Yes, I definitely think the policy should be legislated, but I don't want a whole bunch of cookie-cutter PIAs every time they change the personal information system. Any significant personal information system at Health Canada or Service Canada or Revenue Canada--whatever they're called nowadays--should have a privacy impact assessment done so that Canadians who are interested can go to the website and find out, “Oh, this is what they do with my personal information.”
My favourite client is the Canadian Institute for Health Information. They have 18 major databases. They're kind of the Statistics Canada for health, as you likely know. They have 18 privacy impact assessments on their website, www.CIHI.ca, under privacy and data protection. I wrote the first drafts of each of them with the staff. One is about therapeutic abortions. CIHI has a therapeutic abortion database? Yes, it does. Does it have identifiable data? No. Does it have very strong security provisions? Is it audited? Is it monitored? Yes. Does it exist for good purposes? Yes. And if you don't think it exists for good purposes, you can fight with them.
The PIA is the story of a database. Why does it exist? What are its purposes? Why do you need this in the first place? Is it rational? What personal information do you collect? What personal information do you disclose? Do you get consent? What security provisions do you have in place?
I always end up with a privacy report card, measuring the thing against the ten privacy principles. I've done it for the Assembly of First Nations regional health survey, which is in the field at the moment. I sometimes give actual grades to it--for example, 72% on security, 85% for consent or accountability.