29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #620361

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE # PRIVACY IMPACT ASSESSMENT (PIA) WORKSHOP Part A: Getting Started Claude Beaulé Privacy Consultant, Quebec, Canada September 27, 2007

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE # Introduction Role and responsibilities of the Office of the Privacy Commissioner of Canada (OPC) under Canadas Privacy Impact Assessment (PIA) Policy, which took effect May OPCs PIA review process and the challenges posed by the implementation of the PIA Policy. Capacity of the OPC to respond to PIA challenges

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE # PIA Policy Requirements to conduct PIAs (or preliminary PIAs if warranted) for all new or modified programs or services that raise privacy issues; to consult with the OPC at the early stages of the development of new programs and initiatives; to provide copies of their final PIAs to the OPC before they implement programs or services; and to publish the results of their PIAs on their department websites. The Government of Canada PIA Policy requires federal departments and agencies:

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE # Role of the OPC Under the PIA Policy, the OPC is mandated to receive final copies of PIAs, and may provide comments and recommendations if warranted. The provision of advice to submitting departments and agencies remains at the discretion of the Privacy Commissioner.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE # Role of the OPC (contd) The role of the OPC is not to approve or reject projects that are described in PIAs, but to assess whether or not departments have done a good job of evaluating the impacts on the protection of personal information and that their projects and activities are respectful of the privacy rights of Canadians. By reviewing PIAs, the OPC is able to provide advice and guidance to institutions and identify solutions to eliminate or mitigate potential privacy risks. In some cases, the OPC may make recommendations for significant changes.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE # OPCs review of PIAs In conducting its review, the OPC assesses the PIA report for: 1. 1.Completeness rationale and legal authority for the project; description of the business process; description of the personal information involved and data flow;

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE # OPCs review of PIAs (contd) description of the information security infrastructure associated with the project; inclusion of necessary background documentation (e.g., TRAs, MOUs, contracts, etc.); an implementation schedule for the project; an action plan to address privacy issues; and a communications strategy, where appropriate.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE # OPCs review of PIAs (contd) 2. Quality of the Privacy Analysis that all the salient privacy risks and the associated implications of those risks have been correctly identified in the report; and that the proposed remedies or mitigation strategies to deal with those risks are reasonable and appropriate.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE # OPCs review of PIAs (contd) If the OPC concludes at the end of its review that the PIA lacks certain data or that the privacy risks have not been adequately considered or dealt with, it will inform the department. The OPC may provide comments and recommendations to the department. However, the final decision on whether to implement those recommendations rests with the department.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE # General comment In my view, the most significant benefit that can be attributed to the PIA Policy is : the increased awareness among government personnel at all levels of the importance of privacy and how it impacts on their day-to-day functions. Privacy is truly becoming a core consideration in the conception, design, and implementation of federal government programs and services, which is the purpose of the PIA Policy.