PRIVACY ASSESSMENT

Privacy assessment can take multiple forms.  The most well-known is the privacy impact assessment (PIA), a process with which Excela has considerable experience.

Excela's president, Alec Campbell, developed the privacy impact assessment process in use in Alberta's Office of Information and Privacy Commissioner from 2001 to 2010. That process was later adapted by the Ontario and Saskatchewan commissioners for use in those provinces. Excela assisted in the development of the Alberta Commissioner's Health Information Act PIA requirements, which replaced the original PIA process in 2010.

We have prepared PIAs and PIA methodologies for organizations in the Government of Canada, Newfoundland and Labrador, Ontario and Alberta, in both the public and private sectors. Excela can undertake privacy impact assessments for individual projects, for entire organizations, or on any scale in between.  We have particular expertise in the preparation of PIAs for initiatives involving information technology.

The PIA is not the only form of privacy assessment. PIAs are excellent risk management tools when properly undertaken. However, they are complex exercises that require considerable privacy expertise to complete. Simpler privacy assessments, sometimes called privacy checklists, can be valuable to determine whether a complete privacy impact assessment is required. Such checklists can be implemented as online questionnaires, spreadsheets, or paper checklists. Excela has developed privacy checklists for use in Newfoundland, Ontario, Alberta and the federal government, among others. Checklists can be developed for use in any public or private sector organization, operating under any privacy legislation.  Excela's privacy checklists refer specifically to the governing privacy legislation, ensuring that major risks of non-compliance are identified.  They require no privacy expertise to complete; any project manager or business unit manager can complete one.  Privacy checklists can provide automated responses or they can be forwarded to the organization's privacy officer for review and comment.

The most thorough and complex form of privacy assessment is the privacy audit. Usually conducted at the level of the business process, privacy audits may be undertaken in response to privacy breaches, to validate privacy policies and procedures, as part of a commissioner's investigation, or to obtain a thorough point-in-time description of the organization's privacy practices and risks. Privacy audits are time consuming and require privacy expertise, but they can be essential in some circumstances. The best known privacy audit framework is the Generally Accepted Privacy Practices (GAPP) of the Chartered Professional Accountants of Canada and its American counterpart. Other privacy audit frameworks are also available. Excela can conduct privacy audits based on the GAPP framework, other available frameworks, or a custom framework developed specifically for the organization or business process to be audited.

Excela recommends a privacy governance model for most larger organizations. A privacy governance model combines privacy policies and standards, compliance checklists, privacy impact assessments and periodic privacy compliance reviews or audits.  We can design a cost-effective privacy governance model for your organization to minimize privacy risks.