1 Privacy Impact Assessment ARMA Workshop April 5, 2006 Alec Campbell.

Presentation transcript:

1 Privacy Impact Assessment ARMA Workshop April 5, 2006 Alec Campbell

2 Introduction
- What is a PIA?
  - A formal assessment of the privacy implications associated with a given project, initiative, or collection of records, usually in reference to applicable legislation or policy.
- Who in the audience has participated in a PIA before?

3 Agenda
- Today’s discussion:
  - Overview of selected PIA templates and approaches
  - The Alberta OIPC PIA process and template in more detail, if you wish
  - Key issues in PIA planning and preparation

4 Introduction
- PIAs have become a critical tool in privacy management
  - PIAs are proactive, not reactive
  - Well-suited to risk management
  - Provide evidence of due diligence
- Inspired by the environmental impact assessment
- Formal PIA processes have taken some time to develop, and there is still no widespread standard

5 Overview of Approaches
- Federal approaches
  - Treasury Board Secretariat
- Selected provincial approaches
  - BC
  - Ontario
  - Alberta (detail)
- Private sector approaches
  - Canadian Institute of CAs (CICA)

6 Federal Approach
- Treasury Board Secretariat
  - Institutions must develop and maintain Privacy Impact Assessments
  - PIA Guidelines: A Framework to Manage Privacy Risks
  - Institutions seeking approval from the Treasury Board pursuant to the Project Approval Policy must include the results of the PIA
  - Depts urged to consult PC but not required

7 TBS PIA Process

8 Federal Approach
TBS PIA Guidelines Table of Contents
- Introduction
- Purpose
- Proceeding with a PIA
- Process Overview
- Detailed Process Description
  - Part 1: Project Initiation/Needs Assessment
    - Defining Resource Requirements
  - Part 2: Documenting the Data Flow
    - Business Process Diagram
    - Data Flow Tables
  - Part 3: Privacy Analysis
    - Questionnaire A: For federal programs and services
    - Questionnaire B: Cross-Jurisdictional Program and Service Delivery
  - Part 4: Privacy Impact Analysis Report
- Reviewing the Results
  - Summary Table
  - Privacy Impact Analysis Report
  - Addressing Risks

9 Provincial Approaches
- BC
  - PIAs mandatory under FOIP Act, not under PIPA
  - Not reviewed by IPC
- Ontario
  - PIAs required for major projects by Ont Govt policy
  - Not mandatory under FIPPA, MFIPPA or PHIPA.
- Alberta
  - PIAs not mandatory under FOIP Act or PIPA, but mandatory under HIA
  - OIPC must review HIA PIAs and usually reviews GoA PIAs.
  - OIPC PIA review function is unique among IPCs.

10 Provincial Approaches: BC
A PIA needs to be completed for all new initiatives.
PIA Contents:
- Basic Information
- Descriptive Information
- Personal Information Collection
  - (1) Authorization for Collection
  - (2) How will the personal information be collected?
  - (3) Notification to collect information
- Use of Personal Information
- Disclosure of Personal Information
- Accuracy and Correction of Personal Information
- Security Arrangements for the Protection of Personal Information
- Retention of Personal Information
- Director/Manager of Information and Privacy (DMIP) or FOIPP Coordinator Review
- Signatures

11 Provincial Approaches: Ontario Annual Information and Information Technology (I&IT) plans submitted to Ministry of Government Services (MGS) must include a Privacy Impact Assessment where proposals may affect client privacy.

12 Provincial Approaches: Ontario
Process
Conceptual Analysis
- Prepare a plain language description of the scope and business rationale of proposed initiative
- Identify in a preliminary way potential privacy issues and risks, and key stakeholders
- Provide a detailed description of essential aspects of the proposal, including a policy analysis of major issues
- Document the major flows of personal information
- Compile an environment issues scan to review how other jurisdictions handled a similar initiative
- Identify stakeholder issues and concerns
- Assessment of public reaction
Data Flow Analysis
- Analyze data flows through business process diagrams, and identify specific personal data elements or clusters of data
- Assess proposal’s compliance with FOI and privacy legislation, relevant program statutes, and broader conformity with general privacy principles
- Analyze risk based on the privacy analysis of the initiative, and identify possible solutions
- Review design options, and identify outstanding privacy issues/concerns that have not been addressed
- Prepare response for unresolved privacy issues
Follow-up Analysis
- Review and analyze physical hardware and system design of proposed initiative to ensure compliance with privacy design requirements
- Provide a final review of the proposed initiative
- Conduct a privacy and risk analysis of any new changes to the proposed initiative relating to hardware and software design to ensure compliance with FOI and privacy legislation, relevant program statutes, and broader conformity with general privacy principles
- Prepare a communications plan

13 Provincial Approaches: Ontario
Relevant Factors to Consider
- PEOPLE: Consider ongoing management, privacy training programs, general organizational awareness of privacy and security issues, the level of knowledge required to perform specific functions, the availability of manuals and other forms of guidance, and mechanisms for communicating privacy and security policies.
- PROCESS: Consider what information is collected, why and how it is collected, how privacy and security are ensured operationally, and what mechanisms are in place to provide individual access to information.
- ENVIRONMENT: Consider the physical space where information is stored, physical security measures, the availability of secure document disposal facilities, and processes for secure disposal of old information technology (e.g., personal computers, legacy servers, etc.) that may hold personal information.
- TECHNOLOGY: Consider system design characteristics, data security and integrity measures, access controls, and audit trails.

14 Provincial Approaches: Ontario
Analytical Approaches
- Flow Charts: Are most useful for relatively simple applications. Flow charts provide a good general sense of program steps and data flows, along with an outline of the relationships among these elements and the progression between them.
- Structured Analysis: Identifies major steps in a program and then breaks these steps down, according to function, until the project can be represented as a progression through a series of small steps. This is a good way of reducing very complex projects into manageable components.
- Object-oriented Analysis: Combines the mapping of processes with the mapping of the data flows attached to those processes. It sets out the processes and the organization of these processes (i.e. the architecture), and specifies which data are being used and where in each process they are being used.

15 Provincial Approaches: Alberta
- Unlike other jurisdictions, Alberta’s PIA template comes from the IPC, not government
- Privacy impact assessments are mandatory under the HIA
  - HIA team at the OIPC requires use of the AB template
- PIAs not mandatory under FOIP Act.
  - FOIP team at the OIPC does not necessarily require use of the OIPC template
- IPC reviews but will not "approve" a PIA. If satisfied, the Commissioner will "accept" the PIA. Acceptance is not approval; it merely reflects the IPC’s acceptance that the organization has made reasonable efforts to protect privacy
- IPC does not review PIAs under PIPA

16 Provincial Approaches: Alberta
CRITICAL COMPONENTS
- Organizational Privacy Management
  - Organizational strategic plan or business plan addressing privacy protection
  - Organizational privacy policy or privacy charter
  - Organizational privacy procedures, guidelines and controls
  - Physical security and access control documentation
  - IT security and access control documentation
  - Records management policies and procedures for personal information
- Project Privacy Management
  - Project summary and description
  - Listing of all personal information or personal data elements for project
  - Personal information data flow diagram
  - Personal information access documentation ("access matrix")
  - Statutory authority documentation

17 Private Sector Approaches
- AICPA/CICA Privacy Framework
  - Developed jointly by American and Canadian CA associations
  - Based on principles similar, but not identical, to CSA Model Code
  - Includes general guidelines and evaluation criteria
  - Comprehensive – 90 pages

18 Issues in PIA Planning and Preparation
- Why do it?
  - Due diligence
    - If you have a privacy complaint later, having done a PIA will demonstrate efforts to protect privacy
  - Risk management
    - PIA will identify potential privacy risks before they materialize, allowing you to take measures to prevent problems
    - Risks: IPC inquiry costs, loss of stakeholder trust, bad publicity, cost of retroactive privacy measures, legal costs, etc.
  - Cost containment
    - A PIA will often cost less than a privacy breach resulting from a failure to do the PIA.

19 Issues in PIA Planning and Preparation
- Who should do it?
  - Those who will be responsible for the project or initiative after it is up and running – they have to know the privacy issues
  - Involve all responsible business areas - actively
  - If it’s an IT project, make sure both IT and the business area are involved – not just the development team
  - If project is complex or it’s your first PIA, bring in a consultant – but you should not need a consultant for every PIA.
  - PIA findings should be approved by the senior manager responsible for the project

20 Issues in PIA Planning and Preparation
- When to do it?
  - As early in project planning as possible
    - Need to know PI data elements and flows to complete
  - For IT projects, make it part of the system design phase
  - For administrative and management projects, do PIA after process design but before implementation
  - Need for PIA, or lack thereof, should be part of the project proposal or business case.

21 Issues in PIA Planning and Preparation
- Some IM requirements related to PIAs
  - Need to document personal information flows
  - All project planning information needs to be accessible and available to PIA team
  - Once completed, the PIA should be easily and widely accessible, with the possible exception of some security information
  - Once project is implemented, changes to PI management should be reflected in an updated PIA – so need related triggers, which will involve IM
  - For large organizations, useful to establish a repository of PIAs
    - Include PIAs from other organizations similar to yours – use OIPC repository as starting point.
    - Consider sector-wide repositories?
    - Provides guidance for future PIAs.

22 Provincial Approaches: Alberta
- Show of hands: How many in the audience are familiar with the Alberta template?

23 Where to Get More Information
- See URLs for PIA sources
- Consult your FOIP Coordinator or HIA privacy officer
- List of Alberta consultants available from AGS at
- Alec Campbell, Principal Excela Associates Inc

24 Discussion
- Questions?
- Concerns?
- Examples?
- Good or bad experiences?