Skip to main content
Privacy Horizon
Privacy Impact Assessment

Privacy Impact Assessment Services in Manitoba

Assess and document privacy risks in your programs and systems across Manitoba.

Manitoba's private-sector organizations operate under Canada's federal Personal Information Protection and Electronic Documents Act (PIPEDA), administered by the Office of the Privacy Commissioner of Canada. Health information is governed by a distinct provincial framework: The Personal Health Information Act (PHIA) applies to health trustees — hospitals, physicians, pharmacies, and health agencies — and oversight falls to the Manitoba Ombudsman. The two frameworks cover different populations and different sectors, and organizations that sit at the intersection of health and commerce need to understand where each one applies.

A Privacy Impact Assessment under PIPEDA is not a statutory requirement in the way it is under Québec's Law 25 — but it is the primary mechanism through which an organization can demonstrate that it has met PIPEDA's accountability principle in practice. The OPC expects organizations to be able to show that they thought seriously about privacy risks before a new system launched or a data-sharing arrangement began, and that they took steps to address the risks they found. A documented PIA is that demonstration.

Privacy Horizon conducts PIAs for Manitoba organizations that are planning system changes, entering new data-sharing relationships, expanding their use of customer information, or simply working through what PIPEDA actually requires of them. Our process starts with data flow mapping — a complete, accurate picture of how personal information enters and moves through your organization, including the third-party relationships and cross-border pathways that are easy to overlook in a fast-moving business environment. That map drives everything that follows: the risk identification, the prioritized mitigation plan, and the documentation.

For Manitoba organizations in the healthcare space, PHIA adds a distinct layer of complexity. The consent, access, and notification requirements under PHIA are specific and technical, and the Manitoba Ombudsman has developed clear expectations for what responsible data handling looks like in that context. Our assessments address both PIPEDA and PHIA obligations where both apply, so nothing is left to assumption.

Privacy & security regulation in Manitoba

Regulator: Manitoba Ombudsman

In Manitoba, private-sector businesses are governed by Canada's federal privacy law, PIPEDA, overseen by the Office of the Privacy Commissioner of Canada. Personal health information held by trustees such as hospitals, clinics and pharmacies is separately governed by The Personal Health Information Act (PHIA), with oversight by the Manitoba Ombudsman.

PIPEDAPersonal Information Protection and Electronic Documents Act

PIPEDA is Canada's federal private-sector privacy law. It sets out ten fair information principles governing how organizations collect, use, and disclose personal information in the course of commercial activity. It applies wherever a province has not enacted substantially similar legislation — and, even in provinces that have (Alberta, British Columbia, Québec), it continues to apply to federally regulated businesses such as banks, airlines, and telecommunications, and to personal information that flows across provincial or national borders.

Read the legislation

PHIA (Manitoba)The Personal Health Information Act (Manitoba)

Manitoba's health-sector privacy law, in force since December 11, 1997. It governs how trustees collect, use, disclose, retain and safeguard personal health information, gives individuals access and correction rights, and requires trustees to notify the Manitoba Ombudsman of privacy breaches in defined circumstances. Oversight is by the Manitoba Ombudsman. It does not govern general commercial activity, which falls under federal PIPEDA.

Read the legislation

What Privacy Impact Assessment includes

A privacy impact assessment (PIA) identifies and mitigates privacy risks before they become problems — and produces the documentation regulators and partners expect.

Data Flow Mapping

Understand how personal information moves through your systems.

Risk Identification

Surface privacy risks early, before launch.

Mitigation Planning

Concrete steps to reduce identified risks.

Regulator-Ready Documentation

Defensible records of your privacy diligence.

PIPEDA Accountability in a PHIA Environment

Manitoba's health-technology sector operates in a space where PIPEDA and PHIA both matter, but apply to different things. PIPEDA governs general commercial activity — a health-tech company's handling of customer or employee data, its vendor relationships, its marketing practices. PHIA governs the handling of personal health information by trustees and those acting on their behalf. If your organization both provides health services and runs a commercial operation, both frameworks are relevant and your PIA needs to reflect both. Privacy Horizon works through that intersection carefully, ensuring your assessment accurately captures where each law applies and what it requires.

Practical Documentation for Smaller Teams

Many Manitoba businesses are mid-sized organizations that do not have a dedicated privacy function. The PIA process can feel intimidating without in-house legal or compliance expertise — but it does not have to be. Privacy Horizon is built around making rigorous, regulator-ready assessments accessible to organizations that are running lean. We handle the methodology, the documentation framework, and the regulatory interpretation. You provide operational context. The output is a clear, usable assessment that your leadership can understand and your counsel can defend — without requiring months of internal effort.

What's Protecting Your Business from the Next Threat?

Don't wait for a breach to expose your vulnerabilities. Let Privacy Horizon secure your data, ensure compliance, and build lasting trust.