Québec PIA Checklist for New Systems - City Bylaw
Public departments and vendors in Québec City, Quebec, that launch new systems handling personal information should follow a clear Privacy Impact Assessment (PIA) process to meet municipal and provincial obligations. This guide explains the practical steps municipal staff, contractors and IT teams must take before deploying new databases, apps or surveillance systems. It identifies the legal framework, responsible offices, typical documents, timelines, and how to document mitigations and approvals so systems meet the standards expected by Québec public bodies and oversight authorities.[1] For policy guidance on privacy impact assessments, see the municipal practice and provincial rules discussed below.
Privacy Impact Assessment steps
Follow these practical steps when a project will collect, use, disclose or store personal information:
- Initiate early: add the PIA to the project charter during concept and planning, before procurement begins or procurement specifications are drafted.
- Scope data flows: list data elements, sources, retention and sharing partners; map where data travels and who controls it.
- Assess risks: identify privacy risks, legal bases, and likelihood/severity of harms to individuals.
- Design mitigations: apply technical and organizational controls such as minimization, encryption, access logging and retention schedules.
- Record decisions: complete the PIA report and include sign-offs from the departmental head, legal counsel and IT security.
- Approval and monitoring: obtain approvals before launch and schedule post-deployment review and auditing.
Roles & responsibilities
- Project sponsor: ensures PIA is resourced and approved.
- Privacy officer or designated contact: leads assessment and record-keeping.
- IT security/architects: implement technical mitigations and produce evidence that the controls are in place.
- Legal counsel: advises on lawful bases and information-sharing agreements.
Penalties & Enforcement
The municipal-level requirement to perform a PIA typically arises from provincial privacy law and municipal policies. Specific monetary fines for failing to complete a PIA are not commonly listed on municipal policy pages; where monetary penalties exist they are set by statute or bylaw and must be checked in the controlling instrument. For the provincial legal framework on access and protection of personal information see the Act respecting access to documents held by public bodies and the protection of personal information.[1]
- Fines: not specified on the cited page for an explicit PIA omission; consult the cited law and municipal bylaws for monetary penalties and ranges.
- Escalation: first and repeat offence escalation rules are not specified on the municipal policy pages and may be enforced under broader access/protection legislation or specific bylaws.
- Non-monetary sanctions: orders to cease processing, corrective measures, requirement to delete or notify affected individuals, and court actions are possible under provincial oversight.
- Enforcer: oversight may involve the provincial oversight body for access and privacy and municipal enforcement offices; complaint and inspection routes are described on municipal privacy pages and by provincial authorities.[2]
- Appeals: appeal or review routes depend on the enforcing instrument; time limits for appeals are not specified on the cited municipal pages and must be confirmed in the statute or bylaw that imposed the sanction.
Applications & Forms
Many municipalities do not publish a separate PIA application form; instead, departments use an internal PIA template, or the privacy officer accepts the completed report and supporting documentation. If no form is published on the municipal site, record that "no form is required or none is officially published" and keep the PIA report with the project records.[2]
FAQ
- When is a PIA required?
- A PIA is required for new systems or major changes that collect, use or disclose personal information and when risks to privacy are non-trivial.
- Who must sign off the PIA?
- The department head and the designated privacy officer or legal counsel should sign the PIA; IT security sign-off is recommended.
- How long should records be kept?
- Retention periods depend on the purpose and applicable retention bylaws or schedules; document retention decisions in the PIA.
How-To
- Identify the project and trigger: confirm whether the new system handles personal information and requires a PIA.
- Complete the PIA template: map data flows, list risks, and propose controls with responsible owners.
- Review and approve: obtain departmental head, privacy officer and IT security approvals before procurement.
- Implement and monitor: put technical controls in place and schedule a post-deployment review within six months.
Key Takeaways
- Start PIAs early in project planning to reduce risk.
- Keep clear records of decisions, approvals and mitigations.
Help and Support / Resources
- Ville de Québec - Contact and departmental pages
- Éditeur officiel - LegisQuébec (laws and statutes)
- Commission d'accès à l'information du Québec