A privacy impact assessment is really a due diligence tool whereby the organization thinking of putting in place a new program or tool that can have privacy impacts is required to assess the impacts and look at the risks and document them, and think of solutions to mitigate those risks, in consultation with my office. It's a very powerful tool that is a good practice and is good for everybody. It's good for citizens, who are going to have better privacy protections, and it's good for the departments, because they get advice and are seen to be getting advice from a neutral regulator. This is absolutely something that should be done in all cases and before new tools and new programs happen. In reality, that doesn't always happen, which is why it should be a legal requirement, in my view.
On May 1st, 2024.