1. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #620361

2. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #620362 PRIVACY IMPACT ASSESSMENT FROM A REGULATOR’S POINT OF VIEW DONALD LEMIEUX EXECUTIVE DIRECTOR INFORMATION AND PRIVACY POLICY BRANCH TREASURY BOARD OF CANADA, SECRETARIAT

3. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #620363 Privacy in Canada 1977 - Canadian Human Rights Act was promulgated - Part IV related to privacy rights 1983 – Privacy Act put in place 1989 – Policy on SIN and Data Matching 1993 - Policy on Privacy and Data Protection (SIN / Data Matching requirements integrated) 2001 – Personal Information Protection and Electronic Documents Act comes into force

4. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #620364 Integrating programs and privacy The Policy (May 2002) was adopted to assure Canadians that their privacy would be taken into account when there are proposals for programs and services that raise privacy risks. A PIA requires federal institutions to consider the privacy issues of programs and services throughout the design, implementation and evolution of those initiatives. PIA is a core component of the federal government’s privacy compliance regime.

5. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #620365 Federal responsibilities Heads of institutions are responsible for ensuring that their organizations comply with the Privacy Act and by virtue the PIA Policy. Accountability for PIAs rests with departments. Treasury Board Secretariat is responsible for developing and interpreting privacy policy, including the PIA, providing advice to institutions, and monitoring compliance. PIA Policy has links to project approval and government funding for initiatives.

6. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #620366 PIAs are not always completed in a timely manner. There is a need to more fully integrate PIAs into the management decision making process of federal institutions. PIA requirements are currently the same for all initiatives regardless of project type, magnitude, or risk. There is a need to streamline the PIA process. The cumulative effects of policies or programs involving personal information may not be apparent. Limited privacy consideration for projects involving multiple programs within institutions, inter-institutional and cross jurisdictional flow of personal information. Issues

7. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #620367 Regulatory challenges How do we improve central oversight of the PIA process and ensure greater compliance with the PIA Policy? How do we limit administrative burdens on institutional program and privacy officials with respect to PIA requirements? How can we better assess the cumulative effects of government plans and priorities on an individual’s privacy?

8. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #620368 Solutions – Policy Suite Renewal Strengthening the link between the requirement to conduct a PIA and the law (the Privacy Act). Creating a better awareness and understanding of privacy risks through training and education. Using a risk based approach to streamline the PIA process (in particular for low impact initiatives). Enhancing the public reporting requirements for PIAs so as to improve transparency and oversight. Developing a central repository of PIAs and examining large scale programs (government-wide and across jurisdictions) for cumulative privacy effects.

9. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #620369 Office of the Privacy Commissioner of Canada (OPC) OPC has oversight of federal privacy legislation in Canada, that is, the Privacy Act and PIPEDA OPC is also responsible for reviewing PIAs and providing advice and guidance to institutions to mitigate privacy risks Claude Beaul é will now provide greater detail with regard to the OPC ’ s role and responsibilities.

10. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #6203610 PRIVACY IMPACT ASSESSMENT (PIA) WORKSHOP Part A: Getting Started Claude Beaulé Privacy Consultant, Quebec, Canada September 27, 2007

11. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #6203611 Introduction Role and responsibilities of the Office of the Privacy Commissioner of Canada (OPC) under Canada’s Privacy Impact Assessment (PIA) Policy, which took effect May 2002. OPC’s PIA review process and the challenges posed by the implementation of the PIA Policy. Capacity of the OPC to respond to PIA challenges

12. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #6203612 PIA Policy Requirements to conduct PIAs (or preliminary PIAs if warranted) for all new or modified programs or services that raise privacy issues; to consult with the OPC at the early stages of the development of new programs and initiatives; to provide copies of their final PIAs to the OPC before they implement programs or services; and to publish the results of their PIAs on their department websites. The Government of Canada PIA Policy requires federal departments and agencies:

13. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #6203613 Role of the OPC Under the PIA Policy, the OPC is mandated to receive final copies of PIAs, and may provide comments and recommendations if warranted. The provision of advice to submitting departments and agencies remains at the discretion of the Privacy Commissioner.

14. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #6203614 Role of the OPC (cont’d) The role of the OPC is not to approve or reject projects that are described in PIAs, but to assess whether or not departments have done a good job of evaluating the impacts on the protection of personal information and that their projects and activities are respectful of the privacy rights of Canadians. By reviewing PIAs, the OPC is able to provide advice and guidance to institutions and identify solutions to eliminate or mitigate potential privacy risks. In some cases, the OPC may make recommendations for significant changes.

15. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #6203615 OPC’s review of PIAs In conducting its review, the OPC assesses the PIA report for: 1. 1.Completeness rationale and legal authority for the project; description of the business process; description of the personal information involved and data flow;

16. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #6203616 OPC’s review of PIAs (cont’d) description of the information security infrastructure associated with the project; inclusion of necessary background documentation (e.g., TRAs, MOUs, contracts, etc.); an implementation schedule for the project; an action plan to address privacy issues; and a communications strategy, where appropriate.

17. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #6203617 OPC’s review of PIAs (cont’d) 2. Quality of the Privacy Analysis that all the salient privacy risks and the associated implications of those risks have been correctly identified in the report; and that the proposed remedies or mitigation strategies to deal with those risks are reasonable and appropriate.

18. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #6203618 OPC’s review of PIAs (cont’d) If the OPC concludes at the end of its review that the PIA lacks certain data or that the privacy risks have not been adequately considered or dealt with, it will inform the department. The OPC may provide comments and recommendations to the department. However, the final decision on whether to implement those recommendations rests with the department.

19. 29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #6203619 General comment In my view, the most significant benefit that can be attributed to the PIA Policy is : “the increased awareness among government personnel at all levels of the importance of privacy and how it impacts on their day-to-day functions.” Privacy is truly becoming a core consideration in the conception, design, and implementation of federal government programs and services, which is the purpose of the PIA Policy.