With most provisions of Quebec's Act to modernize legislative provisions as regards the protection of personal information (Act 25) having come into effect on September 22, public bodies and enterprises (together, organizations) must now conduct privacy impact assessments (PIAs) for various projects that involve personal information. A PIA is an impact analysis that considers all the personal information of the persons concerned, with the aim of preventing the mismanagement of that information and ensuring its protection throughout the project.

To help organizations, the Commission d’accès à l’information (CAI) published a guide (available in French only) that walks them through conducting a PIA. The guide describes the steps of a PIA and details the factors to be considered in the analysis, including the specific considerations that apply in different situations. Notably, although a PIA is mandatory in some contexts, Act 25 does not prescribe how one must be conducted; the CAI guide is therefore informational only and is not itself binding.


Recommended steps

In its guide, the CAI summarizes the steps to be taken when conducting a PIA, which it emphasizes must begin early in the project so that the assessment is complete before the project is implemented. There are four steps to a PIA:

1. Determining whether an assessment is necessary

A PIA is mandatory in certain cases, notably for the acquisition, development or overhaul of an information system or electronic service delivery system that involves personal information, and where personal information will be communicated (transferred) outside Quebec.

Regardless of the situation, the CAI considers it good practice to conduct a PIA whenever a project involves personal information.

2. Preparing a PIA

A PIA is preceded by a preparatory phase, in which questions are raised about the project and its scope, the personal information concerned and the organization’s privacy obligations.

The CAI repeatedly stresses that a PIA must be proportionate to the project and to the personal information concerned. When preparing a PIA:

  • the project and its goals must be clearly defined;
  • the scope of the PIA (which parts of the project and which information it covers) must be determined;
  • the roles and responsibilities of the organization holding the information and of the parties that will be consulted must be defined;
  • the personal information must be inventoried and mapped out to establish its nature, sensitivity, quantity and purpose, and to show the route the information will take through the project and the points at which the information and the project’s stakeholders will interact;
  • the extent of the PIA, that is, how deep the analysis must go, must be assessed in proportion to the project and the information concerned;
  • the organization’s obligations under provincial, federal or foreign legislation, organizational practices and international standards must be identified.

3. Analyzing and evaluating privacy 

In this step, the factors that could affect the privacy of the persons concerned are analyzed using the information gathered in the previous step. The privacy factors to be assessed are:

  • The project’s compliance with the applicable legislation regarding the protection of personal information:
    • To assess this factor, the project must be checked to see whether it satisfies the previously identified privacy obligations, legal and otherwise.
    • These obligations must be satisfied throughout the life cycle of the personal information, from its collection to its destruction.
  • The risks of privacy breaches resulting from the project and their potential impact:
    • To assess this factor, the organization must identify what poses a potential threat to the personal information throughout the project and the impact those threats would have on the persons concerned, together with the cause, severity and likelihood of each threat materializing.
    • This step produces an overall picture of the potential risks and their respective risk levels.
  • Implementation of strategies to prevent or mitigate these risks:
    • In light of the risks identified in the previous step, the organization must consider strategies to prevent or mitigate them, notably by reducing their potential impact or the likelihood that they will materialize.
    • Once these strategies are implemented, the organization reassesses the severity of the identified risks to determine whether the residual risk to the personal information is acceptable and proportionate to the organization’s project.

4. Reporting on the assessment

For this last step, the CAI warns organizations that they should be able to explain and justify the PIA’s findings, notably in the context of an inspection or investigation. To that end, it recommends that a report be drafted and kept up to date as the project evolves. The CAI guide indicates what this report should contain and how it should be disseminated. The CAI has also published a model PIA report (in French only) to help organizations prepare one.

In essence, the CAI guide provides organizations with valuable guidance on how to complete their PIAs, supported by examples, diagrams and questions to help them with that task. The guide is grounded in the principles of prevention and privacy protection, and of proportionality between the assessment and the project’s privacy risks, in a constantly shifting environment.

The authors would like to thank Marie-Dominique Simard, articling student, for contributing to this legal update.