This content is provided for informational purposes and does not constitute legal advice. For any decision with legal or regulatory implications, consult a lawyer or the Commission d'accès à l'information (CAI).

βš–οΈ
Legal information β€” not legal advice This content is educational and general. It does not constitute legal advice and does not assess your particular situation. Consult a lawyer or the CAI for any decision.
CHAPTER 6

Privacy Impact Assessments (PIAs)

A PIA is a structured risk analysis to carry out before launching a project involving personal information β€” not after.

6.1 Β· Definition

What is a Privacy Impact Assessment (PIA)?

A Privacy Impact Assessment (PIA) is a structured risk-analysis process carried out before launching a project involving personal information. It aims to identify privacy risks and mitigate them from the design stage β€” the principle of "privacy by design."

6.2 Β· Triggers

When is a PIA mandatory?

The law requires a PIA to be carried out notably:

  • For any project to acquire, develop or overhaul an information system involving personal information
  • Before disclosing information outside Quebec (chapter 9)
  • Before disclosing information without consent for study, research or statistical purposes
Common real-world case: switching to any new SaaS software (CRM, HR, accounting) hosted outside Quebec triggers a mandatory PIA.
6.3 Β· Proportionality

The scope must be proportionate to the risk

The law recognizes that not every PIA needs to be identical. A small, low-risk project calls for a light assessment; a project involving the health data of thousands of people calls for an in-depth analysis.

6.4 Β· Process

7 steps of a PIA

  1. Describe the project: purposes, data flows, stakeholders, technologies involved
  2. Map the information: nature, sensitivity, volume, retention period
  3. Identify the risks: unauthorized access, over-collection, unregulated disclosure, etc.
  4. Assess the severity and likelihood of each risk (Low / Medium / High)
  5. Define mitigation measures: encryption, minimization, access control, contracts
  6. Document the assessment and have it approved by the Privacy Officer
  7. Review the PIA if the project changes significantly
6.5 Β· Practical tool

Simplified PIA grid

ElementDescriptionRisk (L/M/H)Mitigation measure
Data collected
Purpose
Retention
Disclosure to third parties
Hosting / location
Internal access

See also chapter 13 for the full downloadable templates.

βœ“ PIA checklist

  • ☐ Do we have a reusable PIA template (see templates)?
  • ☐ Does the Privacy Officer formally approve PIAs?
  • ☐ Do we run a PIA before any new disclosure outside Quebec?
  • ☐ Do we run a PIA before any new information system?