Privacy Impact Assessments
A privacy impact assessment (PIA) is a series of questions or a checklist designed to help a board of education assess its compliance with the privacy requirements of LAFOIP (view the PIA checklist and worksheet).
The use of a PIA is not required by legislation, but is recognized as an effective way for an organization to determine whether or not it is complying with legislative requirements. It can be a learning tool for those involved in a project who might not otherwise consider the privacy implications of what they are doing.
Conducting a PIA is also a good opportunity for a board to show that it is taking reasonable efforts to meet its legislative responsibilities.
The PIA can be used:
- when developing a new program;
- when revising an ongoing program; or
- as a review of existing practices and procedures.
Stakeholders involved in a PIA may include:
- The user or group requesting the program or service
  - Requires a "primary contact" to coordinate information collection
- The technology department
- A representative or contact from the vendor offering the service or software
  - Many vendors have their own privacy policies; dovetail these with the PIA
  - Others offer no contact, so only their published policies can be referenced (e.g. Google)
In many cases the Office of the Saskatchewan Information and Privacy Commissioner will also refer to a PIA when it conducts an investigation as a result of a complaint made against a local authority.
“The completion of an effective and meaningful PIA requires a dialogue between the author of the PIA and those with a vested interest or involvement with the proposed or existing information systems, technology, policy/procedure, or program being evaluated.”
– Office of the Saskatchewan Information and Privacy Commissioner
Some things to consider when completing a PIA:
- Depersonalize what you can; record only what you must
- Involve IT early
  - The assessment can become technical quickly; security is often layered
- Challenge vendors for clarity
- Keep good records
  - Include time-stamped copies of vendor privacy policies, since they often change or evolve