Privacy Impact Assessments

A privacy impact assessment (PIA) is a process of analysis that helps to identify and address potential privacy risks that may occur in the operation of a new or redesigned project. A PIA is meant for proposed legislative schemes, administrative practices and/or information systems that relate to the collection, use or disclosure of individually identifying personal or health information.

Legislative Requirements

Section 64 of the Health Information Act (HIA) requires submission of a PIA for review by the OIPC.

The submission of a PIA to the OIPC is voluntary for public bodies and private sector organizations. There are no PIA requirements under the Freedom of Information and Protection of Privacy Act and Personal Information Protection Act. The OIPC encourages public bodies and private sector organizations to submit PIAs for projects that involve the collection, use and disclosure of personal information, particularly with respect to information sharing initiatives involving multiple parties.

Completing a PIA

The Privacy Impact Assessment Requirements guide was developed to assist in the process of completing a PIA.

Review of PIAs

PIAs received by the OIPC undergo an initial assessment to determine whether the submission is complete (i.e. the sections required for a PIA are present; see the Privacy Impact Assessment Requirements guide).

If the submission is complete, the PIA will be assigned to a manager for review. Due to current case volume, the assignment may take up to 12 months. (This timeline does not apply to PIAs subject to an expedited process, such as the Netcare Expedited PIA Process.)

Incomplete submissions are returned to the public body, custodian or private sector organization.

Important to note, the OIPC does not "approve" a PIA submitted to the office. Once satisfied that the public body, custodian or private sector organization has addressed the relevant privacy considerations the OIPC will "accept" the PIA which acknowledges that reasonable efforts to protect privacy have been made. A PIA cannot be used to obtain a waiver of or relaxation from any requirement of the relevant legislation.

If you have detailed questions about submitting a PIA please contact the office.

PIA Registry

The following documents list all accepted PIAs since January 1, 2017: 

Lists of accepted PIAs each year are available from the Annual Reports webpage.

We also have archived lists.