A new OPC Fact Sheet - Top Ten Do's and Don'ts for Privacy Impact Assessments ("PIA's") – was published on March 7, 2016. It purports to provide guidance with respect to the conduct of PIA's, but as we outline below, it lacks substance and timeliness: other, better resources are available for organizations seeking to better understand the process involved in conducting a PIA.
The March 7, 2016 OPC Fact Sheet, entitled Top Ten Do's and Don'ts for Privacy Impact Assessments, is intended to provide guidance with respect to the conduct of PIA's. A brief document of barely over two pages, the guidance – while not so titled - appears to be oriented to federal institutions which are required to provide a copy of all PIA's to both the Office of the Privacy Commissioner (the "OPC") and the Treasury Board Secretariat ("TBS"), under the 2010 TBS Directive on Privacy Impact Assessment – a Directive, we note, which was issued six years ago. In this regard, six of the ten – brief – recommendations expressly reference PIA submissions to the OPC and the TBS: public sector-specific content which will not be useful for private sector organizations seeking to conduct a privacy impact assessment.
To their credit, the OPC has often been proactive in issuing sensible informational documents for organizations seeking guidance on compliance with the Personal Information Protection and Electronic Documents Act ("PIPEDA") (in contrast to the CRTC guidance regarding compliance with Canadian Anti-Spam Legislation ("CASL"), which guidance has often been sketchy and contradictory). However, it is not clear what additional utility this Top Ten document is intended to bring to the discussion regarding PIA's. The OPC issued the more fulsome guidance Expectations: A Guide for Submitting Privacy Impact Assessments to the Office of the Privacy Commissioner of Canada in March 2011: five years ago. While overly focused on the ten privacy principles, and arguably of less practical guidance as to the actual process of conducting a PIA than the existing TBS PIA guidance (for example, see the Privacy Impact Assessment Guidelines), the Expectations document at least had the merit of consisting of more than ten pages of relative substance. Unfortunately this Fact Sheet does not have that merit.
Content of the PIA
Listing the top ten "do's and don'ts" set out in the guidance document is somewhat illustrative of the lack of substance of the document:
- Do — Start Early
- Do — Consider the Scope
- Don't — Forget to Read up
- Do — Meet Expectations
- Don't — Do it Alone
- Do — Remember the Technicalities
- Don't — Keep it to Yourself
- Don't — Forget to Put the Plan into Action
- Do — Keep it Fresh!
- Do — Get in Touch with OPC
Thus the question, in reviewing the substance of the Fact Sheet, is whether there is any new content of value for private sector organizations seeking guidance regarding PIA's.
The Fact Sheet states that:
The PIA process facilitates early identification of privacy risks. In order to be effective, the mitigation measures identified in a PIA report must be implemented and tracked. PIAs should include detailed action plans for proposed mitigation measures, including timelines and target completion dates, as well as assign a specific position or individual with responsibility for implementation.
The concept of including plans to implement mitigation measures is a core element of implementing PIA's: for example, see the Alberta Privacy Impact Assessment Requirements, under "Privacy Risk Assessment and Risk Mitigation Plans", which requires that the person conducting the PIA describe the specific privacy risks they have identified for the project and how they plan to mitigate them. Similarly, the TBS Privacy Impact Assessment Guidelines require that when high level risks are identified, additional documentation, including mitigation plans or strategies, will be required. In short, no effective PIA can omit mitigation plans to address risks. As a result, the Top Ten document does not add any insight regarding the need for a remedial plan to address privacy risks identified by a PIA.
The Fact Sheet also states that:
During the PIA process, it is important to consider how your program, product or initiative may impact others. Consulting with stakeholders both within and outside your organization can help ensure that all risks to privacy are identified.
Internal consultation with stakeholders of the organization in connection with a PIA is obviously best practice in any case. Interestingly, however, this recommendation in the Top Ten document does not provide any examples of external stakeholders which should be consulted, other than – in the case of institutions – conducting multi-institutional PIA's. Certainly it would apply to third party contractors to the organization conducting the PIA, and if that is the intention, then consulting with, and reviewing the practices of, such third party contractors would again be an ordinary course feature of a PIA.
Will these new guidelines help companies with their PIA?
As suggested by the age of the existing PIA guidance which was available prior to the OPC release of this Top Ten document, best practices already dictate that a PIA should be conducted whenever an organization introduces a new program, product or initiative, or a material modification to same, which might affect the existing privacy regime in that organization. As a result, the question is what new useful content, if anything, this Top Ten fact sheet brings to the table, in particular for private sector organizations seeking to conduct a PIA.
We would argue that this Top Ten document does not provide sufficient content to be useful for an organization seeking to conduct a PIA for the first time. Rather, we would refer such organizations to the following sources of guidance:
- The TBS PIA guidance, including the TBS Privacy Impact Assessment Guidelines
- The Alberta Office of the Information and Privacy Commissioner guidance Privacy Impact Assessment Requirements, as issued in 2010 and which, while older, is relatively robust guidance.
- The Ontario Office of the Information and Privacy Commissioner guidance Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act, which was also based on the Alberta guidance: while being tailored to the Ontario PHIPA, it is a helpful tool.
In summary: there is other, alternative content available which will better assist organizations in this regard.
As a final note, the OPC is now deeply versed in the requirements of privacy impact assessments and could provide much useful guidance to organizations seeking to conduct same: unfortunately, this Top Ten document is not that guidance. We look forward to when the OPC does issue such a robust PIA guidance document.