Privacy Impact Assessments (PIAs) are a critical compliance and governance tool, which can help organizations to ensure that new projects and personal information processing activities comply with applicable privacy and data protection requirements across Canada.
In some circumstances, a PIA is mandated by legislation. In particular, the issue of PIAs gained prominence in the private sector last year when three new requirements of Quebec's Act respecting the protection of personal information in the private sector came into force, as follows:
- Cross-Border Transfers. A PIA must be conducted prior to communicating personal information outside Quebec, or if a person or body outside Quebec will be entrusted with the task of collecting, using, communicating or keeping personal information on behalf of a person carrying on an enterprise in Quebec.
- New Systems. A PIA must be conducted for any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information.
- Research & Statistics. A PIA must be conducted in order to communicate personal information (without consent) to another person or body that wants to use the information for study or research purposes or for the production of statistics.
However, these are not the only PIA requirements in Canada. A number of public sector and health sector data protection statutes also require PIAs in certain circumstances. For example, without limitation, PIAs are sometimes required under British Columbia's Freedom of Information and Protection of Privacy Act, RSBC 1996, c 165, Quebec's Act respecting Access to documents held by public bodies and the Protection of personal information, CQLR c A-2.1, and Alberta's Health Information Act, RSA 2000, c H-5. In addition, PIAs are sometimes required or recommended by relevant regulatory authorities.
Although PIAs are not mandatory under all Canadian privacy and data protection laws, they should form part of every organization's privacy compliance program. Privacy issues and data breaches frequently lead to regulatory investigations, complaints from relevant individuals (e.g., employees, customers or members of the public), negative media attention, and even litigation. These risks can be materially reduced by evaluating and mitigating privacy risks, implementing privacy by design, identifying and remediating any use of deceptive design patterns (e.g., patterns that influence, manipulate or coerce individuals to make privacy-related decisions that are not in their best interests), and ensuring that personal information is handled securely and in compliance with relevant laws. All of these goals can be accomplished by conducting a PIA before any problems arise, and ideally during the design and development stage of any new initiative involving personal information.
PIAs do not need to be complicated. The Quebec Act provides that PIAs must be proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored. A similar approach can be taken to PIAs that are not strictly mandated by statute. Fulsome, formal PIAs are generally recommended for high risk activities, such as those involving:
- new or invasive technologies, such as artificial intelligence, location tracking and other forms of surveillance;
- sensitive information, such as biometrics, genetic and health information, financial information, and information protected by human rights legislation; or
- vulnerable persons, such as children, the elderly, the disabled, or marginalized persons.
However, for lower risk activities, even an informal assessment can help an organization to identify and mitigate privacy risks.
Action Items
To get PIAs right, your organization should: (1) evaluate whether it is subject to any legislation and/or contractual terms that mandate PIAs, and if so, ensure that it understands when a PIA is required; (2) develop a process for carrying out PIAs in an efficient and effective manner; (3) document its policy on PIAs, including the factors relevant to determining when a PIA will be conducted; (4) develop an intake checklist for business units and other stakeholders to inform the privacy officer / privacy office of new projects and intended data processing activities, so that a decision can be made regarding whether a PIA is necessary or recommended in the circumstances; (5) provide training to business leaders and stakeholders, to ensure they understand the importance of PIAs and to obtain buy-in and lay the groundwork for collaboration in the PIA process; (6) develop one or more standard form of PIA report(s), based on the type(s) of PIAs that your organization will need to conduct; (7) develop a process to ensure that the organization follows through on the results of a PIA, including a system for accountability, oversight and reporting on any resulting action items; and (8) develop and implement appropriate retention periods and processes for completed PIA report(s).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
We operate a free-to-view policy, asking only that you register in order to read all of our content. Please login or register to view the rest of this article.