PIA Expectations of the OPC
Lara McGuire Ives, Manager, Privacy Impact Assessment Review
May 6, 2011
Structure of Presentation
Purpose of Conducting a PIA
Overview of Policy Framework & PIA Requirements
OPC PIA Expectations
OPC PIA Review Process
Purpose of Conducting a PIA
• Help to identify and resolve privacy risks
• Ensure that privacy protections are incorporated into program design
• Compliance with Privacy Act and relevant government policies/directives
• Public accountability
Stakeholders in Federal Government PIA Process
• Federal departments and agencies
• Treasury Board Secretariat (TBS)
• Office of the Privacy Commissioner (OPC)
• Canadian public
TBS Privacy & Data Protection Framework
• 19 Policies and Guidelines
• 2 Acts/Regulations
• 4 Directives
TBS Directive on PIA
• Replaced previous PIA Policy (2002)
• Goal to streamline process to ensure that a PIA is conducted in a manner that is commensurate with the privacy risks identified and respects the operating environment of the government institution
A PIA is Required When…
• Personal information is used as part of a decision-making process directly affecting the individual
• Substantial modifications are made to existing programs/activities where personal information is used or intended to be used for an administrative purpose
• Contracting out/transferring of a program to another level of government or private sector results in substantial modifications
Requirements of TBS Directive on PIA
• 6.3.2 - Appropriate senior official must determine whether a PIA is warranted in cases where no decisions are made about individuals or whether privacy protocol is adequate to address impact on privacy
Directive on PIA
Multi-institutional Programs
• Lead institution to be appointed
• Interdepartmental committee to be coordinated
• Appropriate approach for completion of PIA(s) to be determined and documented
• Lead must oversee initial collection and any disclosures to partner institutions
Directive on PIA – Review Requirements
• PIAs approved internally by:
– Section 10 responsibility
– “Appropriate” senior officials
– Legal services if necessary
• Approved PIA sent to TBS with proposed new or modified Personal Information Bank (PIB)
– TBS only reviews mandatory requirements of the core PIA for purposes of PIB registration
• PIA simultaneously provided to the OPC
– Authority to request documentation, discretion to review/offer comments
TBS “Core” PIA
• Appendix C of the Directive
• Contents of core are mandatory, though use of TBS template is not
• There will be instances when a full-fledged PIA is required
TBS “Core” PIA Components
1) Overview/Initiation
2) Risk Area Identification and Categorization
3) Analysis of Personal Information Elements
4) Flow of Personal Information
5) Privacy Compliance Analysis
6) Summary of Analysis/Recommendations
7) Supplementary Documents
8) Formal Approval
OPC PIA Expectations
• Distinction between roles of OPC/TBS
• Type and depth of information needed by OPC to fulfill its role as guardian of Canadians’ privacy rights differs from basic requirements of core
• The core PIA template may be appropriate in certain cases but still must be filled out appropriately and contain enough information for OPC’s review
For example…
Section II – Risk Area Identification
OPC Expectations Document
Intent
• Shed light on OPC processes for analysing privacy risks associated with government initiatives
• Set out expectations regarding type and depth of information to include in a PIA
• Help customize PIA format building upon mandatory content of core PIA
OPC’s Expectations Document
Four-part test
Privacy principles
Action plan
Multi-institutional guidance
Checklists
OPC’s Four-Part Test
• Designed to have institutions assess broader privacy risks and societal impacts of certain programs from the outset
• Based on Canadian jurisprudence and recognition of the quasi-constitutional status of the right to privacy
• Meant for particularly intrusive/privacy-invasive initiatives
OPC’s Four-Part Test
Institution to respond to the following questions at outset of PIA:
• Is the measure demonstrably necessary to meet a specific need?
• Is it likely to be effective in meeting that need?
• Is the loss of privacy proportional to the need?
• Is there a less privacy-invasive option?
Case Study
CATSA Millimetre Wave Scanner
• OPC first consulted in 2007 during pilot
• Privacy a consideration from outset of inherently privacy-invasive program
• Application of 4-part test to address the necessity, proportionality, effectiveness and intrusiveness of initiative
• Demonstrative of how PIAs should function
OPC’s Expectations Document
The Privacy Principles
• Provide an accessible and logical framework for completing a privacy analysis
• Ensure programs are designed with privacy in mind
• Demonstrate security of information when held by government institutions
OPC’s Expectations Document
Action Plan
• Timeframe for mitigating identified risks
• Should be revisited and updated on an ongoing basis
• Include auditing/compliance reporting schedule
OPC’s Expectations Document
Multi-Institutional PIAs
• Reiterates guidance from TBS Directive
• Need for leadership role from one institution
• Overarching PIA to provide a foundation for expected privacy practices for all partners
OPC’s Expectations Document
Checklists
• Recommended PIA format
– To ensure complete assessments are conducted
• Associated documentation
– Those considered integral to a thorough review of risks
OPC PIA Review Process
• Triage
– Resources focused on initiatives which pose the greatest risk to privacy
• Documentation review
• Consultation
• Recommendations issued
• Institutional response
Changes to OPC’s Review Process
• Nature and number of recommendations
• ‘Big picture’ rather than ‘in the weeds’
• Focus on working with institutions to
address privacy risks
• Increase in consultations
Useful Links
• OPC Expectations Document: http://www.priv.gc.ca/information/pub/gd_exp_201103_e.cfm
• OPC Guidance Document - A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century: http://www.priv.gc.ca/information/pub/gd_sec_201011_e.cfm
• OPC Audit Report on the Privacy Management Frameworks of Selected Federal Institutions: http://www.priv.gc.ca/information/pub/ar-vr/pmf_20090212_e.cfm
• CSA Model Code for the Protection of Personal Information: http://www.csa.ca/cm/ca/en/privacy-code/publications/view-privacy-code
Useful Links
• TBS Privacy and Data Protection Policies and Publications: http://www.tbs-sct.gc.ca/pubs_pol/gospubs/tbm_128/siglist-eng.asp
• Directive on PIA: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?section=text&id=18308
• Policy on Privacy Protection: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12510
• Directive on Privacy Practices: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?section=text&id=18309