NRM SDLC - Privacy

Last updated on December 20, 2023

Protecting the privacy of personal information is a legislative requirement.

Privacy Impact Assessment (PIA) (Mandatory)

A Privacy Impact Assessment (PIA) is completed to ensure a system, and the activities involved with a system, are in compliance with the Freedom of Information and Protection of Privacy Act (FOIPPA). More specifically, a PIA is used to assess the collection, use, disclosure, storage, protection, accuracy, and retention of personal information, and ensure it is in compliance with FOIPPA.

Standards/Guidelines

Section 69 (5) of FOIPPA requires you to conduct a PIA. You need a PIA to determine whether your project involves personal information, and if so, how you'll protect the information. A PIA must be completed for any new system, application or tool. In addition, if a system, application or tool is to be changed, a new PIA will need to be submitted to outline the specific changes occurring to the system, application or tool.

A PIA should be drafted by a product owner, project manager, or another individual with a strong understanding of the information and activities involved with their system.

An example of the PIA workflow for the NRM SDLC:

Initiation Phase: PIA initiated
Requirements Phase: PIA refined further
Design Phase: PIA is finalized and ready for signatures by phase end
Test Phase: PIA is fully signed before Moving to Deployment and Implementation Phase

A draft PIA is started during the Initiation Phase to identify potential risks and impacts of collecting, using, and disclosing personal information. A final PIA is required in the Design phase and is a requirement to move to the Production environment through the Change Management process.

Ultimately, a PIA should be completed prior to moving a system to a production environment. Each project is unique and not all follow the same methodology to deliver, so the above workflow may not apply in all cases. For assistance with completing a PIA, or to submit a PIA for review, please contact the natural resource ministry (NRM) Information Privacy team.

Supporting Documentation

*See Part 3 of FOIPPA for more information on the collection, use, disclosure, storage, protection, accuracy and retention of personal information.

Deliverable Requisite

A Privacy Impact Assessment is mandatory for all project complexity levels.

Useful Links

NRS Standards and Templates Inventory

Contact information

Please contact us via email for any inquiries related to the SDLC.

NRIDS Standards Enquiries
NRIDS.Standards@gov.bc.ca

Did you find what you were looking for?

The B.C. Public Service acknowledges the territories of First Nations around B.C. and is grateful to carry out our work on these lands. We acknowledge the rights, interests, priorities, and concerns of all Indigenous Peoples - First Nations, Métis, and Inuit - respecting and acknowledging their distinct cultures, histories, rights, laws, and governments.

More topics

NRM SDLC - Privacy

Standards/Guidelines

Supporting Documentation

Deliverable Requisite

Contact information