Skip to main content
Privacy Horizon
Privacy Impact Assessment

Privacy Impact Assessment Services in Ontario

Assess and document privacy risks in your programs and systems across Ontario.

Ontario is home to a disproportionate share of Canada's financial services firms, health-technology companies, and enterprise software providers — and each of those sectors carries a distinct privacy risk profile. Private-sector organizations operating in Ontario are governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA), overseen by the Office of the Privacy Commissioner of Canada. Health information custodians — hospitals, physicians, pharmacies, and the organizations that serve them — face an additional layer of obligation under Ontario's Personal Health Information Protection Act, 2004 (PHIPA), enforced by the Information and Privacy Commissioner of Ontario.

A Privacy Impact Assessment is the primary mechanism through which Ontario organizations demonstrate that they identified privacy risks before deploying a new system, entering a data-sharing arrangement, or expanding how they use personal information. Under PIPEDA's accountability principle, the obligation to protect personal information does not disappear when you hand data to a vendor or a partner — and a well-constructed PIA is how you document that you exercised due diligence before making that transfer.

Privacy Horizon works with Ontario organizations across sectors to build PIAs that are thorough, methodologically sound, and written for the people who need to act on them. We trace data flows from the point of collection through every system, service provider, and cross-border pathway. We identify the gaps — unclear retention policies, consent mechanisms that do not match how data is actually being used, third-party contracts that shift liability without shifting risk — and we produce a prioritized mitigation plan tied to timelines your team can realistically meet.

For health-sector clients, PHIPA adds material complexity. The consent and access requirements under PHIPA are specific, and the IPC has developed detailed expectations for what a PIA in that context should address. Our team includes advisors with deep health-sector experience who understand where PIPEDA and PHIPA intersect and where they diverge — so your assessment reflects both frameworks accurately, not one at the expense of the other.

Privacy & security regulation in Ontario

Regulator: Information and Privacy Commissioner of Ontario (IPC)

Ontario organizations operate under federal PIPEDA for commercial activity, with health-sector custodians additionally governed by PHIPA and overseen by the Information and Privacy Commissioner of Ontario.

PIPEDAPersonal Information Protection and Electronic Documents Act

PIPEDA is Canada's federal private-sector privacy law. It sets out ten fair information principles governing how organizations collect, use, and disclose personal information in the course of commercial activity. It applies wherever a province has not enacted substantially similar legislation — and, even in provinces that have (Alberta, British Columbia, Québec), it continues to apply to federally regulated businesses such as banks, airlines, and telecommunications, and to personal information that flows across provincial or national borders.

Read the legislation

PHIPAPersonal Health Information Protection Act, 2004

PHIPA governs how health information custodians in Ontario — a defined, closed list of providers such as hospitals, physicians, and pharmacies — collect, use, and disclose personal health information. It establishes consent rules and individual access rights, and requires custodians to notify affected individuals at the first reasonable opportunity following a breach, and to report to the Information and Privacy Commissioner of Ontario in the circumstances the Act prescribes.

Read the legislation

What Privacy Impact Assessment includes

A privacy impact assessment (PIA) identifies and mitigates privacy risks before they become problems — and produces the documentation regulators and partners expect.

Data Flow Mapping

Understand how personal information moves through your systems.

Risk Identification

Surface privacy risks early, before launch.

Mitigation Planning

Concrete steps to reduce identified risks.

Regulator-Ready Documentation

Defensible records of your privacy diligence.

PIPEDA Accountability and PHIPA Dual Obligations

Ontario organizations in the health-technology space often underestimate the reach of PHIPA. The Act applies to health information custodians — a defined list — but also to those who act as agents on their behalf. If your platform stores, processes, or transmits personal health information on behalf of a custodian, your contractual and technical obligations are shaped by PHIPA as well as PIPEDA. Our PIAs address both frameworks in the same assessment, so nothing falls through the gap between them. The Information and Privacy Commissioner of Ontario enforces both laws and has a track record of investigating systems where a proper impact assessment was never conducted.

Built for Ontario's Commercial and Tech Sectors

Beyond healthcare, Ontario's technology and financial services industries handle personal information at significant scale — account data, transaction histories, behavioral analytics, and cross-border data flows that involve US cloud providers and international partners. PIPEDA's accountability principle requires that you have appropriate contractual protections in place whenever personal information is transferred to a third party for processing. A PIA documents that you mapped those flows, identified where accountability could be lost, and put controls in place before the transfer happened. For organizations building products or services for Canadian consumers, that documentation is central to your compliance position.

What's Protecting Your Business from the Next Threat?

Don't wait for a breach to expose your vulnerabilities. Let Privacy Horizon secure your data, ensure compliance, and build lasting trust.