Ontario’s New Privacy Impact Assessment Requirements: What You Need to Know
November 2025, A Major Shift in Privacy Compliance
If your organization is a provincial government body in Ontario, the rules just changed. As of July 1, 2025, conducting Privacy Impact Assessments (PIAs) isn’t just a best practice anymore, it’s the law.
Who Does This Affect?
This applies to all provincial institutions subject to Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA). That includes:
- Provincial ministries and agencies
- Provincially-funded institutions like universities and colleges
- Hospitals and other healthcare organizations under FIPPA
- Provincial Crown corporations
Municipal institutions under MFIPPA aren’t legally required to do PIAs yet, but the writing’s on the wall. The smart money says: start now anyway.
What Changed?
Ontario passed Bill 194 (the Strengthening Cyber Security and Building Trust in the Public Sector Act), which turned privacy best practices into legal requirements. Here’s what provincial institutions must now do:
Before You Collect Personal Information, You Must:
- Complete a written PIA that includes:
  - Why you’re collecting the information and why it’s necessary
  - Your legal authority to collect it
  - What types of personal information you’re collecting
  - Where it’s coming from
  - Who will have access to it (by position title)
  - How long you’ll keep it
  - What security measures you’ll use
  - What risks people face if there’s a breach
  - What steps you’ll take to prevent breaches and protect people
- Implement your risk prevention measures before you start collecting (with limited exceptions), and describe how you plan to protect the data
- Update your PIA before making significant changes to how you use or disclose the information
- Provide your PIA to the Privacy Commissioner when requested
The Bottom Line: No More “We’ll Fix It Later”
Here’s the shift: You can’t just identify privacy risks anymore. You have to actually address them before you start collecting personal information. No more launching first and fixing things later.
Think of it like building safety inspections. You wouldn’t open a building without passing inspection. Now you can’t launch a program that collects personal information without demonstrating you’ve built in privacy protections.
Why This Matters (Even If You’re Not Covered Yet)
Private sector organizations: Pay attention.
What starts in the public sector rarely stays there. Here’s why you should care:
- The trend is clear: Privacy requirements are tightening everywhere. What’s mandatory for government today often becomes expected (or required) for private companies tomorrow.
- Your customers already expect it: When government sets the bar, public expectations rise. People will increasingly ask: “If my government has to do PIAs, why doesn’t my bank/employer/service provider?”
- Competitive advantage: Early adopters will differentiate themselves. When PIAs become mandatory for the private sector (and let’s be honest, that’s a “when,” not an “if”), you’ll already be ahead.
- Quebec’s already there: Law 25 requires private sector organizations to conduct Privacy Impact Assessments. Ontario often follows Quebec’s lead on privacy matters.
Making This Practical
A PIA doesn’t have to be complicated. For simple projects, it might just be:
- A clear explanation of what you’re doing and why
- Confirmation you have legal authority
- A list of what could go wrong
- Concrete steps to prevent those things from happening
For complex projects involving sensitive information, yes, you’ll need more depth. But the principle is the same: think first, build second, launch third.
The Real Message Here
Privacy by design isn’t optional anymore, at least not in Ontario’s public sector. The government is saying: “Privacy protection is so important that you must document your thinking and implement safeguards before you start handling people’s personal information.”
That’s actually a good thing. Better to spot the holes before you fall through them.
For provincial institutions: Get familiar with the new PIA requirements now. Build PIA reviews into your project timelines. Make friends with your privacy officer.
For municipal institutions: Start practicing now. When the requirement extends to you (not if, but when), you’ll be ready.
For private sector organizations: Watch and learn. Build the muscle memory now. When the requirement comes, and it will, you’ll thank yourself for getting ahead of it.
Taking time to plan for privacy success isn’t another headache. It’s the fastest route to sustainable operations that your customers can trust.
