Auditing Privacy Impact Assessments: The Canadian Experience

Abstract

In early 2007, the Office of the Privacy Commissioner of Canada (OPC) embarked on a project to measure the extent to which privacy issues arising from government operations were being appropriately managed. The audit, titled Assessing the Privacy Impacts of Programs, Plans and Policies, was the first of its kind in Canada and, to the best of our knowledge, the only comprehensive evaluation of the implementation of privacy impact assessments (PIAs) worldwide. It was an important initiative, not only for its findings – many of which can be applied crossjurisdictionally – but also for its salutary effects on PIA practices government-wide. While the primary objective of the audit was to assess compliance with the government’s policy on PIAs, it has served as importantly to promote an understanding of PIAs as an effective risk management tool.