Privacy Impact Assessment
The only way for a public body or custodian to effectively assess and manage privacy risks for any project involving personal information is to conduct a privacy impact assessment (PIA). Completing a PIA enables them to identify any risks associated with the collection, use, or disclosure of personal information and to ensure the information is properly managed in compliance with the ATIPPA and HIPMA.
The value of having the office of the Information and Privacy Commissioner (IPC) review a PIA is as follows:
- A public body or custodian is able to draw on the experience of the IPC in interpreting and applying the Acts.
- It enables them to receive feedback from the IPC about whether the project poses risks to the privacy of information.
- It demonstrates their accountability for ensuring the risks to privacy associated with projects involving personal information are being appropriately managed.
We have developed the Privacy Impact Assessment Checklist to be used by public bodies and health custodians when submitting privacy impact assessments to our office. PIAs will not be accepted without a completed checklist and the necessary supplementary information.
Privacy Breach
A privacy breach means the theft or loss of, or unauthorized use, disclosure, or disposal of personal information. The most common privacy breach occurs when the personal information of an individual, in the hands of a public body, is mistakenly disclosed, lost, or stolen, for example, when a laptop or memory stick containing personal information is stolen or when personal information is mistakenly emailed to the wrong person. A privacy breach may also be the consequence of a faulty business procedure or an operational breakdown.
Security Threat Risk Assessment
A security threat risk assessment (STRA) is the overall activity of assessing and reporting security risks for a given information system to make risk-based decisions. Like a PIA, a STRA maps out the data flows for a given information system to identify security risks, but with a particular lens on technical vulnerabilities.
Examples might include risks to the confidentiality, integrity, and availability of information stored in a system, as well as vulnerabilities related to malware, ransomware attacks, hacking, etc. The ATIPPA makes it mandatory for public bodies to conduct a STRA and submit it to our office for review before carrying out personal identity services (also known as digital ID), integrated services, data-linking activities, information management services, or a significant change to any of the above-noted types of information systems.
To request advice, HIPMA health custodians can fill out the Request for Advice Form and submit it to our office, and ATIPPA public bodies can contact our office.