63.5. A public body must conduct a privacy impact assessment for any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, release, keeping or destruction of personal information.
For the purposes of such an assessment, the public body must consult its committee on access to information and the protection of personal information from the outset of the project.
The public body must also ensure that the project allows computerized personal information collected from the person concerned to be released to him in a structured, commonly used technological format.
The conduct of a privacy impact assessment under this Act must be proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.
2021, c. 252021, c. 25, s. 151.