Canada's Guidelines Can Aid U.S. Firms
Those of you who do business in Canada or with Canadians should be aware that our neighbor to the north is phasing in comprehensive privacy rules that will cover private and public activities. The law is the Personal Information Protection and Electronic Documents Act.
I don't intend to describe the features of PIPEDA other than to note that it is based on the Model Privacy Code from the Canadian Standards Association. That code was a consensus document with support from nearly everyone in the privacy debate.
The CSA Model Code, which was essentially enacted into law in PIPEDA, includes 10 privacy principles that look much like Fair Information Practices. In other words, the Canadian law is similar to national privacy laws in Europe and elsewhere. Canada also has a Privacy Act, an older law that applies only to federal agencies.
The Canadian government recently issued a tool for assessing the effect of privacy on government activities. It calls for a Privacy Impact Assessment. In the United States, the IRS issued a PIA governing its own information activities several years ago, and it is used by other agencies as well.
The Canadian PIA is a detailed guide to evaluating the privacy effects of government programs, and most of it can be applied easily to any activity affecting privacy. There is an accessible and free privacy assessment guide in English and French at tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/siglist_e.html.
You will find two documents at the Web site. The first describes the basic requirements of Canada's PIA policy and defines the roles of agency heads and other players. Ignore this document, which is useful only to Canadian bureaucrats.
The second document offers PIA guidelines, and it is worth a look. Completing a PIA is not a requirement of Canadian law, even for Canadian companies, but it is useful. If you want to figure out how to approach privacy, the PIA is a good start.
The PIA calls for a four-step process. The first is a determination of whether to conduct a PIA at all. If an activity collects, uses or discloses personal information, then the PIA applies.
The second step calls for a data flow analysis. This describes how data is collected, used, stored and disclosed. If you create an input-output diagram for personal data, you are likely to discover that the data is used and shared in many non-obvious ways.
It is particularly important to understand what happens to personal data. Do you think that you never disclose data outside your company? Even if you don't have outside lawyers, regulators or record storage facilities, you still face the possibility of a cop showing up with a search warrant or a litigator presenting you with a subpoena.
The third step is a privacy analysis. The Canadian guidelines include lengthy questionnaires that help identify major privacy risks and vulnerabilities. Working through these issues is helpful, even if you decide you don't need to worry about everything.
The last step is the creation of a privacy impact assessment report that contains an evaluation of the privacy risks as well as strategies to reduce those risks.
Two things about the Canadian guidelines are noteworthy. First, they offer a lot of detail. Separate sets of questionnaires cover federal activities and cross-jurisdictional activities. In each case, basic principles are identified and broken down into detailed issues to be evaluated.
Second, the guidelines recognize that a PIA evaluation must be a cooperative process requiring different skills to identify and assess privacy implications.
If you do business in Canada, working through the details of the PIA provides an introduction to Canadian private sector law. It won't, however, tell you anything about U.S. law. Take it as an organized way to begin to assess privacy. That's useful no matter where your company does business.