Ottawa Privacy Impact Assessment Rules for Third-Party Apps
In Ottawa, Ontario, municipal projects that involve third-party applications must follow the City of Ottawa's privacy and information-management expectations to protect resident data. This guide explains when a Privacy Impact Assessment (PIA) is required, who enforces the rules, practical steps for procurement teams and vendors, and how to respond to complaints. It references the City of Ottawa guidance and provincial privacy oversight so project leads can act promptly and in compliance.[1][2]
When a PIA Is Required
Ottawa requires privacy review for systems, services, or contracts that collect, use, disclose, or host personal information on behalf of the City, including third-party mobile or web applications integrated with municipal systems or handling resident data. Projects that introduce new data flows, change retention or sharing practices, or engage cloud or offshore processing typically trigger a PIA.[1]
- Projects with new personal data collection or sharing.
- Any contract with an external vendor processing City personal information.
- Integrations that alter system architecture or data hosting locations.
- Major changes to retention, access, or disposal of records.
How Ottawa and Ontario Oversee PIAs
The City of Ottawa's Privacy Office coordinates PIAs, with Information Technology Services and procurement teams ensuring contract clauses and security obligations are applied. Provincial oversight and PIA best practices are set out by the Information and Privacy Commissioner of Ontario (IPC), which provides guidance on scope and methodology.[1][2]
Penalties & Enforcement
The City of Ottawa enforces privacy and information-management requirements through its Privacy Office, IT Security, and procurement compliance processes. Specific monetary fines for PIA-related breaches are not specified on the cited City of Ottawa page; enforcement typically focuses on corrective orders, contract remedies, and referral to provincial authorities where warranted.[1]
- Monetary fines: not specified on the cited page.[1]
- Escalation: first internal remedial actions, then contract sanctions or termination; referral to the IPC where statutory issues arise.[1]
- Non-monetary sanctions: compliance orders, mandatory audits, contract suspension or termination, data remediation, and court actions as applicable.[2]
- Enforcer contact: City of Ottawa Privacy Office and the IPC of Ontario for provincial enforcement and advice.[1][2]
Appeals and review routes: administrative review through the City’s internal complaint process and, where statutory authority applies, complaints to the IPC of Ontario. Time limits for filing complaints with the IPC are governed by provincial rules and may vary; see the IPC guidance for procedural deadlines.[2]
Applications & Forms
The City of Ottawa provides a PIA process coordinated by the Privacy Office; where a formal PIA questionnaire or template is required, it is published by the City. If a specific PIA form or fee is not available on the City page, treat it as "not specified on the cited page" and contact the Privacy Office for the latest template and submission instructions.[1]
Practical Steps for Project Leads
- Start privacy screening at project inception and document decisions.
- Complete the City PIA template or screening checklist and submit to the Privacy Office.
- Include standard contract clauses for security, breach notification, and data location in vendor agreements.
- Allocate budget for remediation, independent security testing, and potential audits.
Common Violations
- Failure to perform a PIA when new personal data flows are introduced.
- Inadequate contractual safeguards for third-party processors.
- Unauthorized data sharing or cross-border transfers without approvals.
FAQ
- Who must complete a PIA for a third-party app?
  - The City project lead or vendor must complete a PIA when the app collects, stores, or processes personal information on behalf of the City; consult the Privacy Office for scope.[1]
- How long does a PIA review take?
  - Review time varies by complexity; simple screenings may take days, while full PIAs can take weeks. Start early in planning and procurement.
- Where do I submit the PIA?
  - Submit the PIA to the City of Ottawa Privacy Office as directed on the City privacy pages or via the Privacy Office contact channels.[1]
How-To
- Screen the project to determine if personal information is involved.
- Contact the City of Ottawa Privacy Office for the current PIA template and guidance.[1]
- Complete the PIA including data flows, risk assessment, and mitigation measures.
- Submit the PIA to the Privacy Office and address any follow-up questions or corrective actions.
- Incorporate required contract clauses and implement technical and administrative controls before go-live.
Key Takeaways
- Start privacy screening early in procurement.
- Coordinate with the City Privacy Office for templates and review.
- Enforcement focuses on corrective orders and contract remedies rather than published municipal fines.
Help and Support / Resources
- City of Ottawa - Privacy and access to information
- City of Ottawa - Access to Information and Privacy
- Information and Privacy Commissioner of Ontario