Absolutely.
Privacy impact assessments, in my mind, are an important tool for a culture of privacy, for a culture where privacy is top of mind. We are designing tools for organizations that are meeting many obligations and facing pressures. Time is limited for decision-makers and I understand that, but having that framework is about getting into this habit of asking questions: What is the impact on privacy? How large is it? How necessary is it? What is my purpose? Why do I need this information? Do I need as much? What are the safeguards we're putting in? All of this risk assessment, the identification of mitigation tools and the identification of proportionality create a culture of privacy and a culture of privacy by design, and in the ideal scenario, it means that my office doesn't need to be involved—or very little—because we're informed of it; we're notified. We then look at it and we're satisfied, or we provide some advice. It doesn't give rise to situations where there is a complaint, a concern or a sense of mistrust, or where questions are being asked.
This is good, in my mind, for everyone. It ensures the protection of privacy for Canadians, ensures organizations can achieve their goals and ensures there's trust in society so Canadians can feel they can use these tools and participate as digital citizens.