Protecting the privacy of personal information is a legislative requirement.
Privacy Impact Assessment (PIA) (Mandatory)
A Privacy Impact Assessment (PIA) is completed to ensure a system, and the activities involved with a system, are in compliance with the Freedom of Information and Protection of Privacy Act (FOIPPA). More specifically, a PIA is used to assess the collection, use, disclosure, storage, protection, accuracy, and retention of personal information, and ensure it is in compliance with FOIPPA.
Section 69 (5) of FOIPPA requires you to conduct a PIA. You need a PIA to determine whether your project involves personal information, and if so, how you'll protect the information. A PIA must be completed for any new system, application or tool. In addition, if a system, application or tool is to be changed, a new PIA will need to be submitted to outline the specific changes occurring to the system, application or tool.
A PIA should be drafted by a product owner, project manager, or another individual with a strong understanding of the information and activities involved with their system.
An example of the PIA workflow for the NRM SDLC:
A draft PIA is started during the Initiation Phase to identify potential risks and impacts of collecting, using, and disclosing personal information. A final PIA is required in the Design Phase and must be in place before a system moves to the Production environment through the Change Management process.
Ultimately, a PIA should be completed prior to moving a system to a production environment. Each project is unique and not all follow the same methodology to deliver, so the above workflow may not apply in all cases. For assistance with completing a PIA, or to submit a PIA for review, please contact the natural resource ministry (NRM) Information Privacy team.
*See Part 3 of FOIPPA for more information on the collection, use, disclosure, storage, protection, accuracy and retention of personal information.
A Privacy Impact Assessment is mandatory for all project complexity levels.
Please contact us via email for any inquiries related to the SDLC.