Why Privacy Impact Assessments (PIA) are Completed
CMHC completes Privacy Impact Assessments to ensure compliance with the requirements set out in the Privacy Act, Treasury Board of Canada Secretariat (TBS) policies and directives, and privacy best practices.
In line with the Privacy Act, PIAs are completed for any new, revised or outsourced programs or activities. PIAs help us embed privacy into the design of our activities by understanding the risks associated with new or redesigned programs and making privacy a key consideration before they are launched.
PIAs are used as a risk management tool to help us identify areas of privacy risk in our activities and implement remediation plans to reduce risks to an acceptable level.
We assigned priority ratings to all identified deficiencies/findings as either a “high” or “low” priority, using the criteria below. These criteria draw on our industry knowledge and privacy experience in dealing with TBS, and take into account the Privacy Act, TBS Guidelines and regulatory expectations:
A high priority means that the finding must be remediated or addressed as soon as possible to reduce the risk posed to CMHC and/or the privacy rights of the individual to an acceptable level within CMHC’s risk appetite.
Immediate remediation of the finding is required as there is a high degree of certainty that the failure to remediate will lead to:
- Non-compliance with the law, regulatory expectations and/or TBS guidelines;
- Reputational damage to CMHC or area under review; or
- Significant and/or adverse regulatory scrutiny or fines and/or negative media attention.
A low priority means that there is low residual risk of harm. Remediation of the finding is not required by law or regulation; however, it is recommended as an area of enhancement. It is intended to provide CMHC with additional information to assist in developing best practices for the area or process under review.
A finding is categorized as low priority when the:
- Finding can only lead to limited financial, legal, reputational or human consequences or impact in the area under review;
- Deviation from policy or procedure represents a change in business process but doesn’t violate the law and isn’t contrary to regulatory expectations (i.e. the policy is no longer applicable and requires updating); or
- Area under review requires routine management attention to reduce exposure(s), and such attention is warranted to assist in the overall efficiency of the process.
For more information:
If you would like more information about this PIA, please contact:
700 Montreal Road