Use this guidance to help you complete a privacy impact assessment (PIA) if you're starting a new system, project, program or activity ("initiative") in the B.C. government or the broader public sector.
If you're in the broader public sector, skip question 14 of the guidance as that question applies to ministries only.
Download the PIA template for ministries (Word, 64 KB) or non-ministry public bodies (Word, 51 KB). Read it over to get acquainted with the questions.
The guidance contains 26 questions in 8 parts to mirror the PIA template layout. The guidance offers examples and prompts for thinking through how you can reduce risk and protect privacy in your project.
You can expect to take several hours or a few days to answer all of the questions on the template, depending on
Read more about the PIA review process and principles for protecting privacy (MS Word).
Part 1 asks general questions about your project and the subject of this PIA. Answer in detail.
Question 1 - What is the initiative?
Answer the who, what, where, when, why and how of your initiative. Describe the initiative in full, including:
Question 2 - What is the scope of the PIA?
Think about how you described your initiative in question 1. In this PIA, are you assessing the whole initiative or just part of it?
Describe how much of the initiative you will assess in this PIA. For example, this PIA might focus on phases 1 to 3 of the initiative, or this PIA might focus on building a database but not using the database.
Question 3 - What are the data or information elements involved in your initiative?
Question 3 is about what type of information you'll use in the initiative, especially personal information. Personal information or data can include identifiers like:
Think about the information you'll collect, use, store or share as part of your initiative and list it here. A major part of the PIA process is to make sure that you have authority under the Freedom of Information and Protection of Privacy Act (FOIPPA) to collect, use, store and disclose each of these pieces of information. Limit your collection of personal information to only what is necessary to complete the initiative.
Learn more about privacy principles (MS Word) for protecting personal information.
Question 3.1 - Did you list personal information in question 3?
Personal information is any recorded information about an identifiable individual other than contact information. Personal information includes information that can be used to identify an individual through association or inference.
In addition to the unique identifiers discussed in question 3 above, personal information can include information that describes an individual or group, such as:
If you do have personal information involved in your initiative, talk to your MPO so they can help you make sure you have legal authority to collect, use, disclose or store personal information. You must have a specific purpose and authority under FOIPPA to collect each element of personal information as part of your initiative. Your MPO can also advise on limiting the collection of personal information and otherwise reducing risks to privacy in your initiative.
If you do not use personal information in your initiative:
Some initiatives that do not require personal information are at risk of collecting personal information inadvertently, which could result in an information incident (or privacy breach).
To answer this question, think about how you’ve designed your initiative to reduce the risk of collecting personal information. For example, if you are collecting opinions as part of a public engagement strategy, participants may offer personal information about themselves or others, even though you've instructed them not to. If you do inadvertently receive or collect personal information, what steps will you take to:
FOIPPA section 27.1 describes under what circumstances personal information is considered not collected, despite you having received it. As long as you do nothing with the personal information you receive other than read and delete or return it, or transfer it to the appropriate public body, you have not collected the information according to FOIPPA. However, if you take any other action, including storing the information or using it in your own work, under FOIPPA you have collected personal information without authorization and that is considered a privacy breach.
If your initiative does not involve personal information and you have completed Part 1 of the template, you can submit your PIA to your MPO now. You're done!
Part 2 asks questions designed to help you think through the risks involved in collecting, using, storing and disclosing personal information, and how you can manage those risks. Remember that personal information always belongs to the person the information is about. When you collect or use personal information, you must keep it safe, use it only for the stated purpose, and restrict unauthorized access.
Question 5 - Collection, Use and Disclosure
This exercise identifies how you reduce the risk that your initiative collects, uses or shares personal information in a way that is not authorized by FOIPPA.
For question 5, you need the list of personal information you identified in question 3. Break down the processes into single steps and think about how information moves through your project. Your MPO will help you figure out whether each step represents a collection, use or disclosure of personal information, and whether you have legal authority under FOIPPA for the way you’re working with personal information. At each step, include the role or title of the person involved and whether any partners external to government are involved.
Use the table to list the steps. You can organize your information into a diagram if you prefer.
Including a 'roles and responsibilities' table may be helpful if contractors are involved in your initiative to explain who does what and whether they are internal or external to government.
Limit Collection
As you work through the description of the information flows, consider whether each element of personal information is necessary for delivering your initiative, or whether you could collect less personal information without risking the success and efficacy of your initiative. Limiting the amount of personal information you collect is one of the 10 internationally recognized privacy principles.
Collect only the information you need for your initiative to work. Collecting more personal information than you need to do your work may lead to a privacy breach.
Under FOIPPA section 27(2), you must notify individuals when you collect their personal information directly from them.
Whenever possible, position your collection notice so that people read it or hear it before they are asked for their information. For example, you can include a collection notice as part of the preamble to an online form or read it over the phone before you begin asking for information. If it’s not possible to put your collection notice at the top, position it where people have the best possible chance of hearing or reading it before giving their information so that they understand how you’ll use their information.
When you collect information from people, you must tell them:
You can edit the following sample collection notice to suit your initiative.
We are collecting your personal information to [purpose]. If you have questions about our collection of your information, please contact us at [contact information].
We are collecting your personal information under section [e.g. 26(c)] of the Freedom of Information and Protection of Privacy Act.
Attach your collection notice to the PIA template directly under question 6 or as an appendix.
Read the collection notice guidance for more information.
You may not need a collection notice if:
FOIPPA section 27(3) and (4) tells you more about when you do not need a collection notice. If you determine that you do not need a collection notice, explain why.
Question 7 - Is any personal information stored outside of Canada?
This question helps identify whether you are storing personal information outside of Canada. If the answer is yes, you may have to complete Part 4 – Assessment of Disclosures Outside of Canada, depending on your answer to the remaining questions in Part 3.
You were directed to this question because you indicated that the personal information in your initiative is stored outside of Canada. Be specific about the location where the personal information is stored.
Question 9 - Does your initiative involve sensitive personal information?
This question helps identify if your initiative involves sensitive personal information. If the answer is yes and you are storing sensitive personal information outside of Canada, you may have to complete Part 4 – Assessment of Disclosures Outside of Canada.
Whether personal information is sensitive can depend on context, including where and how the information is stored. The answer to question 9 depends on the context of your initiative.
For example, the make and model of the car you drive is personal information, but you might not consider it sensitive. However, if information about your car is stored in an online database that includes your address and is accessible by anyone, you probably want to make sure the information is adequately protected and secure.
If you’re not sure whether the personal information in your initiative is sensitive, ask your MPO for help or call the Privacy and Access Helpline at 250 356-1821 or email Privacy.Helpline@gov.bc.ca.
Question 10 - Is the sensitive personal information being disclosed outside of Canada under FOIPPA section 33(2)(f)?
FOIPPA section 33(2)(f) authorizes a public body to disclose personal information if the information is made available to the public under an enactment that authorizes or requires the information to be made public.
If you are using section 33(2)(f) as your authority under FOIPPA for disclosing personal information outside of Canada, make sure that the authority is listed in the personal information flow table with reference to the other legislation that applies. You do not need to complete Part 4 of the template. Skip ahead to Part 5: Security of Personal Information.
You must complete this section if you are disclosing sensitive personal information to be stored outside of Canada. You will likely need help from your MPO to complete this section.
Question 11 - Is the sensitive personal information stored by a service provider?
In the table in the PIA template, you will capture the names of the service providers and where and how the sensitive personal information is being stored.
If you are using a cloud solution, there may be multiple cloud service providers involved in your initiative. Cloud solutions are typically considered to be made up of a ‘stack’ of infrastructure (IaaS), platform (PaaS) and/or software (SaaS) that might be operated by the same or different cloud service providers. For example, Software as a Service (SaaS) providers often offer services built on infrastructure (IaaS or Infrastructure as a Service) offered by a different cloud service provider.
Question 12 - Provide details on the disclosure, including where and how the personal information is stored
This should include reference to the location and method of storing the personal information (e.g. location of data: Atlanta, GA, USA. Method of storing data in Atlanta, GA, USA: e.g. specify that the information is stored in a data storage facility). If question 11 doesn’t apply to your initiative, answer question 12 and be specific about where and how the sensitive personal information is stored.
Question 13 - Describe the contractual terms in place (if applicable).
Here you will describe what type of contract you rely on for your initiative (if applicable). For example, you might be contracting a cloud-based service specifically for your initiative, or you might be using an enterprise offering.
Question 14 - Are you relying on an existing contract, such as an enterprise offering from the Office of the Chief Information Officer (OCIO)?
Check with the person responsible for the contract(s) involved in your initiative if you're not sure whether you're using an enterprise offering. There may be a corporate PIA or other information to help you.
Question 14.1 - Which enterprise service are you accessing?
A PIA may have been completed on the service you’re using that will help to inform your risk assessment. Call the Privacy and Access Helpline at 250 356‑1851 or email Privacy.Helpline@gov.bc.ca to find out whether there is a corporate PIA for this service.
Question 15 - What controls are in place to prevent unauthorized access to sensitive personal information?
This question is about the controls you have in place to protect against unauthorized collection, use, disclosure or storage of sensitive personal information. These include preventing or managing access to sensitive personal information. These will help to inform your answers in the table in question 17.
Describe technical, security, administrative and/or policy measures (e.g. the access controls that protect the sensitive personal information). If you are using a cloud-based service provider, include a description of controls at each layer in the stack (software level, platform level, infrastructure level).
Question 16 - Please provide details about how you will track access to sensitive personal information
This question is about how you will know if the sensitive personal information is accessed, including access by service providers. The answer should include a description of what information is available through logs and how the ministry will access logs (e.g. in real-time or by request).
Question 17 - Describe the privacy risks for disclosures outside of Canada
Use the table to indicate the privacy risks, potential impacts, likelihood of occurrence and level of privacy risk. For each privacy risk identified, describe a privacy risk response that is proportionate to the level of risk posed. This may include reference to measures to protect the sensitive personal information (contractual, technical, security, administrative and/or policy measures) that you outlined in previous questions.
Part 5 asks questions about how you'll protect personal information using physical and technical security. People, organizations and governments outside of your initiative should not be able to access the personal information you collect, use, store or disclose. You need to make sure that the personal information is safely secured in both physical and technical environments.
Question 18 - Does your initiative involve a digital tool, database or information system?
A digital tool, database or information system may leave personal information exposed or otherwise vulnerable to security threats. Security assessments are used on information systems and other digital tools to assess and document security risks, risk ratings and planned risk responses. An in-depth security assessment known as a STRA (Security Threat and Risk Assessment) results in a document called the statement of acceptable risk.
Your Ministry Information Security Officer (MISO) can answer general questions on keeping information secure in your ministry. Contact your MISO if you need help determining good security practices for your initiative and if you need to conduct a security assessment.
Question 18.1 - Do you or will you have a security assessment to help you ensure the initiative meets the reasonable security requirements of FOIPPA section 30?
If you expect to complete a security assessment during the development of your initiative, you do not have to answer the questions about technical security on the PIA template.
Question 19 - Are all digital records stored on government servers and are all physical records stored in government offices with government security?
This question is to identify how you reduce the risk that you store personal information in a computer system or physical location where unauthorized access can happen.
Technical records are records that are stored electronically, including but not limited to records stored:
Technical security includes any digital or electronic system set up to keep your records secure, including:
If your records are not stored on government servers, use this question to list technical security on the system where records are stored.
Physical records include but are not limited to:
Physical security is anything you do to keep physical records safe and secure, including:
If your physical records are not kept in government buildings with standard government security, use this question to list the physical security in the building and rooms in which records are kept.
Question 20 - Controlling and Tracking Access
This question identifies how you reduce the risk of unauthorized access to personal information.
To effectively protect privacy, access to personal information should be limited to employees who need the information to do their jobs. It is never appropriate to access another person’s information without legal authority, including accessing one’s own information or information on behalf of a friend or relative.
If you have methods for controlling and tracking access to personal information that are not listed in the table, add your methods to the list.
Part 6 is about making sure that you make a reasonable effort to ensure the personal information you have on file is accurate and complete.
Question 21 - How will you make sure that the personal information is accurate and complete?
It is your responsibility to make sure that the personal information you collect, store, use and disclose is accurate and complete, especially if the information will be used to make a decision that affects an individual. Ways to make sure personal information is accurate and complete include verifying the information with the person it is about prior to recording it.
Question 22 - Requests for Correction
Question 22 is made up of three parts and is designed to help you ensure that you’re following your obligations under FOIPPA section 29.
FOIPPA section 29 states that a person can ask you to correct any of their personal information in your custody or control. If you cannot correct the record itself, you must make a note on the record (annotate the record). If you've disclosed the personal information to any other public body or third party in the last year, you must also notify them of any corrections you make.
Question 23 - Does your initiative use personal information to make decisions that directly affect an individual?
Think about whether you use personal information in your initiative to make a decision about an individual. Examples of using personal information to make decisions include but are not limited to:
Question 24 - Do you have an approved information schedule in place related to personal information used to make decisions?
Keeping information for one year after it is used to make a decision that affects an individual is the minimum requirement under FOIPPA. You may have other operational or administrative requirements that dictate how long records must be kept and when they must be disposed of. It’s important to maintain the records in your initiative according to an approved records schedule so that you comply with both FOIPPA and, for ministries, the Information Management Act.
You can search for approved information schedules in the ARCS and ORCS libraries. If you're not sure whether your program area has an approved information schedule or if you want help creating one, contact your Government Records Officer.
The Information Management Act requires that you dispose of government information only in accordance with an approved information schedule or with the approval of the Chief Records Officer.
A personal information bank (PIB) is a collection of personal information searchable by name or unique identifier.
Question 25 - Will your initiative result in a personal information bank?
A personal information bank is a collection of personal information that is organized or searchable by the name of the individual or an identifying number, symbol or other identifier. A personal information bank can be a simple list of personal information. Personal information banks contain personal information that is:
Briefly describe your personal information bank and the ministries and organizations involved. The information you provide will be used to update the Personal Information Directory.
In Part 8, consider whether there are additional risks to personal information in your initiative that have not been addressed by the other questions in the template.
Question 26 - Additional Risks
This question is to identify any risks that have not been contemplated by the other questions on the PIA template. Your MPO may be able to help you identify any additional risks. For each risk, identify how you will manage, mitigate or otherwise reduce the likelihood that the risk will occur or reduce the impact of the risk.
After you submit your PIA, your MPO may identify additional risks during their review. Your MPO will enter the risks into this table or request that you enter them. Your MPO will ask you to identify a risk reduction strategy for each additional risk.
Final Steps
PCT will assign a privacy advisor to review the PIA. The privacy advisor may determine that your PIA should be submitted to the Office of the Information and Privacy Commissioner for review and comment. The privacy advisor will create a summary of their review, sign the PIA and return it to you for signatures.
After everyone has signed, return the PIA to PCT. Your privacy advisor will list the PIA in the Personal Information Directory (PID).
You have completed your PIA and may start your project.
If at any stage you change how you collect, use, store or share personal information, complete an initiative update PIA.