
Privacy Impact Assessment Guidelines

PART FOUR - PIA TOOL KIT

Documenting the Data Flow - Step One

A business activity can be described from an information management perspective as a series of processes consisting of:

  • information collection (data inputs);
  • transaction processing involving the application of rules, validations and decision-making;
  • the provision of a product or service in terms of a decision, benefit, or licence (output); and
  • transactional data recording the above events. These may be in the form of temporary records such as system logs, paper forms used prior to input, and data records or subject files in any media.

Step One involves a two-part process. The first is the preparation of a business process diagram. At a minimum, the diagram should identify, at a general level, the major components of the business process and how personal information is collected, used, disclosed, and retained through this process.

The business process diagram may be prepared using any of a number of methodologies. In choosing an approach, ministries should consider the nature and complexity of the proposed project. Some possible approaches to mapping the business process would include:

  • Flow Charts. These are most useful for relatively simple applications. Flow charts provide a good general sense of program steps and data flows, along with an outline of the relationships among these elements and the progression between them.
  • Structured Analysis. This identifies the major steps in a program and then breaks these steps down, according to function, until the project can be represented as a progression through a series of small steps. This is a good way of breaking very complex projects down into more manageable components.
  • Object-oriented Analysis. This combines the mapping of processes with a mapping of the data flows attached to those processes. It should set out the processes, the organization of these processes (i.e. the architecture), specify which data are being used, and where in each process they are being used.

While the business process diagram documents the high-level flow of personal information, it does not provide an adequate level of detail for subsequent stages in the privacy impact assessment process, and particularly for the privacy analysis. Thus, the second part of the process involves a more detailed analysis of data flows that builds on the business process diagram. This analysis provides details of how personal information is collected, used, and disclosed, based on a series of questions. The focus of the analysis is on those aspects of the information management life cycle that may have the greatest impact on determining whether the proposals successfully meet privacy requirements. Obviously, the more detailed the business process diagram is, the simpler the second stage will be.

The framework for this analysis can be found at Figure A2.

Goals of Step One

When step one is completed, an individual reviewing the diagram and data flow analysis will be able to identify and trace personal information from the point of collection to the point where all copies of the information are destroyed or permanently archived. While tracing the life cycle of the personal information, the reviewer would have an accurate description of all the stakeholders who accessed or used the information under specific conditions, and where copies of such records may exist.

 

A Note on Complex Systems

Where there are complex subsystems or information flows, as in a multi-ministry smart card initiative, for example, it may be more manageable to have multiple data flow analyses. In some systems, a hierarchy of data flow analyses might be required to accurately portray the flow of personal information during its life cycle through each responsible institution and its agents. Completion of the charts and analysis may require co-operation between organizations.

The final result should always be a charting of all the personal information collected, directly or indirectly, by or on behalf of an organization, illustrating the regular and irregular uses and disclosures of the information, and how it is stored.

The Data Flow Analysis

The first section A.1 of the analysis is the identification and description of the personal information. Normally this would be done in clusters of data elements which relate to the types of information used in delivery, collected on forms, indirectly collected or disclosed to other parties. Examples would be basic identification or biographical information, eligibility data, financial data, decision data, benefit or licence data.

The second section A.2 records all of the direct and indirect collection activities by program staff, other individuals and organizations relating to the above data element or cluster category.

Section A.3 documents the planned or regular disclosures of the data elements or cluster. It also identifies the custody of both program and transaction related records that contain personal identifiers. These forms of records are increasingly common in large systems using multiple business partners in the information life cycle.

Irregular disclosures are to be listed in section A.4.

If there are any other records that may be populated with the data elements or clusters not previously captured, they should be listed in section A.5, along with an explanation of who is responsible for the record, and what privacy protections apply.

Section A.1

Program/Initiative: ________________________________________________

Page ___ of _____

Data Elements/Category: __________________ No. ____ of ______

Name: _________________

List and describe the personally identifiable data elements in the category (the form provides numbered lines 1 to 25 for this purpose).


A.2 Information Collection (direct collection)

For each party that performs collection, record:
  • What is the statutory authority for the direct collection and/or indirect collection?
  • Is the PI directly collected from the customer? [Yes/No]

Collection is performed by:
  • Dedicated Program Staff
  • Other OPS Staff, e.g. staff of another program or ministry
  • Dedicated Contractor, e.g. a contractor who works solely for the program
  • Generic Service Provider, e.g. a contractor who works for multiple ministries or programs simultaneously
  • Client Agent, e.g. solicitor, trustee, physician, or other service provider
  • Other

A.2 Information Collection (indirect collection)

If not directly collected, is the Personal Information (PI) indirectly collected from:
  • Publicly Accessible Governmental Databases (name(s));
  • Intra/inter Governmental Information sharing agreements (name(s));
  • Private Sector information sharing agreements (name(s));
  • Multi Program Data Marts / Warehouses;
  • Subscription to private sector data services (name);
  • Other (name)?
Itemize any Customer PI disclosed in order to access 3rd party customer data records.

Record the answer for each party by which collection is performed:
  • Dedicated Program Staff
  • Other OPS Staff, e.g. staff of another program or ministry
  • Dedicated Contractor, e.g. a contractor who works solely for the program
  • Generic Service Provider, e.g. a contractor who works for multiple ministries or programs simultaneously
  • Client Agent, e.g. solicitor, trustee, physician, or other service provider
  • Other


Use of Information

Under s. 41 of FIPPA, an institution must not use personal information in its custody or under its control except:
  1. where the person to whom the information relates has identified that information in particular and consented to its use;
  2. for the purpose for which it was obtained or compiled or for a consistent purpose; or
  3. for the purpose for which the information may be disclosed to the institution under section 42 or under section 32 of the Municipal Freedom of Information and Protection of Privacy Act.
Attach a description of the uses of personal information in the organization, indicating the authority for those uses.

A.3

List Regular Business Transactions That Disclose or Give Access to Personally Identifiable Data Records to the parties below. For each party, record:
  • Yes / No;
  • Limited Access / Full Access;
  • Is a New PI Record Created as a result? Describe, and identify the Custodian(s) of the New PI Record Created;
  • Is a Log of Access Transactions Created by One or Both Parties? If yes, identify Custodian(s);
  • What is the Authority for Disclosure under FIPPA?

Parties:
  • OPS program or systems staff
  • OPS program auditors
  • Other OPS Systems staff
  • Other OPS Staff, e.g. staff of another program or ministry
  • Dedicated Contractor, e.g. a contractor who works solely for the program
  • Generic Service Provider, e.g. a contractor who works for multiple ministries or programs simultaneously
  • Client Agent, e.g. solicitor, trustee, physician, or other service provider
  • Financial Institutions
  • Financial Transaction Agents
  • External Contract Auditors
  • By Legislative Mandate to Public or Private agencies (name)
  • Data Marts/warehouses, other than when fully anonymized
  • By Information Sharing Agreement (ISA) to intra/inter governmental programs (name)
  • To the Public or For Sale to the Public or Commercial Interests
  • By ISA to Non-governmental programs (name)
  • To Client by Self Service in any media
  • To Client via 3rd Party
  • Client via Written Program request
  • Other

A.4

Note Irregular Business Transactions that Disclose or Give Access to Personally Identifiable Records to the parties below. For each party, record:
  • Yes / No;
  • Limited Access / Full Access;
  • Is a New PI Record Created? Describe, and identify the Custodian(s) of the New PI Record Created;
  • Is a Log of Access Transactions Created by One or Both Parties? If yes, identify Custodian(s);
  • What is the Authority for Disclosure Under FIPPA?

Parties:
  • Recognized Law Enforcement (excluding police) agents per FIPPA without a warrant or subpoena.
  • Other public sector program investigators, by data sharing agreement, on request.
  • Other Disclosures

A.5

Identify any other PI record database or log produced by business or system transactions that are not listed elsewhere and are not under direct program custody or control. Include temporary and permanent record collections. For each record, note:
  • Record and contents (e.g. financial settlements provider(s) transaction logs, temporary update data stored in system pending validation, call centre/help desk call logs, etc.);
  • Under control of;
  • In the custody of; and
  • Applicable privacy legislation and/or contractual privacy provisions.
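The A.1 to A.5 sections above can be captured as structured records and checked mechanically for the gaps the form's questions are designed to surface (missing authority, missing custodian, missing access log, missing privacy protection). The Python below is an added example, not part of the Ministry's guidelines; the field names, the hypothetical reservation program and every value in the sample are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Collection:            # one row of section A.2
    cluster: str             # A.1 data element cluster this collection populates
    performed_by: str        # e.g. "Dedicated Program Staff", "Generic Service Provider"
    direct: bool             # collected directly from the customer?
    authority: str = ""      # statutory authority for the collection
    source: str = ""         # named source, required when the collection is indirect

@dataclass
class Disclosure:            # one row of section A.3 (regular) or A.4 (irregular)
    cluster: str
    recipient: str
    regular: bool
    access: str              # "limited" or "full"
    new_record: bool = False # is a new PI record created as a result?
    custodian: str = ""      # custodian of that new record
    logged: bool = False     # is a log of access transactions created?
    authority: str = ""      # authority for the disclosure under FIPPA

@dataclass
class OtherRecord:           # one row of section A.5
    name: str
    clusters: list
    control: str
    custody: str
    protection: str = ""     # applicable privacy legislation or contractual provisions

@dataclass
class DataFlowAnalysis:
    program: str
    clusters: list           # section A.1 data element categories
    collections: list = field(default_factory=list)
    disclosures: list = field(default_factory=list)
    other_records: list = field(default_factory=list)

def trace(dfa, cluster):
    """Follow one cluster from collection through every disclosure and copy (the Step One goal)."""
    steps = []
    for c in dfa.collections:
        if c.cluster == cluster:
            how = "directly from customer" if c.direct else f"indirectly from {c.source or '?'}"
            steps.append(f"collected {how} by {c.performed_by}")
    for d in dfa.disclosures:
        if d.cluster == cluster:
            step = f"{'regular' if d.regular else 'irregular'} {d.access} disclosure to {d.recipient}"
            if d.new_record:
                step += f"; new record held by {d.custodian or '?'}"
            steps.append(step)
    for r in dfa.other_records:
        if cluster in r.clusters:
            steps.append(f"copy in {r.name} (custody: {r.custody})")
    return steps

def review(dfa):
    """Flag the gaps the A.2-A.5 questions are designed to surface."""
    findings = []
    collected = {c.cluster for c in dfa.collections}
    for name in dfa.clusters:
        if name not in collected:
            findings.append(f"A.1: cluster '{name}' has no collection recorded in A.2")
    for c in dfa.collections:
        if not c.authority:
            findings.append(f"A.2: no statutory authority for collecting '{c.cluster}' via {c.performed_by}")
        if not c.direct and not c.source:
            findings.append(f"A.2: indirect collection of '{c.cluster}' names no source")
    for d in dfa.disclosures:
        sec = "A.3" if d.regular else "A.4"
        if not d.authority:
            findings.append(f"{sec}: no FIPPA authority for disclosing '{d.cluster}' to {d.recipient}")
        if d.new_record and not d.custodian:
            findings.append(f"{sec}: new PI record from disclosure to {d.recipient} has no custodian")
        if not d.logged:
            findings.append(f"{sec}: no access log for disclosure of '{d.cluster}' to {d.recipient}")
    for r in dfa.other_records:
        if not r.protection:
            findings.append(f"A.5: record '{r.name}' lists no applicable privacy protection")
    return findings

# Constructed sample for a hypothetical reservation program; all values are illustrative.
SAMPLE = DataFlowAnalysis(
    program="Hypothetical park reservation service",
    clusters=["identification", "financial", "eligibility"],
    collections=[
        Collection("identification", "Dedicated Program Staff", True, "Program Act (placeholder)"),
        Collection("financial", "Generic Service Provider", True),  # authority left blank
        Collection("identification", "Other OPS Staff", False, "Program Act (placeholder)"),
    ],
    disclosures=[
        Disclosure("financial", "Financial Transaction Agents", True, "limited", new_record=True,
                   custodian="payment processor", logged=True, authority="FIPPA s. 42(c)"),
        Disclosure("identification", "Recognized Law Enforcement agents", False, "full"),
    ],
    other_records=[OtherRecord("call centre call logs", ["identification"], "program", "help desk contractor")],
)
```

Running `review(SAMPLE)` reports six gaps, and `trace(SAMPLE, "identification")` lists each party that collected, received or holds a copy of that cluster.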

THE PRIVACY ANALYSIS - STEP TWO

As a process, a PIA is designed to provide evidence of compliance with privacy principles. Step Two, the privacy analysis, contributes to this goal by taking analysts through a series of key questions that interrogate a proposal's technical compliance with FIPPA and relevant program statutes. Additional questions aim at measuring broader conformity with general privacy principles and at anticipating likely public reaction to key issues associated with the proposal. The goal, then, is not simply to ascertain that FIPPA requirements have been met, but also to flesh out broader privacy issues that may raise public concerns, and so should be brought to the attention of decision makers.

Not all questions in the analysis section will be relevant to every proposal. By the same token, the questions listed may not reflect all the considerations that will be important in a given context, particularly where program statutes may outline particular requirements with regard to privacy or where there is evidence (e.g. from other jurisdictions) that public concern may focus on a particular element of a proposal. This section, therefore, can and should be modified where necessary to ensure that all relevant questions have been considered. Questions should not, however, be focused solely on strict technical compliance with legislative requirements, but should attempt to identify areas of potential public concern.

Problem areas with privacy issues will in most cases be found to relate to those questions where the answer falls in the "NO" column for each principle. A summary of privacy concerns for each of the 10 principles may be noted in the "NOTES" box provided and flagged for further analysis.

The principles and questions listed below are organized around the ten principles of the CSA Standard, which are:

    • Accountability,
    • Identifying Purposes,
    • Limiting Collection,
    • Consent,
    • Limiting Use, Disclosure, and Retention,
    • Accuracy,
    • Safeguards,
    • Openness,
    • Individual Access, and
    • Challenging Compliance

Federal, provincial and territorial Ministers responsible for the Information Highway agreed, in June 1998, to support the CSA Standard as a minimum standard for privacy protection in all jurisdictions and to avoid, wherever possible, the development of inconsistent approaches. The CSA Standard is also the basis of the proposed federal privacy law (Bill C-6), which, if passed, will regulate the collection, use and disclosure of personal information broadly in the private sector.

 

Principle 1 -- Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

1.1

Accountability for the organization's compliance with the principles rests with the designated individual(s) (or, where the institution is subject to FIPPA, with the "head" as defined by the Act in s. 2 and in O. Reg. 460), even though other individuals within the organization may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the organization may be delegated to act on behalf of the designated individual(s).

1.2

The identity of the individual(s) designated by the organization to oversee the organization's compliance with the principles shall be made known upon request.

1.3

An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization should use contractual or other means to provide a comparable level of protection when the information is being processed by a third party.

FIPPA makes institutions accountable for the collection, use, disclosure and retention of personal information managed directly or on their behalf by other public or private sector partners. In programs that rely on partnerships, organizations may find it useful to develop program-specific privacy codes or standards that clearly articulate expectations and responsibilities, as in the ESD Privacy Standard.

1.4

The CSA Standard requires organizations to implement policies and practices to give effect to the principles, including

  • implementing procedures to protect personal information;
  • establishing procedures to receive and respond to complaints and inquiries;
  • training staff and communicating to staff information about the organization's policies and practices; and
  • developing information to explain the organization's policies and procedures.

Some aspects of these requirements are captured under sections of FIPPA/MFIPPA, but in this area the requirements of the CSA Standard are, overall, more rigorous. Organizations working with private sector partners who are required by federal law to meet the Standard in an arrangement where FIPPA/MFIPPA do not apply should, however, consider these requirements.

 

Discussion

While accountability for compliance with privacy requirements ultimately rests with the head of a public body (e.g. the Minister), organizations may find it useful to designate a Project Privacy Manager (PPM) who will be responsible for the management and coordination of information resources, policies and procedures, and for overseeing the completion of the PIA.

 

Questions For Analysis

Answer YES or NO for each question.

  • Has responsibility for the PIA been assigned to a Project Privacy Manager or other individual(s)?
  • Where the custody or control of personal information will be transferred to other public or private sector partners as part of the project:
      • Has the chain of accountability been documented, up to and including the Minister's ultimate accountability as the head under FIPPA?
      • Are the performance requirements of the accountable parties comprehensively specified in a measurable way, and subject to specific performance or compliance reviews?
      • Where public and private sector partners are not subject to FIPPA, have independent third-party audit mechanisms been incorporated into performance and partnership agreements such that public accountability is assured?
      • Where public and private sector partners are not subject to FIPPA, has the option to schedule them under FIPPA been fully evaluated and documented?
      • Will the ministry be provided with the results of regularly scheduled audits and compliance checks on the privacy practices of external partners, and will those reports be made available to the program clients?
      • Have legal opinions been sought regarding:
          • Legislative authority to transfer ministry program delivery responsibilities to partners, including a consideration of the authority for partners to collect, use, disclose or retain personal information as necessary on behalf of ministries? and/or
          • Legislative authority to alter or limit in any material way the collection, use or disclosure of personal information as authorized by ministry program statutes and FIPPA for the purpose of delivering services through the partners? and/or
          • Legislative authority to set service standards and procedures for client authentication and the legal authority to collect and use personal information for authentication purposes? and/or
          • Legislative authority to amend or modify the delegation or designation of statutory program functions to the partners?
      • Has the organization retained the legal or contractual right to develop mechanisms to determine whether personal information collected on its behalf is disclosed to third parties for any purposes?
      • Does the organization have specific audit and enforcement mechanisms that oversee the collection, use and disclosure of personal information by public or private sector partners?

Anticipating Public Expectations

In the past, concerns have been raised about the implications of ASD for access to government information and the protection of personal information. Expressions of such concern can be found, for example, in the Information and Privacy Commissioner's 1998 Annual Report, which comments on the privatization of Ontario Hydro, and changes to the Safety and Consumer Statutes Administration Act, 1996 such that independent non-profit corporations will take over supervisory and inspection functions in a number of areas, including elevators, amusement rides and gasoline handling.

Other jurisdictions are also facing important challenges with regard to access to information and privacy in ASD. With this in mind, analysts should consider the following questions:

Does the proposal entail a real or perceived decrease in public accountability (for example, through the use of private sector partners)?

Has a strategy been developed for communicating to the public about measures that are in place to ensure appropriate accountability?

Notes


Principle 2 -- Identifying Purposes

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

2.1

The organization shall document the purposes for which personal information is collected in order to comply with the Openness principle and the Individual Access principle.

Under s. 39 of FIPPA, an organization collecting personal information must inform the individual to whom the information relates of:

  • the legal authority for the collection;
  • the principal purpose or purposes for which the personal information is intended to be used; and
  • the title, business address and business telephone number of a public official who can answer the individual's questions about the collection.

This does not apply where the head may refuse to disclose the personal information under subsection 14 (1) or (2) (law enforcement).

2.2

Identifying the purposes for which personal information is collected at or before the time of collection allows organizations to determine the information they need to collect to fulfill these purposes. The Limiting Collection principle requires an organization to collect only that information necessary for the purposes that have been identified.

Identifying purposes enables organizations to focus their data collection on only that information which is necessary for the stated purposes, or to find alternatives to the collection of personal information. This is critical to effectively limiting collection. Since data collection and maintenance is expensive, "identifying purposes" is the first step in reducing operating costs throughout the information life cycle.

2.3

Organizations shall provide a statement of purposes (notice of collection, s. 39 (2)) to be made available through all mediums of delivery (i.e. paper forms, counter, phone, on-line, automated telephone or kiosk service) and shall identify the personal information to be collected, the authority for its collection, the principal purpose(s) for which it is collected, and the name, position, address and telephone number of a contact person.

In addition, s. 45 of FIPPA requires annual publication of an index (the Directory of Records) of all personal information banks setting forth, in respect of each personal information bank:

  1. its name and location;
  2. the legal authority for its establishment;
  3. the types of personal information maintained in it;
  4. how the personal information is used on a regular basis;
  5. to whom the personal information is disclosed on a regular basis;
  6. the categories of individuals about whom personal information is maintained; and
  7. the policies and practices applicable to the retention and disposal of the personal information.

Collection of information that is not personally identifiable, such as the automated collection of statistical transaction information, does not have to be described in the notice of collection or the personal information bank section of the Directory of Records.

2.4

When personal information that has been collected is to be used for a purpose not previously identified, or for a purpose not consistent with a previously identified purpose, the new purpose shall be identified prior to use. Unless the new purpose is permitted by law, the consent of the individual is required before information can be used for that purpose. (FIPPA, s. 41, s. 46)

Where personal information is used or disclosed for a purpose other than those identified, FIPPA requires that a record of the use or disclosure be appended to the record containing the personal information (s. 46).

2.5

Persons collecting personal information should be able to explain to individuals the purposes for which the information is being collected, as per FIPPA s. 39 (2).

2.6

This principle is linked closely to the Limiting Collection principle and the Limiting Use, Disclosure, and Retention principle.

 

Discussion

Statements of purpose should be simple, and may imply certain consistent purposes. For example, a statement that customer financial information, such as a credit card number or cheque, is used for the purposes of processing payment for a good or service (such as a fishing license or provincial park reservation) would reasonably include disclosure to a collection agency in the event of non-payment.

Care must be taken to ensure that consistent purposes are reasonable and not contrived; a full disclosure of purposes is required.

Questions for Analysis

Answer YES or NO for each question.

  • Has a clear relationship been established between the personal information to be collected and the program's functional and operational requirements?
  • Have all options to minimize the routine collection of personal information been considered?
  • Does the notice of collection contain the specific purposes, the legal authorities for collection, and the contact information for the official designated to respond to queries regarding the purposes of collection? Or, alternatively, is there documentation regarding a waiver of notice, or is notice not required as per a specific FIPPA exception?
  • If there are secondary purposes that are not required to be included in the notice of collection (e.g. audit trail information, transaction validation, financial settlements), have these been documented elsewhere, such as in the Directory of Records, or attached to the record as per s. 46 of FIPPA?
  • Is client consent sought for secondary uses of personal information, such as service monitoring?
  • Is the notice of collection made available through all mediums of delivery (i.e. paper forms, counter, phone, automated telephone or kiosk service mediums), and does it identify:
      • the personal information to be collected,
      • the authority for its collection,
      • the principal purpose(s) for which it is collected,
      • the name, position, address and telephone number of a contact person?
  • Does the notice of collection clearly distinguish between personal information collected for program purposes and personal information collected by partners for other purposes? Alternatively, are separate notices provided?

 

Anticipating Public Expectations

Are the purposes identified consistent with what public expectations are likely to be given the nature of the initiative?

See further questions under Openness.

Notes


Principle 3 -- Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where otherwise permitted under FIPPA.

Note: In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking an individual's consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated.

3.1

Where consent is required for the indirect collection of personal information and the subsequent use or disclosure of that information, an organization should seek consent for the use or disclosure of the information at the same time as it seeks consent for collection.

Consent for indirect collection should generally include:

    • the identification of the personal information to be collected;
    • the source from which the personal information may be collected; and
    • the name of the institution that is to collect the personal information.

A record should be kept with the date and the details of the authorization.

3.2

The principle requires "knowledge and consent". Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed (FIPPA, s. 39 (2)). For example, if address information is to be used for the mailing of related literature, it would be important to distinguish between a business sending its own or related firms mailings from the address list in its possession, and the sale or release of that address list to other firms or generic direct marketing agencies. (See FIPPA s. 43)

3.3

An organization may not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes, such as those authorized by legislation (FIPPA, s. 38 (2)).

3.4

In obtaining consent, the reasonable expectations of the individual are relevant. For example, a public utility commission may disclose personal information to a debt collection agency to recover monies owed to the commission for utility bills in arrears. Such disclosures would reasonably be expected by persons who have not discharged their debts to the commission. On the other hand, an individual would not reasonably expect that personal information given to a health-care professional would be given to a company selling health-care products, unless consent were obtained. Consent shall not be obtained through deception.

Under ss. 42(c) and 43 of FIPPA / ss. 32(c) and 33 of MFIPPA, personal information may be disclosed for the purpose(s) for which it was originally collected, or for a consistent purpose. A purpose is a consistent purpose only if the individual from whom the information was directly collected might reasonably have expected such a disclosure of the information. For further elaboration on this point, see Principle 5.

3.5

The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. Some examples would be:

  1. an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
  2. a checkoff box may be used to allow individuals to express their consent. Individuals who do not check the box are assumed not to consent;
  3. consent may be given orally when information is collected over the telephone; and
  4. consent may be given at the time that individuals use a product or service.

Generally, seeking written consent is preferable because it provides the best evidence that consent was given. A written consent should specify:

    • the particular personal information to be used;
    • how or for what purpose the information will be used;
    • the date of the consent; and
    • the institution to which the consent is given.

Where consent is obtained verbally, a notation should be made on the file and/or record indicating that verbal consent to use the personal information for a particular purpose was obtained, and recording the circumstances of the consent.

3.6

An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization should inform the individual of the implications of such withdrawal and ensure information systems have the capacity to record and act upon the withdrawal of consent.

Discussion

While authority for the use of personal information may flow from a number of sources, including program statutes and the consistent purposes rationale, consent is generally favoured as the underpinning of fair information practices.

Sometimes the purpose for which the information is collected is obvious. For example, an individual who inserts a long distance card into a telephone reasonably expects the telephone company to use the personal information for the purposes of billing the cardholder. This purpose so closely aligns with the data subject's expectations that consent is expressed by their act of inserting the card into the telephone.

Nonetheless, the individual has a right to know what the principal purposes of the collection are, or indeed that there are no other intended purposes for the information. The application which the individual completes in order to obtain the card should identify all the purposes. The list of purposes should not, however, be so exhaustive that individuals will not read or comprehend it.

While consent may be sought in various ways, organizations should be sensitive to public expectations when determining which method to employ. Experience in the private sector suggests that consumers are generally hostile to methods of seeking consent that rely on an opt-out, rather than an opt-in to positively indicate consent. In addition, the proposed federal legislation, Bill C-6, which will apply broadly throughout the private sector, operates on the basis of consent. This is likely to have a significant influence on public expectations, and may result in mounting pressure for government programs to place a greater emphasis on consent.

Questions For Analysis

  YES NO
Does consent require a positive action by the customer, rather than being assumed as the default? _ _
Is consent to indirectly collect, use, and disclose personal information clear and unambiguous? _ _
Where personal information is collected indirectly from third parties, is consent obtained from the individual to whom the information pertains by either the organization collecting indirectly or the organization disclosing the information? _ _
Does the proposal envision possible secondary uses for the personal information collected? _ _
If yes, does the authority for those uses flow from:
  • consent? _ _
  • the consistent purpose rationale? _ _
  • other statutory authority? _ _
Is consent sought for secondary uses of personal information, such as service enhancement, resource management or research? _ _
Where necessary, are mechanisms in place to obtain consent for the use of personal information for purposes not previously identified? (See the EIA Privacy Design Principles) _ _
Can a client's refusal to consent to the collection or use of personal information for a secondary purpose, unless required by law, be honoured without disrupting service? _ _
Does refusal to consent to secondary uses of personal information by any service delivery partners affect the level of service provided to an individual with regard to authorized governmental transactions? _ _

Anticipating Public Expectations

Are the proposed consent provisions consistent with existing standards in comparable areas of the public or private sector?

Is the form of the consent being sought (for example, opt-in or opt-out) likely to stimulate negative public reaction?

Has the opportunity for the data subject to participate knowledgeably in decisions affecting their personal information been maximized through the use of informed consent?

Notes

Principle 4 -- Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

4.1

Organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected must be limited to that which is necessary to fulfill the purposes identified. In addition, one of three conditions set out in s. 38 (2) of FIPPA must exist in order for personal information to be collected:

  • The collection must be expressly authorized by statute;
  • The information must be used for law enforcement purposes; or
  • The information must be necessary for the proper administration of a lawfully authorized activity.

The authority to collect personal information is limited to the collection of necessary information.

4.2

Personal information must be collected by fair and lawful means. Organizations must not collect information by misleading or deceiving individuals about the purposes for which they are doing so.

4.3

Personal information must be collected directly from the individual to whom it relates unless FIPPA expressly permits indirect collection, as set out in s. 39.

An individual may consent to an indirect collection of his or her own personal information. The authorization must include:

  • an identification of the personal information to be collected;
  • the source from which personal information may be collected;
  • the name of the institution that is to collect the personal information.

4.4

This principle is linked closely to the Identifying Purposes principle and the Consent principle.

Discussion

Organizations should consider the business objectives of data collection and examine alternative means of achieving those objectives. In some cases, these can be satisfied without collecting personally identifiable information, thereby dispensing with additional administrative requirements to meet policy and legal obligations regarding privacy and security.

For example, where card readers are used by transportation companies instead of tokens, the basic information needed is whether the individual is authorized to make the trip. For planning purposes, it may be useful to know a vehicle's entrance and exit points and time of day of travel, but this does not necessitate collection of personally identifiable information about the individual card holder. Collecting only the information necessary may limit the degree of privacy risk associated with a given initiative, and may also satisfy business efficiency goals.

Questions For Analysis

  YES NO
Is the collection of personal information:
  • expressly authorized by a statute, or _ _
  • directly related to and necessary for the proper administration of a lawfully authorized activity, or _ _
  • exempt from notice under section 39(3) of FIPPA (law enforcement)? _ _
Is personal information collected directly from the individual? _ _
If no, is there indirect collection of personal information from third parties? _ _
If so, has the individual to whom the information pertains consented to such collection, or is the collection: _ _
  • authorized by a statute, a treaty, or an agreement thereunder? _ _
  • authorized by the IPC? _ _
  • from a report of a reporting agency under the Consumer Reporting Act? _ _
  • for one of the following purposes: _ _
      • an honour or award
      • Crown debt collection or payment
      • law enforcement
      • use in proceedings before a court, judicial or quasi-judicial tribunal.
Is personally identifiable information indirectly collected from other programs? _ _
Is information used for planning, forecasting, or evaluation purposes anonymized? _ _
Will customer activity be monitored (e.g. for the purposes of providing security and quality assurance)? _ _
If yes, will personal information be used? _ _
If yes, what is the authority for using the personal information?
  • consent _ _
  • consistent purposes rationale _ _
  • statutory authority _ _
  • other (describe) _ _
Is notice provided? _ _
Is access to data restricted to accountable security staff? _ _
Is the personal information used for any other purposes or disclosed to any other business units (other than law enforcement personnel)? _ _
Does the monitoring conform with the Management Board Directive on Information and Information Technology Security? _ _

Anticipating Public Expectations

Does the program require the collection of personal information that clients are likely to consider highly sensitive? If so, what steps have been taken to ensure public confidence?

Often, the first step in effectively limiting collection is narrowly and precisely defining the statutory authority for collection. Relying heavily on the discretion of public officials to limit data collection, without appropriate statutory limitations, may prove difficult in the face of competing pressures to maximize data collection. With this in mind, is the statutory authority for collection as narrowly defined as possible?

Notes
Principle 5 -- Limiting Use, Disclosure, and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

5.1

Organizations using personal information for a new purpose shall document this purpose.

In order to comply with s. 41 of FIPPA, an institution must not use personal information in its custody or under its control except

  1. where the individual has consented, in writing, to the use of that particular information for a specified purpose;
  2. for the purpose for which it was obtained or compiled or for a consistent purpose;
  3. for a purpose for which it was disclosed under section 42 of the Act (where disclosure is permitted). See Principle 3 on this point.

5.2

Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods.

Regulations under FIPPA (O. Reg. 460 s. 5) prescribe a general one-year minimum retention period for personal information following the last date of use of the information. Operational and legal considerations may require a longer retention period. In developing records retention guidelines, organizations should refer not only to FIPPA, but also to the MBS Directive on the Management of Recorded Information and the Archives Act.

5.3

Personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous. Organizations should develop guidelines and implement procedures to govern the destruction of personal information.

Institutions subject to FIPPA may dispose of personal information only by (1) transferring it to the Archives of Ontario or (2) destroying it in such a manner that the information cannot be reconstructed or retrieved. (O. Reg. 459 s. 2)

In addition, each institution must maintain a disposal record setting out what personal information has been destroyed or transferred to the Archives of Ontario and the date of that destruction or transfer. This disposal record must not contain personal information. (O. Reg. 459, s. 6)
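A worked illustration of the one-year minimum retention period in 5.2 and the disposal-record requirement in 5.3, added here as an example and not drawn from the Guidelines or from any ministry system. It assumes an opaque internal record identifier that is not itself personal information, a `longer_retention` date standing in for whatever operational or legal retention schedule applies, and constructed sample records.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# The two disposal methods permitted by O. Reg. 459 s. 2, as named in this example.
DESTROYED = "destroyed"
TRANSFERRED = "transferred to Archives of Ontario"


@dataclass
class PersonalRecord:
    """A record of personal information held by an institution (constructed for this example)."""
    record_id: str          # opaque internal identifier; assumed not to be personal information
    data_bank: str          # the personal information bank the record belongs to
    last_used: date         # last date of use of the information
    fields: Dict[str, str]  # the personal information itself; never copied into the disposal record


@dataclass
class DisposalEntry:
    """One line of the disposal record (O. Reg. 459, s. 6): what was disposed of, how, and when."""
    record_id: str
    data_bank: str
    action: str
    action_date: date


def one_year_after(d: date) -> date:
    """Anniversary of d; 29 February rolls to 28 February when the next year is not a leap year."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def disposal_allowed_from(rec: PersonalRecord, longer_retention: Optional[date] = None) -> date:
    """Earliest date on which the record may be disposed of.

    O. Reg. 460 s. 5 sets a one-year minimum after the last date of use. A longer
    operational or legal retention date (longer_retention, an assumed parameter)
    can extend that period but never shorten it.
    """
    minimum = one_year_after(rec.last_used)
    if longer_retention is not None and longer_retention > minimum:
        return longer_retention
    return minimum


def dispose(rec: PersonalRecord, action: str, today: date,
            longer_retention: Optional[date] = None) -> DisposalEntry:
    """Dispose of a record and return its disposal-record entry.

    Raises ValueError if the action is not a permitted method or the retention
    period has not yet run.
    """
    if action not in (DESTROYED, TRANSFERRED):
        raise ValueError("disposal must be by destruction or by transfer to the Archives of Ontario")
    earliest = disposal_allowed_from(rec, longer_retention)
    if today < earliest:
        raise ValueError(f"record {rec.record_id} may not be disposed of before {earliest.isoformat()}")
    # Nothing may remain reconstructable, so the personal data is removed from the live
    # record; the disposal entry carries only identifier, bank, method and date.
    rec.fields.clear()
    return DisposalEntry(rec.record_id, rec.data_bank, action, today)


def disposal_rejected(rec: PersonalRecord, action: str, today: date,
                      longer_retention: Optional[date] = None) -> bool:
    """True if dispose() refuses the request (premature date or unpermitted method)."""
    try:
        dispose(rec, action, today, longer_retention)
    except ValueError:
        return True
    return False


def disposal_record_is_clean(entries: List[DisposalEntry], pi_values: List[str]) -> bool:
    """Verify that none of the given personal-information values appears in the disposal record."""
    text = " ".join(f"{e.record_id} {e.data_bank} {e.action} {e.action_date}" for e in entries)
    return not any(v and v in text for v in pi_values)


def run_example(today: date = date(2001, 6, 30)) -> Dict[str, object]:
    """Constructed scenario: one record past its minimum period, one held under a longer schedule."""
    # Constructed sample records; names, addresses and bank titles are placeholders.
    expired = PersonalRecord("PIB-07-000123", "Licence renewals", date(2000, 3, 15),
                             {"name": "Jane Example", "address": "1 Sample St"})
    held = PersonalRecord("PIB-07-000124", "Licence renewals", date(2000, 3, 15),
                          {"name": "John Example", "address": "2 Sample St"})
    pi_values = list(expired.fields.values()) + list(held.fields.values())

    log: List[DisposalEntry] = [dispose(expired, DESTROYED, today)]
    # An assumed legal hold on the second record until 2005 keeps it out of the log.
    premature_blocked = disposal_rejected(held, DESTROYED, today, longer_retention=date(2005, 1, 1))

    return {
        "disposed_ids": [e.record_id for e in log],
        "premature_blocked": premature_blocked,
        "log_clean": disposal_record_is_clean(log, pi_values),
    }
```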

5.4

Personal information must not be disclosed without proper authority. Under FIPPA, access to personal information within an organization should ordinarily be allowed only on a need-to-know basis (s. 42 (d)). Generally, this should be based upon a two-part test:

  1. the employee must need access to the information in order to perform their duties; and
  2. the access by the employee must be in support of a legitimate business function of the organization (i.e. they must not use their access privileges for personal reasons).

Under O. Reg. 460, s. 4 (2) the head of an organization is responsible for ensuring that only those individuals who need a record for the performance of their duties shall have access to it.

Disclosures outside the organization must be in accordance with section 42 of the Act (clauses (a) to (c) and (e) to (n)).

5.5

This principle is closely linked to the Consent principle, the Identifying Purposes principle, and the Individual Access principle.

Discussion

The principle of limiting use, disclosure and retention is particularly relevant in the context of data matching, profiling, and data warehousing. Such activities should be initiated only after the completion of a business case which includes its own privacy impact assessment, identification of the techniques which will be used to validate the result of the matching or profiling activity, and the method of notifying the individuals prior to taking action against them. The business case must be reviewed by the IPC in accordance with the MBS Directive on Enhancing Privacy: Computer Matching of Personal Information.

Another area in which the Limitation Principle may be relevant is with regard to public records. Public records are usually created by government agencies for some purpose which benefits society. For example, land title information is made public so that individuals can determine who the registered owner and lien holders are on a given property. Other records are public by custom, such as telephone directories.

New or additional uses of personal information which are not consistent with the context or purpose for which the record was initially made public may pose a major challenge. For example, the public would not expect land title information, including land value and the initial balance of the mortgage, to be retrievable by the name of the owner. There is a public benefit in retrieving the information by property description; when the information is available by the name of the owner or mortgagor, the disclosure may become intrusive and, in some cases, may pose a threat to security.

Adopting new technologies to improve basic services creates opportunities for new uses, including revenue sources, which must be carefully analyzed in the context of fair information practices and privacy rights. Under FIPPA, the head of a public body is accountable for approving all consistent uses of public records. The MBS Directive on Managing, Distributing, and Pricing Government Information (Intellectual Property) provides guidance in these circumstances.

Questions For Analysis

YES NO
Is personal information used exclusively for the stated purposes and for uses that the average client would consider to be consistent with those purposes? _ _
Are personal identifiers, such as the social insurance number, used for the purposes of linking across multiple databases? _ _
Where data matching or profiling occurs, is it consistent with the stated purposes for which the personal information is collected? _ _
Is there a record of use maintained for any use or disclosure not consistent with the original stated purposes? _ _
Is the record of use attached to the personal information record? _ _
Is there any data matching between programs, ministries, and private sector partners which falls outside the purview of the Directive on Enhancing Privacy: Computer Matching of Personal Information? _ _
Where personal information is disclosed to an authorized data mart or data warehouse, does the head approve each new use, new user, and new match? _ _
  • Are such disclosures performed in consultation with the IPC and in compliance with the Management Board Directive on Enhancing Privacy: Computer Matching of Personal Information? _ _
  • Is the individual to whom the information pertains informed of the disclosure? _ _

Anticipating Public Expectations

Are the limitations on the use and disclosure of personal information set out in law or policy reinforced by the information and information technology architecture of the information systems?

Notes
Principle 6 -- Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

6.1

The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual. (FIPPA s. 40 (2))

6.2

Section 40 (2) of FIPPA stipulates that the head of an institution shall take reasonable steps to ensure that personal information on the records of the institution is not used unless it is accurate and up to date. Organizations should note, however, that FIPPA does not require that personal information which is not being used be routinely updated.

By the same token, the CSA Standard holds that an organization should not routinely update personal information, unless such a process is necessary to fulfill the primary purposes for which the information was collected. When discrepancies are noted, the subject should be given the opportunity to correct or clarify discrepancies.

6.3

Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.

Questions For Analysis

YES NO
Does the record indicate the last update date? _ _
Is a record kept of the source of the information used to make changes (e.g. paper or transaction records)? _ _
Where applicable, is there a procedure, automatically or at the request of the individual, to provide notices of correction to third parties to whom personal information has been disclosed? _ _
Are records kept regarding requests for a review for accuracy, corrections, or decisions not to correct? _ _
Does the data subject have access to these records? _ _
When an individual challenges the accuracy of a record, are they provided with information about the ministry contact person responsible for the records? _ _
If the individual and the ministry program representative cannot reach agreement regarding the accuracy of the record(s), is the individual advised of his or her right to file a statement of disagreement? _ _
Does the custodian of the record note the statement of disagreement on the record(s) in such a manner as to ensure that subsequent users who access the record(s) through any service channel are aware that the accuracy of the record(s) is disputed? _ _

Principle 7 -- Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

7.1

The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. Organizations shall protect personal information regardless of the format in which it is held. (O. Reg. 460 s. 4, and MBS Directive on Information and Information Technology Security.)

7.2

The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection.

7.3

The methods of protection should include:

  1. physical measures, for example, locked filing cabinets and restricted access to offices;
  2. organizational measures, for example, security clearances and limiting access on a need-to-know basis; and
  3. technological measures, for example, the use of passwords, PKI, biometrics, and encryption.

7.4

Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information.

O. Reg. 460, s. 4 (1) states that every head shall ensure that reasonable measures to prevent unauthorized access to the records in his or her institution are defined, documented and put in place, taking into account the nature of the records to be protected.

7.5

Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information. (O. Reg. 459, s. 4 and 5 and the MBS Information and Information Technology Security Directive)

Discussion

As information systems become larger and more complex, security risks increase and potential rewards for unauthorized access grow. These risks must be measured and evaluated in terms of the effect on public confidence, lost business days, costs of rebuilding the data, and the consequences to data subjects of corrupted data, public release, or covert use by unauthorized parties.

There are a variety of technological tools and system design techniques which may enhance both privacy and security. These may include strong encryption, technologies of anonymity or pseudonymity, and digital signatures.

Questions For Analysis

YES NO
Has there been an expert review of all the risks and the reasonableness or proportionality of countermeasures taken to secure against unauthorized or improper access, collection, use, disclosure, and disposal through all access channels? _ _
Have security procedures for the collection, transmission, storage, and disposal of personal information, and access to it, been documented? _ _
Have staff been trained in requirements for protecting personal information and are they aware of policies regarding breaches of security or confidentiality? _ _
Are there controls in place over the process to grant authorization to add, change or delete personal information from records? _ _
Is the system designed so that access and changes to personal information can be audited by date and user identification? _ _
Are user accounts, access rights and security authorizations controlled and recorded by an accountable systems or records management process? _ _
Are access rights only provided to users who actually require access for stated purposes of collection or consistent purposes? _ _
Is user access to personal information limited to only that required to discharge the assigned functions? _ _
Are the security measures commensurate with the sensitivity of the information recorded? _ _
Are there contingency plans and mechanisms in place to identify security breaches or disclosures of personal information in error? _ _
Are there mechanisms in place to communicate violations to stakeholders and to data subjects to mitigate collateral risks? _ _
Are there mechanisms in place to advise appropriate ministry, corporate or other law enforcement authorities of security breaches? _ _
Are there adequate ongoing resources budgeted for security upgrades, with specific measurable performance indicators in systems maintenance plans? _ _

Anticipating Public Expectations

Have security risks been assessed from the point of view not only of the organization, but also of the client in terms of the potential impact of a security breach (e.g. is there potential for credit card numbers to be compromised)?

Where a particular delivery channel poses a high security risk, has an alternative been maintained?

Notes
Principle 8 -- Openness

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

8.1

Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals should be able to acquire information about an organization's policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable. (FIPPA s. 31, 32, 45)

The Enterprise Information Architecture Privacy Design Principles stipulate that an information system involving personal information should be transparent, so that individuals can verify how their information is being collected, used or disclosed. The types of transactions, the linkages within the system and the way in which the personal information is collected, used, disclosed and retained must be clearly visible to system users and to data subjects. When requested, ministries and agencies should be able to provide a full description of all circumstances where the organization discloses an individual's personal information to third parties.

8.2

Organizations must make certain information available under FIPPA (s. 31, 32, 33, 34, 35, 36, 45). For the Directory of Records, for example, this information includes:

  1. the name/title and address of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded;
  2. the means of gaining access to personal information held by the organization;
  3. a description of the type of personal information held by the organization, including a general account of its use;
  4. a copy of any brochures or other information that explain the organization's policies, standards, or codes; and
  5. what personal information is made available to related organizations (e.g. partners or subsidiaries).

8.3

An organization may make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number.

Questions For Analysis

YES NO
Do the Directory of Records and information management policies list all personal information banks collected under the control of legislation in government or third-party custody, including: _ _
  where information is transferred to support indirect collection _ _
  (a) the operation of shared or multi-program data systems _ _
  (b) data marts or warehouses _ _
  (c) data transferred to a third party for business processing, e.g. credit and debit settlements? _ _

Anticipating Public Expectations

Given that the minimum requirements for openness under FIPPA may not be adequate to meet public expectations or to ensure public confidence in a new program or initiative, the following questions might also be considered:

Have communications products and/or a communications plan been developed to fully explain information processing practices so as to reassure the public, in some detail, about how their personal information will be protected?

Have opportunities for routine disclosure and active dissemination been fully explored, as recommended by the IPC? Routine disclosure occurs when access to a general record is granted on a routine basis as the result of a request. Active dissemination refers to the release of information without any request. (For additional information, see Routine Disclosure/Active Dissemination: A Joint Project of the Office of the Information and Privacy Commissioner/Ontario and The Freedom of Information and Privacy Branch, Ministry of Government Services.)

Notes
Principle 9 -- Individual Access

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Note: In certain situations, an organization may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement should be limited and specific. The reasons for denying access should be provided to the individual upon request. Exceptions may include information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.

Section 49 of FIPPA / s. 38 of MFIPPA set out the grounds for refusing to disclose personal information to the individual to whom it pertains. The grounds are enumerated in subsections 49(a) through (f) FIPPA/38(a) through (f) MFIPPA, and include those cases where disclosure:

    • would constitute an unjustified invasion of another individual's personal privacy;
    • would reveal a confidential source and the information relates to an evaluation or opinion compiled to determine suitability for employment or for the awarding of government contracts or other benefits;
    • could reasonably be expected to prejudice the individual's mental or physical health; or
    • could reasonably be expected to reveal information received in confidence.

9.1

Upon request, an organization shall inform an individual whether or not the organization holds personal information about the individual. Organizations are encouraged to indicate the source of this information. The organization shall allow the individual access to this information. In addition, the organization should provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed. (FIPPA s. 10, 31, 32, 35, 44-47)

9.2

An individual may be required to provide sufficient information to permit an organization to provide an account of the existence, use, and disclosure of personal information. The information provided shall only be used for this purpose.

9.3

In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization should provide a list of organizations to which it may have disclosed information about the individual.

9.4

An organization shall respond to an individual's request within the time limits provided under FIPPA and may charge fees for access in accordance with the regulations (O. Reg. 460, s. 5.2, 5.3, 6, 6.1, 7, 8, 9). The requested information shall be provided or made available in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.

9.5

When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question. (FIPPA s. 47)

9.6

When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge should be recorded by the organization. When appropriate, the existence of the unresolved challenge should be transmitted to third parties having access to the information in question. (FIPPA s. 47)

Discussion

Individuals sometimes disagree with the organization's interpretation of the information in their file. Where the organization is satisfied that the information is incorrect, it must correct the information in accordance with this principle. In those instances where the organization does not agree that the information is incorrect, the individual should be able to file a statement of disagreement which is displayed to authorized staff each time the contentious record is displayed.

Questions For Analysis

YES NO
Is the system designed to ensure that access to all of the subject's data can be achieved with minimal disruption to operations? _ _
Are the data subject's access rights assured for all the data sets of all the parties in the information life cycle, including private sector partners and subcontractors, and third parties provided subject information through profiling/matching? _ _
Are all custodians aware of the right to access, formal or informal request procedures, mandatory advising of formal appeal procedures to data subjects, fees, and limits of their decision-making authority? _ _

Anticipating Public Expectations

In some cases, it will be both possible and desirable to provide routine access to personal information. For example, an individual may wish to verify the address a program has on file in order to confirm that it is up to date. Having such a request go through the formal FOI process adds unnecessary complexity and expense. Routine access should be provided wherever possible.

Have opportunities for providing routine access to personal information been fully explored? Is routine access supported through appropriate policies and operational procedures?

Notes


Principle 10 -- Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance. (FIPPA, Part IV)

10.1

The individual accountable for an organization's compliance is discussed under principle one.

10.2

Organizations shall put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information. The complaint process should be easily accessible and simple to use.

10.3

Organizations shall inform individuals who make inquiries or lodge complaints of the existence of relevant complaint mechanisms, such as internal processes and remedies available through the IPC's office. In addition, where government services are delivered through third parties, organizations should ensure that these parties notify individuals of the existence of such mechanisms where relevant. (See the MBS Directive on Alternative Service Delivery Framework)


Discussion

Ministries are accountable under FIPPA for complaints regarding the collection, use, and disclosure of personal information under their control and on their behalf, and for responding to access requests within legislative time frames. In addition, individuals may complain to the IPC.

Ministries and partners should establish procedures to informally resolve customer complaints regarding personal information practices. Mechanisms should be put in place to ensure that partners co-operate fully with the responsible ministry and provide all necessary information to respond to a complaint or appeal.

Questions For Analysis

YES NO
Complaint procedures are established including links to partnership agreements and staff role assignments. _ _
A procedure has been established to log and periodically review complaints and their resolution with a view to establishing improved information management practices and standards. _ _
Oversight and review mechanisms comparable to those ensuring the accountability of public sector bodies covered by FIPPA are being implemented. _ _
Proportionate to the level of activities outside the direct supervision of ministry personnel, regular independent compliance audits of partner information practices and privacy requirements have been established as contractual deliverables. _ _

Anticipating Public Expectations

While the emphasis in Principle 10 is on responding to specific complaints, organizations should also be aware of the risk of more generalized policy critiques. The Annual Report of the IPC, for example, may call public attention to certain design features that may undermine the protection of personal information. Such critiques often focus on the broad privacy implications of a given program or proposal rather than on simple technical compliance with FIPPA. Organizations must be sensitive to these risks when assessing the privacy implications of their proposals.

Questions which may help organizations to understand the sources of such risks would include:

Has a similar program been proposed or implemented in other jurisdictions (nationally or internationally) and, if so, how did watchdog agencies, the media, and the public react? What elements of the program, if any, caused the greatest public concern, and what measures have been put in place to pre-empt similar reactions in Ontario?

Have watchdog agencies, including privacy commissioners in other provinces, issued reports or opinions on issues that would be relevant to the proposal and, if so, have these been taken into account?

Where appropriate, have key internal or external stakeholders been provided with an opportunity to comment on the implications of the proposal for the protection of personal information?

Notes


SUMMARIZING THE RESULTS - STEP THREE

At this stage in the process, organizations should have both a detailed account of the data flow within a program or proposed program, and an analysis of compliance with FIPPA and broader privacy principles. This should provide a solid basis for determining whether there are any outstanding privacy issues which should be addressed before or as the proposal moves forward.

Organizations should have identified and resolved technical compliance with the requirements of FIPPA through the PIA process. Therefore, any outstanding privacy issues which will form part of the summary document will relate to compliance with broader privacy principles and possible triggers of negative public reaction. An understanding of the environment in which the proposal is being made and of public expectations with regard to privacy must, therefore, figure prominently in the determination of what the outstanding issues are.

In summarizing their results, organizations should keep in mind that one of the key goals of the privacy impact assessment is to provide senior executives and the government with the tools necessary to make fully informed policy, system design and/or procurement decisions based on an understanding of privacy risk and of the options available for mitigating that risk. When preparing the summary of the results of the PIA, then, analysts should seek to communicate clearly about risks or possible risks that have been identified through the PIA process, particularly where those risks have not been successfully addressed through system design or policy measures (i.e. residual risks).

While the format of the summary will be largely determined by the organization's needs, it should, at a minimum, convey the following information:

  • a description of the proposal including programs and/or partners involved, objectives, timing and key milestones, resource requirements, public benefits, and pointers to more detailed information about the proposal;
  • a list of relevant legislation that may have a bearing on privacy requirements, including program statutes, and relevant policies, including any applicable Management Board Directives;
  • the specific privacy risks relevant to the proposal;
  • the options that exist for addressing or mitigating those risks, along with the implications of each option;
  • an analysis of whether other jurisdictions, either in Canada or internationally, have addressed similar risks and whether their approaches were successful;
  • any residual risks that cannot be addressed through the proposed options and, where possible, an analysis of the likely implications of these residual risks in terms of public reaction and program success;
  • a proposed privacy communications strategy, if appropriate.

Privacy Risks Identification Template

Privacy Risk | Description | Addressed By | Not Addressed
