The PIAs have been embedded in Treasury Board guidance. My understanding from the Privacy Commissioner is that some departments do a lot of PIAs, while others do very few. They vary in quality a lot.
I did some analysis of PIAs a few years ago, and my conclusion was that they're virtually useless if they're just a statutory checklist to determine if something is legal. They're far more useful when the implications for privacy are considered in a broader context beyond the law and when agency officials are invested in the process of doing that analysis in a recurring way.
The analysis is submitted to the Privacy Commissioner, who gives some feedback, but the understanding is that if there are any subsequent changes to the program, the PIA itself has to be adjusted as a result. That's the kind of early warning system that I think produces an ounce of prevention, and should, in that perfect world, mitigate the chances of data breaches. It should encourage privacy by design. It should encourage the building in of protections at the outset of program development and service delivery, rather than putting them on at the end.
There are plenty of examples in Canada of very good PIAs that fit that model, including some that have been done in the area of border services, but so often they are brief checklists.