Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
If you read the Canada Dashboard Digest this week, you'll see a news story about the federal government institution responsible for immigration mishandling the personal information of asylum seekers, with mistakes that in some cases had devastating effects. Among the criticisms: it didn't complete a privacy impact assessment.
It's particularly interesting that Radio Canada takes the time to explain what PIAs are and why they're important. Some of the day-to-day aspects of privacy work aren't always seen as newsworthy.
Seeing this story this week reminded me that it was last October when the Treasury Board of Canada Secretariat, in a new PIA standard, launched a massive overhaul of the approach federal government departments and agencies have to take when they conduct PIAs.
Now, I say "have to take," but let's remember that PIAs are required by federal government policy, not by law, although there have been calls to make them legally mandatory when and if the Privacy Act is eventually updated.
Still, if you don't do one, you could be called out like the immigration department in this week's story.
The new standard brought quite a few changes: an overhaul of the templates, whose use is now mandatory; a formalized approach for multi-institutional PIAs, something this week's news story shows is badly needed; new risk documentation; and changes to what triggers a PIA in the first place.
My team and I have been working with the new approach for the past year and, while it does take some getting used to, it is much better than what we had before, where we had to come up with so many workarounds to address modern issues.
In tandem with the changes from TBS, the Office of the Privacy Commissioner of Canada, which reviews and gives feedback on PIAs, seems to have updated its guide to the PIA process to better reflect the new standard.
If you work for a federal department or agency, remember that most of the new requirements came into effect last year, which means you've all been following them, right? The Treasury Board gave everyone a full year — until mid-October 2025, basically a month from now — to catch up on some of the requirements. In particular, it gave organizations time to complete personal information banks and PIAs for existing programs and activities that should have them in place, but currently don't.
I don't know how seriously TBS is pushing this deadline, nor do I know what they will do if departments and agencies don't meet it. But the announcement last year created a little spark that has motivated a good number of organizations to improve their privacy management hygiene, reassess what privacy practices need a closer examination, analyze the personal data they collect and use, and evaluate the clarity and transparency of their disclosures.
If you work in government, I'd love to hear what your experience has been like trying to comply with the new standard. Have you found the process easier in terms of doing the work and dealing with the central agency and regulator? Feel free to reach out on LinkedIn.
Kris Klein, CIPP/C, CIPM, FIP, is the country leader, Canada, for the IAPP.
This article originally appeared in the Canada Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.