Personal Information Inventories
The Personal Information Inventory (PII) is a vital stage in any privacy compliance program, as it permits an organization to identify the nature, extent, sensitivity, location and format of its personal information holdings. This, in turn, provides a basis for the assessment of the organization’s compliance with privacy laws, regulations and policies to which it is subject, and permits the development of appropriate internal privacy compliance policies and procedures.
How It Is Done
We perform PIIs in two phases:
Phase One – Documentation Review/Analysis and Preparation of Inventory Questionnaire
We identify, review and analyse any documents made available by the organization relating to personal information under its control, and describe these materials in a user-friendly table format designed to both preserve a record of our pre-inventory research and to provide a starting point for the fact gathering portion of the inventory. We then prepare an inventory questionnaire template, customized to reflect the organization’s specific privacy law and policy environments, which is designed to gather additional information from designated personnel about the nature and location of, and dealings with, personal information under the custody/control of the organization.
Phase Two – Conduct Inventory, Analyze Responses and Report
If helpful to the organization, we participate in the delivery of the Inventory questionnaire to designated personnel. Thereafter, we consolidate and interpret the survey responses, while liaising as appropriate with operational, records management, information management, information technology and legal personnel. As required, we will conduct follow-up interviews with key program staff to clarify responses and/or to glean additional information. We then produce an Inventory Report describing the organization’s personal information holdings. The Report is accompanied by a PowerPoint slide deck describing key Inventory findings that is suitable for internal briefings. This process also enables the production of a corporate-wide information flow diagram with links to consent mechanisms and personal information uses, disclosures and retention plans.
We have participated in the performance of PIIs for organizations ranging from large (e.g. Public Health Agency of Canada) to the very small (e.g. small professional partnerships). For feedback from our satisfied customers, see our client testimonials. Let us put our experience to work for you. Contact us today to discuss your personal information inventory needs.
CPSI produced a personal information inventory for our Privacy Working Group that has served as an invaluable building block for our privacy compliance program.—Leo N.J. Maisonneuve - CIDA