Report on PIA Best Practices 
Report on
Best Practices Identified During the
Implementation of the Privacy Impact
Assessment Policy and Guidelines
Chief Information Officer Branch
Treasury Board Secretariat
March 20, 2003
Table of Contents
Acronyms and Abbreviations Used in this Report
1. Introduction
2. Report Overview
2.1 Report Objective
2.2 Methodology
3. Benefits of the PIA Process
4. Best Practices
4.1 PIA Policy Implementation Strategies
4.2 Implementation Challenges
4.3 Internal Capacity for Completing Privacy Impact Assessment Reports
4.4 Tips on Embarking on a PIA
4.5 Tips on Completing the PIA Privacy Analysis Questionnaire
4.6 Tips for Completing the PIA Report
4.7 Feedback from the Office of the Privacy Commissioner
5. Conclusions
6. Annex A - List of Participants
ATIP |
Access to Information and Privacy |
PIA |
Privacy Impact Assessment |
TBS |
Treasury Board Secretariat |
TRA |
Threat and Risk Assessment |
SOS |
Statement of Sensitivity |
The Treasury Board of Canada approved the Privacy Impact Assessment
(PIA) Policy in early 2002 with an effective date of May 2, 2002. The
objective of the Policy is to assure Canadians that privacy principles
are being taken into account when there are proposals for, and during the
design, implementation and evolution of programs and services that raise
privacy issues by:
- Prescribing the development and maintenance of PIAs
- Communicating routinely the results of PIAs to the Privacy Commissioner and
the public.
Treasury Board Secretariat (TBS) developed and issued the Privacy Impact
Assessment Guidelines: A Framework to Manage Privacy Risks to
convey advice on the application of the Policy.
The Policy and Guidelines can be found at:
http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paip-pefr_e.asp
The objective of this report is to identify practical tips and best
practices for implementing the PIA Policy and Guidelines into
departmental day-to-day operations. These best practices should be read in
conjunction with the PIA Policy and Guidelines.
The Chief Information Officer Branch of TBS hosted two one-half day
sessions attended by representatives of 11 departments and agencies and five
consulting firms. The attendees had a diverse range of experience in
implementing the PIA Policy and Guidelines, conducting PIAs
and/or communicating the results of PIAs to senior management and the Office
of the Privacy Commissioner.
Participants identified a number of benefits to departments associated with
the PIA process:
- The PIA process makes project planners articulate in precise terms what the
project is about.
- Privacy is considered at the front end of a project so that privacy issues
are known and can be addressed early in the project planning process.
- The PIA process presents an opportunity to communicate, discuss and
increase the awareness of the Privacy Act.
- The PIA process enhances program planning relative to privacy and results
in better public policy.
- The PIA process provides a disciplined approach to the identification and
mitigation of privacy risks resulting in better information management
practices.
- The PIA process is an excellent means to learn about privacy.
- Some departments reported a better understanding of the relationship
between Program legislation and the Privacy Act.
The best practices are organized under subjects that reflect the activities
and outcomes of the PIA process.
PIA implementation strategies are the overall steps taken to communicate
and put into action the PIA Policy, and the following best practices
were identified:
- To facilitate buy-in, establish a senior management committee to make
decisions on the need for a PIA and who review all PIA reports.
- Develop an internal policy to integrate the PIA Policy requirements
with other information management policy requirements.
- Develop an implementation plan as a guide for the implementation of the PIA
Policy and Guidelines.
- One department found an ATIP Policy Advisory Committee was helpful in
providing advice on the PIA implementation plan.
- All of the stakeholders need to be at the table at the start of the
planning process.
- Develop a workflow on the PIA process to act as a roadmap for users.
- One department developed a short template to lead managers to a decision on
whether or not a PIA is required.
- Appoint a senior executive to champion the implementation of the PIA
process.
PIA challenges are thought-provoking situations faced by some departments
during the implementation of the PIA Policy. The following best practices were
noted:
- The breadth of the PIA Policy presents a challenge because it
encompasses not only information technology projects but also proposed
legislation, Memorandums of Understanding and Information Sharing Agreements.
- Managers need a one-stop shop for advice on interrelated policy
requirements such as the Data Matching Policy, PIA, TRA and SOS.
- Senior management has to be an active participant in the implementation
process and this implies that departments clearly define roles and
responsibilities in the PIA process.
- The conduct of a PIA should be part of the detailed project plan.
- It is difficult to find skilled resources either internally or externally
to conduct PIAs.
- In some departments, there is a lack of resources available to conduct PIAs
and to take the necessary steps in order to "operationalize" the policy by
identifying approval1advisory committees, etc.
There are various ways that departments have acquired the skill sets needed
to conduct the PIA process and the following best practices were offered:
- Departments have been using consultants to assist and mentor staff on how
to complete the PIA process and thereby develop in-house PIA expertise.
- Departments will need internal PIA skills at a minimum to assess work that
has been completed by consultants.
- It remains difficult to determine if each department or one department
representing all departments participating in a multi-departmental project
should conduct a PIA.
- Designating internal resources to conduct PIAs was difficult because the
required privacy policy skills were scarce and the staff was already fully
engaged.
- The PIA process requires privacy policy analysis skills that differ from
the skills required to process privacy requests.
There are tips about conducting a PIA that are useful to know before the
start of the PIA process. Here are some examples of best practices:
- Departments felt it was useful to discuss the PIA process with staff in
other departments who had completed PIA Reports to gain insight from their
experience.
- Departments felt it was useful to review completed PIA Reports obtained
from TBS or the Office of the Privacy Commissioner to gain insight into the
expectations for a completed report.
- The Office of the Privacy Commissioner needs much of the same documentation
used by the departmental team engaged in the PIA process so it is useful to
compile the documentation in one place as the PIA process unfolds.
- Organize a meeting for the PIA team and explain the PIA process as an
introduction to the process.
- Defining the scope at an early stage of the PIA process is important.
- Keep a focus on the identification of privacy risks and strategies to
manage or eliminate the risks.
- The development of a checklist of potential background documentation to
review as part of the PIA process is helpful.
- Timing is important because it may be difficult to retrofit privacy into
the project late in the planning cycle.
- Without clearly documented data flows it is difficult to identify what may
be privacy risks.
- Ensure there is a sign-off on a decision not to complete a PIA.
The PIA Privacy Analysis Questionnaire is a key component of the PIA
process and is used to generate information on potential privacy risks. The
following best practices were provided:
- The responses to questions in the Questionnaire reflect a single point in
time and there is little need to constantly revisit all of the questions.
- There were no examples of the use of Questionnaire B for
Cross-jurisdictional PIAs because implementation of the PIA Policy is
still in the developmental stage.
- The PIA team should go through the Questionnaire as a group.
- It is helpful when going through the Questionnaire to explain why the
question is being asked.
- One department found that after the completion of a number of PIAs that
some of the questions could be filled out in advance.
The PIA report is a policy-level discussion of a proposal that summarizes
the specific privacy implications and risks together with mitigation measures;
the following tips were provided:
- Defining the scope of the PIA is critical to the process.
- The person conducting the PIA really needs to understand what is being
proposed to determine the affect on the management of personal information.
- Project staff have their own timelines and the PIA process timing needs
some flexibility to support the Program Manager's business needs.
- The PIA Report has to be managed as a work in progress because there may be
a tendency to complete the report and set it aside.
- Documentation has to form the basis of the PIA process to avoid speculation
on what may or may not be involved in the proposed project.
- It is important to engage the entire PIA team during the discussion of the
privacy risks and risk management plan.
- Treat the Executive Summary as a stand-alone document for non-program and
non-technical audience that succinctly describes the program proposal, the
privacy risks and mitigation measures.
- It is useful at the start of the PIA process to document who is accountable
for which aspects in the process and the follow-up to the PIA Report.
The Office of the Privacy Commissioner reviews PIA reports and may offer
comment on the privacy risks and mitigation measures. Here are some
considerations:
- Departments found that is was useful to engage the Office of the Privacy
Commissioner early in the PIA process to communicate the overall nature of the
project and to discuss expectations.
- The Commissioner's Office described their expectations to one department
concerning the submission of a PIA Report to include where appropriate:
- A clear description of the scope of the PIA and the subjects to be covered
in it
- A clear and comprehensive description of all the actions to be pursued
under the initiative involved
- The architectural specifications of the initiative
- The Threat and Risk Assessment report pertaining to the initiative
- A copy of whatever legal instrument, agreement or Memorandum of
Understanding was used to define the rights and responsibilities among parties
to the initiative
- Samples of third party contracts, including contracts for employment of
persons hired to input data into the system, to ascertain whether they include
appropriate privacy protection clauses
- An explanation of the consent regime involved with respect to the personal
information involved with the initiative
- Copies of all rules and guidelines that have been prepared regarding the
collection, use and disclosure of personal information for purposes of the
initiative
- A description of the procedures to follow in respect to complaints
regarding the initiative and the oversight body designated to receive these
complaints
- Copies of all forms and public education materials that have been created
which deal with informational privacy.
- Once all of the required documentation is provided, the Privacy
Commissioner's Office is typically taking about eight weeks to provide
comments on a PIA Report.
The PIA best practices session illustrated a strong endorsement of the
benefits of the policy and the current TBS activities that provide proactive
support to departments on PIA Policy and Guidelines
implementation activities. Departments were very aware and supportive of the
innovative ways that TBS has and plans to implement the PIA Policy and Guidelines.
The implementation of the Privacy Impact Assessment Policy and Guidelines
is still in the early stages. When departments participating in the best
practices sessions were asked to rate their department's integration of the PIA
Policy requirements into day-to-day operations, on a scale of 1 (low) to 5
(high), most rated integration as 1 or 2.
There are many PIA reports under development. However, there are few
examples of PIA reports that have completed the entire PIA process including
the review with the Office of the Privacy Commissioner and follow-up on
recommendations from the Privacy Commissioner.
The PIA process illustrated an overall need for privacy training in
general. TBS identified this need during the development of the e-Learning
Tool for the PIA process. The e-Learning tool is scheduled for implementation
at the start of the 2003-2004 fiscal year and will contain a module devoted to
privacy.
Timing of the PIA process is important because it may be difficult and/or
expensive to retrofit privacy into the project late in the planning cycle.
Departments will need to spend time once the PIA Report is complete to
consider follow-up activities, monitor the implementation of privacy risk
management measures and determine if project changes will lead to an update of
the PIA Report.
Although the objective of the PIA process is risk management, departments
receive ancillary benefits from the process that contribute to better
information management practices. Since PIA implementation is in the early
stages, in another 6 months TBS should have another session to build on these
best practices in 2003/2004.
The Information Policy Division of Treasury Board of Canada Secretariat
would like to thank and acknowledge the contributions of the following
participants:
Alain Rocain, Deloitte & Touche, PIA Consultant
Andrée Morissette, Public Works & Government Services Canada,
Senior ATIP Officer
Anita Lloyd, Public Works & Government Services Canada, ATIP
Coordinator
Brian Foran, Health Canada, Director - Information, Analysis and
Connectivity Branch
Brian McCracken, Canada Customs Revenue Agency, Policy Officer - BN
Strategic Planning & Policy Section
Corinne Cormier, Veterans Affairs, A/Deputy Coordinator (Policy
& Training) - ATIP
David Reid, Heritage Canada, Director, Strategy and Consultation
Diane Burrows, A/Director, Public Rights Administration
Don Mccoll, Citizenship and Immigration Canada, Senior Public Rights
Administrator
Éric Charlebois, Health Canada, Project Officer - Health
Surveillance
Frank Bradley, Indian & Northern Affairs Canada, Business
Analyst - IRS - CIS Project
Grant Boyd, Canada Customs Revenue Agency, ATIP Coordinator
Judy Humenick, Heritage Canada, Manager, Policy Development, GOL
Branch
Larry Kennedy, Health Canada, Senior Policy Analyst, Information,
Analysis and Connectivity Branch
Marc-André Gaudet, Agriculture Canada, Acting Manager - ATIP
Matthew Chan, Indian & Northern Affairs Canada, Project Director
- Operations Branch
Michael Power, Gowlings, PIA Consultant
Nicole Sarafin, Public Service Commission, ATIP Coordinator &
Legislative Affairs Officer
Paula Bédard, Human Resources Development Canada, Senior Public
Rights Administrator - ATIP
Peter Hull, Canada Customs Revenue Agency, Director - ATIP
Peter Rock, Citizenship and Immigration Canada, Senior Public Rights
Administrator
Rick Shields, McCarthy Tétrault LLP, PIA Consultant
Scott Crosby, Sysanova, PIA Consultant
Susan Seeger, A/Chief, Access to Information and Privacy
Suzan Appleby, Citizenship and Immigration Canada, Senior Public
Rights Administrator
Tom McMahon, Treasury Board Secretariat, Senior Counsel - Justice
|