You are viewing a preserved web page, collected by Library and Archives Canada on 2006-12-02 at 18:03:16. The information on this web page may be out of date and external links, forms, search boxes and dynamic technology elements may not function.
Treasury Board of Canada, Secretariat - Government of Canada
Chief Information Officer Branch
Information, Privacy and Security Policy Division
Privacy and Government On-Line
Table of Contents
Introduction
Report Overview
Benefits of the PIA Process
Best Practices
Conclusions
List of Participants

Report on PIA Best Practices


4. Best Practices

The best practices are organized under subjects that reflect the activities and outcomes of the PIA process.

4.1 PIA Policy Implementation Strategies

PIA implementation strategies are the overall steps taken to communicate the PIA Policy and put it into action. The following best practices were identified:

  1. To facilitate buy-in, establish a senior management committee to make decisions on the need for a PIA and to review all PIA reports.
  2. Develop an internal policy to integrate the PIA Policy requirements with other information management policy requirements.
  3. Develop an implementation plan as a guide for the implementation of the PIA Policy and Guidelines.
  4. One department found an ATIP Policy Advisory Committee was helpful in providing advice on the PIA implementation plan.
  5. All of the stakeholders need to be at the table at the start of the planning process.
  6. Develop a workflow on the PIA process to act as a roadmap for users.
  7. One department developed a short template to lead managers to a decision on whether or not a PIA is required.
  8. Appoint a senior executive to champion the implementation of the PIA process.

4.2 Implementation Challenges

PIA challenges are the difficult situations faced by some departments during the implementation of the PIA Policy. The following best practices were noted:

  1. The breadth of the PIA Policy presents a challenge because it encompasses not only information technology projects but also proposed legislation, Memorandums of Understanding and Information Sharing Agreements.
  2. Managers need a one-stop shop for advice on interrelated policy requirements such as the Data Matching Policy, PIA, TRA and SOS.
  3. Senior management has to be an active participant in the implementation process and this implies that departments clearly define roles and responsibilities in the PIA process.
  4. The conduct of a PIA should be part of the detailed project plan.
  5. It is difficult to find skilled resources either internally or externally to conduct PIAs.
  6. In some departments, there is a lack of resources available to conduct PIAs and to take the necessary steps in order to "operationalize" the policy by identifying approval/advisory committees, etc.

4.3 Internal Capacity for Completing Privacy Impact Assessment Reports

There are various ways that departments have acquired the skill sets needed to conduct the PIA process and the following best practices were offered:

  1. Departments have been using consultants to assist and mentor staff on how to complete the PIA process and thereby develop in-house PIA expertise.
  2. Departments will need internal PIA skills at a minimum to assess work that has been completed by consultants.
  3. It remains difficult to determine if each department or one department representing all departments participating in a multi-departmental project should conduct a PIA.
  4. Designating internal resources to conduct PIAs was difficult because the required privacy policy skills were scarce and the staff was already fully engaged.
  5. The PIA process requires privacy policy analysis skills that differ from the skills required to process privacy requests.

4.4 Tips on Embarking on a PIA

There are tips about conducting a PIA that are useful to know before the start of the PIA process. Here are some examples of best practices:

  1. Departments felt it was useful to discuss the PIA process with staff in other departments who had completed PIA Reports to gain insight from their experience.
  2. Departments felt it was useful to review completed PIA Reports obtained from TBS or the Office of the Privacy Commissioner to gain insight into the expectations for a completed report.
  3. The Office of the Privacy Commissioner needs much of the same documentation used by the departmental team engaged in the PIA process so it is useful to compile the documentation in one place as the PIA process unfolds.
  4. Organize a meeting for the PIA team and explain the PIA process as an introduction to the process.
  5. Defining the scope at an early stage of the PIA process is important.
  6. Keep a focus on the identification of privacy risks and strategies to manage or eliminate the risks.
  7. The development of a checklist of potential background documentation to review as part of the PIA process is helpful.
  8. Timing is important because it may be difficult to retrofit privacy into the project late in the planning cycle.
  9. Without clearly documented data flows it is difficult to identify what may be privacy risks.
  10. Ensure there is a sign-off on a decision not to complete a PIA.

4.5 Tips on Completing the PIA Privacy Analysis Questionnaire

The PIA Privacy Analysis Questionnaire is a key component of the PIA process and is used to generate information on potential privacy risks. The following best practices were provided:

  1. The responses to questions in the Questionnaire reflect a single point in time and there is little need to constantly revisit all of the questions.
  2. There were no examples of the use of Questionnaire B for Cross-jurisdictional PIAs because implementation of the PIA Policy is still in the developmental stage.
  3. The PIA team should go through the Questionnaire as a group.
  4. It is helpful when going through the Questionnaire to explain why the question is being asked.
  5. One department found that, after the completion of a number of PIAs, some of the questions could be filled out in advance.

4.6 Tips for Completing the PIA Report

The PIA report is a policy-level discussion of a proposal that summarizes the specific privacy implications and risks together with mitigation measures; the following tips were provided:

  1. Defining the scope of the PIA is critical to the process.
  2. The person conducting the PIA really needs to understand what is being proposed in order to determine the effect on the management of personal information.
  3. Project staff have their own timelines and the PIA process timing needs some flexibility to support the Program Manager's business needs.
  4. The PIA Report has to be managed as a work in progress because there may be a tendency to complete the report and set it aside.
  5. Documentation has to form the basis of the PIA process to avoid speculation on what may or may not be involved in the proposed project.
  6. It is important to engage the entire PIA team during the discussion of the privacy risks and risk management plan.
  7. Treat the Executive Summary as a stand-alone document for a non-program and non-technical audience that succinctly describes the program proposal, the privacy risks and the mitigation measures.
  8. It is useful at the start of the PIA process to document who is accountable for which aspects in the process and the follow-up to the PIA Report.

4.7 Feedback from the Office of the Privacy Commissioner

The Office of the Privacy Commissioner reviews PIA reports and may offer comment on the privacy risks and mitigation measures. Here are some considerations:

  1. Departments found that it was useful to engage the Office of the Privacy Commissioner early in the PIA process to communicate the overall nature of the project and to discuss expectations.
  2. The Commissioner's Office described to one department its expectations for the submission of a PIA Report, which should include, where appropriate:
  • A clear description of the scope of the PIA and the subjects to be covered in it
  • A clear and comprehensive description of all the actions to be pursued under the initiative involved
  • The architectural specifications of the initiative
  • The Threat and Risk Assessment report pertaining to the initiative
  • A copy of whatever legal instrument, agreement or Memorandum of Understanding was used to define the rights and responsibilities among parties to the initiative
  • Samples of third party contracts, including contracts for employment of persons hired to input data into the system, to ascertain whether they include appropriate privacy protection clauses
  • An explanation of the consent regime involved with respect to the personal information involved with the initiative
  • Copies of all rules and guidelines that have been prepared regarding the collection, use and disclosure of personal information for purposes of the initiative
  • A description of the procedures to follow in respect to complaints regarding the initiative and the oversight body designated to receive these complaints
  • Copies of all forms and public education materials that have been created which deal with informational privacy.
  3. Once all of the required documentation is provided, the Privacy Commissioner's Office typically takes about eight weeks to provide comments on a PIA Report.
