Managing Contracts under the FOIP Act

5.3 Privacy Planning Tool for IT Projects

The Privacy Planning Tool (PPT) is part of Alberta’s Information and Communications Technology (ICT) Privacy Framework. The purpose of the tool is to assist project managers who will be managing new information, or managing existing information in new ways or for new purposes. The tool is also intended to assist in the development, acquisition and implementation of software. The tool is an online questionnaire based on the principles embodied in the Privacy Impact Assessment (PIA). However, it is shorter and simpler, and it is intended to be completed early in the project cycle, before any PIA, as part of the project management process.

The tool is intended to be used for every ICT project. The information is submitted to Service Alberta, which provides recommendations with respect to privacy risk assessment and risk mitigation measures.




5.4 Privacy Impact Assessment (PIA)

A Privacy Impact Assessment (PIA) is undertaken during the planning and implementation of a program or system. It involves a detailed consideration of appropriate and effective measures to ensure compliance with Part 2 of the FOIP Act. In Alberta, PIAs are submitted to the Office of the Information and Privacy Commissioner for review and acceptance. The Commissioner does not approve PIAs; rather, acceptance indicates that the flow of information contemplated under the proposed program or system complies with the provisions of the FOIP Act, that the risks have been assessed, and that the public body has a plan to mitigate those risks.

A PIA is not mandatory under the FOIP Act when a public body proposes to enter into a contract relating to a program or service that involves personal information. However, it is good practice to complete a PIA for any contract involving the collection, use or disclosure of personal information, unless only business contact information is involved and the personal information will not be stored outside Alberta or Canada.

In cases where a new contractual arrangement involves the collection, use, disclosure, protection, retention and disposal of sensitive personal information, or where the contract may require the processing or storage of personal information outside Alberta, a public body should conduct a PIA to ensure that the impact of the contractual arrangement is fully evaluated. The PIA should be conducted prior to the tendering process so that any privacy requirements can be reflected in that process.

TIP: A public body that is a custodian for the purposes of Alberta’s Health Information Act (HIA), or that is considering entering into an agreement with a custodian, should bear in mind that a custodian is required, under section 64 of the HIA, to prepare a PIA prior to implementing any administrative practices or information systems that may affect the privacy of an individual’s health information. The planning process should allow time for the development and review of the PIA.

For consideration of when a PIA is needed, see section 9.3 of FOIP Guidelines and Practices, published by Access and Privacy, Service Alberta. For a detailed explanation of the PIA process and requirements, see the documentation available on the Commissioner’s website at www.oipc.ab.ca.



Related sections of this Guide                                       Chapter

  • Contracting for service delivery                                 2.6
  • Public–private partnerships (P3s)                                2.8
  • Joint service delivery agreements                                2.10
  • Processing or storage of personal information outside Alberta    4.2
  • IT outsourcing contracts                                         4.3
  • Contracts involving sensitive personal information               4.4
  • Use and retention of information about common clients            4.6
  • Drafting the contract: Protection of privacy                     6.3; esp. cl. Ff, Ii, Jj



5.5 Assessing Privacy Capabilities of Smaller Contractors

The PIA process is designed to ensure that a public body can comply with its privacy obligations. Part 1 of the PIA relates to the prospective contractor. Some public bodies have developed an assessment tool, a simplified version of Part 1 of the PIA, that allows prospective contractors to assess their own privacy and security capabilities. This approach is considered particularly useful for small and medium-sized organizations. The questions can be made very specific, which makes it easier for smaller contractors to respond. The questions can also be tailored to specific types of organization and to the specific risks associated with the particular contract.

There are a number of areas that should be considered in determining a contractor’s information privacy and security capability. The following are some of the key factors.



The contractor’s operational context, including

  • the number of staff, including students and volunteers,

  • the use of subcontractors, including subcontractors that work off-site,

  • the number of locations in which the contractor operates and the location of the facilities used by the contractor (especially locations outside Alberta),

  • the contractor’s IT system,

  • the contractor’s business continuity planning, and

  • the privacy legislation applicable to the contractor.

The contractor’s privacy framework, including

  • the position of the contractor’s privacy officer within the organization’s reporting structure,

  • the contractor’s information privacy and security policies (including training requirements, confidentiality provisions, and penalties for breach of organizational policies),

  • the contractor’s program for training staff on privacy,

  • the contractor’s practices with respect to the collection of personal information (including notification, obtaining consent where applicable), as well as processes used to limit the use and disclosure of personal information to authorized purposes,

  • the contractor’s ability to provide access to an individual’s personal information,

  • verification procedures used by the contractor to ensure the accuracy of information,

  • the contractor’s ability to correct personal information in its records and to track disclosures, and

  • protocols for breaches of privacy or security.

The contractor’s general ability to safeguard physical and electronic records from unauthorized access and duplication, and from perils such as theft, computer hacking, fire, flood and power interruption; to provide backup and off-site storage; and to manage record retention and disposal in a secure manner. These capabilities may be assessed through a review of the following areas of the contractor’s operations.

  • IT security (especially important if the contractor is authorized to input data directly or to access the public body’s IT system), including provisions to control access (for example, role-based access, user ID and password controls), barrier technology (for example, firewalls, virus protection), data transmission technology, and use of access logs and audit trails,

  • physical security of buildings, record storage, work areas, and office equipment (for example, fax machines, photocopiers, computers), and

  • administrative security, especially in the management of human resources, including practices relating to recruitment, ongoing training in privacy and security, and termination.

Public bodies may also need to address the protection of personal information in relation to a specific service provider by other means. Contract clauses that address specific risks will be an important part of that process. Chapter 6 provides a number of model contract clauses developed for this purpose.

If the proposed contract presents a high level of risk – especially if there is a need for assurance that a contractor has the capacity to comply with contractual obligations – the public body may need to conduct a full-scale PIA. If the contract is awarded, the public body may need to consider contractual clauses to address specific risks identified during the assessment process. Chapter 6 provides model contractual clauses.



Related sections of this Guide                                       Chapter

  • Fee-for-service contracts                                        2.5
  • Privacy Impact Assessment (PIA)                                  5.4
  • Drafting the contract: Protection of privacy                     6.3; esp. cl. Bb–Gg.1