Privacy as a process: Streamlining the Privacy Impact Assessment
Context and questions
British Columbia has strict laws governing the collection and protection of citizen’s private information. Government ministries and other public bodies must collect, use, disclose, store and dispose of personal information appropriately to protect personal privacy.
A Privacy Impact Assessment (PIA) is completed before the start of every new program or policy initiative. The PIA is a process that helps evaluate and manage privacy impacts and ensure compliance with privacy protection obligations.
Completing a PIA is a legislative requirement. To meet the requirement, the Privacy, Compliance and Training Branch (PCT) must review each PIA submission. In 2010, PCT received 125 submissions. In 2018, they received 950. Over that time, submissions have become more complex. The key users of the PIA service - Ministry Privacy Officers and ministry program staff, as well as PCT - are looking to streamline the privacy assessment process.
The Privacy, Compliance and Training Branch worked through a service design process to understand the needs and expectations of users and stakeholders and improve the PIA process.
Working together, the Service Design Team and PCT staff approached the project in three distinct phases.
- Desk and field research. The team completed a jurisdictional scan to understand how other public bodies were completing privacy assessments. Next, they created a stakeholder interview plan. Interview subjects included ministry service partners and privacy experts.
- Zeroing in on opportunities. Research interviews revealed many challenges and opportunities the team could pursue. An in-depth workshop helped the team zero in on an approach— reimagine PIAs through process-level changes.
- Co-designing a future vision. The team brought staff together from the PCT head office and privacy officers from ministries to design together. The co-design sessions focused on aligning staff to shared service principles. Working from the principles, the team then identified supports and alternate processes to improve the PIA process.
Outcomes that matter
Bringing the team together. A visioning exercise with key participants in the PIA process gave everyone an opportunity to express frustrations, settle misunderstandings, and agree on a joint direction for moving forward. And the shared service principles gave PCT staff the confidence and support to move forward with making changes to the PIA process.
A clear north star. With a detailed future state service map in hand, PCT staff are well-equipped to implement changes and they know what resources are required to truly make those changes a reality.
Thinking like a user. The PCT staff participated in user research and workshops throughout the service design process. These activities put the user at the centre and highlighted how PCT staff can continue to look at their service from start to finish and make decisions with their users in mind.