DRAFT: OCTOBER, 1999
MODEL CROSS-JURISDICTIONAL PRIVACY IMPACT ASSESSMENT GUIDE
TABLE OF CONTENTS
EXECUTIVE SUMMARY
PART 1: PURPOSE OF THE GUIDE
PART 2: PRIVACY AND ELECTRONIC SERVICE DELIVERY
2.1 PRIVACY
2.2 MODEL CODE
2.3 CROSS-JURISDICTIONAL ELECTRONIC SERVICE DELIVERY
2.4 PRIVACY RISKS
Public Opinion
Privacy Risks for Individuals
System and Service Design Privacy Risks
Program Design Privacy Risks
PART 3: THE PRIVACY IMPACT ASSESSMENT PROCESS
3.1 DESCRIPTION OF A PRIVACY IMPACT ASSESSMENT
3.2 GOALS OF THE PRIVACY IMPACT ASSESSMENT
3.3 COMPLETING THE PRIVACY IMPACT ASSESSMENT
PART 4: PRIVACY IMPACT ASSESSMENT DATA ANALYSIS
4.1 DATA FLOW DESCRIPTION
4.2 BUSINESS PROCESS DIAGRAM
4.3 DATA FLOW TABLES
PART 5: PRIVACY IMPACT ASSESSMENT: PRIVACY ANALYSIS
Principle 1: Accountability
Principle 2: Identifying Purposes
Principle 3: Consent
Principle 4: Limiting Collection
Principle 5: Limiting Use, Disclosure, and Retention
Principle 6: Accuracy
Principle 7: Safeguards
Principle 8: Openness
Principle 9: Individual Access
Principle 10: Challenging Compliance
PART 6: PRIVACY IMPACT ASSESSMENT: RISK MANAGEMENT PLAN
APPENDIX A: CSA MODEL CODE
APPENDIX B: DATA FLOW TABLES
EXECUTIVE SUMMARY
1. BACKGROUND
The Privacy Issue in a Cross-jurisdictional Context
Governments across Canada have expressed their commitment to the protection of personal
information. This commitment is particularly relevant in the context of efforts to identify,
develop, and implement electronic service delivery applications to improve customer
service. Where such efforts involve cross-or multi-jurisdictional service delivery, the
protection of personal information may be complicated by a number of factors, such as
differing legislative frameworks, or variations in public expectations.
In cross-jurisdictional electronic service delivery, the privacy focus is on information privacy. Information privacy can be described as the measure of control individuals may exercise over when, how and to what extent they will share personal information about themselves. The Canadian public has identified information privacy as one of the major concerns connected with electronic Internet based services. Polling data from late 1998 shows that 86% of Canadians are very concerned about giving out credit card information online, and that 91% are concerned about giving out credit card information online.
The Basis of the Privacy Impact Assessment: The CSA Standard
In 1996, the Canadian Standards Association (CSA) published a Model Code for the Protection of Personal Information approved by the Standards Council of Canada as a National Standard. The CSA Standard articulates a standard set of fair information principles and reflects a consensus among industry, consumer, government, and other special interest groups.
In 1998, Federal-Provincial and Territorial Ministers Responsible for the Information Highway agreed to support the CSA Standard as a minimum standard for privacy protection in all jurisdictions.
Therefore, this Model Cross-Jurisdictional Privacy Impact Assessment Guide uses the CSA Standard to assess the privacy implications, privacy issues and privacy risks associated with cross-jurisdictional electronic service delivery proposals. The Standard is to be used in conjunction with existing privacy laws that express similar fair information principles.
The Nature of the Privacy Risk in Cross-Jurisdictional ESD Applications
Cross jurisdictional ESD applications are likely to involve or support the collection, use,
processing and disclosure of personal information among a number of government
jurisdictions. In this context, privacy risks may flow from any of a number of sources,
including system characteristics, technical architecture, and program design.
2. THE MODEL PRIVACY IMPACT ASSESSMENT
The Goals of a Cross-Jurisdictional Privacy Impact Assessment
A privacy impact assessment (PIA) is a process that determines whether new proposals for or modifications to existing applications for cross-jurisdictional electronic delivery of services to individuals meet privacy requirements and expectations.
The PIA process is designed to ensure that privacy is considered throughout the business redesign or project development cycle. The result of a privacy impact assessment is documented assurance that all privacy issues have been identified and adequately addressed.
The goals of the assessment are achieved by:
- measuring compliance with the CSA Model Code as a minimum standard;
- providing a framework for verifying compliance with the privacy legislation and policies of particular jurisdictions;
- identifying the broader privacy issues of a given proposal that may be of potential public concern.
Tailoring the Privacy Impact Assessment for Specific Projects
The Model Cross-Jurisdictional Privacy Impact Assessment Guide provides a methodological framework. The specific stages in the Guide, along with the questions it poses, are designed to be modified to fit the nature of the potential privacy implications and risks associated with a given project. For example, for a cross-jurisdictional information technology proposal for electronic service delivery with minor privacy risks, the business process diagram may be sufficient to describe the data flows. Here the Data Flow Table may be condensed because only one cluster of data elements will be tracked. For a cross-jurisdictional electronic service delivery project with major privacy risks, however, the privacy analysis and risk management plan may be significantly expanded and further questions may be added to the Privacy Analysis.
An operating assumption for the development of the cross-jurisdictional PIA is that individual jurisdictions may choose to complete their own PIA based on their specific statutory and policy provisions. The jurisdictional PIA can be used in parallel with the cross-jurisdictional PIA to fully identify the complete spectrum of privacy implications.
Components of the Privacy Impact Assessment
The Privacy Impact Assessment process has the following components and will result in the following documentation:
The Timing of the Privacy Impact Assessment
Proper design of electronic service delivery systems is dependent, to some extent, on early consideration of privacy issues. An understanding of the kinds of questions that will arise in the context of the privacy impact assessment, as well as a sense of where risks may lie, should therefore be incorporated into the early phases of the system development life cycle. While the completion of a full and detailed privacy impact assessment may only be possible at later stages in the system development and acquisition phase, the privacy impact is best approached as an evolving document which will grow increasingly detailed over time. Thus, even at the concept and system definition stages, consideration should be given to the sources of potential risk. In these early stages, a consideration of the potential sources of risk will likely be expressed in terms of a privacy issues scan which outlines the possible implications of broad design choices.
PART 1: PURPOSE OF THE GUIDE
Governments across Canada are committed to the protection of personal information collected in the course of their provision of services to the Public. Most Federal, Provincial and Territorial Governments are subject to privacy laws that regulate the collection, use, disclosure and retention of personal information.
Personal information is information or a combination of information that identifies an individual. The information could be an identifying number or a combination of information like name and address.
Both the private sector and governments are identifying, developing and implementing electronic service delivery applications to improve customer service. These applications are a vital part of "reinventing" government to make it more relevant, effective and affordable and geared to the needs of citizens. Some of the government applications will involve cross-jurisdictional cooperation and may transmit, process and store personal information in the course of service delivery to individuals.
Privacy implications and risks may surface because of the cross-jurisdictional flow of personal information. An electronic service delivery application might involve the private sector in addition to government jurisdictions. The privacy risks need to be identified, assessed and resolved to create cross-jurisdictional applications that protect and potentially enhance privacy.
The public is concerned about privacy and security when personal information is collected for an electronic service delivery transaction, whether in the public or private sector. Recent surveys of public opinion provide ample evidence of the concern for privacy.
The purpose of this Guideline is to present a model process for a cross-jurisdictional Privacy Impact Assessment (PIA). The PIA described in this Guideline is a process to manage the successful resolution of any privacy risks in proposed information systems and technologies for cross-jurisdictional electronic delivery of services to individuals. The PIA is a key component of the overall business planning that takes place for these services.
The Guideline was developed at the request of the Chief Information Officers of Canada, the Provinces and Territories. It is intended for use as an integral part of the business planning for cross-jurisdictional projects or modifications to existing applications that involve the electronic delivery of services to individuals.
PART 2: PRIVACY AND ELECTRONIC SERVICE DELIVERY
2.1 PRIVACY
Privacy has many dimensions. At its broadest, privacy can be described as the desire of individuals to maintain control of access to their private realms. Individuals may be concerned about such diverse privacy issues as unwanted junk mail, intrusiveness into their homes, monitoring of their personal communications or surveillance of their activities.
In the context of cross-jurisdictional electronic delivery of services, the privacy focus is on informational privacy. Informational privacy can be described as the measure of control individuals may exercise to determine when, how and to what extent they will share personal information about themselves.
The Canadian public has identified informational privacy as one of the major concerns connected with electronic Internet based services.
2.2 MODEL CODE FOR THE PROTECTION OF PERSONAL INFORMATION
In the early 1990's, the Canadian Standards Association (CSA) brought together representatives from government, industry, labour, consumer advocacy groups and private groups, among others, to address the need for a Canadian standard to protect personal information. A Model Code for the Protection of Personal Information was published by the CSA and approved by the Standards Council of Canada as a National Standard in 1996.
The CSA Standard is based on the Guidelines Governing the Protection of Privacy and the Transborder Flows of Personal Data. The Guidelines were developed for the Organization for Economic Cooperation and Development in 1980. Privacy laws in Canada have generally been based on the privacy principles in the Guidelines. The European Union's (EU) Directive on Protection of Personal Data with Regard to the Processing of Personal Data and on the Free Movement of Such Data, adopted in July 1995 and effective from October 1998, is also based on these privacy principles. The Directive on Data Protection controls the flow of personal information out of EU members. Non-EU countries judged not to have "adequate" protection could be prevented from receiving personal information from EU members.
To facilitate electronic delivery of services and address privacy concerns, the Federal-Provincial and Territorial Ministers Responsible for the Information Highway agreed in 1998 that consumers must have confidence that:
- their personal information will be adequately protected, and
- their transactions are secure and private.
The Ministers agreed to support the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information as a minimum standard for privacy protection in jurisdictions. The Standard would be used in conjunction with existing privacy laws in each jurisdiction, where applicable. These privacy laws articulate principles similar to the CSA Code's standards for the protection of personal information or "fair information practices" in each jurisdiction.
Because of the wide acceptance of the CSA privacy principles in Canada, the model Privacy Impact Assessment in this Guide uses the principles as the basis to assess the privacy implications, privacy issues and privacy risks of cross-jurisdictional electronic delivery of service proposals.
2.3 CROSS-JURISDICTIONAL ELECTRONIC SERVICE DELIVERY
Governments are reviewing service delivery to identify potential applications for cross-jurisdictional electronic delivery of services to individuals. Governments are looking at electronic delivery of services as a way of interacting with the public more rapidly, more efficiently and more responsively.
Services in the future might be delivered in the following ways:
- a kiosk used by individuals to access a variety of multi-jurisdictional programs
- a home computer used to access an Internet site hosting a variety of programs for service delivery to
- a smart card used by an individual to access multiple government programs.
2.4 PRIVACY RISKS OF CROSS-JURISDICTIONAL ELECTRONIC SERVICE DELIVERY APPLICATIONS
There are privacy implications and risks involved in the development (or enhancement) of cross-jurisdictional electronic service delivery applications. These applications support the collection, use, processing and disclosure of personal information among a number of government jurisdictions. The privacy risks may come from a variety of sources including system characteristics, technical architecture and design of the electronic service and/or program design.
The privacy concerns of individuals may increase when the electronic delivery of services does not have adequate transparency or oversight of privacy practices. Cross-jurisdictional electronic delivery of services need not inherently erode privacy or be incompatible with the goals of protecting personal information. If properly designed, electronic service delivery information systems can enhance privacy.
Proper design of electronic service delivery systems is dependent, to some extent, on early consideration of privacy issues. An understanding of the kinds of questions that will arise in the context of the privacy impact assessment, as well as a sense of where risks may lie, should therefore be incorporated into the early phases of the system development life cycle. While the completion of a full and detailed privacy impact assessment may only be possible at later stages in the system development and acquisition phase, the privacy impact is best approached as an evolving document which will grow increasingly detailed over time. Thus, even at the concept and system definition stages shown below, consideration should be given to the sources of potential risk discussed later in this section and to the principles outlined in Part Five of the impact assessment.
Public Opinion
Numerous surveys have demonstrated that the public is concerned about both privacy and security in relation to the electronic delivery of services in both the public and private sectors. The privacy factors that may have an effect on public opinion and that may need to be assessed include:
- transparency: If the public does not know or understand the cross-jurisdictional practices for handling personal information in the electronic service delivery environment, individuals may limit their use of the service.
- oversight mechanisms: Without an independent oversight mechanism for the review of cross-jurisdictional privacy practices related to the electronic delivery of services, a lack of public confidence in the service may develop.
- Privacy Commissioner(s): Privacy Commissioners may have recommended privacy practices or provided public statements relative to cross-jurisdictional electronic delivery of services to individuals. Planners need to know the public positions or concerns of the Commissioners that may impact on these proposals.
Privacy Risks for Individuals
Examples of privacy risks that may arise include:
- data profiling/ data matching: Profiling and matching (or data linking) occur by combining unrelated personal information from a variety of sources to create new information about individuals. Data matching and profiling may be facilitated by storing personal information in centralized databases or by linking unrelated databases.
- transaction monitoring: Monitoring occurs when an individual's transactions with one or more programs are tracked. The tracking usually results in the creation of new personal information about the individual's overall experience with the government.
- identification of individuals: Electronic delivery of services generally requires the identification of individuals as a way of managing security risks. Some proposals may also require the authentication of an individual's identity. Methods of identification and authentication may include biometrics (based on biological characteristics such as fingerprints) and single universal identification numbers. Surveillance risks exist when the use of common identifiers or identification systems facilitates data sharing and/or profiling or transaction monitoring.
- physical observation of individuals: The movement or location of individuals may be tracked through the operation of mechanisms to record an individual's use of a kiosk.
- data processing offshore: The processing and/or storage of personal information outside of Canada may result in diminished data protection for individuals.
System Characteristics, Technical Architecture and Service Delivery Design Privacy Risks
The privacy risks associated with cross-jurisdictional electronic service delivery may be a product of the architecture or technical characteristics of the systems used to support the service or of the technologies that drive those systems.
The following are examples of potential privacy risks associated with system characteristics and the technical architecture of systems:
- common (network) directory services: Most systems seek to maximize ease of access by providing multi-user access from any number of locations. A central list of individuals authorized to access the system is maintained along with their system privileges. Such central listings are typically designed to gather similar listings from linked or related systems, making it possible to find a person's ID, electronic address, or privileges anywhere within the connected systems. This function is known as common directory services.
Where common directory services list personal information about individuals as electronic service delivery customers, privacy implications arise. A privacy risk may be identified if a directory is shared between jurisdictional programs or aggregated into a multi-system common directory service for a number of jurisdictions.
- public key infrastructures: A public key infrastructure (PKI) uses digital signature technology and cryptography to facilitate the secure transmission of data to its intended recipient. After a certificate is issued, only the recipient's private key, known to the recipient alone and matched to the public key used to protect the data, will allow access to the transmitted data.
The implementation of PKI systems may involve the development of customer directories that link the traits or attributes of individuals, such as customer signatures, to their participation in unrelated programs.
- smart cards: Smart cards are essentially computers in card form. An individual's interface with an electronic delivery service takes place by inserting the card into a reader connected to a screen and keypad for viewing or entering data. Where an application is designed that does not offer physical control of the card, it may be possible for a variety of card readers and service delivery systems to access the personal information stored on the card. Where a directory function is part of a card's operating system, a list of all the data files and programs stored on the card may be generated. Therefore, without privacy controls, the relationship of the cardholder to unrelated programs or records of transactions may be accessible to anyone with a reader and/or card transaction software.
Program Design Privacy Risks
The design of the overall electronic service delivery program may have a privacy impact in the following ways:
- delivery channel design: The design of services for individuals may involve the merging of previously isolated transaction systems into a common cross-governmental window. The channel design may combine data collection activities through a common window for previously isolated program data collection systems from a number of jurisdictions.
If the private sector is part of the service delivery system, there may be gaps in the privacy protection measures if privacy laws do not cover the complete electronic service application.
Proposals to diminish the legislated protection for personal information and/or the oversight method may present a privacy risk.
- service monitoring: There is a growing trend to monitor service delivery to measure customer satisfaction and allocate resources. Internet browser cookies and transaction logging systems may be used to capture personal information without the consent of the individual. The information may be used to create profiles of individuals.
- delivery channel management: The shift toward new service delivery channels can pose distinct challenges for security and privacy. Systems based on personal interaction at a counter or signed paper mail are moving to computer or kiosk-based transactions, automated voice response, call centres or remote access systems. The new systems may raise privacy issues with regard to client identification and authentication. Other privacy issues may be related to the need to obtain an individual's consent to collect personal information and the need to provide an individual with notice of how personal information will be used.
PART 3: THE PRIVACY IMPACT ASSESSMENT PROCESS
3.1 DESCRIPTION OF A PRIVACY IMPACT ASSESSMENT
A privacy impact assessment (PIA) is a process to determine whether new proposals for or modifications to existing applications for cross-jurisdictional electronic delivery of services to individuals meet privacy requirements and expectations. The process could also be used for cross-jurisdictional projects that do not deliver services but use personal information. The PIA process includes planning, analysis and education.
The PIA process:
- measures compliance with privacy legislation and policies
- identifies the broader privacy risks and implications of a given proposal using the privacy principles of the CSA Model Code for the Protection of Personal Information
- identifies privacy issues of potential public concern that may be relevant to the cross-jurisdictional proposal for the electronic delivery of services.
The Privacy Impact Assessment process has the following components and will result in the following documentation:
- data analysis documentation: a business process diagram and data flow tables to analyze from a data protection viewpoint how and by whom personal information will be collected, used and disclosed
- privacy analysis documentation: an analysis of the data flow and potential privacy issues against the privacy principles in the CSA Model Code for the Protection of Personal Information and relevant jurisdictional privacy laws and policies to determine and document the privacy implications and risks of the proposal
- privacy risk management plan: a documented evaluation of the privacy implications and risks with actions, recommendations and/or options to mitigate the risks including a high level policy-based discussion of the electronic service delivery proposal and privacy.
Because the privacy impact assessment is a dynamic process, the documentation above will be created at an early stage in the cross-jurisdictional project. The documentation can then be used as part of the project planning and management as the project proceeds. If changes occur in the project details that affect the PIA, the PIA process documentation can be reviewed and updated.
The result of a privacy impact assessment is documented assurance that all privacy issues have been identified and either adequately addressed or, in the case of outstanding privacy risks, brought forward for further direction. The ability to provide such an assurance is largely dependent on the extent to which all relevant factors and potential privacy issues have been considered.
A PIA generates confidence that privacy objectives have been met, and promotes informed policy decision-making and system design choices.
3.2 GOALS OF THE PRIVACY IMPACT ASSESSMENT
The PIA process is designed to ensure that privacy is considered throughout the business redesign or project development cycle. The goals of a PIA include:
- ensuring that privacy protection is reflected as a core criterion in the initial framing of cross-jurisdictional electronic service delivery objectives and in subsidiary project activities
- ensuring accountability for privacy issues is clearly incorporated into the role of project managers and sponsors
- providing senior decision-makers with the information necessary to make fully-informed policy and system design and/or procurement decisions based on an understanding of privacy implications and risks and of the options available for mitigating those risks
- providing basic documentation on the flow of personal information for common use and review by policy and program design staff, systems analysts, and security analysts, and for use as the basis for consultations, public announcements, legislative amendments, contract specifications and cross-jurisdictional agreements.
3.3 COMPLETING THE PRIVACY IMPACT ASSESSMENT
The PIA process should ensure that privacy is considered throughout the cross-jurisdictional electronic service delivery project development cycle, and particularly at the conceptual stage, the final design approval and funding stage, the implementation and communications stage, and at the post-implementation audit or review stage.
The Privacy Impact Assessment process in this Guide is adaptable: it is designed to be modified to fit the nature of the potential privacy implications and risks associated with the proposed cross-jurisdictional electronic service delivery project. For example, for a cross-jurisdictional information technology proposal for electronic service delivery with minor privacy risks, the business process diagram may be sufficient to describe the data flows. In that example, the Data Flow Table may be condensed because only one cluster of data elements will be tracked. For a cross-jurisdictional electronic service delivery project with major privacy risks, the privacy analysis and risk management plan may be significantly expanded and further questions may be added to the Privacy Analysis.
An operating assumption for the development of the cross-jurisdictional PIA is that individual jurisdictions may choose to complete their own PIA based on their specific statutory and policy provisions. The jurisdictional PIA can be used in parallel with the cross-jurisdictional PIA to fully identify the complete spectrum of privacy implications.
The PIA process is a cooperative process that brings together many skills to identify, assess and resolve privacy implications. The skills include knowledge of privacy, information and records management, information technology, business planning and management and relevant laws and policies. Typically, a team of individuals with the skills identified above and any other skills relevant to the privacy impact assessment process will complete the process. The multidisciplinary approach will likely involve individuals from each of the jurisdictions involved in the electronic service delivery project. One individual should be assigned overall responsibility for the completion of the PIA process on behalf of the jurisdictions. This individual will coordinate the process in cooperation with each jurisdiction's lead contact for the PIA process.
PART 4: PRIVACY IMPACT ASSESSMENT: DATA ANALYSIS
4.1 DATA FLOW DESCRIPTION AND ANALYSIS
The privacy impact assessment process has three components. The first component is an analysis of the data flows of personal information associated with the proposed cross-jurisdictional electronic service delivery application. This analysis is conducted using a Business Process Diagram and Data Flow Tables.
An analyst reviewing the Diagram and Data Flow Tables will be able to identify and track personal information from the point of collection to the point where all copies of the information are destroyed or permanently archived. While tracking the life cycle of the personal information, the analyst would have an accurate description of all the users and stakeholders who accessed or used the personal information. The analyst would also have an accurate picture of where copies of records of personal information may exist.
4.2 BUSINESS PROCESS DIAGRAM
A business activity can be described from an information management perspective as a series of processes consisting of:
- information collection (data inputs);
- transaction processing involving the application of rules, validations and decision-making;
- product or service provision in terms of a decision, benefit, or licence (output); and
- transaction recording of the above events that may be in the form of temporary records such as system logs, paper forms used prior to input and data records or subject files in any media.
A high-level Business Process Diagram is prepared to provide an overall picture of the business activity. The Diagram should identify, at a general level, how personal information flows through an organization or organizations, focussing on collection, use, storage and disclosure.
4.3 DATA FLOW TABLES
While the Business Process Diagram documents the high level flow of personal information, it does not generally provide an adequate level of detail for subsequent stages in the privacy impact assessment process. To obtain the detail, Data Flow Tables are created that build on the Business Process Diagram. The Data Flow Tables track each data element or cluster of elements (of personal information) from the point of collection until all copies of the information are destroyed or permanently archived. Personal information can be "clustered" when it will be collected, used and/ or disclosed as a unit for one purpose. For example, name, address and date of birth may be collected for purposes of identification.
Each cluster of data elements (or a data element) should be defined by:
- naming the cluster
- listing the data elements of personal information in the cluster
- describing each cluster, including the rationale for collection (e.g. identification, eligibility verification).
The analysis of the information contained in the Data Flow Tables provides details of how personal information is collected, used and disclosed. The focus of the data analysis is on those aspects of the information management life cycle that may have the greatest impact on determining whether a proposal successfully meets privacy requirements.
The data analysis information is then used with the second component in the process, the Privacy Analysis, to assist in identifying some of the privacy implications and risks associated with the proposed electronic service delivery application. Because information on the Data Flow Tables will identify specifically how personal information is collected and how the information will be used and disclosed, many of the questions posed in the Privacy Analysis can be answered with confidence that the response is accurate.
A response in the Privacy Analysis may lead to the identification of a privacy risk. For example, the Data Flow Tables may show that the personal information will be used for new purposes and that a new unique identifying number is proposed. This information will be used in the Privacy Analysis, Principle 5 (5.1, 5.2, 5.8), to identify possible privacy implications and risks.
Examples of Data Flow Tables are presented in Appendix B. The two Tables cover the collection of personal information and the use and disclosure of personal information. The Tables can be customized as needed depending on the complexity of the specific cross-jurisdictional service delivery proposal.
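As an added illustration (not part of the guide, and not the guide's Appendix B tables), the following Python script models a collection table and a use/disclosure table as described above and derives from them the kind of Principle 5 findings the text mentions: a cluster used or disclosed for a purpose other than the one identified at collection, a unique identifier used to link databases, processing outside Canada, and a cluster whose life cycle never reaches destruction or archive. The cluster and flow field names, the life-cycle stage vocabulary, the use of Principle 5 question numbers as labels, and the two-jurisdiction sample flows are all assumptions made for the example.

```python
"""Data Flow Table check for a privacy impact assessment.

Added example, not part of the guide. The cluster and flow field names,
the life-cycle stage vocabulary, the Principle 5 question numbers used as
labels, and the sample tables below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

STAGES = {"collect", "use", "disclose", "retain", "archive", "destroy"}


@dataclass(frozen=True)
class Cluster:
    """A cluster of data elements collected as a unit for one purpose."""
    name: str
    elements: Tuple[str, ...]
    rationale: str            # purpose identified at collection


@dataclass(frozen=True)
class Flow:
    """One row of the use/disclosure table: what happens to a cluster, where."""
    cluster: str
    stage: str
    purpose: str
    jurisdiction: str
    country: str = "Canada"
    identifier: Optional[str] = None   # unique identifier used at this step
    linked_databases: int = 1          # databases joined on that identifier


def analyse(clusters: List[Cluster], flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (Principle 5 question, finding) pairs derived from the tables."""
    by_name = {c.name: c for c in clusters}
    for f in flows:
        if f.stage not in STAGES:
            raise ValueError(f"unknown stage {f.stage!r} for cluster {f.cluster!r}")
        if f.cluster not in by_name:
            raise ValueError(f"flow refers to undefined cluster {f.cluster!r}")
    findings = []
    for c in clusters:
        own = [f for f in flows if f.cluster == c.name]
        for f in own:
            # 5.1 / 5.8: use or disclosure for a purpose not identified at collection
            if f.stage in ("use", "disclose") and f.purpose != c.rationale:
                findings.append(("5.1/5.8", f"{c.name}: {f.stage} for new purpose "
                                            f"'{f.purpose}' (collected for '{c.rationale}')"))
            # 5.2: a personal identifier used to link across databases
            if f.identifier and f.linked_databases > 1:
                findings.append(("5.2", f"{c.name}: '{f.identifier}' links "
                                        f"{f.linked_databases} databases ({f.jurisdiction})"))
            # 5.6: processed or retained outside Canada
            if f.country != "Canada":
                findings.append(("5.6", f"{c.name}: {f.stage} in {f.country} ({f.jurisdiction})"))
        # 5.5 / 5.7: every copy must end in destruction or permanent archive
        if not any(f.stage in ("archive", "destroy") for f in own):
            findings.append(("5.5/5.7", f"{c.name}: no destruction or archive step recorded"))
    return findings


def example_tables():
    """Constructed sample: two clusters for a two-jurisdiction benefit application."""
    clusters = [
        Cluster("identity", ("name", "address", "date of birth"), "identification"),
        Cluster("income", ("annual income",), "verify eligibility"),
    ]
    flows = [
        Flow("identity", "collect", "identification", "Province A"),
        Flow("identity", "use", "identification", "Province A"),
        Flow("identity", "disclose", "eligibility cross-match", "Province B",
             identifier="client number", linked_databases=2),
        Flow("identity", "destroy", "identification", "Province A"),
        Flow("income", "collect", "verify eligibility", "Province A"),
        Flow("income", "retain", "verify eligibility", "Province A",
             country="United States"),   # contractor's data centre (assumed)
    ]
    return clusters, flows


def run_example():
    return analyse(*example_tables())


if __name__ == "__main__":
    for question, finding in run_example():
        print(f"Principle 5, question {question}: {finding}")
```

The point of the check is that each finding maps back to a specific Privacy Analysis question, so the "yes"/"no" response and its discussion can cite the exact table row that produced it. The validation at the top of `analyse` matters in practice: a flow that refers to a cluster nobody defined, or to a stage outside the agreed vocabulary, is usually a sign that a jurisdiction's part of the table was filled in against a different template.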
PART 5: PRIVACY IMPACT ASSESSMENT: PRIVACY ANALYSIS
The second part of the three-part privacy impact assessment process is the Privacy Analysis. The Analysis is designed to provide evidence of compliance with privacy principles and to identify privacy risks. Not all of the questions in the Privacy Analysis will be relevant to every proposal, and the questions may not reflect all the considerations that will be important for a particular proposal. The Privacy Analysis can and should be modified where necessary to ensure that all relevant questions are considered.
The Privacy Analysis framework and questions are based on the CSA Model Code for the Protection of Personal Information, approved by the Standards Council of Canada as a National Standard of Canada in 1996 (CAN/CSA-Q830-96). The questions also address the privacy and other statutory and policy requirements of the jurisdictions involved in the proposal.
The Privacy Analysis uses the series of questions based on the CSA Code and its supporting details, the data flow analysis from the Data Flow Tables and jurisdictional legislative and policy requirements to:
- measure privacy compliance with the Code's principles, legislative and policy requirements
- identify privacy implications and risks.
Each question will need to have supporting information in the "discussion" section to support the "yes" or "no" response in the privacy analysis. For example, question 1.1 asks if PIA responsibility is assigned. A "yes" response would then indicate in the discussion section the name and other information about the responsible individual. A "no" response would be supported in the discussion section by an explanation of why an individual has not been assigned.
The ten privacy principles of the CSA Standard, in the order in which the Code presents them, are:
- Accountability,
- Identifying Purposes,
- Consent,
- Limiting Collection,
- Limiting Use, Disclosure, and Retention,
- Accuracy,
- Safeguards,
- Openness,
- Individual Access, and
- Challenging Compliance.
Each of the principles is listed in the following analysis. The complete CSA Code containing both the privacy principles and the supporting details for each principle is reproduced in Appendix A.
Principle 1: Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
Questions for Analysis
| Question | YES | NO |
|---|---|---|
| 1.1 Has responsibility for the PIA been assigned? | | |
| 1.2 Has custody and/or control of personal information been determined for the cross-jurisdictional electronic service delivery proposal, and: | | |
| - has the accountability of the jurisdictions and individuals in jurisdictions been documented for all privacy requirements? | | |
| - are the performance requirements of the jurisdictions comprehensively specified in a measurable way, and subject to specific performance or compliance reviews? | | |
| - where a jurisdiction and/or the private sector is not subject to a privacy law, will an agreement or contract establish equivalent privacy requirements? | | |
| - will each jurisdiction be provided with the results of regularly scheduled audits and compliance checks on the privacy practices of the cross-jurisdictional service delivery application? | | |
| 1.3 Have legal opinions or policy advice been sought regarding: | | |
| - the identification of privacy and other statutory requirements of each jurisdiction relating to the collection, use, disclosure, retention and disposal of personal information for the electronic service delivery proposal? | | |
| - the identification of any statutory conflicts among jurisdictions and how the conflicts will be resolved? | | |
| - if required, the authority to transfer jurisdictional program delivery responsibilities to the cross-jurisdictional electronic service delivery application, including a consideration of the authority for the electronic service to collect, use, disclose or retain personal information as necessary on behalf of jurisdictions? | | |
| - the identification of any requirements for statutory or program delegation? | | |
| 1.4 Has each jurisdiction identified all privacy policy requirements related to personal information and have conflicting requirements been resolved? | | |
| 1.5 Are the views of Privacy Commissioners on the cross-jurisdictional electronic service delivery proposal known? | | |
| 1.6 Have arrangements been made for transparent, documented information systems so that individuals can be informed about how their personal information is collected, used and disclosed? | | |
| 1.7 Have arrangements been made for independent audit, compliance and enforcement mechanisms for the cross-jurisdictional electronic service delivery service, including fulfillment of the commitments in the PIA process? | | |
| 1.8 Does the cross-jurisdictional electronic service delivery proposal entail a privacy risk because accountability for and/or compliance with existing privacy requirements will be diminished? | | |
| 1.9 Have privacy law and other statutory and policy conflicts among jurisdictions been resolved? | | |
| 1.10 Where appropriate, have key stakeholders been provided with an opportunity to comment on the privacy protection implications of the cross-jurisdictional electronic delivery of services proposal? | | |
| 1.11 Where appropriate, will public consultation take place on the privacy risks and the plans for resolution? | | |
| 1.12 Is there an Agreement that details each jurisdiction's responsibilities in relation to the cross-jurisdictional electronic delivery of services proposal and privacy? | | |
Discussion:
Principle 2: Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
Questions for Analysis
| Question | YES | NO |
|---|---|---|
| 2.1 Has a clear relationship been established between the personal information to be collected and the cross-jurisdictional service delivery proposal's functional and operational requirements? | | |
| 2.2 Have the purposes for which the personal information is collected been documented among jurisdictions? | | |
| 2.3 Have the notice provisions among the jurisdictions been reconciled and have jurisdictional exceptions to the notice provision been identified and reconciled? | | |
| 2.4 Have all options to minimize the routine collection of personal information been considered? | | |
| 2.5 If personal information that has been collected is to be used for a purpose not previously identified, is consent required? | | |
| 2.6 Have arrangements been made to provide full disclosure of the purposes for which personal information is collected? | | |
Discussion:
Principle 3: Consent
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
Questions for Analysis
| Question | YES | NO |
|---|---|---|
| 3.1 Does the cross-jurisdictional proposal require an individual's consent to collect, use and/or disclose personal information, and if so, have jurisdictional differences been reconciled? | | |
| 3.2 Does consent require a positive action by the individual, rather than being assumed as the default? | | |
| 3.3 Where personal information is collected indirectly, is it necessary to obtain consent from the individual to whom the information pertains, by either the jurisdiction collecting indirectly or the jurisdiction disclosing the information? | | |
| 3.4 Does the proposal envision possible secondary uses for the personal information collected, and if so, do any jurisdictional consent requirements have to be reconciled? | | |
| 3.5 Can an individual refuse to consent to the collection or use of personal information for a secondary purpose, unless required by law? | | |
| 3.6 Are cross-jurisdictional standards in place for administering consent requirements that address: | | |
| - determining whether the individual has the capacity to give consent, by reason of age or capacity; | | |
| - recognition of persons authorized to make decisions on behalf of an incapable person or minor? | | |
| 3.7 Are the proposed consent provisions consistent with existing laws and standards in comparable areas of the public or private sector? | | |
| 3.8 Is the form of the consent being sought (for example, opt-in or opt-out) likely to stimulate negative public reaction? | | |
Discussion:
Principle 4: Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
Questions for Analysis
| Question | YES | NO |
|---|---|---|
| 4.1 Does the cross-jurisdictional proposal require the collection of more personal information than was previously collected by each jurisdiction? | | |
| 4.2 Will individuals be monitored for purposes of quality assurance or security, and if so, will personal information be collected? | | |
| 4.3 If required, has each jurisdiction identified the authority for the collection of personal information on their behalf? | | |
| 4.4 Will measures be taken to ensure public confidence in the privacy practices related to the service when personal information that individuals are likely to consider highly sensitive is collected? | | |
Discussion:
Principle 5: Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Questions for Analysis
| Question | YES | NO |
|---|---|---|
| 5.1 Is personal information used exclusively for the identified purposes and for uses that an individual would reasonably consider consistent with those purposes? | | |
| 5.2 Are personal identifiers, such as the social insurance number, used for the purposes of linking across multiple databases? | | |
| 5.3 Where data linkages such as data matching or profiling occur, is it consistent with the stated purposes for which the personal information is collected? | | |
| 5.4 Do jurisdictional data matching or data profiling policies require the conduct of a formal assessment and/or a review by the Privacy Commissioner? | | |
| 5.5 Is there a need to reconcile among jurisdictions the length of time records of personal information are retained? | | |
| 5.6 Will personal information be processed or retained outside of Canada? | | |
| 5.7 If required, is there a cross-jurisdictional procedure to govern the destruction of personal information? | | |
| 5.8 If personal information is to be used for a new purpose, is the new purpose authorized and documented? | | |
| 5.9 Is there a need for a cross-jurisdictional Agreement if data matching or data profiling is proposed as part of the electronic service delivery proposal? | | |
| 5.10 Are any limitations on the use and disclosure of personal information set out in law or policy reinforced by the information and information technology architecture of the information systems? | | |
Discussion:
Principle 6: Accuracy
Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
Questions for Analysis
| Question | YES | NO |
|---|---|---|
| 6.1 Does the record indicate the last update date? | | |
| 6.2 Is a record kept of the source of the information used to make changes (e.g., paper or transaction records)? | | |
| 6.3 Where applicable, is there a procedure, automatically or at the request of the individual, to provide notices of correction to third parties to whom personal information has been disclosed? | | |
| 6.4 Have cross-jurisdictional responsibilities for accuracy been identified? Have any cross-jurisdictional differences in accuracy requirements been identified and reconciled? | | |
| 6.5 Is there a record of decisions and reasons for refusing a request to correct a record of personal information? | | |
| 6.6 Is personal information sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about an individual? | | |
Discussion:
Principle 7: Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Questions for Analysis
| Question | YES | NO |
|---|---|---|
| 7.1 Has there been an expert review of all the risks and the reasonableness or proportionality of countermeasures taken to secure against unauthorized or improper access, collection, use, disclosure, and disposal through all access channels? | | |
| 7.2 Have security procedures for the collection, transmission, storage, and disposal of personal information, and access to it, been documented, with cross-jurisdictional conflicts identified and reconciled? | | |
| 7.3 Are staff of the electronic delivery service trained in the requirements for protecting personal information, and are they aware of the relevant policies regarding breaches of security or of the confidentiality of records? | | |
| 7.4 Are there controls in place over the process to grant authorization to add, change or delete personal information from records? | | |
| 7.5 Is the system designed so that access and changes to personal information can be audited by date and user identification? | | |
| 7.6 Are user accounts, access rights and security authorizations controlled and recorded by an accountable systems or records management process? | | |
| 7.7 Is user access to personal information limited to only that required to discharge assigned functions? | | |
| 7.8 Are there contingency plans and mechanisms in place to identify security breaches or disclosures of personal information in error? | | |
| 7.9 Are there mechanisms in place to communicate security violations to jurisdictions, data subjects and, if appropriate, law enforcement authorities? | | |
| 7.10 If sensitive personal information will be used in the electronic delivery of services, have technological tools and system design techniques been considered which may enhance both privacy and security (e.g., encryption, technologies of anonymity or pseudonymity, or digital signatures)? | | |
| 7.11 Have criteria been established for determining and authorizing "need to know" access to personal information? | | |
Discussion:
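Questions 7.4, 7.5, 7.7, 7.8 and 7.11 describe a design pattern rather than a policy: a fixed need-to-know table per function, an enforcement point that refuses anything outside it, and an append-only trail that records every attempt by date and user identification, including the refused ones, so that breaches can be found afterwards. The following Python script is an added illustration of that pattern and is not code from the guide; the role names, the fields each role may see, the record contents and the deterministic clock are constructed for the example.

```python
"""Need-to-know access control with an audit trail over personal information.

Added example, not code from the guide. Role names, permitted fields,
record contents and the deterministic clock are constructed to illustrate
questions 7.4, 7.5, 7.7, 7.8 and 7.11 of the Privacy Analysis.
"""
import datetime as dt
from collections import Counter

PI_FIELDS = frozenset({"name", "address", "date_of_birth", "income"})

# Need-to-know criteria (7.11): each role may read or write only the fields
# its assigned function requires (7.7). Granting a role is itself a controlled,
# recorded step (7.4, 7.6); here the table is simply fixed.
ROLES = {
    "registrar": {"read": PI_FIELDS, "write": PI_FIELDS},
    "intake_clerk": {"read": frozenset({"name", "address"}), "write": frozenset({"address"})},
    "eligibility_officer": {"read": PI_FIELDS, "write": frozenset()},
}


class AccessDenied(PermissionError):
    pass


def fixed_clock(start=dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)):
    """Clock that advances one second per call, so the demo trail is reproducible."""
    tick = {"n": 0}

    def now():
        t = start + dt.timedelta(seconds=tick["n"])
        tick["n"] += 1
        return t

    return now


class Store:
    def __init__(self, clock=None):
        self.records = {}   # record_id -> {field: value}
        self.audit = []     # append-only trail: when, who, what, outcome (7.5)
        self.clock = clock or (lambda: dt.datetime.now(dt.timezone.utc))

    def _log(self, user, role, action, record_id, fields, outcome):
        self.audit.append({
            "time": self.clock().isoformat(), "user": user, "role": role,
            "action": action, "record": record_id,
            "fields": sorted(fields), "outcome": outcome,
        })

    def _check(self, user, role, action, record_id, fields):
        """Refuse and log any access outside the role's need-to-know set."""
        perm = "write" if action in ("create", "update") else "read"
        allowed = ROLES.get(role, {}).get(perm, frozenset())
        fields = set(fields)
        if not fields or not fields <= allowed:
            self._log(user, role, action, record_id, fields, "denied")
            raise AccessDenied(f"{user} ({role}) may not {action} {sorted(fields)}")
        self._log(user, role, action, record_id, fields, "ok")

    def create(self, user, role, record_id, values):
        if record_id in self.records:
            raise KeyError(f"record {record_id} already exists")
        self._check(user, role, "create", record_id, values)
        self.records[record_id] = dict(values)

    def read(self, user, role, record_id, fields):
        self._check(user, role, "read", record_id, fields)
        rec = self.records[record_id]
        return {f: rec[f] for f in fields}

    def update(self, user, role, record_id, changes):
        self._check(user, role, "update", record_id, changes)
        self.records[record_id].update(changes)


def denied_by_user(store):
    """Refused accesses per user: the raw signal a breach review (7.8) starts from."""
    return dict(Counter(e["user"] for e in store.audit if e["outcome"] == "denied"))


def demo():
    """Constructed sequence of accesses against one record."""
    s = Store(clock=fixed_clock())
    s.create("reg1", "registrar", "A-100", {"name": "Pat Example", "address": "1 Main St",
                                            "date_of_birth": "1970-05-01", "income": 41000})
    s.update("clerk1", "intake_clerk", "A-100", {"address": "22 Elm St"})
    s.read("off1", "eligibility_officer", "A-100", ["date_of_birth", "income"])
    attempts = [
        ("clerk1", "intake_clerk", "read", ["income"]),            # beyond need to know
        ("off1", "eligibility_officer", "update", {"income": 0}),  # read-only role
        ("clerk1", "intake_clerk", "read", ["income"]),
    ]
    for user, role, action, what in attempts:
        try:
            getattr(s, action)(user, role, "A-100", what)
        except AccessDenied:
            pass   # refused, and the refusal is on the audit trail
    return s


if __name__ == "__main__":
    store = demo()
    for entry in store.audit:
        print(entry)
    print("denied per user:", denied_by_user(store))
```

Two design choices carry the weight. The check runs before any record is touched, so a refused request never reveals whether the record or field exists; and refusals are logged with the same detail as successes, because a clerk repeatedly asking for a field outside their function is exactly the signal question 7.8 wants a mechanism to surface. In a real deployment the audit list would be a write-once store the application account cannot modify, and the role table would itself be maintained through the controlled, recorded process question 7.6 asks about.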
Principle 8: Openness
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Questions for Analysis
| Question | YES | NO |
|---|---|---|
| 8.1 Has there been a consideration of what components of the Privacy Impact Assessment will be routinely available to the public? | | |
| 8.2 Will the cross-jurisdictional electronic service delivery project make available information on policies and practices related to the management and handling of personal information, including how personal information is used and how access is provided to the individual? | | |
| 8.3 Where applicable, have jurisdictional Directories of Records (or equivalent) been updated? | | |
| 8.4 Have communications products and/or a communications plan been developed to fully explain to the public how their personal information will be managed, including how it will be protected, as part of the cross-jurisdictional electronic delivery of services proposal? | | |
Discussion:
Principle 9: Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Questions for Analysis
| Question | YES | NO |
|---|---|---|
| 9.1 Is the system designed to ensure that access by an individual to all of their personal information can be achieved with minimal disruption to operations? | | |
| 9.2 Has the cross-jurisdictional service delivery project documented how requests for personal information covered or not covered by a privacy law will be processed? | | |
| 9.3 Has the cross-jurisdictional service delivery project documented how requests for the correction of personal information either covered or not covered by a privacy law will be processed? | | |
| 9.4 Are the individual's access rights assured for all data sets of all the parties in the information life cycle, including each jurisdiction, private sector partners and/or subcontractors? | | |
| 9.5 Are all custodians aware of the cross-jurisdictional service delivery practices regarding the individual's right of access and any requirement to advise the individual of formal and informal appeal and/or complaint procedures? | | |
| 9.6 Have procedures been established to provide individuals with access in a "routine" manner to their personal information collected by the cross-jurisdictional service delivery project? | | |
Discussion:
Principle 10: Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.
Questions for Analysis
| Question | YES | NO |
|---|---|---|
| 10.1 Are complaint and/or appeal procedures established for the cross-jurisdictional electronic service delivery proposal, including the identification and resolution of any jurisdictional privacy law complaint and/or appeal conflicts? | | |
| 10.2 Has a procedure been established to log and periodically review complaints and their resolution with a view to establishing improved information management practices and standards? | | |
| 10.3 Have independent privacy oversight and review mechanisms been established for the cross-jurisdictional service delivery proposal? | | |
| 10.4 Have oversight agencies, including privacy commissioners, issued reports or opinions on issues that would be relevant to the cross-jurisdictional electronic service delivery proposal? | | |
Discussion:
PART 6: PRIVACY IMPACT ASSESSMENT: RISK MANAGEMENT PLAN
The Privacy Risk Management Plan is the third component of the privacy impact assessment process. The Plan builds on the Data Analysis and the Privacy Analysis. The Risk Management Plan will have a number of components. The Plan can be modified depending on the nature of the cross-jurisdictional service delivery proposal.
The Privacy Analysis will identify the nature of the privacy implications and risks associated with the proposal. The Risk Management Plan is a policy level discussion of the electronic service delivery proposal, the privacy implications and risks associated with the proposal and options, recommendations or solutions to resolve the risks.
The Risk Management Plan is a technical document in that it measures the proposal against privacy requirements generated from each jurisdiction's privacy law as well as from other statutory and policy requirements. The Plan also measures privacy in the context of broader, nationally and internationally recognized privacy principles. These privacy principles are found in the CSA Model Code for the Protection of Personal Information. The analysis of the broader privacy principles will lead to an understanding of the environment in which the cross-jurisdictional electronic service delivery proposal is being made and of public expectations with regard to privacy.
One of the key goals of the privacy impact assessment process is to provide jurisdictions and senior management with the information necessary to make informed policy and system design and/or procurement decisions. The decisions are based on an understanding of the privacy implications and risks and of the options available for mitigating the risks.
When preparing the summary of the results of the PIA it is essential to communicate clearly the privacy risks or possible risks that have been identified through the PIA process, particularly where those risks have not been successfully addressed through system design or policy measures.
The Risk Management Plan should convey the following information:
- a description of the cross-jurisdictional electronic service delivery proposal including jurisdictions and programs involved, objectives, timing and key milestones, resources, public benefits and pointers to detailed information about the proposal;
- an identification of the jurisdictional privacy law references and other statutory references and policies dealing with privacy relevant to the proposal, including a legislative correspondence chart if appropriate;
- an identification of the specific privacy risks associated with the proposal;
- the options, solutions and/or recommendations for addressing or mitigating the privacy risks, with implications where relevant;
- the references to and a description of public opinion or expectations regarding privacy that may have a bearing on the proposal;
- any residual risk that cannot be addressed through the options;
- any information on similar proposals and privacy risks from other jurisdictions and how the risks were handled;
- an outline of a privacy communications strategy, if appropriate.
Appendix A: Canadian Standards Association Model Code for the Protection of Personal Information
CAN/CSA-Q830-96
Model Code for the Protection of Personal Information
1. Scope
1.1
This model code describes the minimum requirements for the protection of personal information. Any applicable legislation must be considered in implementing these requirements.
1.2
This Standard may be applied to all personal information. Provided the minimum requirements are met, organizations may tailor this Standard to meet their specific circumstances. For example, policies and practices may vary, depending upon whether the personal information relates to members, employees, customers, or other individuals.
1.3
The objective of this Standard is to assist organizations in developing and implementing policies and practices to be used when managing personal information.
2. Definitions
2.1
The following definitions apply in this Standard:
Collection - the act of gathering, acquiring, or obtaining personal information from any source, including third parties, by any means.
Consent - voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the organization seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
Disclosure - making personal information available to others outside the organization.
Organization - a term used in the model code that includes associations, businesses, charitable organizations, clubs, government bodies, institutions, professional practices, and unions.
Personal information - information about an identifiable individual that is recorded in any form.
Use - refers to the treatment and handling of personal information within an organization.
3. General Requirements
3.1
The ten principles that make up this Standard are interrelated. Organizations adopting this Standard shall adhere to the ten principles as a whole.
3.1.1
Organizations may tailor this Standard to meet their particular circumstances by
- defining how they subscribe to the ten principles;
- developing an organization specific code; and
- modifying the commentary to provide organization specific examples.
3.1.2
Each of the principles is followed by a commentary on the principle. The commentaries are intended to help individuals and organizations understand the significance and the implications of the principles. Where there is also a note following a principle (see principles 3 and 9), it forms an integral part of the principle.
3.1.3
Although the following clauses use prescriptive language (i.e., the words "shall" or "must"), this document is a voluntary standard. Should an organization choose to adopt the principles and general practices contained in this Standard, the clauses containing prescriptive language become requirements. The use of the word "should" indicates a recommendation.
4. Principles
4.1 Principle 1 - Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
4.1.1
Accountability for the organization's compliance with the principles rests with the designated individual(s), even though other individuals within the organization may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the organization may be delegated to act on behalf of the designated individual(s).
4.1.2
The identity of the individual(s) designated by the organization to oversee the organization's compliance with the principles shall be made known upon request.
4.1.3
An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization should use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
4.1.4
Organizations shall implement policies and practices to give effect to the principles, including
- implementing procedures to protect personal information;
- establishing procedures to receive and respond to complaints and inquiries;
- training staff and communicating to staff information about the organization's policies and practices; and
- developing information to explain the organization's policies and procedures.
4.2 Principle 2 - Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
4.2.1
The organization shall document the purposes for which personal information is collected in order to comply with the Openness principle (Clause 4.8) and the Individual Access principle (Clause 4.9).
4.2.2
Identifying the purposes for which personal information is collected at or before the time of collection allows organizations to determine the information they need to collect to fulfill these purposes. The Limiting Collection principle (Clause 4.4) requires an organization to collect only that information necessary for the purposes that have been identified.
4.2.3
The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes.
4.2.4
When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose. For an elaboration on consent, please refer to the Consent principle (Clause 4.3).
4.2.5
Persons collecting personal information should be able to explain to individuals the purposes for which the information is being collected.
4.2.6
This principle is linked closely to the Limiting Collection principle (Clause 4.4) and the Limiting Use, Disclosure, and Retention principle (Clause 4.5).
4.3 Principle 3 - Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information.
4.3.1
Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when an organization wants to use information for a purpose not previously identified).
4.3.2
The principle requires "knowledge and consent". Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
4.3.3
An organization may not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
4.3.4
The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special interest magazines might be considered sensitive.
4.3.5
In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual buying a subscription to a magazine should reasonably expect that the organization, in addition to using the individual's name and address for mailing and billing purposes, would also contact the person to solicit the renewal of the subscription. In this case, the organization can assume that the individual's request constitutes consent for specific purposes. On the other hand, an individual would not reasonably expect that personal information given to a health-care professional would be given to a company selling health-care products, unless consent were obtained. Consent shall not be obtained through deception.
4.3.6
The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
4.3.7
Individuals can give consent in many ways. For example:
- an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
- a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
- consent may be given orally when information is collected over the telephone; or
- consent may be given at the time that individuals use a product or service.
4.3.8
An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization should inform the individual of the implications of such withdrawal.
4.4 Principle 4 - Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
4.4.1
Organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes identified. Organizations should specify the type of information collected as part of their information handling policies and practices, in accordance with the Openness principle (Clause 4.8).
4.4.2
The requirement that personal information be collected by fair and lawful means is intended to prevent organizations from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.
4.4.3
This principle is linked closely to the Identifying Purposes principle (Clause 4.2) and the Consent principle (Clause 4.3).
4.5 Principle 5 - Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
4.5.1
Organizations using personal information for a new purpose shall document this purpose (see Clause 4.2.1).
4.5.2
Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods.
4.5.3
Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.
4.5.4
This principle is closely linked to the Consent principle (Clause 4.3), the Identifying Purposes principle (Clause 4.2), and the Individual Access principle (Clause 4.9).
4.6 Principle 6 - Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
4.6.1
The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.
4.6.2
An organization shall not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected.
4.6.3
Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
4.7 Principle 7 - Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
4.7.1
The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
4.7.2
The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4.
4.7.3
The methods of protection should include
- physical measures, for example, locked filing cabinets and restricted access to offices;
- organizational measures, for example, security clearances and limiting access on a "need-to-know" basis; and
- technological measures, for example, the use of passwords and encryption.
4.7.4
Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information.
4.7.5
Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information (see Clause 4.5.3).
4.8 Principle 8 - Openness
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
4.8.1
Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals should be able to acquire information about an organization's policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.
4.8.2
The information made available shall include
- the name/title and address of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded;
- the means of gaining access to personal information held by the organization;
- a description of the type of personal information held by the organization, including a general account of its use;
- a copy of any brochures or other information that explain the organization's policies, standards, or codes; and
- what personal information is made available to related organizations (e.g., subsidiaries).
4.8.3
An organization may make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number.
4.9 Principle 9 - Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Note: In certain situations, an organization may not be able to provide access to the personal information it holds about an individual. Exceptions to the access requirement should be limited and specific. The reasons for denying access should be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
4.9.1
Upon request, an organization shall inform an individual whether or not the organization holds personal information about the individual. Organizations are encouraged to indicate the source of this information. The organization shall allow the individual access to this information. However, the organization may choose to make sensitive medical information available through a medical practitioner. In addition, the organization should provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed.
4.9.2
An individual may be required to provide sufficient information to permit an organization to provide an account of the existence, use, and disclosure of personal information. The information provided shall only be used for this purpose.
4.9.3
In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization should provide a list of organizations to which it may have disclosed information about the individual.
4.9.4
An organization shall respond to an individual's request within a reasonable time and at minimal or no cost to the individual. The requested information shall be provided or made available in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.
4.9.5
When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
4.9.6
When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge should be recorded by the organization. When appropriate, the existence of the unresolved challenge should be transmitted to third parties having access to the information in question.
4.10 Principle 10 - Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.
4.10.1
The individual accountable for an organization's compliance is discussed in Clause 4.1.1.
4.10.2
Organizations shall put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information. The complaint process should be easily accessible and simple to use.
4.10.3
Organizations shall inform individuals who make inquiries or lodge complaints of the existence of relevant complaint mechanisms. A range of these mechanisms may exist. For example, some regulatory bodies accept complaints about the personal information handling practices of the companies they regulate.
4.10.4
An organization shall investigate all complaints. If a complaint is found to be justified through either the internal or external complaint review process, the organization shall take appropriate measures, including, if necessary, amending its policies and practices.
Appendix B: Data Flow Tables
INFORMATION COLLECTION

| Collection is performed by | What is the authority for the direct collection and/or indirect collection? | Is the PI directly collected from the individual? [Yes/No] | If indirectly collected, is Personal Information (PI) collected from: Publicly Accessible Databases - name(s) | If indirectly collected: Governmental Information Sharing Agreements - name(s) | If indirectly collected: Private Sector Information Sharing Agreements - name(s) | If indirectly collected: Other (name) | Itemize PI disclosed in order to access 3rd party personal information records |
| Name(s) of Jurisdiction(s) Program Staff Providing Service Delivery | | | | | | | |
| Private Sector Partner | | | | | | | |
| Dedicated Contractor, e.g. one who works solely for the cross-jurisdictional service | | | | | | | |
| Other Jurisdictions (Names) and Program(s) | | | | | | | |

USE & DISCLOSURE

| List Transactions That Disclose or Give Access to Personal Information (PI) to | Yes | No | Limited Access | Full Access | Is a New PI Record Created as a result? Describe | Identify Custodian(s) of New PI Record Created | Is a Log of Access Transactions Created by One or Both Parties? If yes, Identify Custodian(s) | Identify Authority Where There is Disclosure of the Record |
| Jurisdictional (Name) Program Staff Delivering Service | | | | | | | | |
| Other Programs (Names) of Service Delivery Jurisdiction(s) | | | | | | | | |
| Information Technology Staff (from) | | | | | | | | |
| Other Jurisdictions (Name) and Program(s) | | | | | | | | |
| Contractor, e.g. a contractor who works solely for the cross-jurisdictional service | | | | | | | | |
| Auditors (from) | | | | | | | | |
| Private Sector Partner(s) (name) | | | | | | | | |
| By Information Sharing Agreement to (name) | | | | | | | | |
| By Legislative Mandate to (name) | | | | | | | | |
| To the Public or For Sale to the Public or Commercial Interests | | | | | | | | |