Guidance for Privacy Impact Assessments

Last updated on January 9, 2023

Use this guidance to help you complete a privacy impact assessment (PIA) if you're starting a new system, project, program or activity ("initiative") in the B.C. government or the broader public sector.

If you're in the broader public sector, skip question 14 of the guidance as that question applies to ministries only.

Download the PIA template for ministries (Word, 64 KB) or non-ministry public bodies (Word, 51 KB). Read it over to get acquainted with the questions.

How to Use These Guidelines

The guidance contains 26 questions in 8 parts to mirror the PIA template layout. The guidance offers examples and prompts for thinking through how you can reduce risk and protect privacy in your project. 

You can expect to take several hours or a few days to answer all of the questions on the template, depending on:

  • The complexity of your project
  • The type of information you're collecting, where it's stored and who you share it with

Read more about the PIA review process and principles for protecting privacy (MS Word).

Part 1 - General Information

Part 1 asks general questions about your project and the subject of this PIA. Answer in detail.

 

Question 1 - What is the initiative?

Answer the who, what, where, when, why and how of your initiative. Describe the initiative in full, including:

  • What is the initiative
  • Who is leading the initiative and who else is involved, including partners and stakeholders in and outside government
  • Where will the initiative take place? For example,
    • Does the work happen online, in person, or both
    • Will there be public events
    • Will you hold meetings over the phone, face-to-face, or online
  • When will the initiative take place?
    • Is this a one-time event
    • Will the initiative go on for a short time or for the foreseeable future
    • Do you have an end date planned
  • Why are you doing the initiative?
    • What need does the initiative meet
  • How will you carry out the initiative? For example,
    • Are you collaborating with another ministry over Microsoft Teams or other collaboration software
    • Are you emailing surveys to randomly chosen participants
    • Are you holding a public meeting
 

Question 2 - What is the scope of the PIA?

Think about how you described your initiative in question 1. In this PIA, are you assessing the whole initiative or just part of it?

Describe how much of the initiative you will assess in this PIA. For example, this PIA might focus on phases 1 to 3 of the initiative, or this PIA might focus on building a database but not using the database.

 

Question 3 - What are the data or information elements involved in your initiative?

Question 3 is about what type of information you'll use in the initiative, especially personal information. Personal information or data can include identifiers like:

  • Name
  • Professional number (e.g. medical billing number, registered biologist number)
  • Contact information, including home address
  • Social Insurance Number
  • Licence information (e.g. driver's licence number, hunting licence information)
  • Personal Health Number

Think about the information you'll collect, use, store or share as part of your initiative and list it here. A major part of the PIA process is to make sure that you have authority under the Freedom of Information and Protection of Privacy Act (FOIPPA) to collect, use, store and disclose each of these pieces of information. Limit your collection of personal information to only what is necessary to complete the initiative.

Learn more about privacy principles (MS Word) for protecting personal information.

 

Question 3.1 - Did you list personal information in question 3?

Personal information is any recorded information about an identifiable individual other than contact information. Personal information includes information that can be used to identify an individual through association or inference.

In addition to the unique identifiers discussed in question 3 above, personal information can include information that describes an individual or group, such as:

  • Race or ethnicity
  • Marital status
  • Gender identity or sexual orientation
  • Religious or political affiliation
  • Income level

If you do have personal information involved in your initiative, talk to your MPO so they can help you make sure you have legal authority to collect, use, disclose or store personal information. You must have a specific purpose and authority under FOIPPA to collect each element of personal information as part of your initiative. Your MPO can also advise on limiting the collection of personal information and otherwise reducing risks to privacy in your initiative.

If you do not use personal information in your initiative:

  • Go ahead to question 4 and answer it as best you can
  • Contact your MPO. Your MPO will review your PIA or submit the PIA to Privacy, Compliance and Training Branch (PCT) at PIA.Intake@gov.bc.ca for review
 

Question 4 - How will you reduce the risk of unintentionally collecting personal information?

Some initiatives that do not require personal information are at risk of collecting personal information inadvertently, which could result in an information incident (or privacy breach).

To answer this question, think about how you’ve designed your initiative to reduce the risk of collecting personal information. For example, if you are collecting opinions as part of a public engagement strategy, participants may offer personal information about themselves or others, even though you've instructed them not to. If you do inadvertently receive or collect personal information, what steps will you take to:

  • Destroy it
  • Return it
  • Transfer it to the correct recipient

FOIPPA section 27.1 describes under what circumstances personal information is considered not collected, despite you having received it. As long as you do nothing with the personal information you receive other than read and delete or return it, or transfer it to the appropriate public body, you have not collected the information according to FOIPPA. However, if you take any other action, including storing the information or using it in your own work, under FOIPPA you have collected personal information without authorization and that is considered a privacy breach.

 

If your initiative does not involve personal information and you have completed Part 1 of the template, you can submit your PIA to your MPO now. You're done!

Part 2 - Collection, Use and Disclosure

Part 2 asks questions designed to help you think through the risks involved in collecting, using, storing and disclosing personal information, and how you can manage those risks. Remember that personal information always belongs to the person the information is about. When you collect or use personal information, you must keep it safe, use it only for the stated purpose, and restrict unauthorized access.

 

Question 5 - Collection, Use and Disclosure

This exercise identifies how you reduce the risk that your initiative collects, uses or shares personal information in a way that is not authorized by FOIPPA.

For question 5, you need the list of personal information you identified in question 3. Break down the processes into single steps and think about how information moves through your project. Your MPO will help you figure out whether each step represents a collection, use or disclosure of personal information, and whether you have legal authority under FOIPPA for the way you’re working with personal information. At each step, include the role or title of the person involved and whether any partners external to government are involved.

Use the table to list the steps. You can organize your information into a diagram if you prefer.

Including a 'roles and responsibilities' table may be helpful if contractors are involved in your initiative to explain who does what and whether they are internal or external to government.

Limit Collection

As you work through the description of the information flows, consider whether each element of personal information is necessary for delivering your initiative, or whether you could collect less personal information without risking the success and efficacy of your initiative. Limiting the amount of personal information you collect is one of the 10 internationally recognized privacy principles.

Collect only the information you need for your initiative to work. Collecting more personal information than you need to do your work may lead to a privacy breach.

 

Question 6 - Collection Notice

Under FOIPPA section 27(2), you must notify individuals when you collect their personal information directly from them.  

Whenever possible, position your collection notice so that people read it or hear it before they are asked for their information. For example, you can include a collection notice as part of the preamble to an online form or read it over the phone before you begin asking for information. If it’s not possible to put your collection notice at the top, position it where people have the best possible chance of hearing or reading it before giving their information so that they understand how you’ll use their information.

When you collect information from people, you must tell them:

  • Your purpose for collecting personal information
  • Your legal authority under FOIPPA or other legislation for collecting personal information
  • Contact information for a person in the public body who can answer questions about why you're collecting personal information, how it's used and how people can update or correct their information

You can edit the following sample collection notice to suit your initiative.

We are collecting your personal information to [purpose]. If you have questions about our collection of your information, please contact us at [contact information].

We are collecting your personal information under section [e.g. 26(c)] of the Freedom of Information and Protection of Privacy Act.

Attach your collection notice to the PIA template directly under question 6 or as an appendix.

Read the collection notice guidance for more information.

You may not need a collection notice if:

  • You collect personal information indirectly, meaning you get the information from another public body and not from the individual who owns the information
  • You collect personal information for law enforcement
  • You collect information by observing a person at a public event

FOIPPA section 27(3) and (4) tells you more about when you do not need a collection notice. If you determine that you do not need a collection notice, explain why.

 

Part 3 - Storing Personal Information

 

Question 7 - Is any personal information stored outside of Canada?

This question helps identify whether you are storing personal information outside of Canada. If the answer is yes, you may have to complete Part 4 – Assessment of Disclosures Outside of Canada, depending on your answer to the remaining questions in Part 3.

 

Question 8 - Where are you storing the personal information involved in your initiative?

You were directed to this question because you indicated that the personal information in your initiative is stored outside of Canada. Be specific about the location where the personal information is stored. 

 

Question 9 - Does your initiative involve sensitive personal information?

This question helps identify if your initiative involves sensitive personal information. If the answer is yes and you are storing sensitive personal information outside of Canada, you may have to complete Part 4 – Assessment of Disclosures Outside of Canada.

Whether personal information is sensitive can depend on context, including where and how the information is stored. The answer to question 9 depends on the context of your initiative.

For example, the make and model of the car you drive is personal information, but you might not consider it sensitive. However, if information about your car is stored in an online database that includes your address and is accessible by anyone, you probably want to make sure the information is adequately protected and secure.

If you’re not sure whether the personal information in your initiative is sensitive, ask your MPO for help or call the Privacy and Access Helpline at 250 356-1821 or email Privacy.Helpline@gov.bc.ca.

 

Question 10 - Is the sensitive personal information being disclosed outside of Canada under FOIPPA section 33(2)(f)?

FOIPPA section 33(2)(f) authorizes a public body to disclose personal information if the information is made available to the public under an enactment that authorizes or requires the information to be made public.

If you are using section 33(2)(f) as your authority under FOIPPA for disclosing personal information outside of Canada, make sure that the authority is listed in the personal information flow table with reference to the other legislation that applies. You do not need to complete Part 4 of the template. Skip ahead to Part 5: Security of Personal Information.

 

Part 4 - Assessment for Disclosures Outside of Canada

You must complete this section if you are disclosing sensitive personal information to be stored outside of Canada. You will likely need help from your MPO to complete this section.

 

Question 11 - Is the sensitive personal information stored by a service provider?

In the table in the PIA template, you will capture the names of the service providers and where and how the sensitive personal information is being stored.

If you are using a cloud solution, there may be multiple cloud service providers involved in your initiative. Cloud solutions are typically considered to be made up of a ‘stack’ of infrastructure (IaaS), platform (PaaS) and/or software (SaaS) that might be operated by the same or different cloud service providers. For example, Software as a Service (SaaS) providers often offer services built on infrastructure (IaaS or Infrastructure as a Service) offered by a different cloud service provider.

 

Question 12 - Provide details on the disclosure, including where and how the personal information is stored

Your answer should reference the location and method of storing the personal information (e.g. location of data: Atlanta, GA, USA; method of storing data in Atlanta, GA, USA: specify that the information is stored in a data storage facility). If question 11 doesn’t apply to your initiative, answer question 12 and be specific about where and how the sensitive personal information is stored.

 

Question 13 - Describe the contractual terms in place (if applicable).

Here you will describe what type of contract you rely on for your initiative (if applicable). For example, you might be contracting a cloud-based service specifically for your initiative, or you might be using an enterprise offering.

 

Question 14 - Are you relying on an existing contract, such as an enterprise offering from the Office of the Chief Information Officer (OCIO)?

Check with the person responsible for the contract(s) involved in your initiative if you're not sure whether you're using an enterprise offering. There may be a corporate PIA or other information to help you.

 

Question 14.1 - Which enterprise service are you accessing?

A PIA may have been completed on the service you’re using that will help to inform your risk assessment. Call the Privacy and Access Helpline at 250 356‑1851 or email Privacy.Helpline@gov.bc.ca to find out whether there is a corporate PIA for this service.

 

Question 15 - What controls are in place to prevent unauthorized access to sensitive personal information?

This question is about the controls you have in place to protect against unauthorized collection, use, disclosure or storage of sensitive personal information, including controls that prevent or manage access to it. The controls you describe here will help to inform your answers in the table in question 17.

Describe technical, security, administrative and/or policy measures (e.g. the access controls that protect the sensitive personal information). If you are using a cloud-based service provider, include a description of controls at each layer in the stack (software level, platform level, infrastructure level).

 

Question 16 - Please provide details about how you will track access to sensitive personal information

This question is about how you will know if the sensitive personal information is accessed, including access by service providers. The answer should include a description of what information is available through logs and how the ministry will access logs (e.g. in real-time or by request).

 

Question 17 - Describe the privacy risks for disclosures outside of Canada

Use the table to indicate the privacy risks, potential impacts, likelihood of occurrence and level of privacy risk. For each privacy risk identified, describe a privacy risk response that is proportionate to the level of risk posed. This may include reference to measures to protect the sensitive personal information (contractual, technical, security, administrative and/or policy measures) that you outlined in previous questions.

 

Part 5 - Security of Personal Information

Part 5 asks questions about how you'll protect personal information using physical and technical security. People, organizations and governments outside of your initiative should not be able to access the personal information you collect, use, store or disclose. You need to make sure that the personal information is safely secured in both physical and technical environments.

 

Question 18 - Does your initiative involve a digital tool, database or information system?

A digital tool, database or information system may leave personal information exposed or otherwise vulnerable to security threats. Security assessments are used on information systems and other digital tools to assess and document security risks, risk ratings and planned risk responses. An in-depth security assessment known as a STRA (Security Threat and Risk Assessment) results in a document called the statement of acceptable risk.

Your Ministry Information Security Officer (MISO) can answer general questions on keeping information secure in your ministry. Contact your MISO if you need help determining good security practices for your initiative and if you need to conduct a security assessment.

 

Question 18.1 - Do you or will you have a security assessment to help you ensure the initiative meets the reasonable security requirements of FOIPPA section 30?

If you expect to complete a security assessment during the development of your initiative, you do not have to answer the questions about technical security on the PIA template.

 

Question 19 - Are all digital records stored on government servers and are all physical records stored in government offices with government security?

This question is to identify how you reduce the risk that you store personal information in a computer system or physical location where unauthorized access can happen.

Technical records are records that are stored electronically, including but not limited to records stored:

  • In a database
  • On a LAN (local area network)
  • On a hard drive
  • On a mobile device or laptop

Technical security includes any digital or electronic system set up to keep your records secure, including:

  • Using government firewalls
  • Encrypting personal information before it is stored or transferred
  • Relying on how your cloud service provider protects information in the cloud
  • Using passwords to protect digital files and laptops

If your records are not stored on government servers, use this question to list technical security on the system where records are stored.

Physical records include but are not limited to:

  • Paper records
  • Film or video
  • Photographs
  • Audio recordings
  • Maps

Physical security is anything you do to keep physical records safe and secure, including:

  • Locking filing cabinets and rooms
  • Having security guards that patrol the building
  • Restricting access to rooms or buildings where information is stored
  • Using alarm systems in the building or room where information is stored

If your physical records are not kept in government buildings with standard government security, use this question to list the physical security in the building and rooms in which records are kept.

 

Question 20 - Controlling and Tracking Access

This question identifies how you reduce the risk of unauthorized access to personal information.

To effectively protect privacy, access to personal information should be limited to employees who need the information to do their jobs. It is never appropriate to access another person’s information without legal authority, including accessing one’s own information or information on behalf of a friend or relative.

If you have methods for controlling and tracking access to personal information that are not listed in the table, add your methods to the list.

 

Part 6 - Accuracy, Correction and Retention

Part 6 is about making sure that you make a reasonable effort to ensure the personal information you have on file is accurate and complete.

 

Question 21 - How will you make sure that the personal information is accurate and complete?

It is your responsibility to make sure that the personal information you collect, store, use and disclose is accurate and complete, especially if the information will be used to make a decision that affects an individual. Ways to make sure personal information is accurate and complete include verifying the information with the person it is about prior to recording it.

 

Question 22 - Requests for Correction

Question 22 is made up of three parts and is designed to help you ensure that you’re following your obligations under FOIPPA section 29.

FOIPPA section 29 states that a person can ask you to correct any of their personal information in your custody or control. If you cannot correct the record itself, you must make a note on the record (annotate the record). If you've disclosed the personal information to any other public body or third party in the last year, you must also notify them of any corrections you make.

 

Question 23 - Does your initiative use personal information to make decisions that directly affect an individual?

Think about whether you use personal information in your initiative to make a decision about an individual. Examples of using personal information to make decisions include but are not limited to:

  • Using a person's date of birth or income to decide whether a person qualifies for a benefit
  • Using a person's employment history to decide whether they can move forward in a job competition
  • Using a person's health information to decide the level and type of care they receive
 

Question 24 - Do you have an approved information schedule in place related to personal information used to make decisions?

Keeping information for one year after it is used to make a decision that affects an individual is the minimum requirement under FOIPPA. You may have other operational or administrative requirements that dictate how long records must be kept and when they must be disposed of. It’s important to maintain the records in your initiative according to an approved records schedule so that you comply with both FOIPPA and, for ministries, the Information Management Act.

You can search for approved information schedules in the ARCS and ORCS libraries. If you're not sure whether your program area has an approved information schedule or if you want help creating one, contact your Government Records Officer.

The Information Management Act requires that you dispose of government information only in accordance with an approved information schedule or with the approval of the Chief Records Officer.

 

Part 7 - Personal Information Banks

A personal information bank (PIB) is a collection of personal information searchable by name or unique identifier.

 

Question 25 - Will your initiative result in a personal information bank?

A personal information bank is a collection of personal information that is organized or searchable by the name of the individual or an identifying number, symbol or other identifier. A personal information bank can be a simple list of personal information. Personal information banks contain personal information that is:

  • Linked to an identifiable individual
  • Organized and capable of being retrieved by a personal identifier
  • Normally compiled for a single purpose

Briefly describe your personal information bank and the ministries and organizations involved. The information you provide will be used to update the Personal Information Directory.

 

Part 8 - Additional Risks

In Part 8, consider whether there are additional risks to personal information in your initiative that have not been addressed by the other questions in the template.

 

Question 26 - Additional Risks

This question is to identify any risks that have not been contemplated by the other questions on the PIA template. Your MPO may be able to help you identify any additional risks. For each risk, identify how you will manage, mitigate or otherwise reduce the likelihood that the risk will occur or reduce the impact of the risk.

After you submit your PIA, your MPO may identify additional risks during their review. Your MPO will enter the risks into this table or request that you enter them. Your MPO will ask you to identify a risk reduction strategy for each additional risk.

 

Part 9 - Signatures and Summary

 

Final Steps

  • Work with your MPO to make sure the PIA is complete
  • Determine whether you or your MPO will submit the PIA to the Privacy, Compliance and Training Branch (PCT)
  • Submit the PIA to PIA.Intake@gov.bc.ca for review

PCT will assign a privacy advisor to review the PIA. The privacy advisor may determine that your PIA should be submitted to the Office of the Information and Privacy Commissioner for review and comment. The privacy advisor will create a summary of their review, sign the PIA and return it to you for signatures.

  • Get signatures from your program area manager and your Assistant Deputy Minister (if the project involves personal information) or your Executive Director (if there is no personal information in your project)
  • Get your Ministry Information Security Officer's (MISO) signature if the MISO reviewed or contributed to your PIA.

After everyone has signed, return the PIA to PCT. Your privacy advisor will list the PIA in the Personal Information Directory (PID).

You have completed your PIA and may start your project.

If at any stage you change how you collect, use, store or share personal information, complete an initiative update PIA.