Vancouver City Privacy Impact Assessment Guide

Vancouver, British Columbia public bodies must assess privacy risks for new technologies, data uses and bylaw-driven programs. This guide explains when a Privacy Impact Assessment (PIA) is advisable for City of Vancouver projects, key steps to complete a PIA, enforcement and appeals, and where to find official forms and contacts for both the City and the provincial Office of the Information and Privacy Commissioner (OIPC). It is written for municipal project owners, IT teams, privacy leads and legal counsel who need a practical, step-by-step municipal perspective on privacy due diligence.

When a PIA Is Required

Municipal projects that collect, use, disclose or retain personal information, or that introduce new surveillance, sensor networks, data-sharing, automated decision systems or cloud-hosted services, should consider a PIA. A PIA is a structured assessment of privacy risks and mitigations and may be required by internal City policy or applicable provincial guidance.

• Assess projects that introduce new personal data flows, such as CCTV, licence plate readers, or sensor networks.
• Include third-party vendors and cloud services in the assessment scope.
• Trigger a PIA early in procurement or design to inform contract and bylaw drafting.

Core PIA Steps

The PIA process documents why personal information is needed, identifies risks, evaluates legal authority and proposes mitigation. Typical municipal PIA steps are:

1. Map the data: what is collected, retained, disclosed, and by whom.
2. Identify legal authority: bylaw, municipal function, or provincial statute.
3. Assess privacy risks and propose mitigations like minimization, retention limits, access controls.
4. Document approvals: project owner, privacy officer, legal review, and council if required.
5. Plan transparency: public notices, signage, and information on City web pages.

Penalties & Enforcement

Enforcement for privacy issues affecting municipal projects in Vancouver is primarily handled through provincial processes and City administrative controls. For City practices and access-to-information administration see the City of Vancouver Access and Privacy pages City of Vancouver 2 0Access and Privacy^[1]. The provincial Office of the Information and Privacy Commissioner (OIPC) provides oversight and guidance on PIAs and privacy compliance OIPC PIA guidance^[2].

• Monetary fines: specific municipal fine amounts for privacy breaches are not specified on the cited pages.
• Administrative actions: OIPC can investigate, make findings and issue orders requiring compliance; the City can apply internal corrective actions.
• Court remedies: judicial review or court action is available where statutory orders or rights are at issue; exact procedures are set out by provincial statute and OIPC guidance.
• Complaint pathway: members of the public may file complaints with the OIPC and the City’s access/privacy contact; see Help and Support below.
• Escalation: first, administrative remediation; repeat or systemic failures may lead to OIPC orders or court action; specific escalation fines or schedules are not specified on the cited pages.

Applications & Forms

The City publishes information on access and privacy programs and how to contact the City Access and Privacy team; an official PIA template or public PIA registry is not specified on the cited City page. For formal public complaints or review, the OIPC provides complaint forms and procedures on its site. For internal project PIAs, project teams should consult the City privacy contact for any City-specific template or requirement.^[1]

Action Steps for Project Teams

• Begin a PIA during project planning and procurement.
• Engage City legal and the Access and Privacy team early for authority and template guidance.
• Contractually require vendor privacy controls and data residency where applicable.
• Publish clear public notices for surveillance or data collection activities.

FAQ

What triggers a PIA for a Vancouver project?

A PIA is triggered by new collection or use of personal information, surveillance, sensor networks, automated decision systems, or major data-sharing arrangements; consult the City Access and Privacy office for City-specific triggers.^[1]

Who enforces privacy compliance for City projects?

Provincial oversight is provided by the OIPC, and the City enforces internal policies through its Access and Privacy team; the OIPC can investigate complaints and issue orders.^[2]

Where do I submit a complaint about a privacy breach?

Submit an initial complaint to the City Access and Privacy contact and file with the OIPC if the matter requires provincial review; see the Help and Support section for links.

How-To

1. Identify project scope and stakeholders and notify the City Access and Privacy team.
2. Map personal information flows and document legal authority for each data use.
3. Assess risks and select mitigations such as minimization, encryption, and retention limits.
4. Obtain required approvals, complete the PIA record, and include privacy terms in contracts.
5. Publish transparency notices and set monitoring and review dates.

Key Takeaways

• Start PIAs early in project design to shape requirements and contracts.
• OIPC oversight complements City enforcement; remediation and orders are possible.

Help and Support / Resources

• City of Vancouver e2a0Access and Privacy
• City of Vancouver e2a0Bylaws & enforcement
• Office of the Information and Privacy Commissioner for BC
• City of Vancouver e2a0Planning & development contacts

1. [1] City of Vancouver e2a0Access and Privacy
2. [2] Office of the Information and Privacy Commissioner for BC e2a0PIA guidance