Privacy Impact Assessments
List of Completed Privacy Impact Assessments
SFU employees can access a list of completed PIAs through SFU's CAS single sign-on:
What is a Privacy Impact Assessment?
It’s essential that every employee, department, program and project at SFU is compliant with the protection of privacy requirements outlined in BC's Freedom of Information and Protection of Privacy Act ("FIPPA"). To ensure SFU's compliance, we use an important and legislated risk management and compliance tool called a Privacy Impact Assessment ("PIA").
A PIA determines if a new or changed university initiative (a system, project, program, policy or activity) will meet FIPPA’s protection of privacy requirements. The assessment identifies and addresses potential privacy and security issues before they become a problem, thus avoiding costly program, process or service redesign, privacy breaches and harm to institutional reputation.
How do PIAs work?
A PIA is a legislated requirement for each new or revised system, project, activity, program or policy at SFU.
Conducting PIAs is a shared responsibility and a joint effort between:
- the department or program area implementing the new initiative;
- the Access and Privacy program; and if applicable,
- Information Security.
A PIA will include gathering the following information:
- a description of the initiative and a list of the elements of personal information collected, used, and disclosed;
- identification of sensitive personal information that will be accessed or stored outside Canada;
- legal authorities for collection, use, and disclosure of the personal information;
- identification of privacy risks and a description of the mitigation strategies that have been or will be implemented;
- descriptions of the physical and technical security measures related to the initiative;
- explanation of procedures to ensure accuracy, correction and retention of personal information; and
- identification of any systematic disclosures of personal information.
When you’re ready to get started, schedule a meeting with a member of the Access and Privacy Program. You can then download and complete the Privacy Impact Assessment Form. Email the completed form to privacy@sfu.ca and a member of our team will contact you with next steps.
Privacy Impact Assessment Process
Phase 1
Consider the time needed to complete a PIA. Determine how much information you currently have and how much more you will need. Identify stakeholders and meet with a member of the Access and Privacy Program.
Phase 2
Begin liaising with stakeholders. Conduct further research, as needed. Obtain additional information from vendors, IT Services, etc.
Phase 3
A member of the Access and Privacy Program will assist you with identifying and mitigating possible risk factors.
Phase 4
The review process is iterative. Analysis of risks may reveal information gaps, which will require additional research and updates to the PIA.
Phase 5
The PIA receives approval from all stakeholders. Relevant departments are responsible for ensuring recommendations are completed.
Phase 1: Planning & Scoping
Determine if a PIA is needed
The first step in determining the type of PIA needed is to check whether one has already been completed here. If one has been completed, connect with the Privacy and Access Team to review the PIA and ensure the prior assessment covers your initiative. If a PIA has not already been done, complete a Pre-Assessment Questionnaire (PAQ). The PAQ quickly assesses the severity of any privacy-related risks of a proposed initiative. If you plan on engaging a service provider, locate their privacy policy and attach it to the PAQ. Share the results of the PAQ with a member of the Access and Privacy Program. It might be determined that an initiative does not trigger the application of BC's Freedom of Information and Protection of Privacy Act or, if it does, only minimal steps need to be taken to ensure compliance (i.e., it does not involve personal information). If the latter, we can simply provide you with advice on how best to proceed. However, if privacy risks are deemed to be in the medium to high range, then the PIA form will need to be completed.
The Access and Privacy Program currently consists of:
- Paul Hebbard, University Archivist and Coordinator of Information and Privacy, pgh@sfu.ca
- Ernest Soares, Privacy Legal Counsel, ernest_soares@sfu.ca
- Robert McLelland, Information and Privacy Archivist, robert_mclelland@sfu.ca
You can also send us an email to the role account privacy@sfu.ca.
Budget for time
The timeline to complete a PIA is dependent upon several factors, including: the complexity of the initiative; the extent to which relevant stakeholders, especially service providers, are cooperative and transparent in how their systems collect, use, disclose and store personal information; the amount of effort and attention to detail the lead writer of the PIA invests in its completion; and whether sensitive personal information is stored outside of Canada. For all of these reasons, it is difficult to project an exact timeline; however, we generally recommend that departments allow for two to three months in total.
Start Early
Planning for a PIA should begin at the very outset of an initiative. Do not wait until you have selected a software solution and are ready to sign a contract. Consult with a member of the Access and Privacy Program as soon as possible to discuss next steps in the process and how you can best prepare to see a PIA through to successful completion.
Understand Your Responsibilities
Departmental administrators are responsible for ensuring there is adequate lead time available to complete a PIA in relation to other project deadlines. Departmental administrators should also be prepared to delay implementation of a new initiative if a PIA is not completed or forgo implementation entirely if a PIA determines the initiative will not be in compliance with the privacy requirements of BC's Freedom of Information and Protection of Privacy Act.
Achieve compliance
Conducting a PIA is not a checklist exercise. It is a compliance and risk assessment process and a legislated responsibility under the Freedom of Information and Protection of Privacy Act. A proposed initiative may be assessed as non-compliant and, if so, may need to be rethought or abandoned. Don't assume that your initiative will not be affected by a PIA – another reason to start early and plan ahead.
Phase 2: Gathering Information & Contacting Relevant Parties
Gather PIA Inputs
Inputs into the PIA include a description of the purpose of the initiative; the types of personal information that will need to be collected and how it will be used and disclosed; and a description of the physical and technical security measures in place to protect the personal information. You can start gathering this information and adding it to the PIA even before the University has finalized a decision about the adoption of any new initiative.
Identify Key Stakeholders
Begin liaising with identified stakeholders. At the outset of an initiative that involves the adoption or alteration of a software system, arrange for support from IT Services. IT Services is instrumental in vetting the security risks associated with new systems. They can also be helpful in liaising with service providers, especially on technical questions. If an initiative involves an IT project charter, IT Services' Digital Transformation Office will guide you in the writing of the PIA. Make sure to secure IT support before beginning an initiative.
Also identify any other relevant stakeholders such as departments that will participate directly in the initiative or departments that are tangentially involved (e.g., maintain a system that will need to integrate with a new application). Procurement may also play a role in preparing an RFP, depending upon the cost of the initiative, and service providers will often partner with the University to deliver solutions. Finally, Legal Counsel may need to review the terms and conditions of any agreement or contract with a service provider.
Phase 3: Analyzing & Mitigating Risks
Review Contractual Language
If your initiative involves the purchase or licensing of software or software-as-a-service, you may need to involve Legal Counsel in reviewing the language of the agreement or contract. Under FIPPA, service providers are considered "employees" of the University and the personal information their systems collect on behalf of the University must be handled in accordance with FIPPA. To that end, we ask service providers to accept that our standard Privacy Protection Schedule (PPS) be appended to all agreements and contracts. The PPS lists the inherited privacy obligations of service providers under FIPPA. Service providers, especially non-Canadian ones, often have concerns about assuming some or all of these obligations, requiring support from Legal Counsel in contract negotiations. Negotiations can be time consuming.
Identify Risks
A member of the Access and Privacy Program will assist you with identifying and mitigating possible risk factors. The most common risks involve the volume of personal information collected by an initiative, the sensitivity of that information, where the information is stored, the over-retention of the information, use or disclosure of the information for secondary purposes, and the security implications of implementing a new system.
Adopt Mitigation Strategies
Risks need to be mitigated through such measures as adopting adequate technical, physical and procedural safeguards, contractual language, notification or consent mechanisms, and user training on basic privacy principles and best practices.
Phase 4: Additional Data Collection & Analysis as Needed
The PIA review process is iterative. Analysis of risks may reveal information gaps, which will require additional research; scope and functionality creep may impact privacy compliance; and service providers may not be forthcoming about their information handling practices. A PIA form can go through many drafts before it is completed and ready for sign-off. Be sure to budget for follow-ups and additional research after you submit your first draft of the PIA form.
Phase 5: Final Approval & Implementation of Recommendations
The PIA form is reviewed and signed by a member of the Access and Privacy Program, an SFU employee designated accountable for the PIA proportionate to the scope and risks of the initiative, the initiative lead, and typically, a reviewer from Information Security. The person designated accountable, as determined by the Access and Privacy Program, may be an SFU Vice-President. If a departmental administrator wants to proceed with implementation before a PIA is signed off, they should consult with their VP first. Relevant departments are responsible for ensuring any conditions or recommendations made in the PIA are accounted for.