
Executive Summaries Nov 23, 2023
Demystifying Privacy Impact Assessments (PIAs)
Since September 22, 2023, private businesses have been required to undertake Privacy Impact Assessments (PIAs) in a number of situations provided for by law. The new version of the Act respecting the protection of personal information in the private sector[1] (ARPPIPS) has introduced not only significant penalties for failure to comply with its obligations, but also new concepts such as the PIA that warrant a closer look.
What is a PIA?
The PIA plays a key role in the ARPPIPS, as it is an essential tool for businesses, particularly due to its mandatory nature. Despite its incorporation into the ARPPIPS, the Act does not provide a specific definition for PIA.
A PIA is a risk-assessment tool whose chief objective is to identify issues relating to the protection of personal information, thereby enabling mitigating measures to be identified where necessary. As a result, conducting a PIA ensures that businesses:
- Are aware of the privacy risks that exist within their organization
- Consider the pros and cons as well as appropriate mitigation measures
- Monitor the aforementioned risks through practical means
Consequently, while conducting these assessments may appear to be an additional burden, organizations must view PIAs as useful and necessary so as to prevent monetary penalties or reputational harm arising from breaches of the law.
Moreover, the ARPPIPS does not specify how a PIA should be carried out. Nor does it indicate whether it is necessary to document all PIAs or what form such assessments should take. Nevertheless, since assessments must be carried out repeatedly, and since conducting a single PIA may require enlisting help from several parties (including the privacy officer, legal team, security team, and external suppliers), businesses would do well to adopt a basic PIA model tailored to their specific situation, containing all the information they need to document and enabling them to proceed efficiently.
When should a PIA be conducted?
Prior to the enactment of the new requirements in September 2023, PIAs were considered good practice only. The ARPPIPS, however, now makes it compulsory to conduct such an assessment in three instances:
- Prior to launching any project involving the acquisition, development or restructuring of an information system or electronic service delivery system that involves the collection, use, disclosure, retention or destruction of personal information (including the acquisition of a new payroll management system, development of a mobile application, installation of surveillance cameras, launch of an advertising campaign or use of artificial intelligence)
- Prior to disclosing personal information outside Québec, which is a common occurrence given how few businesses or their suppliers site their servers exclusively in the province
- Prior to disclosing personal information to a third party that wishes to use it for study, research or statistical purposes, without the consent of the individuals concerned
It is worth noting, however, that the obligation to carry out a PIA is not retroactive. Hence, any project completed as of September 22, 2023 and any disclosure of personal information outside Québec prior to that date are not subject to this assessment.
How should a PIA be conducted?
Faced with this new obligation and in the absence of clear directives from the ARPPIPS on a preferred method, Commission d’accès à l’information (the CAI) released its updated Guide d’accompagnement (the Guide), which is designed primarily as a source of information and which includes a model PIA report. (The Guide is available in French only.)
These documents aim to support organizations that are subject to the ARPPIPS and required to conduct PIAs by providing a structure for the assessment and an explanation of the concepts involved. The steps put forward by the CAI are as follows:
1. Description of the project and its scope: This introductory section provides an overview of the project, its objectives, and so on.
2. Roles and responsibilities: This section identifies the stakeholders involved. Depending on the size of the business, these may vary from regulatory compliance advisors to information security advisors, for example.
3. Personal information involved and scope of the assessment: This section enables the identification of the personal information involved and the categories of people whose information is involved (for example, employees, customers, and so on). In this section, the CAI asks organizations to justify the scope of the PIA being carried out. It should be kept in mind that the ARPPIPS states that the PIA “must be proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.”[2]
- While the CAI does not specifically state what criteria should be applied in determining if a PIA is proportionate or not, it is possible that a project involving sensitive personal information (for example, health information, biometric information or information about minors) or linked to artificial intelligence would justify a more detailed assessment. Conversely, a new project involving very little personal information that is not very sensitive (for example, only a few first names, surnames and contact details) should not be the subject of an extensive and exhaustive assessment.
4. Compliance with obligations and principles relating to the protection of personal information: While the CAI states that the purpose of this section is to assess compliance with the applicable provisions, unlike its counterpart in France, Commission nationale de l’informatique et des libertés, it does not provide a specific list of applicable obligations or privacy factors to be complied with in its recommended assessment model. Hence, in this third section of the assessment, it would be up to businesses to raise the legal obligations to which they are subject and assess the compliance of the activities in question:
- Does the project comply with applicable legislation on the protection of personal information?
- Is the business able to identify potential threats and the consequences of such threats for the people concerned?
- Can the business introduce mitigation measures to reduce the probability or impact of a previously identified risk?
It is primarily at this stage that support from a member of our team may be required. While the CAI Guide delves into many of the other steps, as far as legal insight is concerned, seeking the help of legal professionals may well be worthwhile.
5. Identifying risks and mitigation strategies: This section should describe the project’s privacy risks and identify suggested mitigation measures. This is also where risk matrices, such as the one below, may prove useful. This matrix qualifies the level of risk in accordance with the probability of occurrence and the severity of the potential consequences.
[Figure: risk matrix rating the level of risk by probability of occurrence against severity of potential consequences]
6. Action plan: In this section, the CAI sets out the concrete actions to be implemented, based on the strategies identified in the preceding stages. For instance, if the use of an unsafe tool or software is only temporary, pending the negotiation of a new contract, a person must be appointed to ensure that this part of the action plan is implemented within the set timeframe.
7. Approval of the report and versions: This section allows a senior officer of the organization to approve the content of the PIA. The risks to privacy and the protection of personal information are significant and may result in considerable harm if they occur. Consequently, it is essential that the key players in the organization be aware of them, for more informed decision-making.
In its Guide, the CAI states that while it is possible to carry out a PIA without formally documenting it, one should be able to explain and justify one’s PIA approach. With this final step, the CAI reminds businesses of the importance of documenting their PIA. The assessment report is important when businesses are required to account for or demonstrate their compliance, for example, in response to requests from regulators.
It is also important to remember that these assessments need to be updated and need to evolve over time.
If you have any questions about conducting PIAs, whether to help you in undertaking an assessment or provide you with the tools you need to conduct it yourself, or if you have any other questions about the impact of the new privacy requirements on your business, please contact our team.
[1] Act respecting the protection of personal information in the private sector, CQLR c P-39.1.
[2] ARPPIPS, Article 3.3 p. 4.