Security // Privacy Impact Assessment
A Privacy Impact Assessment (or “PIA”) is a process that helps organizations to identify, measure, and mitigate the risks associated with the introduction of a new program or service. PIAs also help to anticipate and avoid the reputational risks attached to a new product offering. When properly performed, a PIA allows project managers to fully consider the privacy impacts of a program or service, before that program or service is rolled out.
Privacy Impact Assessments are mandatory for federal institutions implementing new or substantially modified programs involving personal information. PIAs must be submitted to the Office of the Privacy Commissioner (OPC) for review, and to the Treasury Board of Canada Secretariat (TBS) for approval. Although performing a Privacy Impact Assessment is not mandatory for private-sector organizations, PIAs are considered an industry best practice and are employed by many of the world’s leading companies.
Ensuring that privacy protection is a core consideration in the design, development and operation of new programs and services involving personal information is more important than ever. The introduction of new technologies, together with the widespread use and sharing of personal information across borders, has created new threats to an individual’s privacy. Individuals not only want to be informed of how their personal information is to be used; they also want to be assured that it will be properly protected.
Conducting a PIA is a great way for an organization to evaluate its personal information handling practices, and to pinpoint privacy concerns in the design and development of new systems, programs and services. The purpose of a PIA is to evaluate an organization’s awareness of how it handles consumer and employee information, and to allow organizations to identify, monitor and mitigate privacy risks, as they arise, throughout the development and growth of the organization and its products.
When properly performed, a PIA helps to: