Guidance for Privacy Impact Assessments

Answer the who, what, where, when, why and how of your initiative. Describe the initiative in full, including:

• What is the initiative
• Who is leading the initiative and who else is involved, including partners and stakeholders in and outside government
• Where will the initiative take place? For example,
  • Does the work happen online, in person, or both
  • Will there be public events
  • Will you hold meetings over the phone, face-to-face, or online
• When will the initiative take place?
  • Is this a one-time event
  • Will the initiative go on for a short time or for the foreseeable future
  • Do you have an end date planned
• Why are you doing the initiative?
  • What need does the initiative meet
• How will you carry out the initiative? For example,
  • Are you collaborating with another ministry over Microsoft Teams or other collaboration software
  • Are you emailing surveys to randomly chosen participants
  • Are you holding a public meeting

Think about how you described your initiative in question 1. In this PIA, are you assessing the whole initiative or just part of it?

Describe how much of the initiative you will assess in this PIA. For example, this PIA might focus on phase 1 to 3 of the initiative, or this PIA might focus on building a database but not using the database.

Question 3 is about what type of information you'll use in the initiative, especially personal information. Personal information or data can include identifiers like:

• Name
• Professional number (e.g. medical billing number, registered biologist number)
• Contact information, including home address
• Social Insurance Number
• Licence information (e.g. driver's licence number, hunting licence information)
• Personal Health Number

Think about the information you'll collect, use, store or share as part of your initiative and list it here. A major part of the PIA process is to make sure that you have authority under the Freedom of Information and Protection of Privacy Act (FOIPPA) to collect, use, store and disclose each of these pieces of information. Limit your collection of personal information to only what is necessary to complete the initiative.

Learn more about privacy principles (MS Word) for protecting personal information.

Personal information is any recorded information about an identifiable individual other than contact information. Personal information includes information that can be used to identify an individual through association or inference.

In addition to the unique identifiers discussed in question 3 above, personal information can include information that describes an individual or group, such as:

• Race or ethnicity
• Marital status
• Gender identity or sexual orientation
• Religious or political affiliation
• Income level

If you do have personal information involved in your initiative, talk to your MPO so they can help you make sure you have legal authority to collect, use, disclose or store personal information. You must have a specific purpose and authority under FOIPPA to collect each element of personal information as part of your initiative. Your MPO can also advise on limiting the collection of personal information and otherwise reducing risks to privacy in your initiative.

If you do not use personal information in your initiative:

• Go ahead to question 4 and answer it as best you can
• Contact your MPO. Your MPO will review your PIA or submit the PIA to Privacy, Compliance and Training Branch (PCT) at PIA.Intake@gov.bc.ca for review

Some initiatives that do not require personal information are at risk of collecting personal information inadvertently, which could result in an information incident (or privacy breach).

To answer this question, think about how you’ve designed your initiative to reduce the risk of collecting personal information. For example, if you are collecting opinions as part of a public engagement strategy, participants may offer personal information about themselves or others, even though you've instructed them not to. If you do inadvertently receive or collect personal information, what steps will you take to:

• Destroy it
• Return it
• Transfer it to the correct recipient

FOIPPA section 27.1 describes under what circumstances personal information is considered not collected, despite you having received it. As long as you do nothing with the personal information you receive other than read and delete or return it, or transfer it to the appropriate public body, you have not collected the information according to FOIPPA. However, if you take any other action, including storing the information or using it in your own work, under FOIPPA you have collected personal information without authorization and that is considered a privacy breach.

This exercise identifies how you reduce the risk that your initiative collects, uses or shares personal information in a way that is not authorized by FOIPPA.

For question 5, you need the list of personal information you identified in question 3. Break down the processes into single steps and think about how information moves through your project. Your MPO will help you figure out whether each step represents a collection, use or disclosure of personal information, and whether you have legal authority under FOIPPA for the way you’re working with personal information. At each step, include the role or title of the person involved and whether any partners external to government are involved.

Use the table to list the steps. You can organize your information into a diagram if you prefer.

Including a 'roles and responsibilities' table may be helpful if contractors are involved in your initiative to explain who does what and whether they are internal or external to government.

Limit Collection

As you work through the description of the information flows, consider whether each element of personal information is necessary for delivering your initiative, or whether you could collect less personal information without risking the success and efficacy of your initiative. Limiting the amount of personal information you collect is one of the 10 internationally recognized privacy principles.

Collect only the information you need for your initiative to work. Collecting more personal information than you need to do your work may lead to a privacy breach.

Under FOIPPA section 27(2), you must notify individuals when you collect their personal information directly from them.  

Whenever possible, position your collection notice so that people read it or hear it before they are asked for their information. For example, you can include a collection notice as part of the preamble to an online form or read it over the phone before you begin asking for information. If it’s not possible to put your collection notice at the top, position it where people have the best possible chance of hearing or reading it before giving their information so that they understand how you’ll use their information.

When you collect information from people, you must tell them:

• Your purpose for collecting personal information
• Your legal authority under FOIPPA or other legislation for collecting personal information
• Contact information for a person in the public body who can answer questions about why you're collecting personal information, how it's used and how people can update or correct their information

You can edit the following sample collection notice to suit your initiative.

We are collecting your personal information to [purpose]. If you have questions about our collection of your information, please contact us at [contact information].

We are collecting your personal information under section [e.g. 26(c)] of the Freedom of Information and Protection of Privacy Act.

Attach your collection notice to the PIA template directly under question 6 or as an appendix.

Read the collection notice guidance for more information.

You may not need a collection notice if:

• You collect personal information indirectly, meaning you get the information from another public body and not from the individual who owns the information
• You collect personal information for law enforcement
• You collect information by observing a person at a public event

FOIPPA section 27(3) and (4) tells you more about when you do not need a collection notice. If you determine that you do not need a collection notice, explain why.

This question helps identify whether you are storing personal information outside of Canada. If the answer is yes, you may have to complete Part 4 – Assessment of Disclosures Outside of Canada, depending on your answer to the remaining questions in Part 3.

• Read Guidance on Disclosures Outside Canada for more help answering questions in Part 3 and 4

You were directed to this question because you indicated that the personal information in your initiative is stored outside of Canada. Be specific about the location where the personal information is stored. 

This question helps identify if your initiative involves sensitive personal information. If the answer is yes and you are storing sensitive personal information outside of Canada, you may have to complete Part 4 – Assessment of Disclosures Outside of Canada.

Whether personal information is sensitive can depend on context, including where and how the information is stored. The answer to question 9 depends on the context of your initiative.

For example, the make and model of the car you drive is personal information, but you might not consider it sensitive. However, if information about your car is stored in an online database that includes your address and is accessible by anyone, you probably want to make sure the information is adequately protected and secure.

If you’re not sure whether the personal information in your initiative is sensitive, ask your MPO for help or call the Privacy and Access Helpline at 250 356-1821 or email Privacy.Helpline@gov.bc.ca.

• Read Guidance on Disclosures Outside Canada for more help answering questions in Part 3 and 4

FOIPPA section 33(2)(f) authorizes a public body to disclose personal information if the information is made available to the public under an enactment that authorizes or requires the information to be made public.

If you are using section 33(2)(f) as your authority under FOIPPA for disclosing personal information outside of Canada, make sure that the authority is listed in the personal information flow table with reference to the other legislation that applies. You do not need to complete Part 4 of the template. Skip ahead to Part 5: Security of Personal Information.

• Read Guidance on Disclosures Outside Canada for more help answering questions in Part 3 and 4

In the table in the PIA template, you will capture the names of the service providers and where and how the sensitive personal information is being stored.

If you are using a cloud solution, there may be multiple cloud service providers involved in your initiative. Cloud solutions are typically considered to be made up of a ‘stack’ of infrastructure (IaaS), platform (PaaS) and/or software (SaaS) that might be operated by the same or different cloud service providers. For example, Software as a Service (SaaS) providers often offer services built on infrastructure (IaaS or Infrastructure as a Service) offered by a different cloud service provider.

• Read Guidance on Disclosures Outside Canada for more help answering questions in Part 3 and 4

This should include reference to the location and method of storing the personal information (e.g. location of data: Atlanta, GA, USA. Method of storing data in Atlanta, GA, USA: e.g. specify that the information is stored in a data storage facility). If question 11 doesn’t apply to your initiative, answer question 12 and be specific about where and how the sensitive personal information is stored.

• Read Guidance on Disclosures Outside Canada for more help answering questions in Part 3 and 4

Here you will describe what type of contract you rely on for your initiative (if applicable). For example, you might be contracting a cloud-based service specifically for your initiative, or you might be using an enterprise offering.

• Read Guidance on Disclosures Outside Canada for more help answering questions in Part 3 and 4

Check with the person responsible for the contract(s) involved in your initiative if you're not sure whether you're using an enterprise offering. There may be a corporate PIA or other information to help you.

• Read Guidance on Disclosures Outside Canada for more help answering questions in Part 3 and 4

A PIA may have been completed on the service you’re using that will help to inform your risk assessment. Call the Privacy and Access Helpline at 250 356‑1851 or email Privacy.Helpline@gov.bc.ca to find out whether there is a corporate PIA for this service.

• Read Guidance on Disclosures Outside Canada for more help answering questions in Part 3 and 4

This question is about the controls you have in place to protect against unauthorized collection, use, disclosure or storage of sensitive personal information. These include preventing or managing access to sensitive personal information. These will help to inform your answers in the table in question 17. 

Describe technical, security, administrative and/or policy measures (e.g. the access controls that protect the sensitive personal information). If you are using a cloud-based service provider, include a description of controls at each layer in the stack (software level, platform level, infrastructure level).

• Read Guidance on Disclosures Outside Canada for more help answering questions in Part 3 and 4

This question is about how you will know if the sensitive personal information is accessed, including access by service providers. The answer should include a description of what information is available through logs and how the ministry will access logs (e.g. in real-time or by request).

• Read Guidance on Disclosures Outside Canada for more help answering questions in Part 3 and 4

Use the table to indicate the privacy risks, potential impacts and likelihood of occurrence and level of privacy risk. For each privacy risk identified, describe a privacy risk response that is proportionate to the level of risk posed. This may include reference to measures to protect the sensitive personal information (contractual, technical, security, administrative and/or policy measures) that you outlined in previous questions.

• Read Guidance on Disclosures Outside Canada for more help answering questions in Part 3 and 4

A digital tool, database or information system may leave personal information exposed or otherwise vulnerable to security threats. Security assessments are used on information systems and other digital tools to assess and document security risks, risk ratings and planned risk responses. An in-depth security assessment known as a STRA (Security Threat and Risk Assessment) results in a document called the statement of acceptable risk.

• Learn more about STRAs and when they’re required

Your Ministry Information Security Officer (MISO) can answer general questions on keeping information secure in your ministry. Contact your MISO if you need help determining good security practices for your initiative and if you need to conduct a security assessment.

If you expect to complete a security assessment during the development of your initiative, you do not have to answer the questions about technical security on the PIA template.

• Read the reasonable security rule in FOIPPA

This question is to identify how you reduce the risk that you store personal information in a computer system or physical location where unauthorized access can happen.

Technical records are records that are stored electronically, including but not limited to records stored:

• In a database
• On a LAN (local area network)
• On a hard drive
• On a mobile device or laptop

Technical security includes any digital or electronic system set up to keep your records secure, including:

• Using government firewalls
• Encrypting personal information before it is stored or transferred
• Relying on how your cloud service provider protects information in the cloud
• Using passwords to protect digital files and laptops

If your records are not stored on government servers, use this question to list technical security on the system where records are stored.

Physical records include but are not limited to:

• Paper records
• Film or video
• Photographs
• Audio recordings
• Maps

Physical security is anything you do to keep physical records safe and secure, including:

• Locking filing cabinets and rooms
• Having security guards that patrol the building
• Restricting access to rooms or buildings where information is stored
• Using alarm systems in the building or room where information is stored

If your physical records are not kept in government buildings with standard government security, use this question to list the physical security in the building and rooms in which records are kept.

This question identifies how you reduce the risk of unauthorized access to personal information.

To effectively protect privacy, access to personal information should be limited to employees who need the information to do their jobs. It is never appropriate to access another person’s information without legal authority, including accessing one’s own information or information on behalf of a friend or relative.

If you have methods for controlling and tracking access to personal information that are not listed in the table, add your methods to the list.

It is your responsibility to make sure that the personal information you collect, store, use and disclose is accurate and complete, especially if the information will be used to make a decision that affects an individual. Ways to make sure personal information is accurate and complete include verifying the information with the person it is about prior to recording it.

Question 22 is made up of three parts and is designed to help you ensure that you’re following your obligations under FOIPPA section 29.

FOIPPA section 29 states that a person can ask you to correct any of their personal information in your custody or control. If you cannot correct the record itself, you must make a note on the record (annotate the record). If you've disclosed the personal information to any other public body or third party in the last year, you must also notify them of any corrections you make.

Think about whether you use personal information in your initiative to make a decision about an individual. Examples of using personal information to make decisions include but are not limited to:

• Using a person's date of birth or income to decide whether a person qualifies for a benefit
• Using a person's employment history to decide whether they can move forward in a job competition
• Using a person's health information to decide the level and type of care they receive

Keeping information for one year after it is used to make a decision that affects an individual is the minimum requirement under FOIPPA. You may have other operational or administrative requirements that dictate how long records must be kept and when they must be disposed of. It’s important to maintain the records in your initiative according to an approved records schedule so that you comply with both FOIPPA and for ministries, the Information Management Act.

You can search for approved information schedules in the ARCS and ORCS libraries. If you're not sure whether your program area has an approved information schedule or if you want help creating one, contact your Government Records Officer.

The Information Management Act requires that you dispose of government information only in accordance with an approved information schedule or with the approval of the Chief Records Officer.

A personal information bank is a collection of personal information that is organized or searchable by the name of the individual or an identifying number, symbol or other identifier. A personal information bank can be a simple list of personal information. Personal information banks contain personal information that is:

• Linked to an identifiable individual
• Organized and capable of being retrieved by a personal identifier
• Normally compiled for a single purpose

Briefly describe your personal information bank and the ministries and organizations involved. The information you provide will be used to update the Personal Information Directory.

This question is to identify any risks that have not been contemplated by the other questions on the PIA template. Your MPO may be able to help you identify any additional risks. For each risk, identify how you will manage, mitigate or otherwise reduce the likelihood that the risk will occur or reduce the impact of the risk.

After you submit your PIA, you MPO may identify additional risks during their review. Your MPO will enter the risks into this table or request that you enter them. Your MPO will ask you to identify a risk reduction strategy for each additional risk.

• Work with your MPO to make sure the PIA is complete
• Determine whether you or your MPO will submit the PIA to the Privacy, Compliance and Training Branch (PCT)
• Submit the PIA to PIA.Intake@gov.bc.ca for review

PCT will assign a privacy advisor to review the PIA. The privacy advisor may determine that your PIA should be submitted to the Office of the Information and Privacy Commissioner for review and comment. The privacy advisor will create a summary of their review, sign the PIA and return it to you for signatures.

• Get signatures from your program area manager and your Assistant Deputy Minister (if the project involves personal information) or your Executive Director (if there is no personal information in your project)
• Get your Ministry Information Security Officer's (MISO) signature if the MISO reviewed or contributed to your PIA.

After everyone has signed, return the PIA to PCT. Your privacy advisor will list the PIA in the Personal Information Directory (PID).

You have completed your PIA and may start your project.

If at any stage you change how you collect, use, store or share personal information, complete an initiative update PIA.