New Ontario Privacy Impact Assessment Guideline

The Information and Privacy Commissioner of Ontario (IPCO) has just released an updated version of its Planning for Success: Privacy Impact Assessment Guide for Ontario’s Public Institutions.

The new 2025 edition replaces the earlier 2015 version and reflects the major amendments to the Freedom of Information and Protection of Privacy Act (FIPPA) introduced by Bill 194, which came into effect on July 1, 2025.

This update is significant, reflecting the new reality that FIPPA expressly requires provincial institutions to complete a written privacy impact assessment (PIA) before collecting personal information. And although municipal institutions are not covered by the new mandatory PIA requirement, IPCO strongly encourages them to conduct PIAs, using the same PIA guidance, to assess, prevent and mitigate risks.

This article summarizes the most important changes between the 2015 and 2025 versions of the guideline and explains how these changes may affect your institution’s privacy management practices.

Overview of the 2025 Update

The 2025 guideline implements the new legal requirements introduced by Bill 194, making several longstanding privacy best practices mandatory for provincial institutions when collecting, using, retaining, or disclosing personal information, and introducing some new steps as well. It expands a number of key concepts, sets out the new statutory content requirements for PIAs, and places greater emphasis on keeping PIAs current throughout the project lifecycle.

Key Differences Between the 2015 and 2025 Guides

1. Mandatory PIAs for Provincial Institutions

The most consequential change is that PIAs are now legally required under Part III of FIPPA. Provincial institutions must complete a written PIA before collecting personal information and implement the necessary risk-mitigation steps before collection can begin.

The 2015 guide described PIAs as an important risk-management tool but did not reference any statutory obligation to conduct one.

2. Required Content of a PIA

The 2025 guide sets out the mandatory elements that a PIA must contain. These requirements come directly from section 38(3) of FIPPA, as amended by Bill 194.

A compliant PIA must include the following information about the personal information the institution intends to collect:

  • the purpose for collecting, using, or disclosing the personal information, and an explanation of why the information is necessary to achieve that purpose
  • the legal authority for the intended collection, use, and disclosure
  • the types of personal information to be collected and, for each type, how it will be used or disclosed
  • the sources from which the personal information will be collected
  • the position titles of the officers, employees, consultants, or agents who will have access to the personal information
  • any limitations or restrictions that apply to the collection, use, or disclosure
  • the period of time the personal information will be retained, consistent with section 40(1) of FIPPA
  • the administrative, technical, and physical safeguards that will protect the personal information, along with a summary of any risks to individuals in the event of a theft, loss, or unauthorized use or disclosure
  • the steps the institution will take to prevent or reduce the likelihood of such a theft, loss, or unauthorized use or disclosure, and the steps to mitigate risks to individuals if such an incident occurs (these are referred to as the PIA’s “prevention and mitigation steps”)
  • any additional information that may be prescribed in regulation

It is strongly recommended that institutions consult FIPPA s.38(3) directly for the precise wording of each of the requirements above.

There is some overlap here with the 2015 guidance, which encouraged many of these practices, but they were not legally required at that time.

3. Application to Both Recorded and Unrecorded Personal Information

The updated guideline reflects FIPPA’s newly expanded definition of personal information for PIA purposes. PIAs now apply to both recorded and unrecorded personal information. This change arises from section 38(1) of FIPPA, added by Bill 194, which broadens the previous definition of personal information in the PIA context to capture information regardless of whether it exists in recorded form.

This expansion did not exist in the 2015 version.

4. Requirement to Implement Prevention and Mitigation Steps Before Collection

Under the 2025 framework, the risk-prevention and mitigation steps mentioned above must generally be implemented before an institution begins collecting personal information. This requirement comes from the new section 38(4) of FIPPA, added by Bill 194, which makes implementation of these steps mandatory unless a prescribed exception applies. (That said, in accordance with section 38(4), if it is not possible to implement the steps prior to collecting the personal information, they may be implemented within a reasonable time after collecting the information.)

The 2015 guide encouraged institutions to identify and address privacy risks, but it did not expressly require mitigation measures to be in place before any collection of personal information could occur.

5. Requirement to Update PIAs When Project Purposes Change

The new guideline reflects the statutory obligation in section 38(5) of FIPPA, added by Bill 194, which requires provincial institutions to update a PIA before making any significant change to the purpose for which personal information is used or disclosed. When an update is required, the institution must also include any additional prevention and mitigation steps needed to address new or increased risks.

By contrast, the 2015 guide recommended updating PIAs as part of routine project monitoring, but it did not identify any legal triggers or mandatory timing for doing so.

6. Requirement to Provide PIAs to IPCO Upon Request

Provincial institutions must now provide their PIAs to IPCO when requested, as per section 38(6) of FIPPA.

This new obligation had no equivalent in the 2015 guide.

7. Updated Templates and Checklists

The 2025 guideline includes an expanded PIA report template aligned with the new statutory content requirements. Several questionnaires and checklists have been revised to reflect broader concepts (including unrecorded personal information and mandatory mitigation requirements).

The 2015 appendices are similar but less detailed and should now be considered obsolete.

Conclusion

The 2025 edition of IPCO’s PIA guideline marks a major development in Ontario’s privacy landscape. For provincial institutions, PIAs are no longer optional best practices but mandatory compliance requirements under FIPPA. And while municipal institutions are not subject to the new statutory obligation, IPCO’s updated guidance reinforces that PIAs remain an important tool for identifying risks, improving program design, and demonstrating accountability.

Institutions should take time to review the new guideline and update internal systems and procedures accordingly. The expanded definition of personal information, the required PIA content under section 38(3), and the new triggers for updating and implementing mitigation steps will all have practical implications for day-to-day operations.

If your institution is looking for support adapting to the new PIA framework, or would benefit from tools to assist with preparing privacy impact assessments, I encourage you to contact FOI Assist for more information about how FOI Assist can help.
