Privacy Impact Assessments
A Privacy Impact Assessment (PIA) is a process that enables organizations to be proactive in ensuring that a project, program or process is planned or designed in such a way that mitigates or eliminates privacy impacts.
What is a privacy impact?
A privacy impact occurs when there are inadequate safeguards to protect information/personal health information, or when FOIP, LA FOIP or HIPA does not authorize the collection, use, and/or disclosure of personal information or personal health information.
What does the PIA process look like?
It is a good idea for your organization to involve its Privacy Officer in the planning stages of projects. The Privacy Officer can lead the way in carrying out the PIA, but all employees of an organization should expect to participate in the PIA process.
During the planning stages of a project, the objective, structure, and the roles and responsibilities of employees will be formed. During this time, the Privacy Officer can identify areas where there may be a privacy impact. As a team, your organization can brainstorm methods to mitigate or eliminate privacy impacts. For example, the PIA can identify where information sharing agreements will need to be developed so the handling and sharing of personal information/personal health information will be in compliance with FOIP, LA FOIP, or HIPA. The PIA can also assist your organization in developing policies or procedures so that employees limit the amount of personal health information that is collected, used, or disclosed to minimize the likelihood of a privacy breach.
It is not a good idea to regard the PIA as a one-time exercise that can be done quickly by the Privacy Officer alone. In order for a PIA to be effective, your organization should expect that the PIA process will last for most of, if not all, the duration of the planning of a project. Even though a PIA can be time-consuming, it can help prevent your organization from dealing with a massive (and expensive) privacy breach down the road.
Where can I find PIA resources?
On our office’s website (under the Resources tab), you will find Privacy Impact Assessment (PIA) documents that we have created for your organization to use as guidance when conducting a PIA. There is a PDF version of the PIA documents, which includes explanations, instructions, and tables that list key questions your organization should be considering and answering when planning and designing a project, program or process.
While all four steps of the PIA process are documented in the PDF document, we are also offering an MS Word version of each step of the PIA process. This is so you can download the tables and enter your comments electronically.
Can I provide feedback on the IPC’s PIA resources?
Yes, you can! Feel free to ask us any questions or give us feedback on the PIA resources at firstname.lastname@example.org.