Privacy Impact Assessments

Protecting privacy is more than just upholding the law; it also involves taking a proactive approach to safeguarding the public’s personal and personal health information. Manitoba Ombudsman has a user-friendly privacy impact assessment (PIA) to help public bodies and/or trustees think about privacy when evaluating an existing or proposed program/activity.

A PIA is a process that an organization can use to identify and address potential privacy risks when contemplating a new, or evaluating an existing, program, service or activity. The PIA process examines potential impacts to privacy and considers reasonable measures to lessen these impacts.

It is our intent that this PIA tool will assist organizations in identifying potential privacy risks and as a result, they will be in a better position to address those risks early on. This PIA tool is not intended to replace any processes you may already have or be a substitute for complying with FIPPA and PHIA. Our office encourages you to review the information gathered through this process with an access and privacy representative (access and privacy coordinator, privacy officer, lawyer, etc.) so that you can address specific privacy requirements.

What is a privacy impact assessment (PIA)?

A PIA is a process that an organization can use to identify and address potential privacy risks when contemplating a new, or evaluating an existing, program, service or activity. The PIA process examines potential impacts to privacy and considers reasonable measures to lessen these impacts.

When should I complete a privacy impact assessment?

You should consider completing a PIA for any new systems, projects, programs, services or activities that may involve personal (health) information. If your initiative will not involve the collection, use or disclosure of personal (health) information, consult your access and privacy representative to determine whether a PIA is recommended. For example, a PIA may be useful in assessing risks regarding personal (health) information that has been de-identified (a record in which identifying information has been removed).

Does Manitoba law require that a PIA be completed?

No, it is not currently a legal requirement under FIPPA and PHIA to complete a PIA. However, some organizations may have policies in place that require a PIA be completed in some circumstances. A PIA is recommended to:

  • Determine when and how a project will impact privacy
  • Assist organizations in exercising due diligence
  • Address any privacy risks
  • Save time and money by identifying privacy issues early in the design stage
  • Assure the public that their personal (health) information will be managed and safeguarded appropriately

The full 12-page PIA includes the following sections:

  1. Introduction and Acknowledgments
  2. Frequently Asked Questions
  3. Before Getting Started
  4. Privacy Impact Assessment Tool (questionnaire)
  5. Appendices

Tools:

Privacy Impact Assessment (PIA) Guidance Tool

PIA Tool Questions – Fillable Form

PIA Questionnaire Only