Canada: Privacy Impact Assessments — Answering Your Top Questions

The Act respecting the protection of personal information in the private sector, as amended by Law 25, (Private Sector Act) provides for three situations in which organizations must conduct a PIA:

(1) At the outset of a project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information.

(2) Before communicating personal information outside Quebec.

(3) Before communicating personal information to a third party, without the consent of the concerned individual, to use the information for study or research purposes or for the production of statistics.

While the CAI affirms that these situations warrant a PIA, we will see that they attempt to stretch when PIAs should be conducted.

Unlike the old guide, where a PIA was suggested as a good practice, with the coming into force of the Private Sector Act, a PIA is required in the 3 situations mentioned above.

While the CAI does not disagree, they seem to suggest conducting a PIA for any project, technological or otherwise, that may involve the collection, use, disclosure, retention or destruction of personal information. This broad stance goes well beyond the 3 prescribed situation in the Private Sector Act.

The CAI has drawn up a decision tree, below, to help organizations decide if they should conduct a PIA. Organizations must keep in mind that conducting a PIA outside of 3 situations prescribed by the Private Sector Act is a choice, not an obligation.

While the Private Sector Act remains ambiguous in stating that "a person carrying on an enterprise must conduct a privacy impact assessment," the CAI's guide attempts to provide clarity by stating: "It is the organization holding the personal information that is responsible for carrying out the PIA." However, ambiguity remains as the CAI does not define "holding" personal information, nor does the Private Sector Act introduce the notion of data controllers and data processors as found in the European Union's General Data Protection Regulation (GDPR). Regardless, organizations may enlist the help of third parties (e.g., suppliers) at various stages of the process if need be.

In response to the silence of the Private Sector Act on this topic, the CAI takes the position that there is no obligation to retroactively conduct a PIA under Law 25, which is in line with parliamentary debates. In other words, if the project was already "finalized" (i.e., the conclusion of a data sharing agreement or the implementation of information systems) on the effective date, organizations are not required to complete a PIA retroactively.

Despite this, a PIA will be required (1) if the project is modified (e.g., amendments to the agreement, system redesign, etc.); and (2) if the project involves the communication of personal information outside Quebec after September 22, 2023, even if the transfer was initiated prior to that date.

The Private Sector Act is unclear as to whether it is necessary to document all PIAs and in what form.

The CAI suggests a generic PIA report template that is not adapted to special kinds of PIAs which must take into account additional factors (e.g., communicating personal information outside Quebec or for research purposes). Nevertheless, organizations may adapt this generic template to their own needs. The template includes a specific section for these "specific criteria to be assessed by the PIA."

The CAI seems to be of the position that PIAs and PIA reports are distinct: "Although it is possible to carry out a PIA without formally documenting it, you should be able to explain and justify your PIA process." Practically, it is unclear how organizations would be able to demonstrate the completion of a PIA, and compliance with the Private Sector Act, without a PIA report.

In the section on what the report should contain, several elements have been added compared to the old guide and legal requirements, including:

1. A summary of consultations, if any.
2. An assessment of the criteria for sensitivity, purpose, quantity, distribution and support of personal information, and a justification of the depth of analysis (breadth of the PIA).
3. A categorization of the risks identified for the individuals concerned.

The Private Sector Act provides that the Privacy Officer should be consulted at the outset of any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information. Even if this is implied, and might be common practice to involve the Privacy Officer for the other two kinds of PIA, the Act does not make this clear, unlike the CAI, which stipulates that the Privacy Officer is required to be consulted as part of any PIA. The Act is silent, however, on whom else should be part of the PIA process.

The CAI's guide suggests consulting other groups of people depending on the scope of the project and the scale of the assessment, namely project managers, legal, HR, customer service, board of directors, service providers, and subcontractors.

Consultation with IT and cyber security professionals is also crucial to identifying the project's technical risks.

According to the Private Sector Act, PIAs "must be proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored."

While the CAI affirms that "the scope of the PIA may vary depending on the size of the project, its objectives, the nature of the personal information involved and the manner in which it is used and disclosed", it does not offer guidance on when a "lean" or "extensive" PIA would be warranted or what they should concretely entail.

In addition, the CAI recommends including a data flow diagram and a data inventory in a PIA. While these complex and costly initiatives may be valuable to certain projects, neither is required by the Private Sector act.

The Private Sector Act does not provide a clear metric for determining the risk posed by a project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information to the privacy of the individuals concerned.

For the transfer of data outside Quebec, the only indication that seems to be provided in the Private Sector Act is that the information may be communicated if the assessment establishes that it would receive adequate protection, in particular in light of generally recognized principles regarding the protection of personal information. As for the communication of personal information for study purposes, the PIA must conclude that the elements set out in the Act are met before communication can take place.

In the absence of established risk assessment frameworks within an organization, the CAI suggests assessing risk based on the potential severity of the consequences of an event and the probability of its occurrence.

CAI's generic PIA template includes a section for assessing the privacy risks generated by the project and their consequences for the individuals concerned. The risks are divided into several categories: risks of collection, risks of use, risks of communication, risks of retention, destruction and/or anonymization, and a section for residual risks. As mentioned above, when assessing the level of each identified risk, it is the "potential severity of the consequences" of an event and its "probability" that are evaluated. Once the severity and probability of risks have been estimated, they should be assigned an overall risk level. If a rating is to be used, the CAI suggests using a risk level grid where the severity rating would be multiplied by the probability rating.

The CAI also suggests in its PIA template that organizations should present the strategies put in place to mitigate these risks, as well as an analysis of the effect of these measures on the residual level of risk. It is additionally stipulated that each residual risk should have a person responsible for implementing the measures identified, and for managing the adverse event should it materialize.

Where the Private Sector Act does not determine how to assess the proportionality of a project, the CAI provides clear guidance. An organization will be required to "assess proportionality throughout the PIA process and the implementation of that project." It adds that "proportionality will be found if: (1) there is a rational link between your objectives and the project, i.e., it is an effective means of achieving the objective; (2) the invasion of privacy is minimal, or if there are no effective less intrusive alternatives; if (3) the tangible benefits outweigh the consequences or harm to the individuals concerned."

The CAI also suggests reviewing the proportionality of the project after completing the risk management exercise, by asking the following questions: "in the light of your PIA as a whole, does the solution you are proposing to achieve your objectives still seem proportional, given the residual risks? In the event of a complaint by a data subject or an audit by a supervisory body, will you be prepared to answer the Commission's questions about whether your solution is proportionate?"

The Private Sector Act provides that personal information may be communicated outside Quebec if the PIA "establishes that it would receive adequate protection, in particular in light of generally recognized principles regarding the protection of personal information."

a. Adequate protection

The CAI suggests that it is a protection that offers legal guarantees (i.e., the legal regime of the state of destinations offers such) and contractual guarantees (i.e., there is a written agreement with the recipient organization) that respects all the generally recognized principles of protection principles that are appropriate to the sensitivity and purpose of the information involved, which seems to echo the criteria set out in the Private Sector Act.

b. Generally recognized principles regarding the protection of personal information

The Private Sector Act does not define these terms, although many privacy laws and other significant privacy documents, such as the Organization for Economic Cooperation and Development (OECD) Privacy Guidelines, the U.S. Federal Trade Commission's Fair Information Practice Principles (FIPPs), and the principles underlying laws such as Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and the GDPR, incorporate certain common privacy principles.

Without being exhaustive, the CAI's list includes the following principles:

• Accountability
• Identifying purposes
• Limiting collection
• Consent
• Protection by design and by default
• Limiting use, disclosure and retention
• Accuracy
• Security
• Openness
• Rights of data subjects
• Recourse

One of the important points that the CAI makes throughout its guide, which doesn't seem to have been taken from the Private Sector Act, is that a PIA, once required under the Private Sector Act, must continuously be reviewed throughout the life of the project. Indeed, the CAI states: "Protecting personal information is not a one-time task: the PIA is only effective if it evolves continuously, and must be reviewed as necessary, throughout the life of the project."

Finally, the CAI encourages organizations to publish abridged versions of completed PIA reports on their website. We have reservations about this practice, which is not required by the Private Sector Act, as potential effects on the publishing organization are unclear.