Privacy Impact Assessments: Frequently Asked Questions
What is a Privacy Impact Assessment (PIA)?
A PIA is a compliance and risk management tool used to identify and address potential privacy and security concerns. A PIA will include:
- a description of the software and a list of the elements of personal information collected or managed by the software;
- identification of any personal information that will be accessed or stored outside Canada;
- legal authorities for collection, use, access, disclosure, retention and disposition of the personal information;
- identification of privacy risks and a description of the mitigations that have been or will be implemented;
- descriptions of the physical and technical security measures related to the software;
- explanation of procedures to ensure accuracy, correction and retention of personal information;
- identification of any systematic disclosures of personal information.
What is considered personal information?
FIPPA considers any recorded information about an identifiable individual to be personal information. This may include a person's name, birthdate, address, citizenship, educational, employment or medical history, identifying personal numbers, opinions, etc.
When is a PIA required?
A PIA is needed each time a new system, project, activity, program or policy is initiated or revised at SFU.
How can I confirm that I need to complete a PIA?
How do I begin completing a PIA?
Who is involved in the PIA process and what are their responsibilities?
The University Archivist or designated Privacy Officer advises on and reviews the PIA prior to recommending it for approval.
The relevant departmental administrator ensures adequate lead time to complete the PIA form before preparing and submitting it to the Privacy Officer.
Vendors and/or IT Services assist the administrator with gathering information needed to ensure the accuracy of the form's contents.
A member of SFU's executive team grants final approval.
What is needed to approve a PIA?
In order for a PIA to be approved, it must be in compliance with FIPPA and its regulations and obtain high-level approval at SFU (see Policy I10.02 Schedule A Delegation of Authority Under the Freedom of Information and Protection of Privacy Act).
Once approved, the system, project, activity, program or policy outlined in the PIA must be used exactly as described in the PIA. If there is to be any deviation, the PIA must be updated, or a new PIA completed, to cover the modified use.
Why is a PIA required and what happens if I do not complete one?
A PIA allows privacy and security requirements to be identified and built in from the start, which helps avoid costly redesigns of systems, projects, activities, programs and policies.
Since a PIA is a legal requirement of British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA), not completing one results in non-compliance with legal and regulatory requirements.
Where can I find summaries of SFU's completed PIAs?
SFU employees can find completed PIA summaries here.
Who can I contact for more information?
Send us an email at firstname.lastname@example.org if you have any questions or concerns.