Privacy impact assessments (PIAs) are often required for new initiatives that involve the collection, use and/or disclosure of personal information. It is important to understand what a PIA is, when one is required, and what steps are involved in completing a PIA.
- What is a PIA?
- When is a PIA required?
- What steps are involved in completing a PIA?
PIAs promote compliance with the privacy protection responsibilities under The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LAFOIP) and The Health Information Protection Act (HIPA). They take a close look at how organizations protect personal information and/or personal health information as it is collected, used, disclosed, stored and ultimately disposed of. PIAs encourage transparency and accountability, and contribute to continued public confidence in the way organizations manage personal information.
This page and resources are intended to serve as guidelines to assist organizations in ensuring privacy protection is a core consideration when a project is planned and implemented. Employees are encouraged to consult with their Access and Privacy Contact to determine when a PIA is required. Each organization has a designated Access and Privacy Contact.
See below to learn more about PIAs, or refer to the Privacy Impact Assessment Guidelines for further detailed information.
What is a PIA?
A PIA is a process used to assess and manage the impacts of a program or service on individual privacy, and to ensure compliance with privacy protection rules and responsibilities. PIAs are a tool used to identify and evaluate privacy risks and their impacts and help mitigate or reduce them to an acceptable level. PIAs are designed to describe and document what personal information and personal health information is collected, how it is collected, used, transmitted and stored, how and why it can be shared, and how it is protected, retained and destroyed.
“Personal health information” means personal health information as defined in subsection 2(m) of The Health Information Protection Act.
“Personal information” means personal information as defined in section 24 of The Freedom of Information and Protection of Privacy Act or section 23 of The Local Authority Freedom of Information and Protection of Privacy Act.
When is a PIA required?
Although a PIA can be completed at any stage, to avoid delays in project implementation, it is important to begin a privacy analysis at the earliest stage of development. This will help to ensure privacy risks are fully understood and provide an opportunity to influence the project design from a privacy perspective. Organizations are encouraged to engage their Access and Privacy Contact at the onset of project development.
While there is no legislative requirement to complete a PIA, organizations should consider a privacy analysis when:
- a project, program or application is new and privacy impacts have not been examined in detail before;
- an existing project, program or application undergoes a change or redesign;
- privacy implications have not been considered in the past and/or no legal review has been done;
- the project involves one or more partners;
- the personal information involved in the project is particularly sensitive (the Government of Saskatchewan’s Guide for Information Protection Classification may be helpful when considering the sensitivity of personal information).
When determining if a PIA is required, it may be helpful to complete the Preliminary Privacy Analysis Worksheet, also attached as Appendix A of the Privacy Impact Assessment Guidelines. This assessment will assist organizations in assessing the privacy implications of a project and in determining if a PIA should be conducted. If a decision is made to not undertake a PIA based on this analysis, a record of that decision and the supporting rationale should be retained. If a full PIA is undertaken, the work done in completing the preliminary analysis can be used to complete a PIA.
What steps are involved in a PIA?
Step 1 - Preliminary Analysis and Project Planning
The first step is to determine if a PIA is required for the project by completing a preliminary analysis of the type of information involved. Begin by creating a list of all information and data elements included in your project. Additionally, you should gather and consider:
- Any relevant/previous PIAs already completed around this project;
- Any legislation, including FOIP and/or HIPA, that is relevant to the project;
- Any relevant business documents such as the Project Charter (which describes the nature of the project and how it will be approached, and lists all partners and stakeholders);
- Information about data involved in the project (where it is stored, how it is accessed, how access is controlled, where the data flows, etc.);
- Any records retention schedules for the project;
- Any relevant agreements (Information Sharing Agreements, Memorandums of Understanding, Research Agreements, etc.); and
- Information about any processes required to obtain approval from program managers and executive leadership.
You should then document the who, what, where, when, why and how questions about the project:
- Who is involved in this project?
- What is the project and its purpose and benefits?
- Where is the project taking place (i.e., online, in person, or paper based)?
- When is the project occurring?
- Why is the project happening?
- How is the project being implemented?
Based on the above, and in consultation with your Access and Privacy Contact, you will need to determine if a PIA is warranted. Should it be determined a PIA is not required, the assessment of this decision should be documented and retained.
When a decision is made to conduct a PIA, planning must be undertaken to determine the scope of the PIA, resources required and projected timelines. Consideration should also be given to issues such as records management, whether the project is a Common Integrated Service as defined in the FOIP Regulations, LA FOIP Regulations, HIPA Regulations, and the Youth Drug Detoxification and Stabilization Act Regulations, and whether the project involves data linking.
Step 2 – Project Analysis
Project analysis considers how personal information will be collected, used, disclosed, retained, secured and disposed of against the legislative authorities for each specific activity. The analysis further considers who has custody or control of the information, how it flows and what technology will be used for each activity. To complete the project analysis you will need to gather and consider:
- All project-related background information, such as, but not limited to, the project business case, any Memorandums of Understanding, agreements, previous PIAs or assessments, training materials, policies, IT designs, etc.;
- All relevant business processes; these should be documented, including technical processes, administrative functions, policy and ongoing monitoring of the program, system or process;
- Who has possession and/or control of the information;
- The roles and responsibilities of those involved in the project;
- How the personal information flows through the business processes and technology from collection to final disposition; and,
- Whether technology being used or developed by the project has privacy implications.
Step 3 - Privacy Analysis
In this step, privacy risks and impacts are identified and analyzed. A privacy impact is any negative outcome on identifiable individuals, groups, organizations or institutions that is the result of an unmitigated privacy risk. To carry out your privacy analysis you will:
- Identify potential privacy impacts/risks;
- Analyze the risks against the likelihood of the risk occurring, resources to address the privacy impact, and the impact of the risk should it occur. The tables found in Appendices C and D of the Privacy Impact Assessment Guidelines can be used in assessing the likelihood and potential impacts of a privacy risk;
- Identify privacy solutions to eliminate or mitigate each privacy risk to a level that is acceptable to the project manager. This will include any administrative, technical or physical safeguards intended to address the privacy risk and protect:
- Develop a strategy based on identified solutions to mitigate and manage the privacy risks, including identifying parties responsible for implementing the solutions and monitoring the privacy impact;
- Consider how privacy breaches will be managed; and,
- Have an Information Sharing Agreement prepared if your project shares personal information with other organizations or partners.
Step 4 – The Report
The PIA report template included in Appendix B of the Privacy Impact Assessment Guidelines, or other preferred formats, should be used to compile the information obtained in the previous steps. Prior to approval, the report should be reviewed by all partners to ensure accuracy and address any questions or concerns. You may also wish to discuss consultation with the Office of the Information and Privacy Commissioner (IPC) with your Access and Privacy Contact.
Once finalized, the PIA should be approved and signed off by the appropriate authority for the project. Typically, this review would include:
- The senior person for the program area (such as an Assistant Deputy Minister or Executive Director);
- The senior person in charge of information technology systems (such as an Assistant Deputy Minister or Executive Director);
- The Privacy Officer – see Access and Privacy Contacts by Institution
Mitigation strategies should be implemented and privacy impacts should continue to be monitored and assessed; it may be necessary to update the PIA as the project develops to ensure the assessment reflects the current situation. A copy of the completed and signed PIA should be retained in the program or business area and by the Access and Privacy Contact.
Forms and Documents
- Privacy Impact Assessment Guidelines
- Preliminary Privacy Analysis Worksheet
- Access and Privacy Contacts by Institution