Privacy Implementation Notice 2025-02: Use of the Office of the Privacy Commissioner’s Privacy Impact Assessment Online Form

1. Effective date

This implementation notice takes effect on July 9 2025.

2. Authorities

This implementation notice is issued pursuant to paragraph 71(1)(d) of the Privacy Act.

3. Purpose

This implementation notice is meant to encourage institutions to use the Office of the Privacy Commissioner of Canada’s (OPC’s) Privacy Impact Assessment (PIA) online submission form to meet their obligation to submit PIAs, Personal Information Banks (PIBs) and privacy protocols to the OPC and the Treasury Board of Canada Secretariat (TBS).

4. Context

Federal institutions subject to the Privacy Act are required to submit PIAs to the OPC and TBS under section C.2.2.12 of the Directive on Privacy Practices. Federal institutions are also required to submit PIBs to TBS for registration, modification, termination and transfers pursuant to 4.2.10 of the Directive on Privacy Practices and section 71 of the Privacy Act. In cases where privacy protocols are used to register, modify or transfer a PIB, they must also be submitted to TBS and the OPC, under 4.2.19 of the Directive on Privacy Practices.

The Directive on Privacy Practices was updated in October 2024 to incorporate the Standard on Privacy Impact Assessment, which replaces the former Directive on Privacy Impact Assessment. The standard includes mandatory PIA requirements and references a mandatory template that institutions must use when conducting PIAs.

5. Guidance

Federal institutions are strongly encouraged to use the OPC’s PIA online submission form as the preferred method for submitting PIAs, PIBs and privacy protocols to TBS and the OPC. While not mandatory, this method is highly recommended for its efficiency and effectiveness. The exception may be when submitting minor PIB modifications to TBS, which the OPC may not necessarily need to receive.

The online submission form can receive documents up to Protected B. To submit documents classified above Protected B, contact the OPC at SCG-GA@priv.gc.ca and TBS at ippd-dpiprp@tbs-sct.gc.ca directly.

Data inputted through the online form will be automatically sent to both TBS and the OPC. A copy of the PIA and/or PIB will also be sent to the reporting institution with the OPC file number.

For more information on PIA, PIB and privacy protocol requirements, institutions should review the Directive on Privacy Practices.

6. Application

This implementation notice applies to the government institutions as defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations.

7. References

• Privacy Act
• Directive on Privacy Practices

8. Enquiries

Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries at questions@tbs-sct.gc.ca for information about this implementation notice.

Employees of federal institutions may contact their Access to Information and Privacy (ATIP) coordinator for information about this implementation notice.

ATIP coordinators may contact the Treasury Board of Canada Secretariat’s Privacy and Responsible Data Division at ippd-dpiprp@tbs-sct.gc.ca for information about this implementation notice.