Privacy Impact Assessments: The Next Generation?
A couple of weeks ago, Chantal Bernier, Assistant Privacy Commissioner of Canada, made a presentation in Toronto that included something that strikes me as a positive and noteworthy development. It was about how the federal Office of the Privacy Commissioner of Canada (“OPC”) now looks at privacy impact assessments (“PIAs”).
Canadian jurisdictions, whether by policy or law, generally require PIAs to be performed on any new initiative that involves the processing of personal information by a public sector entity or, in some instances, by health information custodians.
PIAs typically follow a methodology that requires an analysis of data elements and data flows, followed by a series of questionnaires, usually based on the CSA Code’s 10 privacy principles. The balance of a PIA consists of risk identification and mitigation recommendations. Ideally, the identified risks are transferred to the organization’s privacy risk register and systematically addressed. At a minimum, however, PIAs do provide Privacy Commissioners with an idea as to what is going on “out there” in government.
So the upshot is that PIAs, because of the questions asked, invariably become focused on business process/risk and compliance with the limited, prescriptive provisions found in applicable statutes. However, current practices do not commonly support any meaningful human rights or ethical assessment of the impact that an initiative may have upon the individual, to balance off against the more quantitative, flat legislative analysis. The current process is, for all intents and purposes, a “minimum compliance” approach to assessing impacts on privacy, one that, perhaps, fails to realize the proactive, “privacy by design” opportunities that could readily be derived from a thorough analysis of an initiative.
Which brings me back to AC Bernier’s remarks. In the course of the presentation, it was revealed that the OPC adds another layer of analysis: a Charter analysis using a test found in the Supreme Court of Canada case of R. v. Oakes. The importance of Oakes is that it contains an analytical framework for s.1 of the Canadian Charter of Rights and Freedoms, which provides that legislation can impose reasonable limitations on rights and freedoms if it can be demonstrably justified in a free and democratic society.
As civil rights lawyers will tell you, Charter rights in Canada are not absolute. Without getting into the facts of Oakes, the Supreme Court presented a two-pronged test that any limitation of rights and freedoms (remembering that privacy is a Charter right) must meet.
The first criterion is that:
“… the objective, which the measures responsible for a limit on a Charter right or freedom are designed to serve, must be “of sufficient importance to warrant overriding a constitutionally protected right or freedom”…The standard must be high in order to ensure that objectives which are trivial or discordant with the principles integral to a free and democratic society do not gain s. 1 protection. It is necessary, at a minimum, that an objective relate to concerns which are pressing and substantial in a free and democratic society before it can be characterized as sufficiently important.”
The second criterion is a three-part “proportionality” test:
“First, the measures adopted must be carefully designed to achieve the objective in question. They must not be arbitrary, unfair or based on irrational considerations. In short, they must be rationally connected to the objective. Second, the means, even if rationally connected to the objective in this first sense, should impair “as little as possible” the right or freedom in question…Third, there must be a proportionality between the effects of the measures which are responsible for limiting the Charter right or freedom, and the objective which has been identified as of “sufficient importance”.”
In other words, any initiative that affects the privacy of Canadians must have a rational connection to the policy objective, involve a minimal impairment of rights and demonstrate proportionality between the means and the ends.
If I’ve interpreted AC Bernier’s remarks correctly, the OPC has moved beyond PIAs that demonstrate compliance with the Privacy Act and “layered in” an examination of the underlying basis for undertaking any initiative that might affect privacy. If that’s the case, then I commend the OPC’s new approach because government now has to justify any intrusion into the privacy of Canadians when conducting PIAs.
I don’t know if provincial Privacy Commissioners have adopted a similar approach but, if they haven’t, then I would ask them to do so.
Michael, am I also to assume that the “proportionality” test could also undermine the Crown’s current “lawful access” provisions?
Hey Michael, great post. Having conducted a few PIAs for public sector bodies, I am in complete agreement that the methodologies for these assessments tend to focus on business process issues relating to the ‘prescriptive provisions’ contained in the various privacy statutes. In the best case, a PIA gives a thorough examination of the various business processes/information-flows, considering them in the context of the various statutory provisions. In the worst case, vendors are content to merely parrot legislation without conducting much of a detailed risk analysis.
Stepping back from the various issues surrounding PIA methodology, I have to agree wholeheartedly with your observation that public sector organizations should be considering the broader normative issues, including ethics and the balancing of interests/rights.
I would not stop there, however. In addition to considering the impacts on an individual, a macro-level analysis of impacts should be undertaken. For example, one might consider the effects of a program on particular groups (ethnic, cultural, religious). Given the myriad of PI-laden systems in use in the public sector, one could ask whether a given initiative will contribute to the loss of privacy through a ‘thousand cuts’. Even if a given system/program is only minimally intrusive, the presence of multiple such systems/programs could threaten privacy interests, particularly where data matching is permitted.
The Oakes framework is an interesting choice. On the plus side, it explicitly introduces a balancing test between the objectives of an initiative and the various norms and rights at play. There is a fair amount of jurisprudence in existence, and most lawyers are familiar with the approach from first year constitutional law.
On the other hand, one might ask whether Oakes is specific enough for the task at hand. Given my organization’s focus on health care, I wonder if Oakes would have much ‘bite’ on our various programs. If we are looking at the effect of our initiatives on individuals, the various statutory instruments already contain provisions limiting secondary uses and requiring us to collect only the minimal amount of information necessary. Typically, the purpose of our projects is straight-forward and uncontroversial. I would be interested to hear your opinion on where a test like this would be useful in a health care context.
At any rate, this is a step in the right direction. In my opinion, there are at least two improvements that have to be made with respect to PIAs. First, there has to be some consideration of the broader issues at play. Second, privacy professionals have to adopt some of the semi-formal techniques and tools from systems/software engineering and business analysis.
I was delighted to attend a “How to conduct PIAs” seminar delivered by Yvon Gauthier recently. His emphasis was not on the formulaic completion of preset questionnaires, but, much to my delight, on a careful balancing of interests, considering the proportionality test in his deliberations.
I am very glad to discover that there are folks out there trying to make PIAs reflect genuine analysis of impacts rather than a pro-forma evaluation of corporate risk.