Privacy Assessment Form

Privacy Assessment #:
Initiative Title:
Date Initiated:
Privacy & Freedom of Information Officer contact information:
Part 1: General Information

To be completed by the business area responsible for the initiative:

Estimated implementation date:
Responsible division/business area:
Business owner contact information (person responsible for the initiative):
Project Manager contact information (if applicable):
Legal consultant for business area:

Revision History:

Version # / Version Date / PA # / Requested By / Revision Description
Why do I need to do a Privacy Assessment (PA)?
Privacy Assessments (PA) are required when implementing or upgrading any City of Regina initiative (program, project, service, application, software upgrade, etc.) to ensure personal, confidential and third party data/information collected, used, shared and stored by the City is protected. A PA identifies privacy and security risks and provides the opportunity to mitigate those risks prior to implementation.
What if the initiative does not involve personal, third party or confidential information?
You are required to complete Part 1 (General) and 2 (SPQA) of the PA to ensure all initiatives are accurately assessed and documented indicating there are no potential privacy concerns.
Definitions
Confidential Information: Confidential information may include information that is: solicitor/client privileged; dealt with during in-camera meetings; proposed plans; policies or projects that have not yet been made public; trade secrets; proprietary to the City; or information that may harm the economic interests of the City.
Data: Data includes information that is produced or stored by a computer and is usually used to calculate, analyze or plan.
Express Consent: Express consent can be given orally or in writing by the individual to whom the personal information belongs. Consent can be given by the individual or an authorized representative (i.e. legal guardian, power of attorney, etc.). It is an agreement by the customer for the collection, use and disclosure of their personal information, typically when acquiring or accepting a product or service. Written consent is better because it provides documentation as proof that consent has been given. Consent given orally should be documented by the business area in the appropriate file or database.
Implied Consent: Implied consent is when a customer presents themselves to a business area to acquire a product or service. For example, when a customer wants to sign up for a water account, there is certain personal information required for obtaining that service.
Information: Information is what a record contains. It is also a term used to refer to the content of electronic databases or applications. Regardless of the form, all recorded information in the possession or under the control of the City is a record.
Initiative: A standard term used to represent a program, project, service, application, software upgrade, etc.
LAFOIPP: The Local Authority Freedom of Information and Protection of Privacy Act.
Personal Information: Personal information includes personal information about an identifiable individual.
Personal information may include, but is not limited to, information about: race, nationality, religion; gender; family or marital status; age; birth date; place of origin; education; employment or criminal history; sexual orientation; financial information (tax information, assets, liabilities, net worth, financial activities, credit worthiness, disability or other financial transactions); health care or health history, health services number; social insurance number; driver’s license number; employee id; home address; telephone number; email; the views or opinions of someone about that person; information about the physical or mental condition of an individual; personal information gathered by monitoring or tracking an individual’s activities electronically (i.e. surveillance, computer chip technology, fingerprints/retinal identification, DNA, GPS) along with a host of other information.
Examples of what personal information does not include: information that appears on a business card, such as company name, name of employee, company contact information, etc.; public employee salaries; or information from which specific identifiers, such as name, address or other unique identifiers such as account number, have been removed or “de-identified” so the individual to whom the remaining information belongs cannot be identified.
Safeguards: This is how the City protects information and mitigates privacy risk by securing information through system processes, policies and business procedures and physical security. Physical safeguards include restricting access to a business area using locks, access cards, keypads; locking cabinets and desks, locking computers when leaving them, disposing of information using secured confidential shred bins, etc. Technological safeguards include secured networks, encrypted data, access trails, transferring information through a virtual private network (VPN), etc. Administrative safeguards include policies and procedures and can be anything from the City’s Privacy Policy to the Confidentiality Declaration to business rules on faxing, emailing or how and where to store personal information.
Third Party Information: Third party information includes information about a person or unincorporated entity other than the City or an individual requesting the information. For example, third party information may include but is not limited to: information that is proprietary to a third party; may divulge trade secrets; is financial, commercial, scientific, technical or labour relations information obtained in confidence; information that could result in financial loss or gain; information that may prejudice the competitive position of or interfere with contractual or other negotiations of the third party.

Please complete:

Description: Provide an overview with as much detail as possible of the initiative: purpose; data/information flow pertaining to personal, confidential or third party information collected, used, shared or stored; where the information will be stored (on City servers onsite or at an off-site location).
Scope: Describe what part or phase of the initiative this PA covers. Also describe any related elements of the initiative outside of the scope of this PA, which may require a separate assessment.

G:\Taxonomy\ITM\T\8000s Admin\8400 FormsManagement\8400-55 Originals\Privacy Assessment\PrivacyAssessment v1.0.doc