The Freedom of Information and Protection of Privacy Act (FIPPA) requires public bodies such as UBC to conduct a Privacy Impact Assessment (PIA) for all new or substantially modified systems, projects, programs or activities (hereinafter referred to as “Projects”). A PIA is a risk management and compliance tool used to identify and correct or mitigate potential privacy and security issues, thus avoiding costly program, service, or process redesign. UBC has developed the following process to comply with this requirement.
Summary of PIA Process
1. Use the PIA Project Risk Classification Tool to determine your Project’s privacy and security risk classification. You only need to use the Tool for Projects that involve the collection, use or disclosure of personal information.
2. Email the completed Tool to PIA.PROCESS@ubc.ca for review by central privacy and security staff.
3. If your Project’s risk classification is Low or Medium, you do not need to wait for sign-off by privacy and security staff, but you are required to comply with all applicable privacy and security standards, which are contained in the Privacy Fact Sheets and the Information Security Standards. Examples of commonly identified privacy and security issues are set out in the following document: Key Privacy and Security Risks & What “Good” Looks Like.
4. If your Project’s risk classification is High or Very High, central privacy and security staff will send you a questionnaire to complete. You should not proceed until you have received sign-off from these staff.
Frequently Asked Questions
Q: What issues are addressed in a PIA?
A: The PIA process assesses the treatment of “personal information”, which is defined as “any recorded information about identifiable individuals, with the exception of the names and business contact information of employees, volunteers and service providers”. Here are examples of questions that are asked in the PIA process:
- What is our legal authority to collect, use and disclose the personal information?
- Is the personal information stored within Canada?
- How is the personal information protected from unauthorized use or disclosure?
- How long is the personal information retained?
Q: How much time and effort does a PIA take to complete?
A: UBC’s risk-based approach to PIAs results in more extensive assessments of higher-risk projects to ensure key risks are identified and appropriate action is taken. These higher-risk projects will require the involvement of central privacy and security staff, who will review the PIA forms you submit and will provide guidance and assistance to help you meet compliance requirements. Higher-risk projects typically take several weeks to approve, though they may take longer in complex cases.
In addition, all high-risk PIAs that involve data-linking between public bodies or agencies have to be sent to the provincial Information and Privacy Commissioner for review. It is uncertain how long this review process will take, so you should budget plenty of time in these cases.
Conversely, while lower-risk projects will still need to comply with all relevant UBC privacy and security standards (including the Privacy Fact Sheets, the Information Security Standards, and the “Key Security and Privacy Risks & What ‘Good’ Looks Like” document), there is no need for you to wait for an independent assessment by central privacy and security personnel.
Q: When do I have to use the PIA Project Risk Classification Tool?
A: You must use the PIA Project Risk Classification Tool if you are responsible for a new Project or an existing Project that is being substantially modified (a “Project” is any system, project, program or activity that supports University business). Here are some examples of substantial modifications that would require you to use the PIA Project Risk Classification Tool:
- new types of personal information will be collected
- significant changes will be made to the way personal information is used or disclosed
- personal information will be linked with information from third parties
- system access is being changed so that new categories or groups of individuals will have access to personal information
- storage or access to personal information is being moved outside Canada
- management or security of the personal information will be outsourced
- the retention period for personal information will be changed
Q: Do I have to complete the PIA Project Risk Classification Tool for operational systems?
A: No. The PIA Project Risk Classification Tool was not intended to be used for systems that are already operational, unless they have been substantially modified. Operational processes and systems are evaluated using a different process.
Q: Are research projects treated differently?
A: Yes. The PIA Project Risk Classification Tool is not required for research projects. Research at UBC must, however, comply with any standards for security and privacy prescribed by research funding agencies and ethics boards.
Q: Where do I go for more information about privacy or security?