Drafting Privacy Impact Assessments in 2025

Update as of November 13, 2025: The Information and Privacy Commissioner of Ontario just released a new 2025 edition of its Privacy Impact Assessment guide. Learn the latest in today’s FOI Assist Knowledge Base article: New Ontario Privacy Impact Assessment Guideline

Privacy Impact Assessments (PIAs) have taken on new significance in Ontario following Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024. Schedule 2 of Bill 194 amended the Freedom of Information and Protection of Privacy Act (FIPPA) to establish legislated PIA requirements in section 38(3). As of July 1, 2025, these changes have now come into effect.

The new requirements are mandatory for provincial institutions under FIPPA (such as ministries, provincial agencies, colleges, universities, and hospitals). Municipal institutions governed by the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) are not yet subject to the new statutory PIA mandate. However, the Information and Privacy Commissioner of Ontario (IPCO) has long recommended that municipal institutions prepare PIAs as well, and has continued to reinforce this recommendation in its most recent guidance.

Today’s article explains how to draft PIAs “right now”, as of the second half of 2025, using the best currently available resources, while ensuring compliance with the new legislative requirements.

Legislative foundation: FIPPA s.38(3) to (6)

Under section 38(3) of FIPPA, before collecting personal information, the head of a FIPPA institution must ensure that a written privacy impact assessment is prepared. The phrasing of this requirement in s.38(3) leaves room for exceptions to be introduced by regulation, though currently no such regulations exist.

Per FIPPA s.38(6), institutions must be prepared to provide a copy of their completed PIAs to IPCO upon request.

Although there is currently no parallel statutory requirement that compels MFIPPA institutions to prepare PIAs or to provide them to IPCO, IPCO has recently confirmed it expects such institutions to conduct PIAs to assess and mitigate privacy risks as well.

PIA content checklist

In accordance with s.38(3) of FIPPA, a compliant written PIA must, at minimum, address:

  • Purpose and necessity
  • Legal authority
  • Types and sources of personal information
  • Intended uses and disclosures
  • Access roles (who will have access)
  • Limits and restrictions on access
  • Retention period
  • Safeguards and risks (including a summary of risks if a theft, loss or unauthorized use/disclosure occurs)
  • Specific steps to prevent and mitigate those risks
  • Other information as prescribed

It is strongly recommended that institutions consult FIPPA s.38(3) directly for the precise wording of each of the requirements above.

IPCO’s previous guidance

While IPCO has previously provided step-by-step PIA guidance, its most substantive materials unfortunately pre-date Bill 194. Updated guidance and recommendations are currently being developed. In the meantime, institutions can use IPCO’s existing guidance in conjunction with the new statutory requirements to prepare a compliant PIA.

Planning for Success: Privacy Impact Assessment Guide (2015). This remains a practical walkthrough of PIA steps and documentation. Institutions should continue to use it, but in combination with section 38(3)’s mandatory elements.

PIA Worksheet and Checklist. The IPCO PIA worksheet, which includes a detailed checklist, is still a useful reference for structuring a PIA. However, it does not include the new statutory requirements and must be supplemented accordingly.

IPCO’s recent updates

IPCO Update on Bill 194. IPCO recently published an update outlining who is covered, what must be included, when to complete or update a PIA, and how the changes interact with breach reporting and safeguarding obligations. The update confirms the July 1, 2025 in-force date and clarifies that MFIPPA was not amended.

IPCO: Protecting personal information in the public sector. This relatively recent guidance document explains that all institutions subject to FIPPA are now expressly required to prepare PIAs before collecting personal information.

With respect to municipal institutions, the IPCO guidance states:

Municipal institutions subject to MFIPPA should continue to conduct PIAs to assess and mitigate privacy risks. While MFIPPA has not been amended to expressly require PIAs, municipal institutions should proactively conduct them to strengthen privacy protections and comply with other legal requirements where applicable. 

The new guidance sets out an updated list of requirements for PIAs which closely resembles the new requirements set out in s.38(3). Notably, IPCO draws no distinction here between its recommendations for PIAs prepared by provincial institutions under FIPPA and those prepared by municipal institutions covered by MFIPPA. It seems safe to conclude IPCO will have similar expectations for PIAs prepared by either type of institution.

FOI Assist backgrounder

In anticipation of the passing of Bill 194, FOI Assist has previously published an introduction to PIAs with links to additional resources.

Independent commentary

Until IPCO’s tools are fully refreshed, external legal commentaries are useful for understanding the changes. Summaries from firms such as Borden Ladner Gervais highlight the new PIA requirements, breach-reporting duties, safeguard obligations, and expanded IPCO powers. Overviews such as these can aid institutions in confirming their understanding and help to brief leadership.

Recommended drafting approach (as of now)

  1. Start with IPCO’s Planning for Success Guide and Worksheet. Treat IPCO’s materials as the process map: they walk you through identifying risks, consulting stakeholders, and documenting mitigations. This remains a solid workflow for structuring a PIA. Alternatively, use your institution’s existing PIA templates and precedents as a starting point.
  2. Layer in the statute. Once your draft PIA is structured, measure it directly against the requirements in FIPPA section 38(3). Confirm that every legislated element is present and that timing obligations (before collection, before purpose changes, and within a reasonable time for mitigations) are met.
  3. Verify with IPCO’s latest guidance and external commentary. IPCO guidance and independent analyses of Bill 194 can help you confirm your understanding of how the new legislative requirements fit into Ontario’s broader privacy framework, and provide context you can share with decision-makers.
  4. MFIPPA institutions: follow the same best practices. Even though MFIPPA does not yet impose statutory PIA requirements, municipal institutions should structure their PIAs using the same steps outlined above, given IPCO’s most recent guidance and its oversight role over both provincial and municipal institutions.

Looking ahead

Two open questions to watch:

  • How closely will IPCO’s updated guidelines reflect the new legislative requirements? I would expect them to track section 38(3) closely, ideally with refreshed templates and examples. Elements from IPCO’s earlier guidelines that aren’t set out in FIPPA s.38(3) may be re-framed as recommendations or retired altogether.
  • Will there be new regulations which prescribe additional PIA details? Section 38(3) allows for “other prescribed information,” so institutions should be prepared to monitor for regulatory updates.

For now, a hybrid approach—using IPCO’s existing guidance as a starting framework, while cross-checking with FIPPA section 38(3) as the mandatory baseline—appears to be the most reliable path to compliance in 2025.

Key takeaways

Until IPCO publishes fully updated tools, provincial and municipal institutions in Ontario should build their PIAs using IPCO’s existing guidance while checking against FIPPA section 38(3) to 38(5) for the mandatory elements, timelines, and mitigation steps introduced by Bill 194. FIPPA institutions should be adopting the new requirements as a matter of legislative compliance, while MFIPPA institutions should be voluntarily adopting the same standards as best practice.

The FOI Assist Software

If you find articles like this one helpful, you’ll appreciate the even greater support offered by the FOI Assist software. Developed by an experienced Ontario FOI lawyer, the software includes built-in checklists, templates, and compliance tools to help ensure your institution’s FOI process is consistent, well-organized, and fully documented—reducing the risk of appeals and putting your institution in the best position to succeed.

To learn more or to request a demonstration, contact FOI Assist today.
