Of course, the first thing I wanted to write about today was how ridiculously cold it is in Ottawa and how I am so over winter. I know, I know, we’re Canadians and we aren’t supposed to complain about it, but it’s hard not to when my eyelids actually freeze shut! I saw a cartoon the other day that said: "Why do I live in a place where the air hurts my face?" Right now, despite being a pretty patriotic guy, I agree!
I suppose it's a good time to hibernate and get work done... There's a silver lining! One of the things I do a fair amount is help clients get through the PIA process. In some cases, we simply advise a team of privacy professionals who are undertaking the exercise themselves and they just want to bounce ideas off us. In other cases, we do the bulk of the work and produce the actual PIA report. It’s neat work and I appreciate the opportunity to do it. After doing several PIA engagements per year for the past few years, I’ve learned a lot about the nuanced differences in our privacy laws. Whether it be the level of detail found in New Brunswick’s health information protection law or the fine points that need to be looked at if you’re submitting your PIA to the OPC for review, there are no two PIA projects that are identical. I've heard some say it can be cookie-cutter work but, in my humble opinion, if you do it well, it shouldn't be.
While training some privacy pros recently, we talked about the PIA process and how, typically, it is used more in the public sector than the private sector. I suppose this is not all that surprising considering the disparity we see when it comes to the level of resources dedicated to privacy in the public sector versus the private sector. I mean, it seems to me that there are generally more people doing privacy work in the public sector than in the private sector and it’s not surprising that our laws and governmental policies emphasize the need for PIAs for that sector.
Will PIAs ever really catch on in the private sector? I’d love to hear your thoughts. As it is, there is the ever-emphasized accountability principle that is found in our private sector laws. Will this principle ever be interpreted as requiring the private sector to more regularly engage in the PIA process? Isn't doing a solid PIA for something an excellent measure in demonstrating accountability? When done well (and this doesn't mean they have to be huge and unwieldy bricks) they can be efficient ways of dealing with privacy issues before they become problems.
Now, if only completing the next PIA would somehow magically turn up the heat outside—then I suspect I’d be even busier this time of year!