Privacy Reviews & Privacy Impact Assessments

Privacy reviews and privacy impact assessments may be conducted as part of the process of developing business programs and computer systems. The benchmark used for these reviews may include the federal Privacy Act, one of the many provincial freedom of information and protection of privacy acts, the Canadian Standards Association's Model Code for the Protection of Personal Information, or Canada's new Personal Information Protection and Electronic Documents Act (also referred to as Bill C-6).

The implications of poorly or improperly designed business programs or computer systems are significant. For example, under the Ontario Freedom of Information and Protection of Privacy Act, the Information and Privacy Commissioner may order an institution to cease a collection of personal information or to destroy personal information that has already been collected, if the collection contravenes the Act.

Of equal importance is the cost to incorporate the privacy requirements in the later stages of the program and systems development life cycle. For example, it is estimated to cost up to 1000 times more to retrofit new requirements into an existing computer system, when compared to identifying and accommodating the functions at the user requirements stage. Privacy reviews conducted throughout the project life cycle incorporate the necessary privacy requirements without unnecessary cost or change in project scope.

The reports delivered from these privacy reviews are used by program executives and steering committees to ensure that their fiduciary obligations are being fulfilled. For example, in the federal government, the Enhanced Management Framework requires departments to identify and mitigate risks. Privacy reviews would mitigate the risk of potential non-conformance with Privacy Act requirements.

These privacy impact analyses are not legal reviews - you can and should seek legal advice as well. These analyses differ from a legal analysis in that they focus on building cost-effective, privacy-friendly business practices. A legal review, on the other hand, will focus on a strict interpretation of the legal requirements with a view to limiting liability. The latter activity sometimes results in privacy policies and contracts that force clients into privacy-hostile business practices.

If your strategic direction is to capitalize on privacy-friendly business practices as a means to gain market share, you need a privacy impact assessment as well as the legal review.
