@INFO.POLICY: For the latest in privacy, look north
- By Robert Gellman
- Sep 04, 2002
Our neighbors to the north recently re-leased a new and helpful tool for assessing the impact of government activities on privacy. The Privacy Impact Assessment from the Canadian government is a sophisticated guide to such assessments.
That's right. It's from Canada. Don't assume that something from Canada can't be relevant. The privacy establishment in Canada is at least a generation ahead of anything happening here, so show some respect. Most of the Canadian PIA can easily be applied to U.S. activities.
If you deal with information systems that affect personal privacy, you may already be familiar with the IRS' Privacy Impact Assessment. That PIA has been around for a few years and remains useful, but it is no longer a cutting-edge document.
The Canadian PIA consists of two documents. The first is too local to be of interest. It describes basic requirements and defines the roles of agency heads and other players.
The second document offers PIA guidelines, and it is definitely worth a look even though Canada has different privacy laws.
Canada's PIA calls for a four-step process. The first step is a determination whether to conduct a PIA at all. If an activity collects, uses or discloses personal information, then the PIA applies.
The second step calls for a data flow analysis. The analysis describes how data is collected, used, stored and disclosed. Creating a complete input-output diagram for personal data will likely reveal data uses that you didn't think of at first blush.
The third step is a privacy analysis. The Canadian guidelines include several lengthy questionnaires that help identify major privacy risks and vulnerabilities.
The last step is the creation of a privacy impact assessment report, which contains a documented evaluation of the privacy risks and strategies that will reduce or mitigate those risks.
The Canadian guidelines are so good because they offer lots of detail. Separate sets of questionnaires cover federal activities and cross-jurisdictional activities. Basic principles are broken down into detailed issues for evaluation.
The privacy guidelines also recognize that a PIA must be a cooperative process requiring different skills and players. One size does not fit all. The PIA process is intended to be adapted to fit a particular application. That's why it will also work for U.S. activities.
Canadian privacy law differs in some ways from the U.S. Privacy Act of 1974. But the differences are not that important when figuring out how a government program will affect privacy. Many privacy principles work more or less the same way at the assessment stage.
The PIA comes from the Treasury Board, Canada's equivalent of the Office of Management and Budget. Maybe OMB should take a lesson here and be a little more direct on Privacy Act implementation.
Find the Canadian privacy documents at www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/siglist_e.html
in English, or in French'in case you feel the urge to evaluate privacy en francais. Robert Gellman is a Washington privacy and information policy consultant. E-mail him at email@example.com.