Thank you.
Section 5.1 of the directive on privacy impact assessment provides that a privacy impact assessment must be done for “new or substantially modified programs and activities involving the creation, collection and handling of personal information”.
My three questions are these: Could you explain the process that allows you to make a clear distinction between a new and existing program or activity? Second, could you explain the process that allows you to determine if modifications made to a program involving the creation, collection and handling of personal information are important enough to require a PIA? Finally, if you have doubts regarding the application of the directive on privacy impact assessment, do you consult the Treasury Board to clarify the application of its directive?
Qujannamiik.