Privacy Impact Assessments

What's a Privacy Impact Assessment?

A Privacy Impact Assessment (PIA) is an evaluative tool used to identify and mitigate privacy issues associated with University projects - existing, redesigned, or new - such as programs, services, systems, and policies.

A PIA examines how personal and personal health information is collected, used, disclosed, protected, and destroyed, to help ensure projects are compliant with laws governing protection of privacy such as FIPPA and PHIA.

What's the value of a PIA?

A PIA is of benefit to any project that involves the collection, use, disclosure, or protection of personal or personal health information. Performing a PIA:

  • Facilitates overall project success. Privacy issues that are not handled properly can undermine the project's effectiveness, lead to privacy breaches and fines, and damage the University's reputation.
  • Helps to keep the project on time and budget. System adjustments necessitated by privacy issues may be considerably expensive especially when addressed late in the development stage.
  • Provides a resource to inform subsequent policy decisions, proactively address new or renewed projects, assist with procurement decisions, and audit and monitor compliance with privacy measures.
  • Creates a privacy-sensitive culture and encourages the integration of privacy best practices into all operations.
  • Provides a reference should individuals question personal information practices.

What's involved in performing a PIA?

A PIA begins with a meeting between the office wishing to conduct the PIA and the Information and Privacy Officer. The purpose of this meeting is to share general information about the proposed project and the PIA process. Next, the office will be asked to complete a form providing information about the project and also complete a PIA questionnaire. These documents will be used to highlight some of the potential privacy concerns that may exist with the proposed project. Finally, a follow-up meeting will be scheduled to discuss the results of the questionnaire and plan mitigation strategies to effectively manage and lessen potential privacy risks.

For more information or to schedule a meeting, contact the Information and Privacy Officer.