PRIVACY IMPACT ASSESSMENT FROM A REGULATOR'S POINT OF VIEW




29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE / 29th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS CONFERENCE #62036

PRIVACY IMPACT ASSESSMENT FROM A REGULATOR'S POINT OF VIEW
DONALD LEMIEUX
EXECUTIVE DIRECTOR, INFORMATION AND PRIVACY POLICY BRANCH
TREASURY BOARD OF CANADA, SECRETARIAT

Privacy in Canada

- 1977: Canadian Human Rights Act was promulgated; Part IV related to privacy rights
- 1983: Privacy Act put in place
- 1989: Policy on SIN and Data Matching
- 1993: Policy on Privacy and Data Protection (SIN / Data Matching requirements integrated)
- 2001: Personal Information Protection and Electronic Documents Act comes into force

Integrating programs and privacy

- The Policy (May 2002) was adopted to assure Canadians that their privacy would be taken into account when there are proposals for programs and services that raise privacy risks.
- A PIA requires federal institutions to consider the privacy issues of programs and services throughout the design, implementation and evolution of those initiatives.
- PIA is a core component of the federal government's privacy compliance regime.

Federal responsibilities

- Heads of institutions are responsible for ensuring that their organizations comply with the Privacy Act and, by virtue of it, the PIA Policy.
- Accountability for PIAs rests with departments.
- Treasury Board Secretariat is responsible for developing and interpreting privacy policy, including the PIA, providing advice to institutions, and monitoring compliance.
- PIA Policy has links to project approval and government funding for initiatives.

Issues

- PIAs are not always completed in a timely manner.
- There is a need to more fully integrate PIAs into the management decision-making process of federal institutions.
- PIA requirements are currently the same for all initiatives regardless of project type, magnitude, or risk.
- There is a need to streamline the PIA process.
- The cumulative effects of policies or programs involving personal information may not be apparent.
- Limited privacy consideration for projects involving multiple programs within institutions, and inter-institutional and cross-jurisdictional flow of personal information.

Regulatory challenges

- How do we improve central oversight of the PIA process and ensure greater compliance with the PIA Policy?
- How do we limit administrative burdens on institutional program and privacy officials with respect to PIA requirements?
- How can we better assess the cumulative effects of government plans and priorities on an individual's privacy?

Solutions: Policy Suite Renewal

- Strengthening the link between the requirement to conduct a PIA and the law (the Privacy Act).
- Creating a better awareness and understanding of privacy risks through training and education.
- Using a risk-based approach to streamline the PIA process (in particular for low-impact initiatives).
- Enhancing the public reporting requirements for PIAs so as to improve transparency and oversight.
- Developing a central repository of PIAs and examining large-scale programs (government-wide and across jurisdictions) for cumulative privacy effects.

Office of the Privacy Commissioner of Canada (OPC)

- OPC has oversight of federal privacy legislation in Canada, that is, the Privacy Act and PIPEDA.
- OPC is also responsible for reviewing PIAs and providing advice and guidance to institutions to mitigate privacy risks.
- Claude Beaulé will now provide greater detail with regard to the OPC's role and responsibilities.