Privacy Impact Assessments
List of Completed Privacy Impact Assessments
SFU employees can access a list of completed PIAs through SFU's CAS single sign-on:
What is a Privacy Impact Assessment?
It’s essential that every employee, department, program and project at SFU is compliant with the protection of privacy requirements outlined in BC's Freedom of Information and Protection of Privacy Act ("FIPPA"). To ensure SFU's compliance, we use an important and legislated risk management and compliance tool called a Privacy Impact Assessment ("PIA").
A PIA determines if a new or changed university initiative (a system, project, program, policy or activity) will meet FIPPA’s protection of privacy requirements. The assessment identifies and addresses potential privacy and security issues before they become a problem, thus avoiding costly program, process or service redesign, privacy breaches and harm to institutional reputation.
How do PIAs work?
A PIA is a legislated requirement for each new or revised system, project, activity, program or policy at SFU.
Conducting PIAs is a shared responsibility and a joint effort between:
- the department or program area implementing the new initiative;
- the Access and Privacy program; and if applicable,
- Information Security.
A PIA will include gathering the following information:
- a description of the initiative and a list of the elements of personal information collected, used, and disclosed;
- identification of sensitive personal information that will be accessed or stored outside Canada;
- legal authorities for collection, use, and disclosure of the personal information;
- identification of privacy risks and a description of the mitigation strategies that have been or will be implemented;
- descriptions of the physical and technical security measures related to the initiative;
- explanation of procedures to ensure accuracy, correction and retention of personal information; and
- identification of any systematic disclosures of personal information.
When you’re ready to get started, schedule a meeting with a member of the Access and Privacy Program. You can then download and complete the Privacy Impact Assessment Form. Email the completed form to email@example.com and a member of our team will contact you with next steps.
Privacy Impact Assessment Process
Consider the time needed to complete a PIA. Determine how much information you currently have and how much more you will need. Identify stakeholders and meet with a member of the Access and Privacy Program.
Begin liaising with stakeholders. Conduct further research, as needed. Obtain additional information from vendors, IT Services, etc.
A member of the Access and Privacy Program will assist you with identifying and mitigating possible risk factors.
The review process is iterative. Analysis of risks may reveal information gaps, which will require additional research and updates to the PIA.
The PIA receives approval from all stakeholders. Relevant departments are responsible for ensuring recommendations are completed.
Phase 1: Planning & Scoping
Determine if a PIA is needed
The Access and Privacy Program currently consists of:
- Paul Hebbard, University Archivist and Coordinator of Information and Privacy, firstname.lastname@example.org
- Erika Brimacombe, Privacy Legal Counsel, email@example.com
- Robert McLelland, Information and Privacy Archivist, firstname.lastname@example.org
You can also email us at the role account email@example.com.
Budget for time
The timeline to complete a PIA depends on several factors, including: the complexity of the initiative; the extent to which relevant stakeholders, especially service providers, are cooperative and transparent in how their systems collect, use, disclose and store personal information; the amount of effort and attention to detail the lead writer of the PIA invests in its completion; and whether sensitive personal information is stored outside of Canada. For all of these reasons, it is difficult to project an exact timeline; however, we generally recommend that departments allow for two to three months in total.
Planning for a PIA should begin at the very outset of an initiative. Do not wait until you have selected a software solution and are ready to sign a contract. Consult with a member of the Access and Privacy Program as soon as possible to discuss next steps in the process and how you can best prepare to see a PIA through to successful completion.
Understand Your Responsibilities
Departmental administrators are responsible for ensuring there is adequate lead time available to complete a PIA in relation to other project deadlines. Departmental administrators should also be prepared to delay implementation of a new initiative if a PIA is not completed or forgo implementation entirely if a PIA determines the initiative will not be in compliance with the privacy requirements of BC's Freedom of Information and Protection of Privacy Act.
Conducting a PIA is not a checklist exercise. It is a compliance and risk assessment process and a legislated responsibility under the Freedom of Information and Protection of Privacy Act. A proposed initiative may be assessed as non-compliant and, if so, may need to be rethought or abandoned. Don't assume that your initiative will not be affected by a PIA – another reason to start early and plan ahead.
Phase 2: Gathering Information & Contacting Relevant Parties
Gather PIA Inputs
Inputs into the PIA include a description of the purpose of the initiative; the types of personal information that will need to be collected and how it will be used and disclosed; and a description of the physical and technical security measures in place to protect the personal information. You can start gathering this information and adding it to the PIA even before the University has finalized a decision about the adoption of any new initiative.
Identify Key Stakeholders
Begin liaising with identified stakeholders. At the outset of an initiative that involves the adoption or alteration of a software system, arrange for support from IT Services. IT Services is instrumental in vetting the security risks associated with new systems. They can also be helpful in liaising with service providers, especially on technical questions. If an initiative involves an IT project charter, IT Services' Digital Transformation Office will guide you in the writing of the PIA. Make sure to secure IT support before beginning an initiative.
Also identify any other relevant stakeholders such as departments that will participate directly in the initiative or departments that are tangentially involved (e.g., maintain a system that will need to integrate with a new application). Procurement may also play a role in preparing an RFP, depending upon the cost of the initiative, and service providers will often partner with the University to deliver solutions. Finally, Legal Counsel may need to review the terms and conditions of any agreement or contract with a service provider.
Phase 3: Analyzing & Mitigating Risks
Review Contractual Language
If your initiative involves the purchase or licensing of software or software-as-a-service, you may need to involve Legal Counsel in reviewing the language of the agreement or contract. Under FIPPA, service providers are considered "employees" of the University and the personal information their systems collect on behalf of the University must be handled in accordance with FIPPA. To that end, we ask service providers to accept that our standard Privacy Protection Schedule (PPS) be appended to all agreements and contracts. The PPS lists the inherited privacy obligations of service providers under FIPPA. Service providers, especially non-Canadian ones, often have concerns about assuming some or all of these obligations, requiring support from Legal Counsel in contract negotiations. Negotiations can be time consuming.
A member of the Access and Privacy Program will assist you with identifying and mitigating possible risk factors. The most common risks involve the volume of personal information collected by an initiative, the sensitivity of that information, where the information is stored, the over-retention of the information, use or disclosure of the information for secondary purposes, and the security implications of implementing a new system.
Adopt Mitigation Strategies
Risks need to be mitigated through such measures as adopting adequate technical, physical and procedural safeguards, contractual language, notification or consent mechanisms, and user training on basic privacy principles and best practices.
Phase 4: Additional Data Collection & Analysis as Needed
The PIA review process is iterative. Analysis of risks may reveal information gaps, which will require additional research; scope and functionality creep may impact privacy compliance; and service providers may not be forthcoming about their information handling practices. A PIA form can go through many drafts before it is completed and ready for sign-off. Be sure to budget for follow-ups and additional research after you submit your first draft of the PIA form.
Phase 5: Final Approval & Implementation of Recommendations
The PIA form is reviewed and signed by a member of the Access and Privacy Program, an SFU employee designated accountable for the PIA proportionate to the scope and risks of the initiative, the initiative lead, and typically, a reviewer from Information Security. The person designated accountable, as determined by the Access and Privacy Program, may be an SFU Vice-President. If a departmental administrator wants to proceed with implementation before a PIA is signed off, they should consult with their VP first. Relevant departments are responsible for ensuring any conditions or recommendations made in the PIA are accounted for.