Do you regularly do privacy impact assessments? For the most part, they are not required in any Canadian privacy law (unlike what’s coming in Europe with the GDPR), but they have long been touted as a go-to tool. When done properly, they can be an instrumental piece of an organization’s privacy management program. They can also be life-savers because when you analyze a new or changing program’s impact on privacy, it has the notable result of often identifying risks that can go unnoticed. At worst, if something goes wrong, it can at least show some accountability.

I’m knee-deep helping clients with two PIAs this week. We have a self-imposed deadline of getting them done by the end of the month, so it’s all hands on deck.

One of the PIAs is for a federal government department that is embarking on a new program that requires vast amounts of personal information in order to work. They clearly meet the threshold under the Privacy Act for collecting this information, but what strikes me is the breadth or vastness of the information that is going to feed the program. We all expect our governments to work efficiently and to avail themselves of the newest and most proficient technology, but do we realize that when we demand this service from our government we are essentially saying, “Yes, boldly move forward with big data”?

Are we really aware of the privacy issues and potential consequences? The good news is, these organizations opted to do PIAs. From what I understand, too many are either opting not to or not even contemplating it in the first place.

On another note, the Toronto Star wrote an article this week based on information it obtained from the OPC through an access request. It’s a good article that describes the tensions between government's use of big data and our outdated privacy laws. You should read it, or at least the summary below. Oh, that and a ton of other news, too.

It will give you something to do as a break from that PIA you’re working on ... right?