NRM SDLC - Privacy

Last updated on December 20, 2023

Protecting the privacy of personal information is a legislative requirement.

Privacy Impact Assessment (PIA) (Mandatory)

A Privacy Impact Assessment (PIA) is completed to ensure a system, and the activities involved with a system, are in compliance with the Freedom of Information and Protection of Privacy Act (FOIPPA). More specifically, a PIA is used to assess the collection, use, disclosure, storage, protection, accuracy, and retention of personal information, and ensure it is in compliance with FOIPPA.

Standards/Guidelines

Section 69 (5) of FOIPPA requires you to conduct a PIA. You need a PIA to determine whether your project involves personal information, and if so, how you'll protect the information. A PIA must be completed for any new system, application or tool. In addition, if a system, application or tool is to be changed, a new PIA will need to be submitted to outline the specific changes occurring to the system, application or tool.

A PIA should be drafted by a product owner, project manager, or another individual with a strong understanding of the information and activities involved with their system.

An example of the PIA workflow for the NRM SDLC:

  • Initiation Phase: PIA initiated
  • Requirements Phase: PIA refined further
  • Design Phase: PIA is finalized and ready for signatures by phase end
  • Test Phase: PIA is fully signed before moving to the Deployment and Implementation Phase

A draft PIA is started during the Initiation Phase to identify potential risks and impacts of collecting, using, and disclosing personal information. A final PIA is required in the Design Phase and is a requirement for moving to the production environment through the Change Management process.

Ultimately, a PIA should be completed prior to moving a system to a production environment. Each project is unique and not all follow the same methodology to deliver, so the above workflow may not apply in all cases. For assistance with completing a PIA, or to submit a PIA for review, please contact the natural resource ministry (NRM) Information Privacy team.

Supporting Documentation

*See Part 3 of FOIPPA for more information on the collection, use, disclosure, storage, protection, accuracy and retention of personal information.

Deliverable Requisite

A Privacy Impact Assessment is mandatory for all project complexity levels.

Contact information

Please contact us via email for any inquiries related to the SDLC.

NRIDS Standards Enquiries
NRIDS.Standards@gov.bc.ca