Authority to request documentation, discretion to review/offer comments
TBS Core PIA
- Appendix C of the Directive
- Contents of core are mandatory, though use of TBS template is not
- There will be instances when a full-fledged PIA is required
TBS Core PIA Components
1) Overview/Initiation
2) Risk Area Identification and Categorization
3) Analysis of Personal Information Elements
4) Flow of Personal Information
5) Privacy Compliance Analysis
6) Summary of Analysis/Recommendations
7) Supplementary Documents
8) Formal Approval
OPC PIA Expectations
- Distinction between roles of OPC/TBS
- Type and depth of information needed by OPC to fulfill its role as guardian of Canadians' privacy rights differs from basic requirements of core
- The core PIA template may be appropriate in certain cases but still must be filled out appropriately and contain enough information for OPC's review
For example
- Section II Risk Area Identification
OPC Expectations Document: Intent
- Shed light on OPC processes for analysing privacy risks associated with government initiatives
- Set out expectations regarding type and depth of information to include in a PIA
- Help customize PIA format building upon mandatory content of core PIA
OPC's Expectations Document
- Four-part test
- Privacy principles
- Action plan
- Multi-institutional guidance
- Checklists
OPC's Four-Part Test
- Designed to have institutions assess broader privacy risks and societal impacts of certain programs from the outset
- Based on Canadian jurisprudence and recognition of the quasi-constitutional status of the right to privacy
- Meant for particularly intrusive/privacy-invasive initiatives
OPC's Four-Part Test
- Institution to respond to the following questions at outset of PIA:
  - Is the measure demonstrably necessary to meet a specific need?
  - Is it likely to be effective in meeting that need?
  - Is the loss of privacy proportional to the need?
  - Is there a less privacy-invasive option?
Case Study: CATSA Millimetre Wave Scanner
- OPC first consulted in 2007 during pilot
- Privacy a consideration from outset of inherently privacy-invasive program
- Application of 4-part test to address the necessity, proportionality, effectiveness and intrusiveness of initiative
- Demonstrative of how PIAs should function
OPC's Expectations Document: The Privacy Principles
- Provide an accessible and logical framework for completing a privacy analysis
- Ensure programs are designed with privacy in mind
- Demonstrate security of information when held by government institutions
OPC's Expectations Document: Action Plan
- Timeframe for mitigating identified risks
- Should be revisited and updated on an ongoing basis
- Include auditing/compliance reporting schedule
OPC's Expectations Document: Multi-Institutional PIAs
- Reiterates guidance from TBS Directive
- Need for leadership role from one institution
- Overarching PIA to provide a foundation for expected privacy practices for all partners
OPC's Expectations Document: Checklists
- Recommended PIA format
  - To ensure complete assessments are conducted
- Associated documentation
  - Those considered integral to a thorough review of risks
OPC PIA Review Process
- Triage
  - Resources focused on initiatives which pose the greatest risk to privacy
- Documentation review
- Consultation
- Recommendations issued
- Institutional response
Changes to OPC's Review Process
- Nature and number of recommendations
  - Big picture rather than in the weeds
- Focus on working with institutions to address privacy risks
- Increase in consultations
Useful Links
- OPC Expectations Document: http://www.priv.gc.ca/information/pub/gd_exp_201103_e.cfm
- OPC Guidance Document - A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century: http://www.priv.gc.ca/information/pub/gd_sec_201011_e.cfm
- OPC Audit Report on the Privacy Management Frameworks of Selected Federal Institutions: http://www.priv.gc.ca/information/pub/arvr/pmf_20090212_e.cfm
- CSA Model Code for the Protection of Personal Information: http://www.csa.ca/cm/ca/en/privacycode/publications/view-privacy-code
Useful Links
- TBS Privacy and Data Protection Policies and Publications: http://www.tbs-sct.gc.ca/pubs_pol/gospubs/tbm_128/siglist-eng.asp
- Directive on PIA: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?section=text&id=18308
- Policy on Privacy Protection: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12510
- Directive on Privacy Practices: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?section=text&id=18309