

PIAs

The FOIP Act provides the authority for the Information and Privacy Commissioner to comment on the implications for freedom of information or for protection of privacy of proposed legislative schemes or programs of public bodies. Privacy impact assessments are not mandatory under the FOIP Act, but are recommended for major projects that involve the collection, use or disclosure of personal information.

The HIA requires that the Information and Privacy Commissioner receive a privacy impact assessment for review and comment before a custodian implements proposed administrative practices and information systems relating to the collection, use or disclosure of individually identifying health information. Privacy impact assessments are mandatory under the HIA if the project fits the foregoing definition.

The Office of the Information and Privacy Commissioner has developed a Privacy Impact Assessment (PIA) process to assist organizations in reviewing the impact that a new project may have on individual privacy. The process is designed so that the public body or custodian evaluates the program or scheme to ensure compliance with the FOIP Act or HIA.

The PIA process requires a thorough analysis of potential impacts on privacy and a consideration of measures to mitigate or eliminate any such impacts. The privacy impact assessment is a due diligence exercise, in which the organization identifies and addresses potential privacy risks that may occur in the course of its operations.

While PIAs are focussed on specific projects, the process should also include an examination of organization-wide practices that could have an impact on privacy. Organizational privacy policy and procedures, or the lack of them, can be significant factors in the ability of the organization to ensure that privacy-protecting measures are available for specific projects.

Because the onus always remains on the organization to ensure adequate levels of privacy protection, as required in the applicable legislation, the Commissioner will not "approve" a PIA submitted to him by an organization. Once satisfied that the organization has addressed the relevant considerations and is committed to the provision of the necessary level of privacy protection, the Commissioner will "accept" the PIA. Acceptance is not approval; it merely reflects the Commissioner's acceptance that the organization has made reasonable efforts to protect privacy. A PIA cannot be used to obtain a waiver of, or relaxation from, any requirement of the relevant legislation.

Physician Office System Program PIA listings

Alberta Netcare PIA listings 

PPMI PIA Listings