The Minister of Technology, Innovation and Citizens’ Services has issued a ministerial order providing directions to public bodies that are not government ministries on conducting Privacy Impact Assessments (PIAs) under the Freedom of Information and Protection of Privacy Act. A PIA is an assessment of the privacy risks presented by a current or proposed enactment, system, project, program or activity conducted by a public body.
Since amendments to the FIPPA in 2011, PIAs have been mandatory for all public bodies, not just government ministries. PIAs should be conducted:
- for a proposed system, project, program or activity during its development;
- for a current system, project, program or activity (if not done already); and
- for any proposed revision(s) to a system, project, program or activity during its development.
Additionally, PIAs for public bodies that are not ministries must be provided to the Information and Privacy Commissioner for review and comment in certain circumstances.
As in previous communications from the government on PIAs, the new ministerial directions and associated publications contemplate that PIAs should be completed in a wide variety of circumstances, including when no personal information is being collected, used or disclosed.
The new ministerial directions focus on the PIA process, providing a list of substantive issues to be addressed in a PIA including a detailed description of the project, identification of privacy risks, and descriptions of the physical and technical security measures associated with the project.