Privacy Law and Policy Reporter
The Privacy Law & Policy Reporter first covered the subject of privacy impact assessment (PIA) in depth in July 1996. Since then some half a dozen detailed articles, and several news items, have been published. However, 2002 may be the year when PIA really ‘comes of age’. The Canadian Federal Government’s decision in April to make PIA compulsory was merely the most significant step in a year of noteworthy developments. It is timely to briefly survey something of what has been happening in the last 12 months in the Asia Pacific region and beyond.
In late December 2001 the Federal Privacy Commissioner issued guidelines for the use by agencies of public key infrastructure (PKI). Guideline 3 stated:
Agencies should undertake a privacy impact assessment before implementing a new PKI system or significantly revising or extending an existing PKI system.
Commentary to the guidelines, and an appendix, were devoted to describing PIA and what purpose it might serve. A sample PIA checklist was included as a starting point to stimulate discussion of the process and analysis that agencies may undertake to assess privacy risks.
Over recent years some federal agencies in Canada have undertaken, or commissioned, PIAs of important new systems. For example, Health Canada finalised ‘A Privacy Impact Assessment of the Non-insured Health Benefits Program (NIHB) of the First Nations and Inuit Health Branch’ in April 2002. Such PIA has been at the initiative of each agency on a voluntary basis. However, as recently reported, Canada’s Federal Government has become the first national government in the world to make PIA mandatory.
PIA has been undertaken in Alberta, British Columbia and Ontario for several years. Two recent developments are outlined below.
British Columbia — in April 2002 the Freedom of Information and Protection of Privacy Act was amended to place PIA on a statutory footing. The amendments define ‘privacy impact assessment’ and provide that the head of a Ministry may be required to conduct an assessment in accordance with the directions of the Minister responsible for the Act.
Alberta — on 31 July 2002 the Office of the Information and Privacy Commissioner of Alberta officially launched its new website at <www.oipc.ab.ca>. Of particular significance is the fact that the site has a searchable registry of all PIAs that have been accepted by the Commissioner. The Health Information Act, which came into force in April 2001, requires that a report on a PIA be delivered to the Privacy Commissioner for review and comment before a custodian implements proposed administrative practices and information systems relating to the collection, use or disclosure of individually identified health information.
In March 2002 the NZ Privacy Commissioner released a new Privacy Impact Assessment Handbook at the 3rd Asia Pacific Forum on Privacy and Data Protection. The Handbook builds on earlier NZ work on PIA and has as its genesis a project for the Hong Kong Privacy Commissioner for Personal Data. The Handbook focuses on the practical what, why, who, which, when and how of PIA. Its methodology and structure for privacy impact reports is less prescriptive than the templates and checklists developed for use by various Canadian governments, as it is hoped that the Handbook will be equally useful for public and private bodies.
In April 2002 the UK Cabinet Office released a much anticipated report, Privacy and data-sharing: The way forward for public services, to some adverse comment from privacy advocates. However, the report has a silver lining in that recommendation 19 advocates the use of PIA to promote more consistent decision making across public services on privacy and data sharing issues. PIA is seen as suitable to initiate an open dialogue with the public and with stakeholders around new data-sharing initiatives. Annex D outlines an analytical framework and the role of PIA in that framework. The report remains under study by the UK Government, and the Lord Chancellor’s Department is looking in detail at PIA.
Blair Stewart is Assistant Commissioner, Office of the Privacy Commissioner, New Zealand. He is also on the editorial board of PLPR.
 Office of the Federal Privacy Commissioner, Privacy and Public Key Infrastructure: Guidelines for Agencies using PKI to Communicate or Transact with Individuals December 2001 <www.privacy.gov.au/publications/pki.doc>.
 Greenleaf, ‘Canada makes privacy impact assessments compulsory’ 8(10) 2002 PLPR 190 at 191.