Ombudsman releases privacy impact assessment process to help ensure compliance with Manitoba's information privacy laws
Oct 29, 2003
In a Special Report to the Manitoba Legislature, "Respecting Privacy: A Compliance Review Tool for Manitoba's Information Privacy Laws", Ombudsman Barry Tuckett says that the requirements of Manitoba's information privacy legislation need to be better known, more fully considered, and more systematically applied than is now the case. To help this process along, the Ombudsman's Office is introducing a privacy compliance self-assessment process that may be used by Manitoba public bodies and personal health information trustees in their management of the personal and personal health information entrusted to them.
Central purposes of The Freedom of Information and Protection of Privacy Act (FIPPA) and The Personal Health Information Act (PHIA) are to control the collection of personal and personal health information and to protect against the unauthorized use, disclosure, and destruction of this information. The Acts also provide for an independent review of the decisions of public bodies and personal health information trustees by the Manitoba Ombudsman.
To give a sense of the assessment process, the report includes the "Checklist at a Glance", which is one part of this new privacy tool kit. It is a summary form of the full "Checklist" which, in turn, is accompanied by a "Guide" to undertaking a privacy compliance self-assessment. The assessment process may be used for proposed programs and practices of public bodies and trustees, and for developing policies or legislation. It may also be applied to existing programs and practices.
"As we note in our Special Report, survey data indicate that a majority of Manitobans believe that personal privacy is being seriously eroded," said Mr. Tuckett. He also commented in the report that "the implications of a privacy breach, or simply the perception of a breach, may have significant consequences for individuals, business, and government."
"As anecdotal evidence," he said, "one has only to look at the frequency of privacy breaches being reported around the country and the concerns for privacy rights that are being expressed." A clear intention of Manitoba's privacy laws is to prevent breaches of information privacy before they occur. "Use of a privacy impact assessment process by Manitoba public bodies and health information trustees should reduce the risks of people's personal information being compromised and enhance public trust and confidence in how this information is being managed," said Mr. Tuckett.
Undertaking privacy impact assessments has become a generally accepted "best practice" for both the public and private sectors of our society. "The potential costs of noncompliance with statutory information privacy requirements are high," said Mr. Tuckett, "either in terms of the loss of privacy for individuals and the public in general or in view of the expenses entailed by revamping programs or legislation that did not take into account privacy requirements on a timely basis before being introduced or implemented."
While use of the new Privacy Compliance Tool is voluntary, it is an obligation of public bodies and personal health information trustees to be in compliance with the privacy laws. The tool is a helpful due diligence process that can be applied systematically to assess compliance with intricate statutory requirements.
Mr. Tuckett also said that the current public review of FIPPA and PHIA by the government should include consideration of the value of making privacy impact assessments an integral part of the Acts. "Several other jurisdictions in Canada have made privacy impact assessments a requirement by legislation or, more often, as a matter of public policy," he said.
The Compliance Review Tool will be made available on the Office's web site. The Office is working on a shorter compliance tool that may be used by trustees subject to PHIA, and is also considering the possibility of offering some workshops for public bodies and health information trustees on undertaking privacy compliance reviews.
Created in 1970, the Office of the Manitoba Ombudsman exists to promote fairness, equity and administrative accountability through independent and impartial investigation of complaints and legislative compliance reviews. An Access and Privacy Division, created in 1998, investigates complaints and reviews compliance under The Freedom of Information and Protection of Privacy Act and The Personal Health Information Act.