The privacy life cycle: Tips for minimizing privacy risks and safeguarding personal information

October 27, 2025

Privacy Act Bulletins are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal government. We encourage you to share this information with colleagues.


Building privacy considerations into the life cycle of a technology, program or service – from the moment that personal information is collected, through its use, storage and eventual disposal – can support and enable responsible innovation, increase confidence in the program or service, and ensure compliance with the Privacy Act.

Earlier this year, the Office of the Privacy Commissioner of Canada (OPC) and the Treasury Board Secretariat (TBS) gave a presentation to more than 1,000 government participants about protecting personal information within the life cycle of a program or activity. A video of the presentation is available on the OPC website. Here are some key takeaways:

Before collecting personal information

  • Determine the legal authority for your initiative before collecting any personal information.
  • For initiatives that are more complex, or involve more sensitive personal information, consider the impact on individuals’ right to privacy by conducting tests of necessity, effectiveness, proportionality, and minimal intrusiveness.
  • Conduct a Privacy Impact Assessment (PIA) for any initiatives where required under section C.2.2.9 of the TBS Directive on Privacy Practices.
  • Ensure that you have Information Sharing Agreements in place when you are planning to share personal information, as well as contracts with privacy-protective clauses when contracting out the collection, use or retention of personal information to a third party.
  • Refer to TBS’s policy suite and guidance documents to guide the development of your program or activity.
  • Consult with the TBS Privacy and Responsible Data Division and the OPC Promotion and Engagement Directorate. We are here to help!

While collecting personal information

  • Transparency is a fundamental principle of the Privacy Act and the policy framework that supports it. Transparency helps to build trust.
  • Whether it is personal information of the public, or public servant employee information, institutions are required to be clear about what personal information they are collecting, why, and how it will be used and shared.
  • Ensure that there are clear Privacy Notices in place that meet the requirements of section 4.2.20 of the TBS Directive on Privacy Practices.
  • Keep your Info Source chapter and Personal Information Banks (PIBs) up to date.
  • Publish summaries of your PIAs on your institutional website to ensure that the public can understand how programs and activities have been assessed, and what your institution is doing to mitigate risks to personal information.

After collecting personal information

  • There is an obligation for institutions to safeguard personal information and to take steps to help reduce the risk of breaches.
  • If a breach does occur, the appropriate response depends on whether there is a real risk of significant harm.
  • In 2025, the OPC launched a privacy breach risk self-assessment online tool available on its website that institutions can use to assess whether the breach is likely to create a real risk of significant harm to individuals.
  • The TBS Privacy Breach Management Toolkit provides a practical guide to managing privacy breaches.
  • Once the breach is resolved, it is important to learn from it and adapt to address any shortcomings that led to the breach.
  • Institutions subject to the Privacy Act are required to report incidents to TBS and the OPC in accordance with the TBS directive. Reporting a breach and learning from it helps prevent similar breaches from occurring, not only at your institution but also at other institutions through the sharing of best practices.

If your institution is looking for more in-depth advice, please do not hesitate to contact the OPC Promotion and Engagement Directorate or the TBS Privacy and Responsible Data Division.


Sign up for future Privacy Act Bulletins by subscribing to our RSS feed.
