
Privacy Impact Assessments

June 22, 2023 - Sharon Young, Analyst

Back in 2015, my office blogged about privacy impact assessments (PIAs). It has been a while since then, so I thought I would highlight our PIA resources once again!

What is a privacy impact assessment (PIA)?

A PIA is a process that assists organizations in assessing whether a project, program, or process complies with the applicable access and privacy legislation. In Saskatchewan, government institutions are subject to The Freedom of Information and Protection of Privacy Act (FOIP), local authorities are subject to The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and trustees are subject to The Health Information Protection Act (HIPA).

What is a privacy impact?

A “privacy impact” arises when there are inadequate safeguards to protect personal information or personal health information, or when FOIP/LA FOIP/HIPA does not authorize the collection, use, and/or disclosure of personal information or personal health information.

When does an organization engage the PIA process?

As projects are designed, developed, implemented, and carried out, privacy impacts may arise and will need to be addressed. Therefore, PIAs should be done at the outset and throughout projects. The PIA process is not a short exercise and it can require a lot of time and effort depending on the complexity of the project. Further, the PIA process is not a stand-alone, one-time exercise.

Who should be a part of the PIA process?

Although an organization’s Privacy Officer often takes the lead on conducting PIAs, employees and representatives from the participating program area, branch, division, business unit, other institutions, and third parties can expect to be involved in the PIA process. The PIA process can only be effective if it comprehensively reviews the project.

What should the organization do when it identifies a privacy impact?

When a privacy impact is identified, that is an opportunity for the organization to adjust the project so that personal information or personal health information is protected to the greatest extent possible and the project complies with FOIP/LA FOIP/HIPA. For example, if the PIA reveals there is no legal authority for the collection, use, or disclosure of certain personal information or personal health information, then the organization should determine if such personal information or personal health information is required for the project. If not, then excluding it from the project will assist the organization in eliminating a privacy impact while still carrying forward with the project.

Where can I find more information?

Check out my office’s guidance document on privacy impact assessments. My office offers both a PDF and a Word version of this document. The Word version allows organizations to fill in the PIA. Organizations should keep in mind that the guidance document is meant to be a guide. It is not a definitive method of conducting a PIA.

You can also check out Chapter 6 of my office’s Guide to FOIP and Guide to LA FOIP for more step-by-step information on how to conduct PIAs.

Can I get feedback on a PIA?

Yes. If your organization has completed a PIA and wants my office to review it and provide feedback, you may engage in my office’s consultation process. For more information about the consultation process, please check out my office’s Consultation Request Form.
