
Privacy Audits (updated)

September 7, 2023 - Sharon Young, Analyst

Your organization has undertaken a privacy impact assessment (PIA) as part of its process of designing and implementing a new program. So, what’s next?

Once the new program has gone live, your organization should plan regular privacy audits to ensure that the program is operating in a manner that complies with applicable access and privacy legislation.

When undertaking the PIA process, your organization would have identified the program's privacy impacts and the methods (controls) to manage and/or mitigate those impacts so that the program complies with the applicable access and privacy legislation.

During a privacy audit, you will determine whether the controls identified through the PIA process are adequate in managing and/or mitigating the privacy impacts. This will include identifying what personal information/personal health information is actually being collected, used, and disclosed; reviewing the information systems used to store and manage that information; and reviewing the program's policies, procedures, and actual practices to ensure your organization is managing personal information and/or personal health information in compliance with the applicable access and privacy legislation. While time-consuming, it is a worthwhile exercise that can minimize the impact of potential privacy breaches.

Through the audit process, your organization may identify areas of the program that are not in compliance with applicable access and privacy legislation, or areas that invite privacy vulnerabilities. Examples could be:

  1. Collecting, using and/or disclosing more personal information/personal health information than is necessary.
  2. Retaining personal information/personal health information instead of disposing of it in accordance with the applicable records and disposition schedules.
  3. Inadequate safeguards for protecting personal information/personal health information, including failing to de-activate the accounts of employees on leave or of former employees.

Once inadequacies in the controls are identified, your organization should identify methods to manage and mitigate the resulting privacy impacts.

Programs will inevitably evolve as time goes on. It's always a good idea to schedule regular privacy audits to ensure privacy impacts continue to be managed and/or mitigated, reducing the likelihood of a privacy breach.

While my office has not conducted any formal privacy audits, my office has the ability to conduct audits pursuant to subsection 33(d) of The Freedom of Information and Protection of Privacy Act, subsection 32(d) of The Local Authority Freedom of Information and Protection of Privacy Act, and subsection 52(d) of The Health Information Protection Act.
