Privacy Impact Assessment Steps - London Ontario Bylaw Guide
This guide explains how to conduct a Privacy Impact Assessment (PIA) for city projects in London, Ontario, and how municipal rules, access to information obligations and provincial privacy law affect project design. It is written for project managers, planners, IT and legal staff working with municipal systems and data. Use the steps below to assess privacy risks, document mitigations, and refer to official City of London guidance and provincial resources when deciding whether a formal PIA is required or when consulting external reviewers.
Overview — When to do a PIA
Carry out a PIA when a project collects, stores, links or discloses personal information about residents or staff, when new technology is introduced, or when existing systems are repurposed. Early assessment reduces redesign costs and legal exposure. Consult the City of London’s access and privacy pages for local contact and submission guidance (City of London - Access & Privacy[1]).
Step-by-step PIA process
- Identify stakeholders and data flows: list data fields, sources, recipients and retention periods.
- Map privacy risks: unauthorized access, inappropriate disclosure, inaccurate data and linkage risks.
- Design mitigations: minimize collection, use access controls, encryption, logging and retention limits.
- Document findings in a PIA report with residual risk ratings and recommended actions.
- Consult internal legal/records teams and submit to the City’s Access & Privacy contact if required by policy.
- Where provincial oversight applies, consider the Information and Privacy Commissioner of Ontario guidance on PIAs (IPC PIA toolkit[2]).
Penalties & Enforcement
Enforcement and penalties for privacy breaches affecting municipal records are governed by municipal policies together with provincial statutes; responsibilities include preventing unauthorized disclosure, correcting errors, and responding to access requests. The City of London handles local complaints and access requests through its Access & Privacy contact point (City of London - Access & Privacy[1]), and the Information and Privacy Commissioner of Ontario provides oversight and appeal functions at the provincial level (IPC PIA toolkit[2]).
- Fines and monetary penalties: not specified on the cited page for municipal PIA procedures; consult the provincial statute for statutory offences where applicable; see Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)[3].
- Escalation: first and repeat offence ranges not specified on the cited City pages; provincial remedies and orders are set out under MFIPPA and IPC orders (MFIPPA[3]).
- Non-monetary sanctions: orders to correct practices, mandatory reviews, production of records, and court enforcement; specifics are available via provincial IPC orders and MFIPPA provisions (IPC PIA toolkit[2]).
- Enforcer and complaint pathway: City of London Access & Privacy handles local complaints; appeals and binding orders may be issued by the Information and Privacy Commissioner of Ontario.
- Appeals and review: appeals to the IPC are subject to statutory timelines in MFIPPA; specific time limits for appeals are not specified on the cited City guidance and should be confirmed in the MFIPPA text (MFIPPA[3]).
Applications & Forms
The City publishes Access to Information request forms and submission instructions on its website; use the City of London request form for FOI/MFIPPA access requests. Fee details or specific PIA submission forms for municipal projects are not specified on the City page and may be provided on request by the Access & Privacy office (City of London - Access & Privacy[1]).
How-To
- Start: Convene stakeholders and define scope, purpose and legal authorities for the project.
- Inventory: List data elements, sources, retention, and sharing partners.
- Assess: Rate likelihood and impact of privacy harms and identify controls.
- Document: Produce a PIA report summarizing risks, mitigations and residual risk acceptance.
- Review: Obtain internal approvals and, where required, submit to the City’s Access & Privacy contact or legal counsel.
- Monitor: Implement controls, schedule audits, and update the PIA when significant changes occur.
FAQ
- Do all projects need a PIA?
  - Not all projects require a formal PIA; perform an initial screening and proceed to a full PIA if the project handles personal information, involves new technology, or increases data linkage risks.
- Who enforces compliance?
  - The City of London manages local access and privacy matters; the Information and Privacy Commissioner of Ontario reviews complaints and can issue binding orders under provincial law.
- Where do I submit an access request or privacy complaint?
  - Submit access requests and privacy complaints using the City of London Access & Privacy contact page or forms; appeals and oversight are handled by the IPC where applicable.
Key Takeaways
- Do PIAs early to reduce risk and redesign costs.
- Document decisions and retain PIA records for audit and oversight.
Help and Support / Resources
- City of London — Access to Information & Privacy
- City of London — Planning & Development
- City of London — By-laws and Licences