29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.


1 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #620361

2 PRIVACY IMPACT ASSESSMENT FROM A REGULATOR'S POINT OF VIEW
DONALD LEMIEUX
EXECUTIVE DIRECTOR
INFORMATION AND PRIVACY POLICY BRANCH
TREASURY BOARD OF CANADA, SECRETARIAT

3 Privacy in Canada
- 1977 – Canadian Human Rights Act was promulgated; Part IV related to privacy rights
- 1983 – Privacy Act put in place
- 1989 – Policy on SIN and Data Matching
- 1993 – Policy on Privacy and Data Protection (SIN / Data Matching requirements integrated)
- 2001 – Personal Information Protection and Electronic Documents Act comes into force

4 Integrating programs and privacy
- The Policy (May 2002) was adopted to assure Canadians that their privacy would be taken into account when there are proposals for programs and services that raise privacy risks.
- A PIA requires federal institutions to consider the privacy issues of programs and services throughout the design, implementation and evolution of those initiatives.
- PIA is a core component of the federal government's privacy compliance regime.

5 Federal responsibilities
- Heads of institutions are responsible for ensuring that their organizations comply with the Privacy Act and, by virtue of it, the PIA Policy.
- Accountability for PIAs rests with departments.
- Treasury Board Secretariat is responsible for developing and interpreting privacy policy, including the PIA, providing advice to institutions, and monitoring compliance.
- PIA Policy has links to project approval and government funding for initiatives.

6 Issues
- PIAs are not always completed in a timely manner. There is a need to more fully integrate PIAs into the management decision-making process of federal institutions.
- PIA requirements are currently the same for all initiatives regardless of project type, magnitude, or risk. There is a need to streamline the PIA process.
- The cumulative effects of policies or programs involving personal information may not be apparent. Limited privacy consideration for projects involving multiple programs within institutions, inter-institutional and cross-jurisdictional flow of personal information.

7 Regulatory challenges
- How do we improve central oversight of the PIA process and ensure greater compliance with the PIA Policy?
- How do we limit administrative burdens on institutional program and privacy officials with respect to PIA requirements?
- How can we better assess the cumulative effects of government plans and priorities on an individual's privacy?

8 Solutions – Policy Suite Renewal
- Strengthening the link between the requirement to conduct a PIA and the law (the Privacy Act).
- Creating a better awareness and understanding of privacy risks through training and education.
- Using a risk-based approach to streamline the PIA process (in particular for low-impact initiatives).
- Enhancing the public reporting requirements for PIAs so as to improve transparency and oversight.
- Developing a central repository of PIAs and examining large-scale programs (government-wide and across jurisdictions) for cumulative privacy effects.

9 Office of the Privacy Commissioner of Canada (OPC)
- OPC has oversight of federal privacy legislation in Canada, that is, the Privacy Act and PIPEDA.
- OPC is also responsible for reviewing PIAs and providing advice and guidance to institutions to mitigate privacy risks.
- Claude Beaulé will now provide greater detail with regard to the OPC's role and responsibilities.

