Privacy Impact Assessments
A privacy impact assessment (PIA) is a step-by-step review process to make sure you protect the personal information you collect or use in your project. You’ll work with privacy experts to identify, evaluate and manage privacy risks.
Why You Need a PIA
Section 69 (5) of the Freedom of Information and Protection of Privacy Act (FOIPPA) requires you to conduct a PIA. You need a PIA to determine whether your project involves personal information and if so, how you'll protect the information you collect or use in your project.
Personal information belongs to the person it's about. As public servants, we must protect any personal information we collect, use, store and share. Doing a PIA can help you protect privacy and build public trust by being clear about what information you're collecting, who has access to it, and where and how it's stored.
- Learn more about privacy principles for keeping information safe in B.C.
5 Steps to Completing a PIA
Step 1: Download the PIA Template
Step 3: Submit for Review
Step 4: Get Signatures
Step 5: Start Your Project
Choose the PIA template that’s right for you. The template you need depends on the work you’re doing.
Starting a new project or program
Use the PIA template (Word, 233 KB) for a new project or program in the B.C. government. Read through the questions and complete part 1.
Changing a project or program
Use the PIA update template (Word, 77 KB) if you're changing the way you collect, use, store or share personal information in a project that has already been through a privacy impact assessment. You'll need the previous PIA number.
Drafting or amending legislation or regulations
Use the LPIA template (Word, 41 KB) for legislation and the RPIA template (Word, 77 KB) for regulations. Learn about doing a PIA for draft or amended legislation or regulations.
Using an online tool that has already been assessed
Find out which commonly used online tools have already been assessed in the list of corporate privacy impact assessments. If the tool you'd like to use has already been assessed, use a corporate PIA checklist.
Doing a PIA in the broader public sector
If you work in the broader public sector and you're starting a project, use the PIA template for non-ministry public bodies (Word, 233 KB). Complete your PIA with your organization's privacy officer, if you have one.
Contact your Ministry Privacy Officer (MPO) as early as possible in your project to get expert help with your PIA. You may also need to include:
- Subject matter experts
- Technical support
- Project vendors
- Other project teams
- Your Ministry Information Security Officer (MISO)
When you're finished with the template, you and your MPO will submit it to a privacy analyst at the Privacy, Compliance and Training Branch (PCT) for review. The analyst will work with you and your MPO to finalize the PIA. The analyst may ask questions or suggest changes to the content.
PCT will sign the template when the analyst is satisfied that you have identified and will manage privacy risks. PCT may take longer to review more complex PIAs.
After PCT signs, the analyst will return the template to you to get signatures. When all the required signatures are in place, return the PIA to the PCT analyst. The analyst will file the PIA in the Personal Information Directory.
Start your project after your PIA is complete.
- Work to reduce the privacy risks you identified
- Monitor your project for future risks to privacy
- If you change the way you collect, use, store or share personal information in your project, update your PIA