When is a privacy impact assessment required

It presents key concepts and lays out how an institution may assess its programs and activities, including the legal requirements and privacy principles to consider. In the digital age, it has become far easier to collect, store, analyze, and share huge amounts of personal information. Many Canadians have become accustomed to living and working in connected, online networks.

And digitization has created new opportunities for organizations to more efficiently accomplish their tasks. Government institutions hold much more personal information today than when the Privacy Act became law in And while more extensive and innovative uses of personal information may bring greater economic and social benefits, this also increases potential privacy risks.

Individual privacy is not a right we can simply trade away for innovation, efficiency or commercial gain. Canadians agree. We know it is not always easy. Indeed, it has become harder than ever to know for certain whether information held by a government institution could be used to identify an individual when combined with other information — for example, when combined with information available on the Internet or with information held by another government institution or a third party.

Done properly and before launching an initiative, PIAs can help ensure that legal requirements are met and that privacy impacts are either addressed or minimized, before a problem occurs. In other parts of the world such as Europe, PIAs are becoming the legal standard. We provide advice through:

The OPC can provide federal institutions with more informal, proactive advice and guidance on programs and activities that may impact privacy. However, we encourage you to consult us long before you finalize your report. The OPC is happy to engage in informal discussions and to answer questions and provide advice to institutions early in the development and throughout the lifecycle of their programs and activities.

Once the PIA report is completed, we review the final version, and provide written recommendations where we identify additional risks or gaps. However, we use a triage process to determine which reports will be subject to a secondary review and formal recommendations.

You should submit select relevant documents, such as information-sharing agreements and summaries of security assessments to the OPC with your PIA report.

We may request supplementary documents, in-person meetings or site visits, where needed. Notwithstanding the role of the OPC in the review of PIA reports, accountability for privacy compliance rests squarely with the heads of federal institutions or the official responsible for section 10 of the Privacy Act. Tip: The OPC may comment publicly, including in our annual report to Parliament, on advice we have provided to institutions regarding the privacy risks posed by their programs and activities, including whether that advice was accepted.

It is critical that you determine the legal authority for your program or activity before considering whether you should undertake a PIA. If you do not have legal authority, you should not proceed with the initiative. The advice and direction provided in this document assume you have legal authority to collect, use and disclose information as part of your project. First and foremost, conducting a PIA is a means of helping to ensure compliance with:

Adhering to the requirements above will reduce your risk of improper or unauthorized collection, use, disclosure, retention or disposal of personal information. While programs and activities must comply with legal and policy requirements, they should also be designed to incorporate best practices and to minimize negative impacts on the privacy of individuals. A PIA may not eliminate such risks altogether, but should help to identify and manage them. There is often more than one way of designing a project.

A PIA can help identify the least privacy intrusive way of achieving a legitimate aim. PIAs are an early warning system, allowing institutions to identify and mitigate risks as early and as completely as possible. They are a key tool for decision-makers, enabling them to deal with issues internally and proactively rather than waiting for complaints, external intervention or bad press.

An effective PIA can help build trust with Canadians by demonstrating due diligence and compliance with legal and policy requirements as well as privacy best practices. The real value comes from the analysis that occurs as part of the process of working through the PIA questions. Tip: Institutions should ensure compliance with the Privacy Act. Even when a program is legally compliant, you should identify and manage the risk that it may negatively impact the privacy of individuals.

Where possible eliminate impacts altogether. A PIA is generally required if your program or activity may have an impact on the personal information of individuals. Examples of personal information include: name, address, employment history, fingerprints, medical diagnoses and personal opinions.

The TBS Directive on Privacy Impact Assessment encourages institutions to undertake a PIA if their program or activity will have an impact on privacy and there are potential privacy risks that should be assessed and mitigated. While you may not be required to do a PIA in such circumstances, thoroughly assessing risks to privacy through a PIA will help you develop legally compliant and privacy-friendly programs. Based on this assessment you may choose to conduct a PIA even when there is no administrative use of personal information.

Institutions should consider each project individually to decide whether a PIA is warranted. Tip: It is important to assess the privacy impacts of new as well as old initiatives. Begin with programs and activities likely to pose the greatest risk. Use this flowchart to help you determine if you need to do a PIA.

If you decide not to conduct a PIA, document your decision and the rationale. As a best practice, you should identify and address the privacy impacts of your programs and activities even when you do not do a formal PIA. Consider whether you should complete other formal assessments or procedures along with or instead of a PIA.

Whereas PIAs concentrate on privacy compliance as well as risks to privacy posed by programs and activities, other assessments have different areas of focus. For example: Tip: If the types of questions posed in the Directive on Privacy Impact Assessment or in this guide seem ill-suited to your project, perhaps a PIA is not the assessment you should be doing!

You can always contact our office to discuss your concerns. You should consult the Directive to ensure that your PIA complies.

Beyond TBS requirements, this document outlines the Privacy Act requirements and best practices that institutions should consider in going through the PIA process. The discussion that follows is intended to help institutions comprehensively assess and reduce risks to privacy. The process is designed to be flexible and scalable.

The length and complexity of your PIA process will depend on the scale, complexity and risk level of your project. PIAs are a tool to help you assess the privacy impacts of your program and to identify any compliance issues.

If you know your program you can conduct a PIA. You may not need to engage all of the parties listed above for each PIA; however, at a minimum, involve relevant program and privacy staff in any PIA process.

If there is doubt and it is difficult to determine a high risk, a DPIA should nevertheless be conducted. This process must be repeated at least every three years. In addition, the national supervisory authorities have to establish and publish a list of processing operations which always require a data protection impact assessment in their jurisdiction (positive list).

They are also free to publish a list of processing activities which specifically do not require a privacy impact assessment (negative list). How and by what criteria the consequences and risks for the data subjects are assessed remains largely unanswered. The OAIC encourages organisations to undertake PIAs for projects that involve handling of personal information, and share their findings publicly. Different entities might have their own processes for undertaking PIAs, or choose to use a different methodology.

Not every project will need a PIA. If an entity bound by the Privacy Act is developing a project that involves personal information, it must comply with that Act. Your entity is responsible and accountable for the personal information it collects, even when the information is held by external service providers or contractors operating in Australia or overseas. A threshold assessment helps you work out, early in the project, whether a PIA is necessary.

There is no hard-and-fast rule about whether a PIA will be necessary, and each project must be considered individually. This assessment allows projects with no or minimal information privacy implications to be identified relatively easily and quickly. Generally, if personal information is involved in the project, some form of PIA may be necessary.

If personal information is not involved in the project, the project is unlikely to impact on information privacy and a PIA will not be necessary. A PIA may not be necessary if the project does not propose any changes to existing information handling practices, if the privacy implications of these practices have been assessed previously and controls are current and working well. If no personal information is being handled, you might still decide to conduct a PIA if you wish to show how you are avoiding the use of personal information.

For example, if a project uses de-identified information, a PIA could explain how and why this information will be used and how the entity conducting the project will prevent the future re-identification of the information. You might also find it useful to undertake a PIA to show how the project will deal with other kinds of personal privacy not covered by the Privacy Act, such as bodily, behavioural and communications privacy.

Regardless of whether you proceed to a PIA, you should keep a record of the threshold assessment. This could include the following information: Planning should consider a range of elements, including: The planning process should take into account that the PIA is a process which will need to continue beyond the development of recommendations and the preparation of the PIA report to include implementation and monitoring.

The size or budget for a project is not a useful indicator of its likely privacy impact, and even a small-scale project may have significant privacy implications. There is no single way of doing a PIA or setting out a PIA report and entities are encouraged to take a flexible approach.

The structure and length of a PIA report will be proportionate to the nature of the project and the nature of the organisation carrying out the project. Reports should be easy to follow and thorough without being needlessly repetitive or jargonistic. Steps set out separately in this Guide may be combined or re-ordered in a report if this assists with readability and reduces the need to re-explain or repeat material.

For example, an explanation of personal information flows and privacy risks could be presented alongside proposed mitigation strategies. Some examples of how detailed the PIA process might be for different types of projects are below.

These examples are not exhaustive. If a project is incremental and relatively limited in privacy scope, only a short PIA may be needed (for example, a project making a relatively minor adjustment to an established, existing program, or securely collecting and using a very limited amount of personal information that is not sensitive).

Initially, projects at the conceptual stages of development may only be able to address the PIA key stages in a less detailed way. For example, information flows can only be mapped based on the information available at the time, limiting the preliminary analysis of privacy impacts and possible management strategies. As the project develops and the issues become clearer, the PIA can be updated and supplemented, becoming more comprehensive.

In significant projects, preparing preliminary reports and interim recommendations will provide early visibility of privacy risks and assist in ensuring privacy is considered and addressed in the design of the project.

Projects that have broad scope and are at a relatively advanced stage of development will need a comprehensive PIA or sometimes more than one. A comprehensive PIA will work through the key stages in much more detail. Generally, whoever is managing the project would be responsible for ensuring the PIA is carried out. The nature and size of the project will influence the size of the team needed to conduct the PIA, and how much the team needs to draw on external specialist knowledge.

A PIA is unlikely to be effective if it is done by a staff member working in isolation. A range of expertise may be required, including information security, technology, risk management, law, ethics, operational procedures and industry-specific knowledge. Seeking external input from experts not involved in the project can help to identify privacy impacts not previously recognised.

Some projects will have substantially more privacy impact than others. A robust and independent PIA conducted by external assessors may be preferable in those instances. The team conducting the PIA needs to be familiar with the Privacy Act, any other legislation or regulations that might apply to personal information handling (for example, state or territory legislation), and the broader dimensions of privacy.

Consultation with key stakeholders is basic to the PIA process. It helps to ensure that key privacy issues are noted, addressed and communicated. A PIA should always consider community attitudes to and expectations of privacy.

Affected individuals are likely to be key stakeholders, so public consultation is important, particularly where a substantial amount of personal information is being handled or where sensitive information is involved.

Public consultation also adds to community awareness about the project and can increase confidence in the way the project and the entity is handling personal information.

The extent and timing of the consultation will vary depending on the stage of the project. The project description should be kept fairly brief, and should not include analysis of the privacy implications, as this will be addressed in later stages of the PIA.

This information is important as it provides context for the rest of the PIA. Information about the project prepared for the threshold assessment can also be usefully included at this stage. If the project is still at an early stage, it may not be possible to prepare a detailed description, but this can be updated as more becomes known about the project.

The project description should be sufficiently detailed to allow external stakeholders to understand the project, and should be written in plain English, avoiding overly technical language or jargon. Stakeholders are those who are or might be interested in or affected by the project being considered.

An entity will have internal stakeholders and external stakeholders, including regulatory authorities, clients, advocacy organisations, service providers, industry experts, academics and others. The stakeholder list should identify both categories of stakeholders, and individuals and organisations within each of these categories.

It may be necessary to add to the stakeholder list as the project progresses. It may not be necessary to consult with all the identified stakeholders, depending on the scale and likely privacy impacts of the project, but some form of consultation should occur as part of the PIA. Consulting with stakeholders may assist in identifying privacy risks and concerns that have not been identified by the team undertaking the PIA, and possible strategies to mitigate these risks.

Consultation may also offer stakeholders the opportunity to discuss risks and concerns with the entity and to gain a better understanding of, and provide comment on, any proposed mitigation strategies. Importantly, consultation is also likely to provide confidence to the public that their privacy has been considered.

Failure to consult may give rise to criticism about a lack of consultation in relation to the project. For consultation to be effective, stakeholders will need to be sufficiently informed about the project, be provided with the opportunity to provide their perspectives and raise any concerns, and have confidence that their perspectives will be taken into account in the design of the project.

Many consultation models are available, including telephone or online surveys, focus groups and workshops, seeking public submissions, and stakeholder interviews. Consultation does not necessarily need to be a separate step as it can be useful to consult throughout the PIA process. It is important that some form of targeted consultation is undertaken, even if widespread public consultation is not possible (for example, if a private organisation is concerned about sharing commercially sensitive information widely), such as with groups representing relevant sectors of the population, or advocacy groups with expertise in privacy.

The analysis should be sufficiently detailed to provide a sense of what information will be collected, used and disclosed, how it will be held and protected, and who will have access to it. To map information flows effectively, you will need to communicate with other staff and project stakeholders.

If you try to map information flows in isolation, you run the risk of overlooking valuable information about how the project will work and how personal information will be handled. This could cause problems later on that may be difficult or expensive to remedy. Mapping should also describe the current personal information environment and how the project will affect it. Areas for consideration when you are mapping the information flows are outlined below. These points will help you describe how your project deals with each of these areas and draw your attention to any privacy issues.

Your responses should be documented and used in the privacy impact analysis stage. They will also be useful for the preparation of the PIA report. If appropriate, consider using diagrams depicting the flow of information, or tables setting out the key information for different types of personal information to be used in the project.

Identify and describe information notice about collection to be given to the individual and how it will be given, including:

Data linkage or matching, which involves aggregating or bringing together personal information that has been collected for different purposes, has additional privacy risks.

If your project will involve data linkage or matching, identify and describe: Once you have mapped the information flows, you need to identify and critically analyse how the project impacts upon privacy, both positively and negatively. Ultimately, the privacy impact analysis should attempt to determine whether the project has acceptable privacy outcomes, or unacceptable privacy impacts.

The analysis should include consideration of the content of the information and the context in which the information is collected.

It is also important to note that some types of personal information are more sensitive than others, such as genetic, health or criminal conviction information. While a PIA is more than a compliance check, it is essential to consider compliance with privacy legislation and any other privacy law relevant to your agency or organisation.

This guide provides guidance on ensuring compliance with the Privacy Act, but there may also be other privacy-related legislation and rules that apply to your entity, such as secrecy provisions or information handling obligations in other legislation.


