What to know about the new Canadian government PIA standard


Contributors:
Anne-Marie Hayden
Privacy Consultant
nNovation, Hayden PR
The Treasury Board of Canada Secretariat (TBS), which is responsible for developing and overseeing federal government-wide policies, recently announced a major overhaul to how institutions conduct privacy impact assessments.
These updates are arguably the most significant since the PIA Policy was introduced in 2002.
New standard. A new Standard on Privacy Impact Assessment is baked into Appendix C of the Directive on Privacy Practices. The old PIA directive has been rescinded.
Privacy checklist. Front-end work is a major focus in the new standard to help weave privacy into the overall governance of a project or program. A new step has been added — conducting a privacy checklist prior to initiating a PIA, with a mandatory form. This helps the institution's privacy team determine and document whether there is a need for a PIA, a protocol or neither.
Criteria expansion. Triggers for PIAs have been expanded and modernized, including scenarios like the use of new or modified information technologies that process personal information, the involvement of third parties or contractors, and the use of automated decision systems.
Template overhaul. The PIA template has been completely revamped, and its use is mandatory. The new, more user-friendly form raises issues better reflecting current privacy challenges — things privacy professionals have tried to include in PIAs via workarounds and deviations from the old form.
Multi-institutional coordination. Multi-institutional PIAs can be challenging in terms of process and accountability. There's now a formalized approach for conducting them more effectively and responsibly. Among the requirements is submitting a privacy checklist for these PIAs to TBS and the Office of the Privacy Commissioner of Canada ahead of time.