In September, the Office of the Information and Privacy Commissioner (OIPC) of Alberta announced that changes were coming soon to the OIPC process for managing Privacy Impact Assessments (PIAs). These changes are now in effect, as of October 1st.
This affects custodians under the Health Information Act (HIA), public bodies under the Freedom of Information and Protection of Privacy Act (FOIP Act) and private sector organizations under the Personal Information Protection Act (PIPA).
Please read below for more information. You may also view our PIA Frequently Asked Questions page here.
Background on Privacy Impact Assessments (PIAs)
Privacy Impact Assessments (or PIAs) help to identify and address potential privacy risks that may occur in a project. A PIA is used for information systems, administrative practices and policy proposals that relate to the collection, use, or disclosure of individually-identifying health and personal information.
Custodians under HIA are required to submit PIAs to the OIPC for review and comment before implementing proposed new administrative practices or information systems (section 64, HIA). While public bodies under the FOIP Act and private sector organizations under PIPA are not required by law to submit PIAs to the OIPC, the OIPC highly recommends and encourages public bodies and organizations to voluntarily submit PIAs for review and comments.
What is changing?
- PIAs will no longer be accepted, conditionally accepted, or not accepted.
- Instead, PIAs will be reviewed and a closing letter with comments and recommendations will be issued.
- The OIPC will be reviewing PIAs as submitted.
- If the PIA submission is incomplete or insufficient, the OIPC will close the file and notify the submitter of that. Generally, the OIPC will not be asking additional questions as this causes delays in the review process; however, the submitter will be asked to consider re-submitting the PIA, especially for custodians under HIA, who are required to submit PIAs to the OIPC.
- PIAs received by our office prior to October 1, but the review has not yet been completed, will be reviewed under the new process. You may receive clarifying questions if the PIA reviewer has any. Closing letters will be issued and will include comments and recommendations, if required.
Why is this change being made?
- The change will better align with section 64(2) of the Health Information Act, which authorizes the Commissioner to review and comment on PIAs.
- The change is designed to better support privacy compliance by focusing on identifying and communicating compliance gaps to custodians, public bodies and organizations for remediation in a timely manner.
- PIA submissions to the OIPC have increased exponentially since the OIPC’s Privacy Impact Assessment Requirements Guide was first published in 2010. The current review process is no longer sustainable.
- The high volume of PIA submissions has led to a backlog of files, resulting in delays in reviewing and providing timely feedback to custodians, public bodies, and organizations.
- The changes to this process will increase efficiency in our reviews, enable timely resolution of PIA files, help reduce backlogs in processing these files, and allow the OIPC to allocate resources to PIA files that require increased attention.
- These changes align with the OIPC strategic priority, found in our 2024-2027 Business Plan, of enhancing internal processes to support our legislative mandate and to improve timelines.
Additional information
- Changes to the Privacy Impact Assessment Requirements Guide and the development of new PIA resources to assist custodians, public bodies and organizations in completing and submitting PIAs to the OIPC are in progress.
- New and updated PIA resources will be published on our website when completed. Please continue to use the existing Privacy Impact Assessment Requirements Guide while completing your PIAs.
- The OIPC looks forward to working with all parties to improve the timeliness and efficiency of its work in regard to these revised processes.