Conducting a privacy impact assessment (PIA) helps to identify and address potential privacy and security risks that may occur when processing personal or health information as part of an electronic information system, administrative practice, data-matching or in other circumstances where risks to privacy may result from the processing.
Generally, a PIA maps the flow of information in a proposed system or practice and identifies the legal authority permitting it. A PIA also identifies privacy and security risks and associated mitigating controls.
Custodians under the Health Information Act (HIA) and public bodies under the Protection of Privacy Act (POPA) are required in certain circumstances to complete a PIA and submit it to the Commissioner for review and comment (see below).
There is no such requirement in the Personal Information Protection Act (PIPA) for private sector organizations, although it is recommended that organizations complete a PIA as a best practice to mitigate any risks of non-compliance concerning the processing of personal information in electronic systems or administrative practices.
Custodians under HIA
Section 64 of the HIA requires custodians to submit PIAs to the Commissioner for review and comment before implementing administrative practices or information systems, or changes to administrative practices or information systems, that collect, use or disclose individually identifying health information. Certain custodians are also required to submit PIAs in the circumstances specified in sections 46(1)(b) and 46(5)(a), 56.3(3)(b), and 70(2) and (3) of the HIA.
Please submit PIAs to our office by email via pia@oipc.ab.ca
If you need assistance in determining if you are required to submit a PIA under the HIA, see the HIA PIA section in the following document: PIA Submission Assessment Tool
For guidance on the required content of a PIA submission to the OIPC under the HIA, see the Privacy Impact Assessment Requirements Guide
Public Bodies under POPA
Public bodies are required to complete, or complete and submit, PIAs to the Commissioner under certain circumstances as prescribed under section 26(1) of POPA and the POPA Ministerial Regulation.
Please submit PIAs to our office by email via pia@oipc.ab.ca
If you need assistance in determining if you are required to submit a PIA under the POPA Ministerial Regulation, see the POPA PIA section in the following document: PIA Submission Assessment Tool
A PIA template and guidance on the required content of a PIA submission to the OIPC under POPA are available here: POPA PIA Template
To assist public bodies in the preparation of a PIA, a companion PIA Completion Guide is available here: POPA PIA Template Completion Guide
Private Sector Organizations under PIPA
Private sector organizations are not required to submit PIAs to the OIPC under PIPA. However, the OIPC encourages organizations to voluntarily submit PIAs to the OIPC when processing personal information may involve risks to privacy.
If you need assistance in determining whether to conduct a PIA, see the PIPA PIA section in the following document: PIA Submission Assessment Tool
For guidance on the required content of a PIA submission to the OIPC under PIPA, see the Privacy Impact Assessment Requirements Guide. Although this guide is tailored to HIA, its content can be adapted for use under PIPA.
PIA Registry
The following document lists all accepted PIAs since January 1, 2017:
The following documents list certain accepted PIAs prior to 2017: