The Treasury Board of Canada Secretariat, which is responsible for developing and overseeing federal government-wide policies, recently announced a major overhaul of how institutions conduct privacy impact assessments.
These updates are arguably the most significant since the PIA Policy was introduced in 2002.
New standard. A new Standard on Privacy Impact Assessment is baked into Appendix C of the Directive on Privacy Practices. The old PIA directive has been rescinded.
Privacy checklist. Front-end work is a major focus in the new standard to help weave privacy into the overall governance of a project or program. A new step has been added — conducting a privacy checklist prior to initiating a PIA, with a mandatory form. This helps the institution's privacy team determine and document whether there is a need for a PIA, a protocol or neither.
Criteria expansion. Triggers for PIAs have been expanded and modernized, including scenarios like the use of new or modified information technologies that process personal information, the involvement of third parties or contractors, and the use of automated decision systems.
Template overhaul. The PIA template has been completely revamped, and its use is mandatory. The new, more user-friendly form raises issues better reflecting current privacy challenges — things privacy professionals have tried to include in PIAs via workarounds and deviations from the old form.
Multi-institutional coordination. Multi-institutional PIAs can be challenging in terms of process and accountability. There's now a formalized approach to conduct them more effectively and responsibly. Submitting a privacy checklist to TBS and the Office of the Privacy Commissioner of Canada for these ahead of time is among the requirements.
PIB accountability. There is an emphasis on personal information banks and, by extension, on the role of TBS. PIBs were invented in the 1970s and have never been that exciting. But knowing what personal information you collect, why, what you do with it, how it can be accessed and how you communicate all that is at the heart of good privacy management and transparency in government. The standard clarifies how institutions engage TBS and prepare, update or terminate PIBs — and again there are mandatory forms.
Web transparency. Also on transparency, institutions need to use a new form for publishing their PIA web summaries, ensuring they describe the program or activity, why a PIA was done, any risks identified, and the mitigation measures implemented. Web summaries can help institutions see whether others have already tackled similar issues. Currently, if they exist at all, they are too often just copied and pasted risk charts from the old directive, which is not very helpful.
Risk documentation. The risk identification and categorization in the former directive was useful, and PIA recommendations would address any residual risks. But a requirement to document, review and update risk mitigation measures annually, or as the risks are mitigated, takes it further.
Privacy protocols. Privacy protocols have been around for a while, but the old directive mentioned the term exactly once. Now there is clarity that privacy protocols, which are much simpler than PIAs, must be used for nonadministrative uses of personal information. In other words, they are for uses of personal information that do not result in decisions being made about people. This is good news for institutions that have sometimes conducted elaborate PIAs to address privacy issues even for nonadministrative uses. There is no form for protocols, but the standard spells out what they need to include.
Compliance deadline. Not to bury the headline, but the new standard has already come into effect, and those subject to it must start using the new standard and forms now. There is some wiggle room on a couple of aspects: Institutions have until 10 Oct. 2025 to produce PIBs and PIAs for existing programs or activities that use personal information for an administrative purpose when there is no PIB already in place or when a PIA has not yet been done.
I still remember when TBS, the OPC and others were drafting the original PIA Policy around 23 years ago. Adapting to the new standard will probably take some time, so hopefully TBS and OPC will recognize that and work collaboratively with institutions to address any kinks.
For this to work well, institutions must start early and be proactive in updating their personal information inventories, bringing their PIBs up to date, preparing privacy checklists and protocols, and developing PIAs for programs that should already be in place. And for any new initiative, they will need to apply the new standard and tools.
On the flipside, organizations responsible for reviewing submissions will need to be responsive and offer constructive feedback within reasonable timeframes, keeping in mind that the initiatives behind PIAs often represent concrete innovations aimed at improving service to Canadians.
Anne-Marie Hayden is a privacy consultant at nNovation.