Privacy Impact Assessment
ARMA Workshop, April 5, 2006
Alec Campbell
Introduction
What is a PIA? A formal assessment of the privacy implications associated with a given project, initiative, or collection of records, usually in reference to applicable legislation or policy.
Who in the audience has participated in a PIA before?
Agenda
Today’s discussion:
• Overview of selected PIA templates and approaches
• The Alberta OIPC PIA process and template in more detail, if you wish
• Key issues in PIA planning and preparation
Introduction
• PIAs have become a critical tool in privacy management
• PIAs are proactive, not reactive
• Well-suited to risk management
• Provide evidence of due diligence
• Inspired by the environmental impact assessment
• Formal PIA processes have taken some time to develop, and there is still no widespread standard
Overview of Approaches
• Federal approaches: Treasury Board Secretariat
• Selected provincial approaches: BC, Ontario, Alberta (in detail)
• Private sector approaches: Canadian Institute of CAs (CICA)
Federal Approach
Treasury Board Secretariat: http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/siglist_e.asp
• Institutions must develop and maintain Privacy Impact Assessments
• PIA Guidelines: A Framework to Manage Privacy Risks
• Institutions seeking approval from the Treasury Board pursuant to the Project Approval Policy must include the results of the PIA
• Departments are urged to consult the Privacy Commissioner, but are not required to
TBS PIA Process (process diagram not reproduced)
Federal Approach: TBS PIA Guidelines Table of Contents
• Introduction: Purpose; Proceeding with a PIA; Process Overview; Detailed Process Description
• Part 1: Project Initiation/Needs Assessment; Defining Resource Requirements
• Part 2: Documenting the Data Flow; Business Process Diagram; Data Flow Tables
• Part 3: Privacy Analysis; Questionnaire A: For federal programs and services; Questionnaire B: Cross-Jurisdictional Program and Service Delivery
• Part 4: Privacy Impact Analysis Report; Reviewing the Results; Summary Table; Privacy Impact Analysis Report; Addressing Risks
Provincial Approaches
• BC: PIAs mandatory under the FOIP Act, not under PIPA. Not reviewed by the IPC.
• Ontario: PIAs required for major projects by Ontario Government policy. Not mandatory under FIPPA, MFIPPA or PHIPA.
• Alberta: PIAs not mandatory under the FOIP Act or PIPA, but mandatory under the HIA. The OIPC must review HIA PIAs and usually reviews GoA PIAs. The OIPC PIA review function is unique among IPCs.
Provincial Approaches: BC
http://www.mser.gov.bc.ca/privacyaccess/PIA/PIAprocess.htm
A PIA needs to be completed for all new initiatives.
PIA Contents:
• Basic Information
• Descriptive Information
• Personal Information Collection
  (1) Authorization for Collection
  (2) How will the personal information be collected?
  (3) Notification to collect information
• Use of Personal Information
• Disclosure of Personal Information
• Accuracy and Correction of Personal Information
• Security Arrangements for the Protection of Personal Information
• Retention of Personal Information
• Director/Manager of Information and Privacy (DMIP) or FOIPP Coordinator Review
• Signatures
Provincial Approaches: Ontario
http://www.accessandprivacy.gov.on.ca/english/pia/index.html
Annual Information and Information Technology (I&IT) plans submitted to the Ministry of Government Services (MGS) must include a Privacy Impact Assessment where proposals may affect client privacy.
Provincial Approaches: Ontario
Process
Conceptual Analysis
• Prepare a plain language description of the scope and business rationale of the proposed initiative
• Identify in a preliminary way potential privacy issues and risks, and key stakeholders
• Provide a detailed description of essential aspects of the proposal, including a policy analysis of major issues
• Document the major flows of personal information
• Compile an environment issues scan to review how other jurisdictions handled a similar initiative
• Identify stakeholder issues and concerns
• Assessment of public reaction
Data Flow Analysis
• Analyze data flows through business process diagrams, and identify specific personal data elements or clusters of data
• Assess the proposal’s compliance with FOI and privacy legislation, relevant program statutes, and broader conformity with general privacy principles
• Analyze risk based on the privacy analysis of the initiative, and identify possible solutions
• Review design options, and identify outstanding privacy issues/concerns that have not been addressed
• Prepare a response for unresolved privacy issues
Follow-up Analysis
• Review and analyze the physical hardware and system design of the proposed initiative to ensure compliance with privacy design requirements
• Provide a final review of the proposed initiative
• Conduct a privacy and risk analysis of any new changes to the proposed initiative relating to hardware and software design, to ensure compliance with FOI and privacy legislation, relevant program statutes, and broader conformity with general privacy principles
• Prepare a communications plan
Provincial Approaches: Ontario
Relevant Factors to Consider
People: Consider ongoing management, privacy training programs, general organizational awareness of privacy and security issues, the level of knowledge required to perform specific functions, the availability of manuals and other forms of guidance, and mechanisms for communicating privacy and security policies.
Process: Consider what information is collected, why and how it is collected, how privacy and security are ensured operationally, and what mechanisms are in place to provide individual access to information.
Environment: Consider the physical space where information is stored, physical security measures, the availability of secure document disposal facilities, and processes for secure disposal of old information technology (e.g., personal computers, legacy servers, etc.) that may hold personal information.
Technology: Consider system design characteristics, data security and integrity measures, access controls, and audit trails.
Provincial Approaches: Ontario
Analytical Approaches
Flow Charts: Most useful for relatively simple applications. Flow charts provide a good general sense of program steps and data flows, along with an outline of the relationships among these elements and the progression between them.
Structured Analysis: Identifies the major steps in a program and then breaks these steps down, according to function, until the project can be represented as a progression through a series of small steps. This is a good way of reducing very complex projects into manageable components.
Object-oriented Analysis: Combines the mapping of processes with the mapping of the data flows attached to those processes. It sets out the processes and the organization of these processes (i.e. the architecture), and specifies which data are being used and where in each process they are being used.
Provincial Approaches: Alberta
http://www.oipc.ab.ca/pia/
• Unlike other jurisdictions, Alberta’s PIA template comes from the IPC, not government
• Privacy impact assessments are mandatory under the HIA; the HIA team at the OIPC requires use of the AB template
• PIAs are not mandatory under the FOIP Act; the FOIP team at the OIPC does not necessarily require use of the OIPC template
• The IPC reviews but will not "approve" a PIA. If satisfied, the Commissioner will "accept" the PIA. Acceptance is not approval; it merely reflects the IPC’s acceptance that the organization has made reasonable efforts to protect privacy
• The IPC does not review PIAs under PIPA
Provincial Approaches: Alberta
Critical Components
Organizational Privacy Management
• Organizational strategic plan or business plan addressing privacy protection
• Organizational privacy policy or privacy charter
• Organizational privacy procedures, guidelines and controls
• Physical security and access control documentation
• IT security and access control documentation
• Records management policies and procedures for personal information
Project Privacy Management
• Project summary and description
• Listing of all personal information or personal data elements for the project
• Personal information data flow diagram
• Personal information access documentation ("access matrix")
• Statutory authority documentation
Private Sector Approaches
CICA Privacy Framework
• AICPA/CICA Privacy Framework, developed jointly by the American and Canadian CA associations
• Based on principles similar, but not identical, to the CSA Model Code
• Includes general guidelines and evaluation criteria
• Comprehensive: 90 pages
Issues in PIA Planning and Preparation
Why do it?
• Due diligence: if you have a privacy complaint later, having done a PIA will demonstrate efforts to protect privacy
• Risk management: a PIA will identify potential privacy risks before they materialize, allowing you to take measures to prevent problems. Risks: IPC inquiry costs, loss of stakeholder trust, bad publicity, cost of retroactive privacy measures, legal costs, etc.
• Cost containment: a PIA will often cost less than a privacy breach resulting from a failure to do the PIA.
Issues in PIA Planning and Preparation
Who should do it?
• Those who will be responsible for the project or initiative after it is up and running; they have to know the privacy issues
• Involve all responsible business areas, actively
• If it’s an IT project, make sure both IT and the business area are involved, not just the development team
• If the project is complex or it’s your first PIA, bring in a consultant, but you should not need a consultant for every PIA
• PIA findings should be approved by the senior manager responsible for the project
Issues in PIA Planning and Preparation
When to do it?
• As early in project planning as possible
• Need to know PI data elements and flows to complete the PIA
• For IT projects, make it part of the system design phase
• For administrative and management projects, do the PIA after process design but before implementation
• The need for a PIA, or lack thereof, should be part of the project proposal or business case
Issues in PIA Planning and Preparation
Some IM requirements related to PIAs
• Need to document personal information flows
• All project planning information needs to be accessible and available to the PIA team
• Once completed, the PIA should be easily and widely accessible, with the possible exception of some security information
• Once the project is implemented, changes to PI management should be reflected in an updated PIA, so related triggers are needed, which will involve IM
• For large organizations, it is useful to establish a repository of PIAs. Include PIAs from other organizations similar to yours; use the OIPC repository as a starting point. Consider sector-wide repositories? Provides guidance for future PIAs.
Provincial Approaches: Alberta
Alberta PIA Template & Instructions
Show of hands: how many in the audience are familiar with the Alberta template?
http://www.oipc.ab.ca/pia
Where to Get More Information
• See URLs for PIA sources
• Consult your FOIP Coordinator or HIA privacy officer
• List of Alberta consultants available from AGS at
Alec Campbell, Principal, Excela Associates Inc.
Discussion
Questions? Concerns? Examples? Good or bad experiences?