Privacy Impact Assessments

Each as unique as your data

A privacy impact assessment (PIA) is one of the critical tools for being able to provide robust assurances to stakeholders and, quite frankly, to have a sense of control over personally sensitive information.

This is not a one-size-fits-all exercise. A properly done PIA report will not only identify existing and potential risks to privacy in the project or program being reviewed but will also provide recommendations that are contextually appropriate to your organisation.

A good PIA will be based on the appropriate legislation (it's surprising how many provincial PIAs I've seen that refer to PIPEDA, instead of FIPPA, as the applicable legislation, for example), will identify the data that is in scope of the assessment, and will build demonstrable links between business processes, sensitive data, risks to that data, and recommendations to address the risks. If the evaluations you have seen do not have these elements and these links, you may not be entirely happy with the results.

I base my assessments on each client's unique context and requirements. As a result, each PIA does not apply a pre-built template that may or may not be appropriate, but is instead a living document built in collaboration with each stakeholder. This enables the organisation to 'own' the assessment and its remediation, rather than seeing it as an external imposition.