
Privacy Impact Assessment (PIA)

Your in-depth risk management report.

Do you need a Privacy Impact Assessment?

Demonstrate privacy due diligence, ensuring your customers, stakeholders, and regulators are satisfied with how you manage risks and fulfill privacy certification requirements. Prove that privacy is a key consideration in every part of your business process with a Privacy Impact Assessment (PIA) report.

Privacy Impact Assessment Reports Explained

What is a Privacy Impact Assessment?

A Privacy Impact Assessment (PIA) is a structured risk management methodology that looks at the environment in which your app or device will operate, how it is used, and how data flows through the technical and business processes. A PIA will help you understand the privacy risks associated with your products and services. You do not want to over-engineer your app or device. A PIA will help identify real hotspots where privacy and security countermeasures may be needed. A PIA is also an important marketing tool because it demonstrates to your customers that your business prioritizes privacy.

Does my business need a Privacy Impact Assessment?

Privacy Impact Assessments (PIAs) demonstrate to customers, stakeholders, and regulators that your business is applying the appropriate privacy due diligence to your products and services. Several certifications require PIAs to prove privacy due diligence, including Ontario’s MD electronic medical record certification and OTN and Ontario Health’s virtual visit verification. Many customers require PIAs as part of their vendor assessment to complete the sales process. PIAs are also helpful to your internal team so that your company understands the data it is bringing in and any associated risks.

What’s the purpose of a Privacy Impact Assessment?

A Privacy Impact Assessment (PIA) ensures that:

  • Senior executives have access to the information they need to make fully informed policy, system design, and/or procurement decisions
  • Accountability for privacy issues is clearly incorporated into the roles and responsibilities of project managers and sponsors
  • The protection of privacy is included in the core criteria for business projects and related project activities
  • Gaps are identified and remedial steps necessary to improve privacy protection in pre-existing programs or systems are identified and implemented

Can you update a past Privacy Impact Assessment report?

Yes, we conduct Privacy Impact Assessments (PIAs) for our clients’ products and services, and we can also update a past PIA.

What’s included in a Privacy Impact Assessment (PIA) report?

The PIA report includes the following major components:

  • Privacy Readiness Assessment: A comprehensive gap analysis checklist based on the Canadian Standards Association’s (CSA’s) model code for the protection of personal information and applicable privacy legislation. It is a key input into the evaluation of current safeguards and vulnerabilities.
  • Executive Summary: A brief description of the initiative and a summary of the principal findings of the PIA, including safeguards, residual risks, and recommendations. The Executive Summary is often released to regulators, customers, and auditors as evidence of privacy due diligence.
  • Background and Context: Describes the initiative at a high level, including a description of the system, benefits to customers and consumers, and the external regulatory, business, and economic environments.
  • Regulatory and Legislative Analysis: A survey of privacy laws and regulations for each government jurisdiction in which the system or program will operate. The analysis identifies applicable regulatory requirements and provides a current assessment of compliance with those requirements. Recommendations for bringing the initiative into compliance are included.
  • Organizational Privacy Assessment: Considers the adequacy of organizational privacy controls mandated by legislation and regulatory authorities. This includes information governance, policies and procedures, contracts with third parties, privacy and security training, monitoring and audit, breach management, and protocols.
  • Solution Privacy Assessment: Considers the adequacy of privacy and security controls associated with the technical and business solution. This includes a detailed review of the solution architecture, development of a data inventory, and a detailed mapping of dataflows for each business process. The assessment also considers the adequacy of mandated privacy requirements such as data residency, consent management, patient access to personal information, and audit functionality.
  • Privacy Risk Assessment: Considers the impact and likelihood of various threat scenarios associated with the solution. The analysis will determine the severity of the risks and make recommendations to manage those risks.
  • Conclusions and Recommendations: Summarizes the findings of the PIA, including observations, risks, and recommendations, and will prioritize the recommendations.
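The Privacy Risk Assessment and the prioritized recommendations described above are often tracked in a simple risk register. The following is an added illustration, not part of the original page or of any assessor's methodology: it assumes a three-level qualitative scale for impact and likelihood, multiplies the two into a score, bands the score into a severity, and sorts the register so the highest-severity scenarios and their recommendations come first. The scale, the banding thresholds, and the sample threat scenarios are all constructed for the example.

```python
from dataclasses import dataclass

# Assumed qualitative scale; a real PIA defines its own levels and criteria.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class ThreatScenario:
    """One row of the privacy risk register."""
    name: str            # short description of the threat scenario
    impact: str          # harm to individuals if it occurs (low/medium/high)
    likelihood: str      # probability of occurrence (low/medium/high)
    recommendation: str  # safeguard proposed to manage the risk


def risk_score(impact: str, likelihood: str) -> int:
    """Impact x likelihood on the assumed 1-3 scale, giving 1..9."""
    return LEVELS[impact] * LEVELS[likelihood]


def severity(impact: str, likelihood: str) -> str:
    """Band the numeric score into a severity rating (assumed thresholds)."""
    score = risk_score(impact, likelihood)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(scenarios: list[ThreatScenario]) -> list[dict]:
    """Return the register sorted by descending score, with severity attached.

    sorted() is stable, so scenarios with equal scores keep their input order.
    """
    ranked = sorted(
        scenarios,
        key=lambda s: risk_score(s.impact, s.likelihood),
        reverse=True,
    )
    return [
        {
            "name": s.name,
            "score": risk_score(s.impact, s.likelihood),
            "severity": severity(s.impact, s.likelihood),
            "recommendation": s.recommendation,
        }
        for s in ranked
    ]


# Constructed sample scenarios for a hypothetical health app; not from any real assessment.
SAMPLE_SCENARIOS = [
    ThreatScenario(
        "Backups replicated outside the required data-residency jurisdiction",
        impact="high", likelihood="medium",
        recommendation="Restrict backup replication to in-jurisdiction regions",
    ),
    ThreatScenario(
        "Access to patient records is not audit-logged",
        impact="medium", likelihood="high",
        recommendation="Log and review all record access events",
    ),
    ThreatScenario(
        "Consent wording not versioned",
        impact="low", likelihood="medium",
        recommendation="Version consent text and store the version with each consent",
    ),
]


if __name__ == "__main__":
    for row in prioritize(SAMPLE_SCENARIOS):
        print(f"[{row['severity']:6}] {row['score']}  {row['name']}")
        print(f"          -> {row['recommendation']}")
```

Running the script prints the register from highest to lowest severity, which is the order a Conclusions and Recommendations section would present its remediation items; swapping in the organization's own scale and thresholds only requires changing `LEVELS` and the bands in `severity()`.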