Privacy Impact Assessments

Privacy Impact Assessments

A Privacy Impact Assessment (PIA) is a policy process to identify, assess, and mitigate potential privacy risks before they happen.

When you need one

Institutions need to develop and update a PIA anytime:

  • an initiative uses or intends to use personal information to make a decision about an individual, or
  • there is a substantial change to the way personal information is, or will be, used to make a decision about an individual. This can include your initiative contracting out or transferring any part of the initiative

Privacy tip: Your privacy expert may ask you to answer a few short questions to determine if you need a PIA.

If your initiative doesn’t make decisions about an individual, but does collect and/or use personal information, consult your privacy experts to determine if any privacy assessment, such as a privacy protocol, or other deliverables are needed.

Scenario: Do I need to update my PIA?


Samira, a program advisor, is working on a benefits program that’s moving their traditionally paper-based application process online.


The new application portal requires people to create an account in order to submit their application to the initiative. Samira needs to know whether she needs to update any of her privacy deliverables.


Her privacy officer explains that since there is a significant change to the way information is being collected, she’ll need to update her PIA.

What’s required

All PIAs must include:

  • the name and brief description of the initiative
  • what personal information you're collecting, such as name, phone number, etc.
  • your legal authority to collect, use, and share the personal information
  • how you're collecting personal information, such as by paper, video, audio, etc.
  • a diagram of how personal information will move to deliver the program
  • an analysis of how personal information will be handled, who will have access to it and how it will be shared
  • where the personal information will be stored, for how long and how it will be deleted
  • a completed Risk Area Identification and Categorization (Appendix C- Core PIA)
  • a summary analysis of the risk(s) and recommendations for their mitigations

General process

  • reach out to your privacy experts
  • complete all the required sections of the PIA
  • your privacy expert will help determine if you need a Personal Information Bank (PIB)
  • your privacy experts can review your PIA, determine any risks in your plan, and help develop mitigation strategies
  • if you need a PIB, you should send it for approval with the PIA
  • get the PIA approved and signed off, as appropriate within your institution, and send a copy to the Office of the Privacy Commissioner of Canada and the Treasury Board Secretariat
  • all these steps need to be completed before the launch of the initiative

When to update and review

Your PIA should be continuously reviewed and updated any time there are changes to your initiative. Always contact your departmental privacy expert to assist you in determining which parts of the PIA need updating.

Related links:

Page details

Date modified: