Treasury Board of Canada Secretariat
www.tbs-sct.gc.ca
PIA e-learning tool
Module 1: Introduction
- Privacy in the 21st Century primarily focuses on the control and use of information.
- Canada has a strong legislative and policy framework on privacy based on 10 universal privacy principles.
- Canadians want the GoC to provide services through GOL, but are concerned about the provision of these services and the possible impact on privacy.
Module 2: The Legislative and Policy World of Privacy In Canada
- The privacy of Canadians is governed by two federal Acts of general application (Privacy Act and Personal Information Protection and Electronic Documents Act), various provincial Freedom of Information and Privacy Acts, and a variety of other more specific federal and provincial statutory provisions.
- The Treasury Board was responsible for developing the Policy on Privacy Impact Assessments (PIAs) and the associated Guidelines document.
- All provinces and territories have privacy legislation which may have an impact on completing a PIA when there is a significant cross-jurisdictional data exchange.
Module 3: Defining Privacy Impact Assessments
- PIAs are a comprehensive process designed to help GoC institutions determine if there are privacy-related issues with a program or service.
- PIAs involve four steps—Project Initiation, Data Analysis, Privacy Analysis and Privacy Impact Assessment Report—and are generally required when there is: an increase in the amount of personal information being collected; a broadening of the client target population; or, a significant change in the technology used to collect and protect personal information.
- Preliminary PIAs are often used when there isn't enough information to complete a full PIA or if there is doubt as to whether or not privacy is a concern.
- PIAs are important for a number of reasons—reducing non-compliance; avoiding costly redesign of programs and/or services; assuring the public of safeguarding privacy; and, assisting in informed decision-making.
Module 4: Overview of PIA Process
- Do a PIA if there is:
  - A new or increased collection, use or disclosure of personal information
  - A broadening of target populations
  - Shift from direct to indirect collection of information
  - An expansion of information collection
  - New data matching or increased sharing of information between programs or across sectors or institutions
  - A significant change in the business process or system used to hold information
  - Contracting or devolution of programs or services
  - Creation of new or extended use of common personal identifiers
  - Anticipated negative public response.
- A lot of people can be involved in the PIA process—ADMs, ATIP staff, legal and privacy experts, systems and IT staff and the Office of the Privacy Commissioner.
Module 5: Key Stakeholders in PIAs
- Deputy Ministers and other Heads of Institutions are responsible for ensuring compliance with the Privacy Act, regulations and associated policies, including the PIA Policy. They also are responsible for approving and signing off on the PIA.
- The Office of the Privacy Commissioner has oversight of both the Privacy Act and PIPEDA. This office is also responsible for reviewing PIAs and providing advice and guidance on privacy-related matters.
- The Treasury Board developed the PIA Policy and associated Guidelines. TBS is also responsible for monitoring compliance through a variety of mechanisms (e.g., project approval and funding).
- Institutions are responsible for developing PIAs and ensuring that their collection, use and disclosure of personal information respects the Privacy Act and universal privacy principles. They must also publish the results of their PIAs.
- The PIA team consists of privacy and legal experts, program managers, systems and IT managers, and communications strategists and each plays a specific role in the creation of a PIA.