Privacy Impact Assessments (PIAs)
A PIA is a structured risk analysis to carry out before launching a project involving personal information β not after.
What is a Privacy Impact Assessment (PIA)?
A Privacy Impact Assessment (PIA) is a structured risk-analysis process carried out before launching a project involving personal information. It aims to identify privacy risks and mitigate them from the design stage β the principle of "privacy by design."
When is a PIA mandatory?
The law requires a PIA to be carried out notably:
- For any project to acquire, develop or overhaul an information system involving personal information
- Before disclosing information outside Quebec (chapter 9)
- Before disclosing information without consent for study, research or statistical purposes
The scope must be proportionate to the risk
The law recognizes that not every PIA needs to be identical. A small, low-risk project calls for a light assessment; a project involving the health data of thousands of people calls for an in-depth analysis.
7 steps of a PIA
- Describe the project: purposes, data flows, stakeholders, technologies involved
- Map the information: nature, sensitivity, volume, retention period
- Identify the risks: unauthorized access, over-collection, unregulated disclosure, etc.
- Assess the severity and likelihood of each risk (Low / Medium / High)
- Define mitigation measures: encryption, minimization, access control, contracts
- Document the assessment and have it approved by the Privacy Officer
- Review the PIA if the project changes significantly
Simplified PIA grid
| Element | Description | Risk (L/M/H) | Mitigation measure |
|---|---|---|---|
| Data collected | |||
| Purpose | |||
| Retention | |||
| Disclosure to third parties | |||
| Hosting / location | |||
| Internal access |
See also chapter 13 for the full downloadable templates.
β PIA checklist
- β Do we have a reusable PIA template (see templates)?
- β Does the Privacy Officer formally approve PIAs?
- β Do we run a PIA before any new disclosure outside Quebec?
- β Do we run a PIA before any new information system?