Privacy Impact Assessments

A Privacy Impact Assessment (PIA) identifies and evaluates the potential effects on privacy of a project, initiative, or proposed system or scheme. In general, it is best practice to conduct a preliminary PIA (PPIA) prior to starting a full PIA; the information contained in the PPIA may indicate that a full PIA report is needed.

The ATIPPA, 2015 requires departments and the executive branch of government to complete a PIA or PPIA during the development of a program or service. Further, if the PIA involves a common or integrated program or service, the minister must notify the OIPC regarding this program at an early stage of development. Once a PIA in relation to a common or integrated program or service is developed, it must be submitted to the OIPC for the Commissioner’s review and comment.

While not all public bodies are required to conduct PPIAs and PIAs, it is good practice. In addition, while it is not required that the OIPC review all PIAs, this Office would welcome the opportunity to review and provide comments on any PIA that is conducted by a public body.