Privacy Impact Assessment Process (PIA)

Background Information


What is Personal Information?

Do I need to complete a PIA?

Consultations with OCIO on Specific Questions

PIA Form (Ministries)
PIA Form (Public Bodies)
PIA Appendix A - Collection Authorities (555 kb)
PIA Appendix B - Use Authorities (471 kb)
PIA Appendix C - Disclosure Authorities (548 kb)

PIA Guidelines (PDF 2.7MB)

Directions to the heads of government ministries on conducting PIAs (PDF 256KB)
Directions to the heads of Public Bodies that are not government ministries on conducting PIAs (PDF 297KB)


This PIA replaces all previous versions of the GMOP PIA as well as the OIPC form dated December 1998.  It should be noted that the completion of a PIA by a public body does not preclude the OIPC from investigating a complaint or commenting on a matter covered by the PIA or the PIA itself.

In order to provide a wide range of public services, government collects and maintains personal information of British Columbians. Government must manage this personal information in accordance with the legislative requirements of the Freedom of Information and Protection of Privacy Act (FOIPPA). If a public body is developing a program, legislation, system, or any other initiative that involves personal information, the privacy protection provisions of FOIPPA apply. Individual public bodies are responsible for the personal information in their custody or under their control, even if the personal information is in the custody of arms length service providers or contractors.  In all government initiatives, privacy protection should be seen as a design objective, not an obstacle to overcome.

A Privacy Impact Assessment (PIA) is a foundation tool/process designed to ensure compliance with government’s privacy protection responsibilities.  In accordance with section 69(5) of FOIPPA, ministries must complete a PIA using the PIA form. The PIA is intended to support government business objectives, including electronic government initiatives. If used as part of normal business processes, the PIA can ensure that privacy requirements are identified and satisfied in a timely and cost efficient manner. The PIA can make the difference between a privacy invasive and a privacy enhancing initiative, without compromising business objectives or adding significant costs. The PIA process is also designed as an educational tool, since participation in privacy impact assessments promotes privacy awareness.  It is important that a PIA be completed during the early developmental stages of any program, system or other initiative as a component of the project/business plan.

For further guidance on privacy principles upon which to base day-to-day decisions regarding the management of personal information in ministry program areas, please refer to the Guide to Good Privacy Practices.


This PIA can be completed in MS Word format.  For more information about the completion of a Privacy Impact Assessment, contact the Privacy Helpline at 250 356-1851 or


FOIPPA provides a simple but very broad definition of personal information: “recorded information about an identifiable individual” other than contact information. It is important to note that personal information includes information that can be linked back to or can identify a specific individual through association or inference. For example, generic information about an individual (e.g., ethnic origin) could be linked to one or more individuals if they lived in a small town with a limited number of people with that ethnic background.

The following is a non-exhaustive list of examples of personal information:

  • the individual’s name, address or telephone number;
  • the individual’s race, national or ethnic origin, colour or religious beliefs or associations;
  • the individual’s age, sex, sexual orientation, marital status or family status;
  • an identifying number, symbol or other particular assigned to the individual;
  • the individual’s fingerprints, blood type or inheritable characteristics;
  • information about the individual’s health care history, including a physical or mental disability;
  • information about the individual’s educational, financial, criminal or employment history;
  • anyone else’s opinions about the individual; and,
  • the individual’s personal views or opinions, except if they are about someone else. 


A PIA needs to be completed for all new and existing enactments, systems, programs, projects and activities. A PIA should still be completed even if you determine that there is no personal information being collected, used or disclosed. When there is no personal information involved the PIA process is significantly shorter and easier as you will only have to complete the first section of the PIA before sending it to for review and sign off. 

Please note that personal information can be collected directly from an individual or indirectly from another source (more questions on this issue will be provided later).


Even though the revised PIA has been designed with a view to being completed, at least in part, by program staff, there are a number of questions in the PIA where consultations with OCIO is recommended. For assistance contact the Privacy Helpline at 250 356-1851 or