Privacy Impact Assessments
A Privacy Impact Assessment (PIA) is a process used to evaluate and manage privacy impacts and to ensure compliance with privacy protection rules and responsibilities.
For government, completing a PIA is a legislative requirement. You must complete a PIA when you are developing or changing an enactment, system, project, program or activity. A PIA can make the difference between an initiative that invades privacy and one that enhances it. A PIA must still be completed even if you determine that there is no personal information being collected, used or disclosed.
The PIA Process
To complete a PIA:
- Select the appropriate PIA template.
- Complete the template, providing as much plain language detail as possible. If you believe no personal information is involved in your initiative, stop after Part I. Make sure to involve your ministry privacy officer in the process.
- Submit your PIA for initial assessment to the Privacy, Compliance and Training Branch, following the instructions in the template. Timelines for review will be provided by the privacy analyst upon submission.
- Revise your PIA based on the initial assessment and recommendations.
- Submit your revised PIA to the Privacy, Compliance and Training Branch for final review and sign-off.
- Obtain the necessary signatures of your program manager and your security officer (if applicable). For files that contain personal information, obtain a signature from your assistant deputy minister for final review and sign-off. For files that don’t contain personal information, obtain a signature from your executive director for final review and sign-off.
- Submit a complete and signed version of your PIA to the Privacy, Compliance and Training Branch and keep a copy for your records.
There are six types of PIA templates: