Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
PIA Expectations
of the OPC
Lara McGuire Ives Manager, Privacy Impact Assessment Review
May 6, 2011
Structure of Presentation
Purpose of Conducting a PIA
Overview of Policy Framework & PIA Requirements
OPC PIA Expectations
OPC PIA Review Process
• Help to identify and resolve privacy risks
• Ensure that privacy protections are
incorporated into program design
• Compliance with Privacy Act and relevant
government policies/directives
• Public accountability
Purpose of Conducting a PIA
Stakeholders in Federal Government PIA
Process
• Federal departments and agencies
• Treasury Board Secretariat (TBS)
• Office of the Privacy Commissioner (OPC)
• Canadian public
TBS Privacy & Data Protection Framework
• 19 Policies and Guidelines
• 2 Acts/Regulations
• 4 Directives
TBS Directive on PIA
• Replaced previous PIA Policy (2002)
• Goal to streamline process to ensure that
a PIA is conducted in a manner that is
commensurate with the privacy risks
identified and respects the operating
environment of the government
institution
A PIA is Required When…
• Personal information is used as part of a
decision-making process directly affecting the
individual
• Substantial modifications are made to existing
programs/activities where personal information
is used or intended to be used for an
administrative purpose
• Contracting out/transferring of a program to
another level of government or private sector
results in substantial modifications
• 6.3.2 - Appropriate senior official must
determine whether a PIA is warranted in
cases where no decisions are made about
individuals or whether privacy protocol is
adequate to address impact on privacy
Requirements of TBS Directive on PIA
Directive on PIA
Multi-institutional Programs
• Lead institution to be appointed
• Interdepartmental committee to be
coordinated
• Appropriate approach for completion of
PIA(s) to be determined and documented
• Lead must oversee initial collection and
any disclosures to partner institutions
Directive on PIA – Review Requirements
• PIAs approved internally by:
– Section 10 responsibility
– “Appropriate” senior officials
– Legal services if necessary
• Approved PIA sent to TBS with proposed new or modified
Personal Information Bank (PIB)
– TBS only reviews mandatory requirements of the core
PIA for purposes of PIB registration
• PIA simultaneously provided to the OPC
– Authority to request documentation, discretion to
review/offer comments
TBS “Core” PIA
• Appendix C of the Directive
• Contents of core are mandatory, though
use of TBS template is not
• There will be instances when a full-
fledged PIA is required
TBS “Core” PIA Components
1) Overview/Initiation
2) Risk Area Identification and Categorization
3) Analysis of Personal Information Elements
4) Flow of Personal Information
5) Privacy Compliance Analysis
6) Summary of Analysis/Recommendations
7) Supplementary Documents
8) Formal Approval
• Distinction between roles of OPC/TBS
• Type and depth of information needed by
OPC to fulfill its role as guardian of
Canadians’ privacy rights differs from
basic requirements of core
• The core PIA template may be
appropriate in certain cases but still must
be filled out appropriately and contain
enough information for OPC’s review
OPC PIA Expectations
For example…
Section II – Risk Area Identification
OPC Expectations Document
Intent
• Shed light on OPC processes for analysing
privacy risks associated with government
initiatives
• Set out expectations regarding type and
depth of information to include in a PIA
• Help customize PIA format building upon
mandatory content of core PIA
OPC’s Expectations Document
Four-part test
Privacy principles
Action plan
Multi-institutional guidance
Checklists
OPC’s Four-Part Test
• Designed to have institutions assess
broader privacy risks and societal impacts
of certain programs from the outset
• Based on Canadian jurisprudence and
recognition of the quasi-constitutional
status of the right to privacy
• Meant for particularly intrusive/privacy-
invasive initiatives
• Is the measure demonstrably necessary to meet a specific need?
• Is it likely to be effective in meeting that need?
• Is the loss of privacy proportional to the need?
• Is there a less privacy-invasive option?
Institution to respond to the
following questions at outset of PIA:
OPC’s Four-Part Test
Case Study
CATSA Millimetre Wave Scanner
• OPC first consulted in 2007 during pilot
• Privacy a consideration from outset of
inherently privacy-invasive program
• Application of 4-part test to address the
necessity, proportionality, effectiveness
and intrusiveness of initiative
• Demonstrative of how PIAs should
function
OPC’s Expectations Document
The Privacy Principles
• Provide an accessible and logical
framework for completing a privacy
analysis
• Ensure programs are designed with
privacy in mind
• Demonstrate security of information when
held by government institutions
OPC’s Expectations Document
Action Plan
• Timeframe for mitigating identified risks
• Should be revisited and updated on an
ongoing basis
• Include auditing/compliance reporting
schedule
OPC’s Expectations Document
Multi-Institutional PIAs
• Reiterates guidance from TBS Directive
• Need for leadership role from one
institution
• Overarching PIA to provide a foundation
for expected privacy practices for all
partners
• Recommended PIA format
– To ensure complete assessments are
conducted
• Associated documentation
– Those considered integral to a thorough
review of risks
OPC’s Expectations Document
Checklists
OPC PIA Review Process
• Triage
– Resources focused on initiatives which pose
the greatest risk to privacy
• Documentation review
• Consultation
• Recommendations issued
• Institutional response
Changes to OPC’s Review Process
• Nature and number of recommendations
• ‘Big picture’ rather than ‘in the weeds’
• Focus on working with institutions to
address privacy risks
• Increase in consultations
Useful Links
• OPC Expectations Document:
http://www.priv.gc.ca/information/pub/gd_exp_201103_
e.cfm
• OPC Guidance Document - A Matter of Trust: Integrating
Privacy and Public Safety in the 21st Century:
http://www.priv.gc.ca/information/pub/gd_sec_201011_e
.cfm
• OPC Audit Report on the Privacy Management Frameworks
of Selected Federal Institutions:
http://www.priv.gc.ca/information/pub/ar-
vr/pmf_20090212_e.cfm
• CSA Model Code for the Protection of Personal Information:
http://www.csa.ca/cm/ca/en/privacy-
code/publications/view-privacy-code
Useful Links
• TBS Privacy and Data Protection Policies and Publications:
http://www.tbs-
sct.gc.ca/pubs_pol/gospubs/tbm_128/siglist-eng.asp
• Directive on PIA: http://www.tbs-sct.gc.ca/pol/doc-
eng.aspx?section=text&id=18308
• Policy on Privacy Protection: http://www.tbs-
sct.gc.ca/pol/doc-eng.aspx?id=12510
• Directive on Privacy Practices: http://www.tbs-
sct.gc.ca/pol/doc-eng.aspx?section=text&id=18309