Privacy Impact Assessments: The Next Generation?
A couple of weeks ago, Chantal Bernier, Assistant Privacy Commissioner of Canada, made a presentation in Toronto that included something that strikes me as a positive and noteworthy development. It was about how the federal Office of the Privacy Commissioner of Canada (“OPC”) now looks at privacy impact assessments (“PIAs”).
Canadian jurisdictions, whether by policy or law, generally require PIAs to be performed on any new initiative that involves the processing of personal information by a public sector entity or, in some instances, by health information custodians.
PIAs typically follow a methodology that requires an analysis of data elements and data flows, followed by a series of questionnaires, usually based on the CSA Code’s 10 privacy principles. The balance of a PIA consists of risk identification and mitigation recommendations. Ideally, the identified risks are transferred to the organization’s privacy risk register and systematically addressed. At a minimum, however, PIAs do provide Privacy Commissioners with an idea as to what is going on “out there” in government.
So the upshot is that PIAs, because of the questions asked, invariably become focused on business process/risk and on compliance with the limited, prescriptive provisions found in applicable statutes. However, current practices do not commonly support any meaningful human rights or ethical assessment of the impact that an initiative may have upon the individual, to balance against the more quantitative, flat legislative analysis. The current process is, for all intents and purposes, a “minimum compliance” approach to assessing impacts on privacy, one that, perhaps, fails to realize the proactive, “privacy by design” opportunities that could readily be derived from a thorough analysis of an initiative.
Which brings me back to AC Bernier’s remarks. In the course of the presentation, it was revealed that the OPC adds another layer of analysis: a Charter analysis using a test found in the Supreme Court of Canada case of R. v. Oakes. The importance of Oakes is that it contains an analytical framework for s.1 of the Canadian Charter of Rights and Freedoms, which provides that legislation can impose reasonable limitations on rights and freedoms if it can be demonstrably justified in a free and democratic society.
As civil rights lawyers will tell you, Charter rights in Canada are not absolute. Without getting into the facts of Oakes, the Supreme Court presented a two-pronged test that any limitation of rights and freedoms (remembering that privacy is a Charter right) must meet.
The first criterion is that:
“… the objective, which the measures responsible for a limit on a Charter right or freedom are designed to serve, must be ‘of sufficient importance to warrant overriding a constitutionally protected right or freedom’ … The standard must be high in order to ensure that objectives which are trivial or discordant with the principles integral to a free and democratic society do not gain s. 1 protection. It is necessary, at a minimum, that an objective relate to concerns which are pressing and substantial in a free and democratic society before it can be characterized as sufficiently important.”
The second criterion is a three-part “proportionality” test:
“First, the measures adopted must be carefully designed to achieve the objective in question. They must not be arbitrary, unfair or based on irrational considerations. In short, they must be rationally connected to the objective. Second, the means, even if rationally connected to the objective in this first sense, should impair ‘as little as possible’ the right or freedom in question … Third, there must be a proportionality between the effects of the measures which are responsible for limiting the Charter right or freedom, and the objective which has been identified as of ‘sufficient importance’.”
In other words, any initiative that affects the privacy of Canadians must have a rational connection to the policy objective, involve a minimal impairment of rights and demonstrate proportionality between the means and the ends.
If I’ve interpreted AC Bernier’s remarks correctly, the OPC has moved beyond PIAs that demonstrate compliance with the Privacy Act and “layered in” an examination of the underlying basis for undertaking any initiative that might affect privacy. If that’s the case, then I commend the OPC’s new approach because government now has to justify any intrusion into the privacy of Canadians when conducting PIAs.
I don’t know if provincial Privacy Commissioners have adopted a similar approach but, if they haven’t, then I would ask them to do so.