Recently I was browsing the Treasury Board’s guidance on privacy impact assessments for the federal public sector (yes, that’s what I do for fun), and I came across a rather innocuous little tidbit about something called a “privacy protocol.”
Have you ever heard of one of these?
It is, ostensibly, a PIA’s slimmer, cheaper cousin.
It’s something an organization can use to identify and address privacy issues when a program involves personal information but does not involve making a decision about the people whose information is implicated. They’re quicker to undertake, shorter, and pretty efficient at identifying and mitigating privacy issues.
This, my friends, is a hidden gem. Why isn’t the government shouting about these things from the rooftops?
The problem is that there is virtually no information or guidance on how to do one of these properly.
I’ve had the pleasure of working with some clients who have developed privacy protocols that I think work quite well. And, upon reflection, I think they are a tool that could easily be adopted by the private sector as well.
Maybe this is a solution that will help organizations get over their reluctance to conduct full-blown PIAs. Doing privacy properly doesn’t always need to be difficult. Let’s talk more about these privacy protocols. And let’s see some guidance on them, too.