1 / 15

The Privacy Impact Assessment Guidelines

The Privacy Impact Assessment Guidelines. Guy Herriges Manager, Information and Privacy Office of the Corporate Chief Strategist, MBS November 2000. Why do a PIA?. New technologies are transforming how we do business

enoch
Download Presentation

The Privacy Impact Assessment Guidelines

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Privacy Impact Assessment Guidelines Guy Herriges Manager, Information and Privacy Office of the Corporate Chief Strategist, MBS November 2000

  2. Why do a PIA? • New technologies are transforming how we do business • Promise of greater efficiency, integration, effectiveness, and responsiveness • But they are also raising new concerns about privacy • We need to address these concerns to ensure success • PIA provides a methodology for identifying and addressing privacy issues at every stage in a project

  3. Managing Privacy Risk • Privacy Impact Assessment (PIA) is the best tool at our disposal • Evidence-based decision-making instrument that considers both technical compliance with privacy requirements and public expectations • generates/communicates confidence that privacy objectives have been met, • takes variety of perspectives into account, • promotes fully informed policy decision-making and system design choices, • helps ministries to adequately anticipate public reaction to the privacy implications of a given proposal by considering all perspectives

  4. Possible Indicators of the Need to do a PIA • Creation/modification of databases containing personal information; • Proposals involving identification or authentication schemes; • Program/service channel redesign or merger - single window; • The use of smart cards; • New delivery structures or partnerships, including devolution; • Technology changes; • Common infrastructure projects

  5. MBS Requirements • A PIA is required where proposals may affect client privacy • Privacy is affected by any substantive change to the collection, use, or disclosure of personal information • Ministries/Cluster CIO determines whether a PIA is required

  6. Perspectives on Privacy • A variety of perspectives inform debates around privacy • Legal perspective - compliance with privacy rules • Consumer perspective - privacy as a consumer protection issue and fairness in the marketplace, especially in e-commerce • Rights-based perspective - privacy as a right in itself and in relation to other rights (e.g. free association, autonomy) • Public policy issue - management of privacy risk, public expectations, and building public confidence and trust

  7. Components of the PIA 1. Proposal analysis 2. Data flow analysis • Outline how and when information is collected, used, and disclosed 3. Compliance Analysis • Verify technical compliance with statutory requirements and broader conformity with general privacy principles 4. Risk Management Strategy • Identify privacy risks and propose solutions

  8. Proposal Analysis • Under development • Description of Essential Aspects of a Proposal • Environmental/Issues Scan • Identification of Significant Privacy Issues

  9. Data Flow Analysis • Business Process Diagrams identifying major components of a business process • Documented data flow • Identification of specific personal data elements or clusters of data and their collection, use and disclosure

  10. Samples from Projects

  11. Page 30 PIA Guide

  12. Compliance Analysis • Key questions that interrogate a proposal’s compliance with privacy legislation and program statutes. • Identification of broader privacy issues that may raise public concerns. • Questions organized under privacy principles of CSA Model Privacy Code and Freedom of Information and Protection of Privacy Act

  13. Risk Analysis • Summary of conclusions from the privacy analysis • Legal compliance issues based on analysis of data flow • Identification of residual risk • Broader privacy risks/stakeholder reaction • Communications strategy

  14. Resource and Skill Requirements • Depends on scope and stage of project • Range of skills that may be useful on PIA team include: • Policy Development • Operational Program and Business Design • Technology and Systems • Risk and Compliance Analysis • Procedural and Legal • Access to Information and Privacy

  15. Conclusion • PIA is available from Information and Privacy Office, MBS • http://www.gov.on.ca./MBS/english/fip/

More Related