=Privacy Impact Assessment=

Privacy risk is assessed with a tool called the Privacy Impact Assessment (PIA). It defines the risk management process for addressing privacy concerns and is usually applied when a new system or program is initiated, or when there is a significant change in the environment.

A Privacy Impact Assessment is an iterative process that takes place throughout the lifecycle of a new system or program. Reports are often issued at two stages. The first, called the preliminary or conceptual PIA, is conducted at the earliest stage of the project and addresses the major policy and business issues that must be considered as the project progresses. The second report is often released after the design phase is complete but before implementation; it addresses privacy functionality, business processes, operating procedures and implementation issues such as user training.

The components of an eHealth PIA are:

 * A detailed description of the scope of the eHealth program and the environment into which it will be implemented; participants; relevant legislation, policy and standards;
 * A dataflow analysis including a business flow diagram and description and a detailed data flow diagram and table;
 * A privacy analysis – consideration of each of the Fair Information Practice principles that apply in the specific jurisdiction and their application to the eHealth program;
 * A privacy risk management plan including the identification of privacy risks and recommendations for risk mitigation; and
 * A communications strategy to communicate essential information to stakeholders.

The Treasury Board of Canada has published a [|Privacy Impact Assessment e-learning tool] on its website.

Many jurisdictions have issued policies and guidelines for the completion of PIAs. Links to these policies and guidelines are listed below:

 * Treasury Board of Canada [|Privacy Impact Assessment Policy] and [|Privacy Impact Assessment Guidelines]
 * Alberta Information and Privacy Commissioner (Canada) [|PIA Template and Registry]
 * Ontario Information and Privacy Commissioner (Canada) [|Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act]
 * Ontario Government (Canada) [|Privacy Impact Assessment Guidelines]
 * British Columbia Government (Canada) [|Privacy Impact Assessment Template]
 * Australian Privacy Commissioner [|Privacy Impact Assessment Guide]
 * White House Office of Management and Budget (USA) [|E-Government Act Section 208 Implementation Guidance]