CRA Privacy Impact Assessment (PIA) Directive
This document is also available in French under the title Directive de l'ARC sur l'évaluation des facteurs relatifs à la vie privée (ÉFVP).
Effective date
This directive takes effect on June 11, 2007.
Related policy
This directive flows from Treasury Board Secretariat's Privacy Impact Assessment Policy and the 10 privacy principles contained in the Personal Information Protection and Electronic Documents Act.
This directive is supplemented by the CRA's PIA Procedures.
Introduction
The CRA is committed to protecting the privacy and confidentiality of the personal information under its control.
This includes the Privacy Impact Assessment (PIA) process, which is a Government of Canada initiative that requires privacy issues to be considered when new or substantially modified activities are being planned. This can apply to technology, information systems, initiatives, policies, programs, and services.
When conducting a PIA, managers shall consult the appropriate functional authorities about similar processes that must also be undertaken, including:
- threat risk assessments (Security Directorate, Finance and Administration Branch);
- statements of sensitivity (Security Directorate, Finance and Administration Branch); and
- information management risk assessments (Statistics and Information Management Directorate, Corporate Strategies and Business Development Branch).
Application
This directive applies to all CRA employees.
Definitions
- ATIP Oversight Review Committee (formerly the PIA Review Committee): among other duties, this Committee examines PIA and Preliminary PIA Reports. The Committee is comprised of DG-level representatives from each headquarters branch and is chaired by the Director of the ATIP Directorate.
- Personal information: any recorded information about an identifiable individual (see the full definition in Section 3 of the Privacy Act).
- Privacy Impact Assessment (PIA): a process that helps determine whether new or substantially modified activities meet the basic privacy requirements defined in the Privacy Act.
- PIA Report: the documented evaluation of a new or substantially modified activity in terms of privacy risks and their implications, as well as possible options and recommendations to avoid or mitigate the risks.
- PIA Summary: a brief, non-technical description that is made available on the CRA Web site and that summarizes the results of the PIA process for a given activity.
- Preliminary PIA (PPIA) Report: when the detailed information needed for a full PIA Report is not yet available, a PPIA Report can be prepared to help the ATIP Oversight Review Committee determine whether a full PIA will be required.
Objective
To ensure that privacy issues are considered during the design, redesign, delivery, and evaluation of any CRA activity that involves the collection, retention, use, disclosure, or disposal of personal information.
Requirements
This directive must be applied in conjunction with the legislation and documents listed in the References section.
- Analysis and documentation: Prior to their implementation, new or substantially modified activities will be examined in terms of protecting personal information. Branches and regions will prepare a PIA Report — and sometimes a PPIA Report — to identify possible risks to the protection of personal information, as well as ways to avoid or mitigate those risks.
- Review of documents: The ATIP Oversight Review Committee will examine PIA and PPIA Reports. Based on members' expertise, the Committee will provide guidance on how the affected branch and/or region should proceed in terms of the privacy aspects of the new or substantially modified activity.
- Information sharing: A brief, non-technical summary of each PIA Report will be published on the CRA Web site.
- Office of the Privacy Commissioner: The CRA will provide final PIA Reports to the Office of the Privacy Commissioner and will respond to any advice provided by the Office.
Roles and responsibilities
Commissioner
The Commissioner is responsible for promoting awareness of the TBS Privacy Impact Assessment Policy and of this CRA directive.
The Commissioner is responsible for integrating and balancing privacy interests with other legislative and policy requirements.
The Commissioner is ultimately responsible for determining whether a CRA initiative has sufficient potential impact on individual privacy to warrant the development of a PIA Report.
Assistant Commissioners
Assistant Commissioners are responsible for supporting the Commissioner in the discharge of the PIA-related responsibilities described above. Assistant Commissioners must ensure their senior managers are aware of the TBS policy and this CRA directive.
The Assistant Commissioner of each headquarters branch nominates a Director General to serve on the ATIP Oversight Review Committee.
Regional Assistant Commissioners engage with their headquarters counterparts to identify privacy issues related to activities that are sanctioned by CRA headquarters but that are administered and overseen by regional staff.
ATIP Oversight Review Committee
The ATIP Oversight Review Committee monitors and provides corporate oversight on significant emerging access and privacy issues affecting the CRA. The Committee brings objective, horizontally based expertise to bear on all PIA or PPIA Reports reviewed by its members, as well as on key privacy issues relating to existing or new federal government policies and initiatives.
The Committee promotes the exchange of information and best practices about managing privacy issues, including their impact on related programs and services.
Director, Access to Information and Privacy (ATIP) Directorate, Public Affairs Branch
Through the Program Support and Training Group, the ATIP Director provides privacy-related guidance to branch and regional officials throughout the PIA process.
The Director ensures that:
- the technical content and format of PIAs are confirmed;
- copies of approved PIAs and PPIAs that have not resulted in a full PIA are forwarded to the Commissioner's office;
- approved PIAs are forwarded to the Office of the Privacy Commissioner; and
- summaries of approved PIAs are published on the CRA Web site.
The Director chairs the ATIP Oversight Review Committee.
Headquarters managers
Managers at headquarters are responsible for identifying activities that have privacy implications and, when they consider it appropriate, for raising potential PIA issues with their branch management team and with their branch representative on the ATIP Oversight Review Committee.
Managers are responsible for completing the PPIA and/or PIA Reports for identified activities, liaising with their branch's ATIP Oversight Review Committee representative and with concerned regional managers.
Regional managers
Managers in the regions are responsible for identifying activities that have privacy implications and for flagging potential PIA issues to their region's management team and to the affected program branch (when the functional authority at headquarters is unclear, managers shall contact ATIP for assistance).
When appropriate, regional managers are responsible for completing the PPIA Report in conjunction with the affected program branch.
Monitoring and evaluation
The Public Affairs Branch (PAB) is responsible for monitoring compliance with this directive and for evaluating its effectiveness and adherence to the relevant Treasury Board policies, with support from the Corporate Audit and Evaluation Branch and in conformity with CRA policies.
Review
The Public Affairs Branch is responsible for the scheduled review of this directive every five years and for any ad hoc reviews and revisions required prior to the scheduled review.
References
The CRA's PIA Directive flows from Treasury Board Secretariat's Privacy Impact Assessment Policy and is supplemented by the CRA's PIA Procedures.
PAB's Policies and related documents page offers a complete list of legislation, Treasury Board policies, and CRA policies and guidelines related to communications and public affairs.
This PIA Directive must be applied in conjunction with the following, which explore topics of particular relevance to privacy and PIAs:
Legislation
Public Affairs Branch policies and guidelines
- PIA Procedures
Other CRA policies and guidelines
- Information Management Policy
- Security Policy
Government of Canada policies and guidelines
- Privacy and Data Protection Policy
- Privacy Impact Assessment Audit Guide Checklist
- Privacy Impact Assessment Policy
- Project Approval Policy
- Risk Management policies and publications
Enquiries
Questions about this directive should be directed to the Director, Access to Information and Privacy (ATIP) Directorate, Public Affairs Branch.