Privacy Impact Assessment Guidelines

PART ONE

PRIVACY IMPACT ASSESSMENTS: AN OVERVIEW

What is a Privacy Impact Assessment?

A privacy impact assessment (PIA) is a process that helps to determine whether new technologies, information systems, and proposed programs or policies meet basic privacy requirements. It measures both technical compliance with privacy legislation -- such as the Freedom of Information and Protection of Privacy Act (FIPPA) or the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and the broader privacy implications of a given proposal.

Privacy Impact Analysis at a Glance

The Three components of the PIA process include:

GOALS OF A PRIVACY IMPACT ASSESSMENT

The PIA process is designed to ensure that privacy is considered throughout the business redesign or project development cycle, and particularly at the conceptual stage, the final design approval and funding stage, the implementation and communications stage, and at the post-implementation audit or review stage.

The goals of a PIA include:

• providing senior executives and the government with the tools necessary to make fully- informed policy and system design and/or procurement decisions based on an understanding of privacy risk and of the options available for mitigating that risk;
• ensuring accountability for privacy issues is clearly incorporated into the role of project managers and sponsors;
• ensuring that there is a consistent format and structured process for analysing both technical and legal compliance with FIPPA and MFIPPA, relevant program statutes, MBC Directives, and internationally accepted fair information practices;
• ensuring that the protection of privacy is included in the core criteria for business or I&IT projects, and for subsidiary project activities, to reduce the potential for subsequent project termination or retrofitting systems for privacy compliance;
• providing basic documentation on the flow of personal information for common use and review by policy and program design staff, systems analysts, and security analysts, and as the basis for:
• consultations with the Information and Privacy Commissioner, and other stakeholder groups,
• public announcements,
• adequate notice and consent statements for clients, legislative amendments, contract specifications and penalties, partnership agreements, and monitoring and enforcement mechanisms,
• post-implementation verification and periodic reviews and audits;
• preventing the inadvertent development of personal information management systems that may be characterized or criticized as facilitating surveillance; and
• identifying remedial steps necessary to improve privacy protection in pre-existing programs or systems.

WHEN IS A PRIVACY IMPACT ASSESSMENT NEEDED?

Management Board Requirements

The new guidelines for the annual Information and Information Technology (I&IT) plans submitted to Ministry of Government Services (MBS) indicate that a PIA may be required where proposals and submissions may affect client privacy. A PIA will now normally be required as part of any Management Board of Cabinet (MBC) submission seeking approval to begin the detailed design phase or to request funding approval for product acquisition or system development work.

It is the responsibility of sponsoring ministries to identify projects that may affect client privacy. This guide has been prepared to assist ministries in identifying such projects and in completing the required Privacy Impact Assessment (PIA). Further assistance and support is available through MBS's Information and Privacy Office.

Identifying Initiatives that Require a Privacy Impact Assessment

Not all proposals involve a substantive change to the collection, use, or disclosure of personal information. Those that do, however, must be accompanied by a PIA for approval.

Examples of initiatives that are likely to require a PIA include those involving:

• Creation or modification of databases containing personal information, particularly where the information is sensitive and/or includes a significant number of people;
• Identification and authentication schemes, especially proposals for multi-purpose identifiers or those that make use of biometrics;
• Constraining or eliminating existing opportunities for anonymity or pseudonymity through program or service channel redesign in a given program area or service delivery context; and
• the use of smart cards.

Sponsoring ministries should be aware that as systems become more complex, the probability of unexpected cause and effect relationships increases, so that proposals that appear to involve minor technical enhancements for customer convenience and governmental efficiency may, in fact, represent significant privacy risks.

Some common scenarios are outlined below, along with guidelines for determining whether a PIA may be required in each instance. Ministries should consider the full scope of a proposal's implications government-wide or in an "enterprise" context (as defined in the Enterprise Information and Information Technology Architecture Principles), as it may effect the overall advisability of the project, or highlight the importance of certain aspects of the business or systems design. Consideration should also be given to the flow of personal information beyond the program, to payment clearing agents and financial institutions, and any legislation applying to those entities.

Common Scenarios

Minor

Generally, proposals involving minor changes to the scope of program information requirements -- such as the collection of additional eligibility data as authorized by statute and reflected in revised notices or consents, or data matching agreements developed in accordance with the Directive on Computer Matching of Personal Information -- would not require a PIA.

Major Changes to Existing Programs

Proposals that entail major increases in the scope of collection, use and disclosure of personal information, through program integration, broadening of target populations, a significant shift toward indirect collection of personal information, or the expansion of data collection for new eligibility criteria or program administration functions, for example, should be accompanied by a PIA.

If the current program does not involve potentially contentious privacy issues, a PIA would be required only for those elements of the program or project that are being changed. Thus, it would likely not be necessary to map the data flow for the entire system, or to perform a privacy analysis for all the categories of personal information collected, through the relationship between the current program and the proposed changes may need to be examined.

New Programs

In general, proposals for new programs that involve significant collection, use, or disclosure of personal information should be accompanied by a PIA.

New Delivery Structures and Partnerships

Limited Out-Sourcing

The specific details of out-sourcing arrangements will determine whether a PIA is required. Sponsors should consult with the Access and Privacy Office for assistance in determining if a PIA is needed.

If an out-sourcing arrangement provides that personal information collected for the program will not be linked to non-program personal information or used for non-program purposes, that the government will retain control of and accountability for the personal information, and that appropriate security and compliance verification measures will be implemented, a PIA will not likely be required.

Delivery Channel(s) Management

If an out-sourcing arrangement delegates operational decision-making power regarding delivery channels and customer service systems, a PIA is required.

Multi-Program Front End Delivery Integration

Where a proposal for integrated program delivery involves the integration of personal information collected for distinct legislative programs, a PIA is required. Co-location of program delivery, which includes shared IT&I infrastructures but not services -- such as common client indexes or files, or common customer billing or benefit payments systems -- does not require a PIA.

Devolution

A PIA is not required where functions are devolved to an agency or municipal entity that is or will be scheduled under FIPPA, or where the ministry retains accountability for the personal information collected.

Other proposed devolution's may require a PIA; sponsors should consult with the FOI/Privacy Office.

Changes in Technology

Maintenance

Routine system maintenance such as minor software upgrades or patches, temporary changes to ensure Y2K compliance, or replacement of equipment that does not materially change information management functions or system security does not require a PIA.

Upgrades

Minor upgrades which have no impact on the way in which personal information is managed do not require a PIA.

Major upgrades to systems and operating systems that change the functionality of information management, access protocols, records indexes or security features, however, should be accompanied by a PIA. Where such upgrades are not accompanied by program design and delivery changes, the PIA will normally be limited to identifying the risks, improvements, countermeasures and net privacy effects of the proposed upgrades.

Additional Systems Linkages

Proposals that involve linking separate program databases, or creating files that index or point to the personal information of individuals on such databases, require a PIA. Where data matches are undertaken in accordance with the Directive on Data Matching, a PIA is not required.

Enhanced Accessibility

Changes that effect how and where program administrators, customers or third parties access personal information require a PIA. Examples of such changes would include putting new or additional customer data on the Internet or on other media such as CD-ROMs, on virtual private networks, or at kiosks.

Ministries should note that the Directive on Managing, Distributing and Pricing Government Information (Intellectual Property) requires that a PIA be included with any request to Publications Ontario to sell or license a personal information database. In addition, providing other program areas or governments with network access to customer databases may require a PIA. Ministries operating personal information databases accessible by municipalities or other entities must complete a PIA before allowing them to change access systems.

EIA Initiatives and Common/Strategic Products

Enterprise Information and Information Technology Architecture (EIA) initiatives, including out-sourced transaction subsystems, card systems, and common applications products for the collection, transmission, or storage of personal information, require a PIA. If vendors or products have already been selected, a PIA must still be completed prior to pilot trials and project implementation. Privacy risks identified through the privacy impact assessment process that cannot be minimized or eliminated must be calculated as part of the overall cost of the proposal.

PREPARING FOR A PRIVACY IMPACT ASSESSMENT

The Timing of the Privacy Impact Assessment

Informed decision making and the ability to design a system architecture which address actual or potential privacy concerns are dependent, on early identification of privacy issues. An understanding of the kinds of questions that will arise in the context of the privacy impact assessment, as well as a sense of where risks may lie, should therefore be incorporated into the early phases of the project and system development life cycles.

While the completion of a full and detailed PIA may only be possible at later stages in the system development and acquisition phase, the PIA is best approached as an evolving document which will grow increasingly detailed over time.

Resource Requirements

The scope and volume of resources needed to complete a PIA will depend on a number of factors, including what stage the project or proposal is at, and the scope of the proposed changes to or new uses of personal information. Policy, technical, and legal staff will normally participate in the completion of the PIA.

In general, it will be most efficient to begin the PIA process at the start of the conceptual stage of the initiative, as some components of the PIA will, in any event, be completed as part of the normal policy development process. In addition, early consideration of privacy issues should prevent unnecessary effort being expended on the development of options that are incompatible with key privacy-related business and technology design decisions.

Assigning Responsibility for the Privacy Impact Assessment

While accountability for compliance with privacy requirements ultimately rests with the "head" of a public body (normally the Minister), sponsors may find it useful to designate a senior level project team member as the privacy lead or project privacy manager (PPM). The PPM should have a clear mandate to participate in or review the project design decisions against the criteria of the PIA, and provide a steady flow of advice and feedback to the senior project management team.

The Range of Skills That May be Useful

The PPM may need to draw upon a wide range of skill sets from internal or external resources that are to be assigned to the project. Such skills would likely include:

• Policy Development skills Relating to business-specific policy experience, broad strategic policy and planning skills, and stakeholder impact analysis and consultation skills.
• Operational Program and Business Design skills Relating to those associated with examination of proposals for the operational flow of the business, and analyse the feasibility, practicality, efficiency of the program and of public/private partnerships.
• Technology and Systems expertise Relating to the design, attributes and operations of mainframe and legacy systems, networking products, new Internet tools, system security, and front-end customer interface systems including, counter/staff terminal entry, unattended computer/kiosk, Automated Voice response, attended voice/call centres, remote access/ Internet tools, smart cards, card read/write devices at the customer interface level, financial or transaction settlement systems, and biometric tools.
• Risk and Compliance Analysis skills Relating to those associated with comprehensive financial and due diligence audits, and the emerging specialties related to audits of computer system vulnerabilities.
• Procedural and Legal skills Relating to program authority for Out-Sourcing, program or agent collection and use of personal information, jurisdiction of institutional oversight mechanisms, statutory, regulatory and contractual options, and potential statutory or code conflicts where multiple statutes or jurisdictions are involved.
• Access to Information and Privacy expertise Relating to the FIPPA/MFIPPA, privacy provisions in relevant program statutes, national and international privacy standards, privacy enhancing technologies, and current privacy developments.

[Continue to Part Two]

[Back to Table of Contents]

MGS home | central site | feedback | search | site map | français
About the Ministry | Services for Business | Services for Individuals
Employment in the OPS | Information Technology | Archives of Ontario | Related Sites

Telephone Service: For general ministry information, call (416) 326-8555 or Toll free 1-800-268-1142 (in Ontario).
For consumer information and advice: (416) 326-8800 or Toll free1-800-889-9768.
TTY/Teletypewriter users only: (416) 325-3408 or Toll free 1-800-268-7095.

Please send your comments, feedback and inquiries to: Info.MGCS@ontario.ca

© Copyright 2008 Queen's Printer for Ontario

Privacy | External Links Disclaimer.