Skip to main content
Privacy Horizon
Privacy Impact Assessment

Privacy Impact Assessment Services in Nova Scotia

Assess and document privacy risks in your programs and systems across Nova Scotia.

Nova Scotia's private-sector organizations are governed by Canada's federal Personal Information Protection and Electronic Documents Act (PIPEDA), with the Office of the Privacy Commissioner of Canada holding oversight responsibility. In the health sector, a separate provincial framework applies: the Personal Health Information Act (PHIA) governs how custodians collect, use, and disclose personal health information, and the Office of the Information and Privacy Commissioner for Nova Scotia — sometimes referred to as the Review Office — provides oversight in that domain. The two frameworks operate in parallel, not in sequence.

Conducting a Privacy Impact Assessment is the most effective way for a Nova Scotia organization to demonstrate that it takes PIPEDA's accountability principle seriously. The principle requires not just that you protect personal information, but that you are able to show you have the policies, procedures, and practices in place to do so — and that you applied those practices before a new system or data arrangement went forward. A PIA is not the only way to satisfy that standard, but it is the most comprehensive and the most defensible.

Privacy Horizon brings a structured methodology to the PIA process that is designed to surface the risks that organizations most commonly miss. Data flow mapping reveals how personal information actually moves through your systems — including the service providers, cloud platforms, and analytics tools embedded in your technology stack that process personal information as a side effect of doing their primary job. Risk identification then evaluates each flow and each processing activity against PIPEDA's ten fair information principles, flagging where collection may exceed purpose, where retention extends beyond necessity, or where accountability has been transferred to a vendor without adequate contractual protection.

The mitigation planning that follows is proportionate and practical — prioritized by risk severity, with controls matched to the sensitivity of the information at stake. For health-sector clients, our team works through the PHIA obligations in parallel, ensuring the assessment captures both frameworks where both apply.

Privacy & security regulation in Nova Scotia

Regulator: Office of the Information and Privacy Commissioner for Nova Scotia

In Nova Scotia, private-sector businesses are governed by Canada's federal privacy law, PIPEDA, overseen by the Office of the Privacy Commissioner of Canada. Personal health information held by custodians is separately governed by the Personal Health Information Act (PHIA), with oversight by the Office of the Information and Privacy Commissioner for Nova Scotia.

PIPEDAPersonal Information Protection and Electronic Documents Act

PIPEDA is Canada's federal private-sector privacy law. It sets out ten fair information principles governing how organizations collect, use, and disclose personal information in the course of commercial activity. It applies wherever a province has not enacted substantially similar legislation — and, even in provinces that have (Alberta, British Columbia, Québec), it continues to apply to federally regulated businesses such as banks, airlines, and telecommunications, and to personal information that flows across provincial or national borders.

Read the legislation

PHIA (Nova Scotia)Personal Health Information Act (Nova Scotia)

Nova Scotia's health-sector privacy law governing the collection, use, disclosure, retention and destruction of personal health information by custodians. It is deemed substantially similar to PIPEDA for health information custodians, and gives individuals access, correction and review rights. Oversight is by the Office of the Information and Privacy Commissioner for Nova Scotia (the Review Office). General commercial activity outside the health sector is governed by federal PIPEDA.

Read the legislation

What Privacy Impact Assessment includes

A privacy impact assessment (PIA) identifies and mitigates privacy risks before they become problems — and produces the documentation regulators and partners expect.

Data Flow Mapping

Understand how personal information moves through your systems.

Risk Identification

Surface privacy risks early, before launch.

Mitigation Planning

Concrete steps to reduce identified risks.

Regulator-Ready Documentation

Defensible records of your privacy diligence.

PHIA and Nova Scotia's Health Sector

Nova Scotia's Personal Health Information Act is deemed substantially similar to PIPEDA for health information custodians — meaning that, for those custodians, PHIA is the primary operative framework for personal health information. The Review Office (the IPC for Nova Scotia) enforces PHIA and has developed detailed expectations for how custodians should manage privacy risk, particularly in contexts where health information is shared with external parties or processed through digital systems. For health-sector organizations and the technology vendors that serve them, a PIA that addresses PHIA obligations directly — consent, access, disclosure, retention, and breach notification — is a material part of demonstrating compliance.

Cross-Sector Organizations and the PIPEDA Baseline

Many Nova Scotia businesses operate across sectors — a company that provides both a consumer service and a health platform, or a technology firm that serves both public-sector clients and private-sector customers. In those cases, both PIPEDA and PHIA may be relevant, but to different parts of the business. A PIA needs to be scoped correctly to reflect which framework applies to which data and which system. Privacy Horizon works through that scoping exercise carefully at the outset, ensuring that the assessment is neither over-broad (treating everything as health information) nor under-broad (missing the health-sector obligations that apply to part of the operation).

What's Protecting Your Business from the Next Threat?

Don't wait for a breach to expose your vulnerabilities. Let Privacy Horizon secure your data, ensure compliance, and build lasting trust.