Language selection


OPC updates guide to the privacy impact assessment process

March 4, 2020

Privacy Act Bulletins (formerly Privacy Commissioner Alerts) are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal public sector.

Assessing potential privacy risks is more important than ever in today’s increasingly complex environment.

Privacy impact assessments (PIAs) are a critical tool to help federal public sector institutions ensure that they meet their legal requirements under the Privacy Act and also address or mitigate privacy impacts before launching an initiative.

The OPC is launching updated guidance – Expectations: OPC’s Guide to the Privacy Impact Assessment Process – on effectively managing privacy risks as part of the PIA process.

Guidance highlights

Key elements of the guidance include:

  • Concepts related to PIAs, including their purpose and when they are required.
  • Practical instructions for each phase of the PIA process.
  • Clarification of the OPC’s role in the PIA process and expectations with respect to the PIA reports.
  • A list of risk factors to consider during the risk assessment phase, and a roadmap for high-risk programs.
  • Relevant legal and policy requirements, questions to consider, as well as risk and mitigation examples, for each of the ten privacy principles against which an institution should assess its programs.

Under the Treasury Board Secretariat Directive on Privacy Impact Assessment, institutions must undertake PIAs for programs and activities when personal information is used or intended to be used in a decision-making process directly affecting individuals; substantial modifications are made to existing programs or activities where personal information is used or intended to be used for an administrative purpose; and contracting out or transferring programs or activities to another level of government or to the private sector results in substantial modifications to the program or activities.

Here to help: Consult our Government Advisory Directorate

We encourage institutions to consult our Government Advisory Directorate long before they finalize their PIA report. The OPC is happy to engage in informal discussions and to answer questions and provide advice to institutions early in the development, and throughout the lifecycle of programs and activities.

PIAs do not have to be overly complex and burdensome. We hope the revised guide will make the process easier for all federal institutions.

For more information, please contact the OPC’s Government Advisory Directorate at

Sign up for future Privacy Act Bulletins by subscribing to our RSS feed.

Report a problem or mistake on this page
Error 1: No selection was made. You must choose at least 1 answer.
Please select all that apply (required):


Date modified: