PIA Expectations of the OPC


PIA Expectations of the OPC
Lara McGuire Ives
Manager, Privacy Impact Assessment Review
May 6, 2011

Structure of Presentation
- Purpose of Conducting a PIA
- Overview of Policy Framework & PIA Requirements
- OPC PIA Expectations
- OPC PIA Review Process

Purpose of Conducting a PIA
- Help to identify and resolve privacy risks
- Ensure that privacy protections are incorporated into program design
- Compliance with Privacy Act and relevant government policies/directives
- Public accountability

Stakeholders in Federal Government PIA Process
- Federal departments and agencies
- Treasury Board Secretariat (TBS)
- Office of the Privacy Commissioner (OPC)
- Canadian public

TBS Privacy & Data Protection Framework
- 19 Policies and Guidelines
- 2 Acts/Regulations
- 4 Directives

TBS Directive on PIA
- Replaced previous PIA Policy (2002)
- Goal to streamline process to ensure that a PIA is conducted in a manner that is commensurate with the privacy risks identified and respects the operating environment of the government institution

A PIA is Required When
- Personal information is used as part of a decision-making process directly affecting the individual
- Substantial modifications are made to existing programs/activities where personal information is used or intended to be used for an administrative purpose
- Contracting out/transferring of a program to another level of government or private sector results in substantial modifications

Requirements of TBS Directive on PIA
- 6.3.2 - Appropriate senior official must determine whether a PIA is warranted in cases where no decisions are made about individuals or whether privacy protocol is adequate to address impact on privacy

Directive on PIA: Multi-institutional Programs
- Lead institution to be appointed
- Interdepartmental committee to be coordinated
- Appropriate approach for completion of PIA(s) to be determined and documented
- Lead must oversee initial collection and any disclosures to partner institutions

Directive on PIA: Review Requirements
- PIAs approved internally by:
  - Section 10 responsibility
  - Appropriate senior officials
  - Legal services if necessary
- Approved PIA sent to TBS with proposed new or modified Personal Information Bank (PIB)
- TBS only reviews mandatory requirements of the core PIA for purposes of PIB registration
- PIA simultaneously provided to the OPC
- Authority to request documentation, discretion to review/offer comments

TBS Core PIA
- Appendix C of the Directive
- Contents of core are mandatory, though use of TBS template is not
- There will be instances when a full-fledged PIA is required

TBS Core PIA Components
1) Overview/Initiation
2) Risk Area Identification and Categorization
3) Analysis of Personal Information Elements
4) Flow of Personal Information
5) Privacy Compliance Analysis
6) Summary of Analysis/Recommendations
7) Supplementary Documents
8) Formal Approval

OPC PIA Expectations
- Distinction between roles of OPC/TBS
- Type and depth of information needed by OPC to fulfill its role as guardian of Canadians' privacy rights differs from basic requirements of core
- The core PIA template may be appropriate in certain cases but still must be filled out appropriately and contain enough information for OPC's review

For example: Section II, Risk Area Identification

OPC Expectations Document: Intent
- Shed light on OPC processes for analysing privacy risks associated with government initiatives
- Set out expectations regarding type and depth of information to include in a PIA
- Help customize PIA format building upon mandatory content of core PIA

OPC's Expectations Document
- Four-part test
- Privacy principles
- Action plan
- Multi-institutional guidance
- Checklists

OPC's Four-Part Test
- Designed to have institutions assess broader privacy risks and societal impacts of certain programs from the outset
- Based on Canadian jurisprudence and recognition of the quasi-constitutional status of the right to privacy
- Meant for particularly intrusive/privacy-invasive initiatives

OPC's Four-Part Test
Institution to respond to the following questions at outset of PIA:
- Is the measure demonstrably necessary to meet a specific need?
- Is it likely to be effective in meeting that need?
- Is the loss of privacy proportional to the need?
- Is there a less privacy-invasive option?

Case Study: CATSA Millimetre Wave Scanner
- OPC first consulted in 2007 during pilot
- Privacy a consideration from outset of inherently privacy-invasive program
- Application of 4-part test to address the necessity, proportionality, effectiveness and intrusiveness of initiative
- Demonstrative of how PIAs should function

OPC's Expectations Document: The Privacy Principles
- Provide an accessible and logical framework for completing a privacy analysis
- Ensure programs are designed with privacy in mind
- Demonstrate security of information when held by government institutions

OPC's Expectations Document: Action Plan
- Timeframe for mitigating identified risks
- Should be revisited and updated on an ongoing basis
- Include auditing/compliance reporting schedule

OPC's Expectations Document: Multi-Institutional PIAs
- Reiterates guidance from TBS Directive
- Need for leadership role from one institution
- Overarching PIA to provide a foundation for expected privacy practices for all partners

OPC's Expectations Document: Checklists
- Recommended PIA format
  - To ensure complete assessments are conducted
- Associated documentation
  - Those considered integral to a thorough review of risks

OPC PIA Review Process
- Triage
  - Resources focused on initiatives which pose the greatest risk to privacy
- Documentation review
- Consultation
- Recommendations issued
- Institutional response

Changes to OPC's Review Process
- Nature and number of recommendations
- Big picture rather than in the weeds
- Focus on working with institutions to address privacy risks
- Increase in consultations

Useful Links
- OPC Expectations Document: http://www.priv.gc.ca/information/pub/gd_exp_201103_e.cfm
- OPC Guidance Document - A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century: http://www.priv.gc.ca/information/pub/gd_sec_201011_e.cfm
- OPC Audit Report on the Privacy Management Frameworks of Selected Federal Institutions: http://www.priv.gc.ca/information/pub/arvr/pmf_20090212_e.cfm
- CSA Model Code for the Protection of Personal Information: http://www.csa.ca/cm/ca/en/privacycode/publications/view-privacy-code

Useful Links
- TBS Privacy and Data Protection Policies and Publications: http://www.tbs-sct.gc.ca/pubs_pol/gospubs/tbm_128/siglist-eng.asp
- Directive on PIA: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?section=text&id=18308
- Policy on Privacy Protection: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12510
- Directive on Privacy Practices: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?section=text&id=18309