On September 22, 2023, the CAI introduced a new Privacy Impact Assessment (PIA) guide. We will see that in many instances, this guide goes beyond what is required by law. The opening section states, however, that the purpose of the guide is not to burden organizations with additional obligations, but to assist them in accomplishing effective PIAs. The CAI expressly states that organizations are not obliged to follow or apply their guide to the letter.
A previous guide had been drafted by the CAI in 2021, but it did not reflect the recent changes made by the Act to Modernize the Statutes Respecting the Protection of Personal Information (Law 25) that came into force on September 22, 2023. Likewise, the new guide does not consider bills or legislation that have not yet come into force, notably the Act Respecting Health and Social Services Information ("Law 5", formerly known as Bill 3).
The new guide is largely similar to the old one, albeit with a few changes. It addresses the general approach, applicable to all PIAs in its main body, and addresses specificities applicable to particular kinds of PIAs in the appendices (e.g., for communication outside Quebec, the acquisition, development or overhaul of an information system or electronic service delivery system involving personal information, and for communication without the consent of the persons concerned to a person or body wishing to use the information for study or research purposes or for the production of statistics).
The review of the CAI's new guide as well as the drafting of the present bulletin was done from the perspective of the private sector.
Below are our answers to the private sector's top 10 questions when it comes to doing PIAs in Quebec:
1. When do PIAs need to be done?
The Act respecting the protection of personal information in the private sector, as amended by Law 25, (Private Sector Act) provides for three situations in which organizations must conduct a PIA:
(1) At the outset of a project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information.
(2) Before communicating personal information outside Quebec.
(3) Before communicating personal information to a third party, without the consent of the concerned individual, to use the information for study or research purposes or for the production of statistics.
While the CAI affirms that these situations warrant a PIA, we will see that they attempt to stretch when PIAs should be conducted.
2. Do I really need to do a PIA?
Unlike the old guide, where a PIA was suggested as a good practice, with the coming into force of the Private Sector Act, a PIA is required in the 3 situations mentioned above.
While the CAI does not disagree, they seem to suggest conducting a PIA for any project, technological or otherwise, that may involve the collection, use, disclosure, retention or destruction of personal information. This broad stance goes well beyond the 3 prescribed situation in the Private Sector Act.
The CAI has drawn up a decision tree, below, to help organizations decide if they should conduct a PIA. Organizations must keep in mind that conducting a PIA outside of 3 situations prescribed by the Private Sector Act is a choice, not an obligation.
3. Who is responsible for carrying out PIAs?
While the Private Sector Act remains ambiguous in stating that "a person carrying on an enterprise must conduct a privacy impact assessment," the CAI's guide attempts to provide clarity by stating: "It is the organization holding the personal information that is responsible for carrying out the PIA." However, ambiguity remains as the CAI does not define "holding" personal information, nor does the Private Sector Act introduce the notion of data controllers and data processors as found in the European Union's General Data Protection Regulation (GDPR). Regardless, organizations may enlist the help of third parties (e.g., suppliers) at various stages of the process if need be.
4. Should PIAs be done retroactively?
In response to the silence of the Private Sector Act on this topic, the CAI takes the position that there is no obligation to retroactively conduct a PIA under Law 25, which is in line with parliamentary debates. In other words, if the project was already "finalized" (i.e., the conclusion of a data sharing agreement or the implementation of information systems) on the effective date, organizations are not required to complete a PIA retroactively.
Despite this, a PIA will be required (1) if the project is modified (e.g., amendments to the agreement, system redesign, etc.); and (2) if the project involves the communication of personal information outside Quebec after September 22, 2023, even if the transfer was initiated prior to that date.
5. Are there PIA templates available?
The Private Sector Act is unclear as to whether it is necessary to document all PIAs and in what form.
The CAI suggests a generic PIA report template that is not adapted to special kinds of PIAs which must take into account additional factors (e.g., communicating personal information outside Quebec or for research purposes). Nevertheless, organizations may adapt this generic template to their own needs. The template includes a specific section for these "specific criteria to be assessed by the PIA."
The CAI seems to be of the position that PIAs and PIA reports are distinct: "Although it is possible to carry out a PIA without formally documenting it, you should be able to explain and justify your PIA process." Practically, it is unclear how organizations would be able to demonstrate the completion of a PIA, and compliance with the Private Sector Act, without a PIA report.
In the section on what the report should contain, several elements have been added compared to the old guide and legal requirements, including:
- A summary of consultations, if any.
- An assessment of the criteria for sensitivity, purpose, quantity, distribution and support of personal information, and a justification of the depth of analysis (breadth of the PIA).
- A categorization of the risks identified for the individuals concerned.
6. Who should be involved in the PIA process?
The Private Sector Act provides that the Privacy Officer should be consulted at the outset of any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information. Even if this is implied, and might be common practice to involve the Privacy Officer for the other two kinds of PIA, the Act does not make this clear, unlike the CAI, which stipulates that the Privacy Officer is required to be consulted as part of any PIA. The Act is silent, however, on whom else should be part of the PIA process.
The CAI's guide suggests consulting other groups of people depending on the scope of the project and the scale of the assessment, namely project managers, legal, HR, customer service, board of directors, service providers, and subcontractors.
Consultation with IT and cyber security professionals is also crucial to identifying the project's technical risks.
7. How do I determine the scope of my PIA?
According to the Private Sector Act, PIAs "must be proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored."
While the CAI affirms that "the scope of the PIA may vary depending on the size of the project, its objectives, the nature of the personal information involved and the manner in which it is used and disclosed", it does not offer guidance on when a "lean" or "extensive" PIA would be warranted or what they should concretely entail.
In addition, the CAI recommends including a data flow diagram and a data inventory in a PIA. While these complex and costly initiatives may be valuable to certain projects, neither is required by the Private Sector act.
8. How do I assess the project's risk level and proportionality?
The Private Sector Act does not provide a clear metric for determining the risk posed by a project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information to the privacy of the individuals concerned.
For the transfer of data outside Quebec, the only indication that seems to be provided in the Private Sector Act is that the information may be communicated if the assessment establishes that it would receive adequate protection, in particular in light of generally recognized principles regarding the protection of personal information. As for the communication of personal information for study purposes, the PIA must conclude that the elements set out in the Act are met before communication can take place.
In the absence of established risk assessment frameworks within an organization, the CAI suggests assessing risk based on the potential severity of the consequences of an event and the probability of its occurrence.
CAI's generic PIA template includes a section for assessing the privacy risks generated by the project and their consequences for the individuals concerned. The risks are divided into several categories: risks of collection, risks of use, risks of communication, risks of retention, destruction and/or anonymization, and a section for residual risks. As mentioned above, when assessing the level of each identified risk, it is the "potential severity of the consequences" of an event and its "probability" that are evaluated. Once the severity and probability of risks have been estimated, they should be assigned an overall risk level. If a rating is to be used, the CAI suggests using a risk level grid where the severity rating would be multiplied by the probability rating.
The CAI also suggests in its PIA template that organizations should present the strategies put in place to mitigate these risks, as well as an analysis of the effect of these measures on the residual level of risk. It is additionally stipulated that each residual risk should have a person responsible for implementing the measures identified, and for managing the adverse event should it materialize.
Where the Private Sector Act does not determine how to assess the proportionality of a project, the CAI provides clear guidance. An organization will be required to "assess proportionality throughout the PIA process and the implementation of that project." It adds that "proportionality will be found if: (1) there is a rational link between your objectives and the project, i.e., it is an effective means of achieving the objective; (2) the invasion of privacy is minimal, or if there are no effective less intrusive alternatives; if (3) the tangible benefits outweigh the consequences or harm to the individuals concerned."
The CAI also suggests reviewing the proportionality of the project after completing the risk management exercise, by asking the following questions: "in the light of your PIA as a whole, does the solution you are proposing to achieve your objectives still seem proportional, given the residual risks? In the event of a complaint by a data subject or an audit by a supervisory body, will you be prepared to answer the Commission's questions about whether your solution is proportionate?"
9. How do I determine whether the personal information transferred outside Quebec would receive "adequate protection" and what are the "generally recognized principles regarding the protection of personal information"?
The Private Sector Act provides that personal information may be communicated outside Quebec if the PIA "establishes that it would receive adequate protection, in particular in light of generally recognized principles regarding the protection of personal information."
a. Adequate protection
The CAI suggests that it is a protection that offers legal guarantees (i.e., the legal regime of the state of destinations offers such) and contractual guarantees (i.e., there is a written agreement with the recipient organization) that respects all the generally recognized principles of protection principles that are appropriate to the sensitivity and purpose of the information involved, which seems to echo the criteria set out in the Private Sector Act.
b. Generally recognized principles regarding the protection of personal information
The Private Sector Act does not define these terms, although many privacy laws and other significant privacy documents, such as the Organization for Economic Cooperation and Development (OECD) Privacy Guidelines, the U.S. Federal Trade Commission's Fair Information Practice Principles (FIPPs), and the principles underlying laws such as Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and the GDPR, incorporate certain common privacy principles.
Without being exhaustive, the CAI's list includes the following principles:
- Accountability
- Identifying purposes
- Limiting collection
- Consent
- Protection by design and by default
- Limiting use, disclosure and retention
- Accuracy
- Security
- Openness
- Rights of data subjects
- Recourse
10. What do I do with my completed PIA?
One of the important points that the CAI makes throughout its guide, which doesn't seem to have been taken from the Private Sector Act, is that a PIA, once required under the Private Sector Act, must continuously be reviewed throughout the life of the project. Indeed, the CAI states: "Protecting personal information is not a one-time task: the PIA is only effective if it evolves continuously, and must be reviewed as necessary, throughout the life of the project."
Finally, the CAI encourages organizations to publish abridged versions of completed PIA reports on their website. We have reservations about this practice, which is not required by the Private Sector Act, as potential effects on the publishing organization are unclear.
Read the original article on GowlingWLG.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.