Privacy Impact Assessments

What is a Privacy Impact Assessment?

It’s essential that every department, program and project at SFU is compliant with the protection of privacy requirements outlined in FIPPA. To ensure that we are, we use an important risk management and compliance tool called a Privacy Impact Assessment (PIA).

A PIA determines if a current or proposed university system, project, program or activity meets or will meet FIPPA’s protection of privacy requirements. The assessment identifies and addresses potential privacy and security issues before they become a problem—thus avoiding costly program, process or service redesign, privacy breaches and harm to institutional reputation.

How do privacy assessments work?

A Privacy Impact Assessment is needed each time a new system, project, activity, program or policy is initiated or revised at SFU.

Conducting PIAs is a shared responsibility and joint effort between the department or program area implementing the new initiative, the Privacy Management Program and the University Executive officer with ultimate responsibility for approving implementation.

A PIA will include gathering the following information:

  • a description of the software and a list of the elements of personal information collected or managed by the software;
  • identification of any personal information that will be accessed or stored outside Canada;
  • legal authorities for collection, use, access, disclosure, retention and disposition of the personal information;
  • identification of privacy risks and a description of the mitigations that have been or will be implemented;
  • descriptions of the physical and technical security measures related to the software;
  • explanation of procedures to ensure accuracy, correction and retention of personal information and
  • identification of any systematic disclosures of personal information.

When you’re ready to get started, schedule a meeting with an Information and Privacy Archivist to discuss your needs. You can then download and complete the Privacy Impact Assessment Form. Email the completed form to privacy@sfu.ca and a member of our team will contact you with next steps.

Privacy Impact Assessment Process

Phase 1

Consider the time needed to complete a PIA. Determine how much information you currently have and how much more you will need. Identify stakeholders and meet with a Privacy Officer.

Phase 2

Begin liaising with stakeholders. Conduct further research, as needed. Obtain additional information from vendors, IT Services, etc.

Phase 3

A Privacy Officer will assist you with identifying and mitigating possible risk factors.

Phase 4

The review process is iterative. Analysis of risks may reveal information gaps, which will require additional research and updates to the PIA.

Phase 5

The PIA receives approval from all stakeholders. Relevant departments are responsible for ensuring recommendations are completed.

Phase 1: Planning & Scoping

Determine if a PIA is needed

Not all initiatives that involve the collection, use and disclosure of personal information require a PIA. The first step in determining if a PIA is needed is to complete a Pre-Assessment Questionnaire (PAQ). The PAQ quickly assesses the severity of any privacy-related risks of a proposed initiative. If you plan on engaging a service provider, locate their privacy policy and attach it to the PAQ. You should share the results of the PAQ with an Information and Privacy Archivist who will make the final determination as to whether a PIA is needed after reviewing the PAQ and discussing the initiative with you. It might be determined that an initiative does not trigger the application of BC's Freedom of Information and Protection of Privacy Act or, if it does, only minimal steps need to be taken to ensure compliance (i.e. it is low risk). If the latter, we can simply provide you with advice on how best to proceed. However, if privacy risks are deemed to be in the medium to high range than a full-blown PIA will need to be completed. You will need to provide information on your initiative through a comprehensive PIA form that assesses privacy risks in detail.

Budget for time

The timeline to complete a PIA is dependent upon several factors, including: the complexity of the initiative; the extent to which relevant stakeholders, especially service providers are cooperative and transparent in how their systems collect, use, disclose and store personal information; the amount of effort and attention to detail the lead writer of the PIA invests in its completion; and whether personal information is stored or accessible from outside of Canada (e.g. in the Cloud). For all of these reasons, it is difficult to project an exact timeline, however we generally recommend that departments allow for two to three months in total. 

Start Early

Planning for a PIA should begin at the very outset of an initiative. Do not wait until you have selected a software solution and are ready to sign a contract. Consult with an Information and Privacy Archivist as soon as possible to discuss next steps in the process and how you can best prepare to see a PIA through to successful completion. 

Understand Your Responsibilities

Departmental administrators are responsible for ensuring there is adequate lead time available to complete a PIA in relation to other project deadlines. Departmental administrators should also be prepared to delay implementation of a new initiative if a PIA is not completed or forgo implementation entirely if a PIA determines the initiative will not be in compliance with the privacy requirements of BC's Freedom of Information and Protection of Privacy Act.

Achieve compliance

Conducting a PIA is not a checklist exercise. It's a compliance and risk assessment process and a legislated responsibility under the Freedom of Information and Protection of Privacy Act. A proposed initiative may be assessed as non-compliant and, if so, may need to be rethought or abandoned. Don't assume that your initiative will not be affected by a PIA – another reason to start early and plan ahead.

Phase 2: Gathering Information & Contacting Relevant Parties

Gather PIA Inputs

Inputs into the PIA include a description of the purpose of the initiative; the types of personal information that will need to be collected and how it will be used and disclosed; workflow diagrams; and a description of how different categories of individuals will be affected by the information collection (e.g. students, instructors, staff, alumni, donors, etc.). You can start gathering this information and adding it to the PIA even before the University has finalized a decision about the adoption of any new software system. 

Identify Key Stakeholders

Begin liaising with identified stakeholders. At the outset of an initiative that involves the adoption or alteration of a software system, arrange for support from IT Services. IT Services is instrumental in vetting the security risks associated with new systems. They can also be helpful in liaising with service providers, especially on technical questions. If an initiative involves an IT project charter, IT Service’s Digital Transformation Office will guide you in the writing of the PIA. Make sure to secure IT support before beginning an initiative.

Also identify any other relevant stakeholders such as departments that will participate directly in the initiative or departments that are tangentially involved (e.g. maintain a system that will need to integrate with a new application). Procurement may also play a role in preparing an RFP, depending upon the cost of the initiative, and service providers will often partner with the University to deliver solutions. Finally, Legal Counsel may need to review the terms and conditions of any agreement or contract with a service provider. 

Phase 3: Analyzing & Mitigating Risks

Review Contractual Language

If your initiative involves the purchase or licensing of software or software-as-a-service, you may need to involve Legal Counsel in reviewing the language of the agreement or contract. Under BC's Freedom of Information and Protection of Privacy Act(FIPPA) service providers are considered "employees" of the University and the personal information their systems collect on behalf of the University must be handled in accordance with FIPPA. To that end, we ask service providers to accept that our standard Privacy Protection Schedule (PPS) be appended to all agreements and contracts. The PPS lists the inherited privacy obligations of service providers under FIPPA. Service providers, especially non-Canadian ones, often have concerns about assuming some or all of these obligations, requiring support from Legal Counsel in contract negotiations. Negotiations can be time consuming.

Identify Risks

An Information and Privacy Archivist will assist you with identifying and mitigating possible risk factors. The most common risks involve the volume of personal information collected by an initiative, the sensitivity of that information, where the information is stored, the over retention of the information, use or disclosure of the information for secondary purposes, and the security implications of implementing a new system. 

Adopt Mitigation Strategies

Risks need to be mitigated through such measures as adopting adequate technical, physical and procedural safeguards, contractual language, notification or consent mechanisms, and user training on basic privacy principles and best practices.

Phase 4: Additional Data Collection & Analysis as Needed

The PIA review process is iterative. Analysis of risks may reveal information gaps, which will require additional research; scope and functionality creep may impact privacy compliance; and service providers may not be forthcoming about their information handling practices. A PIA can go through many drafts before it is completed and ready for sign-off. Be sure to budget for follow-ups and additional research after you submit your first draft of the PIA. 

Phase 5: Final Approval & Implementation of Recommendations

The PIA receives approval from all stakeholders. Relevant departments are responsible for ensuring recommendations made in the PIA are addressed in a timely manner. An SFU Vice-President will have final say as the delegated university officer with the powers to act for the head of the institution. VPs are authorized to approve the analysis and recommendations embodied in a PIA and SFU's implementation of the initiative. If a departmental administrator wants to proceed with implementation before a PIA is signed-off, they should consult with their VP first.

Associated Forms & Documents

Have a question about privacy impact assessments?

Visit our FAQ