
Privacy Laws and Business International Report


Using privacy impact assessments to evaluate new initiatives [2000] PLBIRp 7; (2000) 52 Privacy Laws and Business International Report 10

Using privacy impact assessments to evaluate new initiatives

PRIVACY IMPACT ASSESSMENTS can be useful in reviewing how a new legal scheme or programme affects the privacy of an individual. Robert Clark, the Privacy Commissioner of the Canadian province of Alberta, encourages assessments in the public sector.

Alberta's Freedom of Information and Protection of Privacy Act entitles the Privacy Commissioner to comment on the privacy implications of proposed public sector legislative schemes or programmes. The Privacy Commissioner's office has now developed a Privacy Impact Assessment (PIA) process in order to help organisations carry out the task.

The success of PIAs depends on how eager public bodies are to seek an assessment of their projects; PIAs are not compulsory. Even if a PIA is conducted, public bodies still have to comply with all aspects of the Act. However, in the health sector, PIAs have been made obligatory. The Health Information Act requires that a PIA be undertaken for any new programme dealing with the personal health information of Albertans.

ORGANISATIONS START THE WORK

PIAs are conducted by the public bodies themselves, and assessed by the Commissioner's staff. However, if the project evaluated is very complex or includes sensitive data, outside experts may be used. The PIA must include the following elements:

o assessing the privacy impact

o the legal framework of the project

o the public benefit of the project

o timing, and

o whether there are any less privacy-invasive alternatives for achieving the same objectives.

Public bodies need to describe which personal data are being collected, processed and disclosed. Most importantly, organisations are required to outline whether the planned programme will present any threats to privacy.

It is also necessary to describe the existing level of privacy, for example, whether the organisation complies with any codes of conduct, standards or policies.

PIA REQUIRES A DESCRIPTION OF THE USE OF DATA

A more detailed description is required of compliance with the Privacy Act's provisions. For example, with regard to collecting personal information, organisations have to describe the information which will be collected directly from the individual. In cases of indirect collection, organisations are required to clarify why the information cannot be collected directly, and describe the method of indirect collection.

Also, a PIA needs to include a description of how individuals will be notified of the collection of their personal data, its intended use, and which agencies will have access to the information.

Once an organisation's PIA has been accepted by the Privacy Commissioner's office, the PIA will be filed in the office's public library. The Privacy Commissioner's office emphasises that PIAs are living documents, and they would expect organisations to inform the office of any further changes.

PIAs can also have other uses. The Privacy Commissioner, Robert Clark, envisages that PIAs can be utilised as a starting point should the office be requested to conduct an investigation into a breach of privacy.

HEALTH SECTOR PIA ACCEPTED

The Privacy Commissioner has already accepted a PIA for a drug profile system. The system allows emergency department personnel to access the Alberta Blue Cross (health insurance) database, which contains prescription information.

The programme will affect persons who are 65 years of age or older, and are registered in the Alberta Blue Cross Group benefit plan for senior citizens. The patients will be asked for their consent for allowing access to their medical data. The information is sent encrypted, and access in an emergency department is allowed only to specific personnel who have the authority to see the details.

In addition, the personnel will be able only to read and print out the information. They will not be able to alter the data. Disclosure logs are kept to facilitate future audits and for comparison between the disclosures that have taken place and the patients' consent forms.

The Privacy Commissioner's opinion on this PIA was that the impact on privacy was minimal as patients' consent would anyway be required each time they arrive for treatment, and when emergency services staff access their data on the database.

OTHER PROVINCES ARE ALSO USING PIAS

In Canada, PIAs are also used in the provinces of Ontario and British Columbia. In Ontario, PIAs are required for approval and funding of major information and information technology (I&IT) projects that affect consumers' privacy and the management of personal information in the provincial government.

The government of Ontario has adopted guidelines for assessing I&IT projects. These guidelines help provincial ministries to identify projects for which a PIA may be required, and provide a step-by-step process for completing a PIA (see http://www.gov.on.ca/MBS/english/fip/pia).

The assessment tool is still quite new, and the Ontario government is waiting to see how it can be applied to real cases. Examples of initiatives that are likely to require a PIA include those involving:

o the creation or modification of databases containing personal information, particularly where the information is sensitive and/or includes a significant number of people

o identification and authentication schemes, especially proposals for multi-purpose identifiers or those that make use of biometrics

o constraining or eliminating existing opportunities for anonymity or pseudonymity through programme redesign, and

o the use of smart cards.

British Columbia has also developed a model assessment and a blank assessment form (see http://www.oipcbc.org/publications/pia). They are intended for use by public bodies.

The Office of the Information and Privacy Commissioner of Alberta can be contacted at 410, 9925 - 109th Street, Edmonton, AB T5K 2J8, Tel: + 1 780 422 6860, Fax: + 1 780 422 5682, E-mail: ipcab@planet.eon.net.

There is more information available on PIAs at the office's website: http://www.oipc.ab.ca.

For more information about the drug profile system, and copies of the privacy assessment made for it, contact Michael Evans, Alberta Wellnet, Tel: + 1 780 415 1688, or Garth Norris, Alberta Health and Wellness, Tel: + 1 780 427 7164.


URL: http://www.worldlii.org/int/journals/PLBIRp/2000/7.html