1 David H. Flaherty, "Towards the year 2000: The Emergence of Surveillance Societies in the Western World," the keynote address to the opening session of the International Data Protections Commissioners' Annual Meeting, Quebec, Quebec, September 22, 1987.

2 See Colin J. Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Cornell University Press, Ithaca and London, 1992).

3 One of the earliest references that I have found to Privacy impact assessments comes from a Privacy Issues Form in Christchurch, New Zealand, on June 13, 1996 (which I in fact attended and participated in). The presenters were Blair Stewart of the New Zealand Privacy Commissioner's office and Elizabeth Longworth, a leading N.Z. privacy practitioner. I also note that I wrote, in September, 1995, an essay entitled: "Provincial Identity Cards: A Privacy-Impact Assessment." I can document the use of the term "privacy impact statement" as early as the 1970s. Stewart published a series of excellent short articles on privacy impact assessments in Privacy Law & Policy Reporter, vol. 3 (1996), 61-64, 134-38 and vol. 5/8 (1999), 147-49. These reflected, from a critical perspective, his experience with the process in New Zealand.

4 I am indebted for this point, and other suggestions, to my former colleagues, Lorrainne Dixon and Bill Trott.

5 I used these specific headings to prepare a recent Privacy impact assessment. The re-organization of the final product resulted in only 7 broad headings: introduction and overview; description; data collection; disclosure and use of data; privacy standards and security measures; conclusions; and sources.

6 This particular privacy impact assessment is a simple model of what can be done; it can be found at http://www.hlth.gov.bc.ca/waitlist/privacy.html

7 In an ideal world, any personal information system should have its own privacy impact assessment available for continuing updating and revision. But, given the amount of work required to complete a competent privacy impact assessment, I am reluctant to be too dogmatic on this point. The issue is much more clear cut for any privacy-intensive organization that collects and uses significant amounts of personal data.

8 See David H. Flaherty, Protecting Privacy In Surveillance Societies: The Federal Republic of Germany, Sweden, France, Canada, and the United States (University of North Carolina Press, Chapel Hill, NC, 1989), pp. 57, 385-91.

9 See Treasury Board Canada, "Model Cross-Jurisdiction Privacy impact assessment Guide," (Draft, October, 1999); Ontario, "Privacy impact assessment Guidelines," (March, 2000, 83pp.), http://www.gov.on.ca/MBS/English/fip/pia/; U.S. Internal Revenue Service, "Model Information Technology Privacy impact assessment," (Version 1.3, December 17, 1996, 17pp.), available at http://www.cio.gov/docs/IRS.htm This U.S. model contains a help list of "privacy questions" to guide those preparating an initial privacy impact assessment for review with the IRS's Privacy Advocate. The Ontario Management Board of Cabinet now requires a privacy impact assessment of any submission to it from a government department "seeking approval to begin the detailed design phase or to request funding approval for product acquisition or system development work." (p. 6) It also has lists of helpful questions associated with each component of the privacy impact assessment.

10 What I find especially appealing about ISTA's "Guidelines" is that they include within the Privacy impact assessment Form some sample language under each box on the form as an assist to someone having to fill it out. See www.ista.gov.bc.ca.

11 See www.oipcbc.org/policies/privacy impact assessments

12 The Ontario Management Board Guidelines state: "The end result of a privacy impact assessment process is documented assurance that all privacy issues have been appropriately identified and either adequately addressed or, in the case of outstanding privacy issues, brought forward to senior management for further direction." (p. 25)

13 The Ontario Management Board Guidelines state: "While the completion of a full and detailed privacy impact assessment may only be possible at later stages in the system development and acquisition phase, the privacy impact assessment is best approached as an evolving document which will grow increasingly detailed over time." (p. 11)

14 The Alberta Information and Privacy Commissioner issued two press releases in August 1999 announcing his "acceptance" of two Privacy impact assessment submitted to his office by Alberta Health and Wellness and alberta we//net. They are located under `reports,' and `privacy impact assessments' on the office's web site: www.oipc.ab.ca

15 In his final annual report as Privacy Commissioner of Canada, Bruce Phillips drew attention to some data protection problems with a massive research data base maintained by HRDC. When his press release give pride of place to an issue that was otherwise buried in the bowels of the annual report, the media and Opposition political parties in Parliament picked up on the issue and made it front-page news for almost two weeks. An initially defensive Minister subsequent ordered the literal destruction of the linkage devices that had made the data base possible. Many thousands of Canadians simultaneously demanded to know what information was held about them in the data base in question.