Privacy Impact Assessments (PIAs): What, Who, Why, When, How and Where
Jeannette Van Den Bulk and Troy Taillefer
Presentation to the LGMA on October 17, 2013
The Information and Privacy Commissioner is an independent Officer of the Legislature.
Elizabeth Denham is B.C.'s Information and Privacy Commissioner.
The Office of the Information and Privacy Commissioner (OIPC):
- conducts reviews and investigations to ensure compliance with the FOIPP Act
- mediates FOI disputes
- comments on FOI and privacy implications of proposed legislative schemes or public body programs
Legislation, Privacy and Policy Branch of the Office of the Chief Information Officer (OCIO)
What we do:
- Responsible for the Freedom of Information and Protection of Privacy Act (FOIPPA), Personal Information Protection Act (PIPA), Document Disposal Act (DDA), and Electronic Transactions Act (ETA) and all policy, standards and directives that flow from them
- Leading strategic privacy initiatives across government
- Establishing government policy, standards and guidelines on access and privacy issues
- Providing services, training, support and leadership to assist ministries and other public bodies in complying with the FOIPP Act
* As of October 1 we have processed 392 Ministry PIAs in 2013, with a projection of over 500 by year end.
1. Understand the purpose and value of a Privacy Impact Assessment (PIA): What, Who, Why
2. Understand the PIA Process: When, How, Where
3. PIA Resources
- PIAs are a lot of work for no useful purpose
- PIAs only stop us from implementing useful programs; they do nothing to enable them
- PIAs result in increased costs for proposed initiatives
- PIAs cause initiatives to be redesigned and delayed
An assessment that is conducted by a public body to determine if a current or proposed enactment, system, project, program or activity meets or will meet the requirements of Part 3 of this Act. (FOIPPA s. 69 (1))
A risk management tool that identifies potential privacy issues and impacts, allowing correction and mitigation, thus avoiding costly program, service, or process redesign.
PIAs need to be done by:
- Ministries
- Other public bodies
A person who knows the initiative (e.g. program or system) well is often the best person to describe it and set out the information flows within the PIA.
They do not need to be a privacy expert.
Applies to the public sector in BC:
- Ministries of the Province, Crown Corporations, Agencies, Boards, Commissions
- Local public bodies (local government bodies, health care bodies, municipal police and educational bodies)
- Governing bodies of professional organizations (e.g., teachers, doctors, nurses, lawyers, engineers)
Amendments to the FOIPP Act in 2011 made it a legal requirement for ministries and other public bodies to conduct PIAs in accordance with the directions of the Minister responsible for this Act [69 (5) and (5.3)].
Section 69 (5): The head of a ministry must conduct a privacy impact assessment in accordance with the directions of the minister responsible for this Act.
Section 69 (5.3): The head of a public body that is not a ministry must conduct a privacy impact assessment in accordance with the directions of the minister responsible for this Act.
A PIA is an information and risk management tool that helps you to:
- Meet and exceed legal requirements relating to privacy and access
- Mitigate privacy risk and loss of reputation and trust
- Examine your processes; make informed policy, operations and system design decisions
- Anticipate the public's reaction to a given initiative
- Prevent avoidable problems that:
  - Result in regulatory repercussions
  - Lead to public/client backlash
  - Impact systems, processes or practices
- Educate and increase awareness of privacy issues
- During the development phase of a new program, project, system, legislation, technology, or other initiative; OR
- Before the implementation of a significant change to an existing program, project, system, technology or information system, or legislation takes place; OR
- For all significant existing programs/initiatives
Whether personal information is, is not, or could be collected, used or disclosed!
Personal information means recorded information about an identifiable individual other than contact information (Schedule 1 definition in the FOIPP Act).
Examples of your personal information:
- Race, national/ethnic origin, skin colour
- Religious or political beliefs or associations
- Age, sex, sexual orientation, marital status
- Fingerprints, blood type, DNA information, biometrics
- Health care, educational, financial, criminal, employment history
- Opinions (unless it is your opinion about someone else)
- Providing a service through a different medium (e.g. online)
- Development of a new blog or Facebook site to increase engagement
- Using service providers to deliver services
- Integrated service delivery involving more than one public body
- Marketing initiative involving the collection of customer information through contests and/or surveys
- Use of video surveillance for security purposes
- New enactment
The Ministry template for a PIA can be found on the OCIO's website: http://www.cio.gov.bc.ca/cio/priv_leg/foippa/pia/pia_index.page
- Ministries are required to use this template
- Other public bodies may use it (but are not required to) and can modify the template to better suit their needs
- Private organizations may also use the template and modify it
- Contact information for individual qualified to answer questions about the PIA
- Description/Purpose/Objective of the initiative
- Potential impacts of the proposal
- Details of any previous PIAs or privacy assessments done on the initiative
- Description of the elements of personal information that will be collected, used, and/or disclosed and the nature and sensitivity of the personal information
- Description of the linkages and flows of personal information
- Analysis of the FOIPPA authorities allowing collection, use, and/or disclosure for the initiative
- Description of procedures in place to enable an individual to correct or annotate their personal information
- Analysis of security and storage of personal information
- Description of retention of personal information
- PIA signed off by individuals with primary responsibility for privacy (and security where relevant) on the initiative
Public bodies can send their PIAs to the OIPC, to the attention of the Commissioner, by:
- Email at info@oipc.bc.ca
- Letter to PO Box 9038 Stn Prov Govt, Victoria, BC V8W 9A4
Public body initiatives that involve data-linking or a common or integrated program or activity must notify the OIPC at an early stage of development as required by s. 69(5.5) of FOIPPA.
If your initiative involves either data-linking or a common or integrated program you must submit your PIA to the OIPC for review and comment [s. 69(5.4)].
OIPC
Phone: 250 387-5629
Email: info@oipc.bc.ca
Website: http://www.oipc.bc.ca/

Legislation, Privacy and Policy, OCIO
Privacy and Access Helpline: 250 356-1851
Email: Privacy.Helpline@gov.bc.ca
Website: http://www.cio.gov.bc.ca/cio/priv_leg
PIA Template: http://www.cio.gov.bc.ca/local/cio/priv_leg/documents/foippa/pia_form.doc
PIA Initiative Update Template: http://www.cio.gov.bc.ca/local/cio/priv_leg/documents/foippa/pia_initiativeupdate.doc
Example: The Ministry of Underwater Archaeology will be setting up a blog as a new citizen engagement tool. The Ministry will use its existing website as the platform. Blog posts will be written by ministry staff and invited experts, and comments will be welcome from citizens.
Examples: Name, age, address, email, phone number, educational history, employment history, health information, financial information, photos, comments on a blog, or information specific to a subject area, like stumpage totals, fish license numbers, or visitor centre stats.
Risk Mitigation Table

1. Risk: Employees could access personal information and use or disclose it for personal purposes
   Mitigation Strategy: Oath of Employment
   Likelihood: Low
   Impact: High
2. Risk: Request may not actually be from client (i.e. their email address may be being used by someone else)
   Mitigation Strategy: Implementation of identification verification procedures
   Likelihood: Low
   Impact: High
3. Risk: Client's personal information is compromised when being transferred to the service provider
   Mitigation Strategy: Transmission is encrypted and over a secure line
   Likelihood: Low
   Impact: High
4. Risk: Inherent risks in sending personal information to a client via email
   Mitigation Strategy: Policy developed to inform clients of risk and ask if they would like the information via a different medium, such as through the mail
   Likelihood: Medium
   Impact: Medium
In order to allow individuals the ability to exercise their information rights with knowledge of how their information will be used, they must be notified of the collection. Section 27(2) of the FOIPP Act requires that the individual from whom personal information is being collected is told: (a) the purpose for collecting it, (b) the legal authority for collecting it, and (c) the title, business address and business telephone number of an officer or employee of the public body who can answer the individual's questions about the collection.
Personal information is collected by the Ministry of Parapsychology under the authority of s. 26(c) of the Freedom of Information and Protection of Privacy Act for the purposes of evaluating their ghost hunting initiative. Should you have any questions about the collection of this personal information please contact:
Ghost Buster Analyst
123 Nice Street
Anywhere, BC
Phone: 250-131-3131
Example:
- Document encryption
- User access profiles: need-to-know role-based access
- Audit logs
- 1 year rule
- Reasonable opportunity for access
- Minimum standard
- Do you have an approved schedule?
- How will records be kept in the meantime?
- Ministry Records Officer
- PIAs are a lot of work for no useful purpose
- PIAs only stop us from implementing useful programs; they do nothing to enable them
- PIAs result in increased costs for proposed initiatives
- PIAs cause initiatives to be redesigned and delayed
- PIAs serve many useful purposes:
  - Address privacy concerns and ensure privacy compliance
  - Assist in implementing privacy-enhancing initiatives
  - Increase awareness and understanding of privacy issues within the organization
- PIAs enable new privacy enhanced initiatives and prevent potential privacy disasters that could result in loss of public confidence and trust
- PIAs can be used to avoid costs, surprises and embarrassment by building in privacy at the design stage
- PIAs conducted in the design phase allow any privacy issues to be identified, addressed, changed or mitigated
- Legislation, Privacy and Policy Branch policies, guidelines and forms: http://www.cio.gov.bc.ca/cio/priv_leg/foippa/guides_forms/guide_index.page?
- List of Ministry Information Security Officers: http://www.cio.gov.bc.ca/cio/informationsecurity/miso/miso.page
- List of Records Officers: http://www.gov.bc.ca/citz/iao/records_mgmt/contact_us/ministry_records_officers.html
- The Freedom of Information and Protection of Privacy Act: http://www.bclaws.ca/eplibraries/bclaws_new/document/id/freeside/96165_00
- BC Office of the Information and Privacy Commissioner: http://www.oipc.bc.ca/
- Early notice and PIA procedures for public bodies: http://www.oipc.bc.ca/guidance-documents/1434