Privacy Impact Assessments: Frequently Asked Questions

What is a Privacy Impact Assessment (PIA)?

A PIA is a compliance and risk management tool used to identify and address potential privacy and security concerns. A PIA will include:

  • a description of the software and a list of the elements of personal information collected or managed by the software;
  • identification of any personal information that will be accessed or stored outside Canada;
  • legal authorities for collection, use, access, disclosure, retention and disposition of the personal information;
  • identification of privacy risks and a description of the mitigations that have been or will be implemented;
  • descriptions of the physical and technical security measures related to the software;
  • explanation of procedures to ensure accuracy, correction and retention of personal information;
  • identification of any systematic disclosures of personal information.

What is considered personal information?

FIPPA considers any recorded information about an identifiable individual to be personal information. This may include a person's name, birthdate, address, citizenship, educational, employment or medical history, identifying personal numbers, opinions, etc.

When is a PIA required?

A PIA is needed each time a new system, project, activity, program or policy is initiated or revised at SFU.

How can I confirm that I need to complete a PIA?

Complete the six questions in the Pre-assessment Questionnaire. If you need any assistance, contact us at privacy@sfu.ca.

How do I begin completing a PIA?

Start by scheduling a meeting with a Privacy Officer to discuss your needs. You can then download the Privacy Impact Assessment Form. Once you've filled in the necessary information, email it to privacy@sfu.ca. A Privacy Officer will contact you with further information.

Who is involved in the PIA process and what are their responsibilities?

The University Archivist or designated Privacy Officer advises on and reviews the PIA prior to recommending it for approval.

The relevant departmental administrator ensures adequate lead time to complete the PIA form before preparing and submitting it to the Privacy Officer.

Vendors and/or IT Services assist the administrator with gathering information needed to ensure the accuracy of the form's contents.

A member of SFU's executive team grants final approval.

What is needed to approve a PIA?

In order for a PIA to be approved, it must be in compliance with FIPPA and its regulations and obtain high-level approval at SFU (see Policy I10.02 Schedule A Delegation of Authority Under the Freedom of Information and Protection of Privacy Act).

Once approved, the system, project, activity, program or policy outlined in the PIA must be used exactly as described in the PIA. If there is to be any deviation, an update or another PIA needs to be completed for modified use.

Why is a PIA required and what happens if I do not complete one?

A PIA allows for the identification and construction of privacy and security requirements in advance, which aids in avoiding costly redesigns of systems, projects, activities, programs and policies.

Since a PIA is a legal requirement of British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA), not completing one results in non-compliance with legal and regulatory requirements.

Where can I find summaries of SFU's completed PIAs?

SFU employees can find completed PIA summaries here.

Who can I contact for more information?

Send us an email at privacy@sfu.ca if you have any questions or concerns.

Privacy Impact Assessment Workflow

Phase 1
Consider the time needed to complete a PIA. Determine how much information you currently have and how much more you will need. Identify stakeholders and meet with a Privacy Officer.
Phase 2
Begin liaising with stakeholders. Conduct further research, as needed. Obtain additional information from vendors, IT Services, etc.
Phase 3
A Privacy Officer will assist you with identifying and mitigating possible risk factors.
Phase 4
The review process is iterative. Analysis of risks may reveal information gaps, which will require additional research and updates to the PIA.
Phase 5
The PIA receives approval from all stakeholders. Relevant departments are responsible for ensuring recommendations are completed.