8 January 2026

Privacy Impact Assessments, Rebooted

Nadia Jandali Chao
Lerners LLP

The Information and Privacy Commissioner of Ontario ("IPC") regularly releases guidance material designed to help organizations meet their privacy obligations under provincial privacy legislation, including the Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). One key resource is the Privacy Impact Assessment Guide for Ontario Public Institutions (the "Guide"), which provides detailed direction to FIPPA and MFIPPA institutions on how to conduct Privacy Impact Assessments ("PIAs").

A PIA is a proactive risk management tool that helps identify and mitigate privacy and security risks associated with the collection, use, retention, and disclosure of personal information. It also supports institutional accountability by ensuring compliance and reducing exposure to privacy breaches.

The Guide has been in place since 2015 but was recently updated to reflect significant amendments to FIPPA that took effect on July 1, 2025. The most significant change is that PIAs, previously encouraged as a best practice, are now a legal requirement: every institution subject to FIPPA must complete a PIA before collecting any personal information and must update it whenever there is a significant change in the purpose for which personal information is used or disclosed. This marks a shift from an optional governance tool to a statutory compliance requirement. Although municipal institutions are not subject to FIPPA, the Guide states that "municipal institutions are strongly encouraged to conduct PIAs to assess, prevent, and mitigate risks in accordance with this guide." MFIPPA institutions should therefore also follow the direction set out in the Guide.

This bulletin highlights the key updates introduced in the latest version of the IPC's PIA guide and what they mean for institutions moving forward.

A High-Level Overview of How the Guide Has Changed

The July 2025 FIPPA amendments introduced new statutory PIA requirements. The practical importance of the updated Guide lies in its explanation of how to operationalize these requirements. The revised Guide is more compliance-focused and prescriptive than before. It integrates the new FIPPA requirements into each stage of the PIA process, expands the checklists and report templates to include the mandatory content, and provides more detailed direction on documenting necessity, legal authority, information flows, access controls, retention, safeguards, and risk prevention and mitigation measures. It also increases the emphasis on third-party service providers and record-keeping.

Key Changes

  1. The Guide now embeds and explains the statutory PIA obligations under FIPPA.

    The updated Guide incorporates the new statutory PIA requirements in section 38 of FIPPA. It reorganizes the guidance so that the statutory obligations are reflected in the PIA workflow: when a PIA must be completed (before collection), when it must be updated (before a significant change in purpose), and what an institution must be prepared to show (a written PIA that can be produced to the IPC on request). While these obligations apply only to FIPPA institutions, the IPC strongly encourages municipal institutions to conduct PIAs in accordance with the Guide as well.
  2. The Guide is more prescriptive about what a "good" PIA must document.

    Written PIAs for FIPPA institutions must now include detailed elements outlined in section 38 of FIPPA, such as the purpose and legal authority for collecting personal information, the types and sources of data, who will have access, any restrictions, retention periods, and the safeguards in place. They must also outline risks to individuals and the measures the institution will adopt to prevent and mitigate privacy breaches, ensuring compliance and accountability under section 38(3) of FIPPA. The updated Guide strengthens and expands the supporting tools (Appendices B–D) with detailed prompts and examples, enabling a PIA to function as a structured record of both compliance and risk management. Examples of new or more explicit documentation expectations include:
    • Clarifying scope: emphasizing that PIA considerations extend beyond "recorded" information, including situations where personal information is collected orally. Although "personal information" is defined in s. 1 of FIPPA as "recorded information," for the purposes of ss. 38, 39, and 40(5), that term also includes unrecorded information, and as such, the PIA requirements apply.
    • Documenting necessity: not just the purpose of collection, use, and disclosure, but also why each category of personal information is necessary to achieve that purpose.
    • Documenting legal authority: prompting teams to identify the authority relied on for the project and for the relevant personal information practices.
    • Documenting access by role: moving from a general description of who will have access to requiring position titles for officers, employees, consultants, or agents who will access personal information.
    • Documenting limitations and restrictions: prompting teams to identify any limitations or restrictions imposed on collection, use, or disclosure.
    • Documenting safeguards and risks: prompting teams to explain the safeguards, practices, and measures that will be used to protect personal information and to summarize any risks to individuals in the event of a theft, loss, or unauthorized use or disclosure.
    • Documenting retention with greater specificity: prompting teams to state, in both the checklist and the report, how long personal information will be retained.
    • A more detailed PIA report template: Appendix D now reflects the required content areas and prompts for risks to individuals, prevention or mitigation measures, priorities and timelines, and where the final approved PIA report will be stored.
  3. The Guide places stronger emphasis on identifying risks and implementing preventive and mitigating measures upfront.

    The Guide places strong emphasis on clearly outlining privacy impacts and risks, such as those affecting individuals if their data is stolen, lost, or improperly disclosed, and turning these findings into actionable steps. It frames risk prevention and mitigation steps as a "to-do list" that should be approved, assigned, and generally implemented before collecting personal information. It also stresses the importance of documenting approvals and maintaining supporting documentation in project files so it can be accessed and provided to the IPC as needed.
  4. The Guide outlines clearer direction on when and how to update PIAs for "significant changes."

    The previous guide advised updating a PIA only when necessary, whereas the updated Guide ties updates directly to the new section 38(5) of FIPPA. The Guide clarifies that:
    • Any significant change in the purpose for which personal information is used or disclosed requires an updated PIA.
    • Updates must be completed before implementing the change.
    • Updates must include the proposed change to the purpose (and why the personal information is necessary for the new purpose), and any additional steps to prevent or mitigate risks.
  5. The Guide offers expanded guidance on third parties and contracting.

    The updated Guide more prominently integrates third-party considerations into the PIA process (including scoping, roles and responsibilities, information flows, and safeguards). It also directs readers to the IPC's new guidance on third-party contracting and related topics (such as de-identification), reinforcing that PIAs should address vendor and partner risks and accountability.

Recommendations

These changes reflect the shift from best practice to a formal legal requirement for FIPPA institutions. Municipal institutions, while not legally bound, should also adopt these practices to strengthen governance, maintain public trust, and align with IPC expectations.

The requirement to conduct a PIA before collecting personal information, and to implement mitigation steps upfront, serves as a pre-flight checklist for handling sensitive data. In other words, you must prove the system is safe and compliant before the information takes off. Regular monitoring of privacy impacts is also necessary to ensure that risks continue to be identified and managed effectively throughout the life cycle of a product or service. Furthermore, in accordance with the new requirement in FIPPA (section 38(6)), the Guide states that FIPPA institutions must provide a PIA to the IPC upon request, enhancing oversight and accountability associated with this activity.

As such, FIPPA and MFIPPA institutions should re-evaluate their PIA practices to ensure they can meet and demonstrate compliance with the new requirements. Some steps to consider are as follows:

  • Develop and implement a PIA Policy that covers various aspects, including when a PIA is necessary, the required content, the risk assessment methodology, the parties responsible for its completion and approval, and mandatory review periods for any PIA.
  • Build the PIA process into standard workflows (e.g., procurement, gating processes, or product roadmaps).
  • Develop a PIA template. This will make the process more accessible and efficient, and will ensure a consistent approach.
  • Train staff on PIA requirements.
  • Develop a PIA log or register to track and monitor the status of PIAs.
  • Create a central repository for all completed PIAs to ensure they are easily accessible, as needed (including in response to a request by the IPC).
  • Ensure PIA approvals are properly recorded and retained.
  • Ensure all action items identified in a PIA to address a risk are appropriately assigned and monitored to ensure completion.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.