Privacy Impact Assessment Process (PIA)


Background Information

Format

What is Personal Information?

Do I need to complete a PIA?

Consultations with Privacy Experts on Specific Questions

PIA Form 


PRIVACY IMPACT ASSESSMENT

  • Basic Information
  • Descriptive Information
  • Personal Information Collection
    (1) Authorization for Collection
    (2) How will the personal information be collected?
    (3) Notification to collect information
  • Use of Personal Information
  • Disclosure of Personal Information
  • Accuracy and Correction of Personal Information
  • Security Arrangements for the Protection of Personal Information
  • Retention of Personal Information
  • Director/Manager of Information and Privacy (DMIP) or FOIPP Coordinator Review
  • Signatures

- To initiate new PIA form click here.


BACKGROUND

This PIA replaces all previous versions of the GMOP PIA as well as the OIPC form dated December 1998.  It should be noted that the completion of a PIA by a public body does not preclude the OIPC from investigating a complaint or commenting on a matter covered by the PIA or the PIA itself.

In order to provide a wide range of public services, government collects and maintains personal information of British Columbians. Government must manage this personal information in accordance with the legislative requirements of the Freedom of Information and Protection of Privacy Act (FOIPP Act). If a public body is developing a program, legislation, system, or any other initiative that involves personal information, the privacy protection provisions of the FOIPP Act apply. Individual public bodies are responsible for the personal information in their custody or under their control, even if the personal information is in the custody of arm's-length service providers or contractors.  In all government initiatives, privacy protection should be seen as a design objective, not an obstacle to overcome.

A Privacy Impact Assessment (PIA) is a foundation tool/process designed to ensure compliance with government’s privacy protection responsibilities.  In accordance with section 69(5) of the FOIPP Act, ministries must complete a PIA using the PIA form. The PIA is intended to support government business objectives, including electronic government initiatives. If used as part of normal business processes, the PIA can ensure that privacy requirements are identified and satisfied in a timely and cost-efficient manner. The PIA can make the difference between a privacy-invasive and a privacy-enhancing initiative, without compromising business objectives or adding significant costs. The PIA process is also designed as an educational tool, since participation in privacy impact assessments promotes privacy awareness.  It is important that a PIA be completed during the early developmental stages of any program, system or other initiative as a component of the project/business plan.

For further guidance on privacy principles upon which to base day-to-day decisions regarding the management of personal information in ministry program areas, please refer to the Guide to Good Privacy Practices.



FORMAT

This PIA can be completed in MS Word format.  For more information about the completion of a Privacy Impact Assessment, consult the IM/IT Privacy and Legislation Branch, your FOIPP Coordinator, or your ministry's Director or Manager of Information and Privacy (DMIP).



WHAT IS PERSONAL INFORMATION?

The FOIPP Act provides a simple but very broad definition of personal information: “recorded information about an identifiable individual” other than contact information. It is important to note that personal information includes information that can be linked back to or can identify a specific individual through association or inference. For example, generic information about an individual (e.g., ethnic origin) could be linked to one or more individuals if they lived in a small town with a limited number of people with that ethnic background.

The following is a non-exhaustive list of examples of personal information:

  • the individual’s name, address or telephone number;
  • the individual’s race, national or ethnic origin, colour or religious beliefs or associations;
  • the individual’s age, sex, sexual orientation, marital status or family status;
  • an identifying number, symbol or other particular assigned to the individual;
  • the individual’s fingerprints, blood type or inheritable characteristics;
  • information about the individual’s health care history, including a physical or mental disability;
  • information about the individual’s educational, financial, criminal or employment history;
  • anyone else’s opinions about the individual; and,
  • the individual’s personal views or opinions, except if they are about someone else. 



DO I NEED TO COMPLETE A PIA?

A PIA needs to be completed for all new initiatives. If you determine that there is no personal information being collected, used or disclosed, you should document that you have reviewed the initiative and have made this determination by completing Section 1 below, Basic Information. This is the only section of the PIA that should be completed if the initiative contains no personal information and sign-off is not required.

Please note that personal information can be collected directly from an individual or indirectly from another source (more questions on this issue will be provided later).



CONSULTATIONS WITH PRIVACY EXPERTS ON SPECIFIC QUESTIONS

Even though the revised PIA has been designed with a view to being completed, at least in part, by program staff, there are a number of questions in the PIA where consultations with privacy experts are recommended if not required.  These questions have been designated with an asterisk in the margin. 
