106. A body must conduct a privacy impact assessment for any project to acquire, develop or overhaul technological products or services or an electronic service delivery system where the project involves the collection, keeping, use, communication or destruction of information held by the body.
It must also ensure that such a project allows computerized information collected from the person concerned to be communicated to the person in a structured, commonly used technological format.
The assessment referred to in the first paragraph must be proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.
Where the acquisition, development or overhaul project concerns a certified product or service that was the subject of a privacy impact assessment during its certification process, that assessment stands in lieu of the assessment required under the first paragraph.
2023, c. 52023, c. 5, s. 106.