Privacy Impact Assessments (PIAs)
What is a Privacy Impact Assessment
A privacy impact assessment (PIA) is a risk management tool for assessing how activities with personal information affect the privacy of individuals by identifying privacy and security risks or impacts and how to address them. PIAs demonstrate good privacy practices, identify areas for mitigation and improvement, and support trust in institutional activities with personal information.
When is a PIA required
A PIA must be completed before collecting personal information or making significant changes to existing programs, systems, or activities that involve personal information. This includes new activities, programs, services, or technologies, as well as modifications to existing processes that alter how personal information is handled.
What is Personal Information
Personal information is information about an identifiable individual, such as a student, community member, or event participant. It includes, for example, race, national or ethnic origin, colour, religion, age, sex, sexual orientation, identifying numbers, contact details, academic records, and financial information.
Frequently Asked Questions (FAQs)
PIAs are a tool and a process to verify that our work with personal information at OCAD U follows and upholds legal privacy requirements and is safe and secure.
This includes making sure that we collect only the right personal information necessary for official purposes, that we notify individuals of those purposes, and that we only use and disclose personal information for those purposes or consistent ones, or as required by law.
A key purpose of PIAs is to identify and mitigate privacy risks during the design and planning of activities, before personal information is collected.
Another purpose of PIAs is to assess any planned or proposed changes to existing activities, to assess those for privacy risks, and to mitigate any new risks before the changes are made.
It is now a requirement under the Freedom of Information and Protection of Privacy Act to conduct a PIA before collecting personal information. Failure to do so is a breach of OCAD U’s duties under the legislation. The requirement to conduct PIAs applies to all who work at and act for OCAD.
The time needed to complete a PIA is determined by the complexity of the project or activity being assessed, including how much personal information is involved, the functions of the project, and technology that it may involve.
A simple PIA for an activity that collects one or two types of personal information from a small number of individuals and does not involve complex technology might take a few days to complete, but an assessment of a complex new system that uses personal information of many individuals and extensive technology could take several weeks to complete.
The Privacy Office always welcomes your questions and will support you comprehensively, including:
- Helping to determine whether your project or activity requires a PIA
- Performing the PIA with information that you provide or obtain
- Identifying privacy risks and mitigations
- Helping you comply with privacy protection requirements
- Ongoing support and consultation as your projects progress
A PIA is a “living document” and process, which should be started before projects or activities involving personal information are launched, and which should be approved before personal information is collected.
The PIA should track with the project or activity through its lifespan and should be updated as the activity changes and as new mitigations are put in place for the risks those changes introduce.
Every activity that collects personal information should have a PIA that is consulted and updated each time the activity changes.
Most research activities will not require a PIA, as FIPPA does not apply to most research records. Also, research activities involving human subject information should be approved by a research ethics board, which among other factors, must consider consent, privacy and confidentiality, and other implications of the research, consistent with the Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans (second edition) (TCPS 2) (2022) requirements.
When research is combined with other activities, such as teaching or outreach, those other activities may require a PIA.
Context is very important, so we ask that you kindly consult the Privacy Office to be sure before starting any new activity that collects personal information. We will help you determine whether a PIA is required.
Activities carried out only for a labour relations or employment purpose will generally not require a PIA, as FIPPA does not apply to most information about labour relations or employment-related matters. However, there are exceptions to this principle.
Additionally, operational activities that collect personal information generally require a PIA. This can be the case even when the activity has some connection to labour relations or employment.
Again, context is very important, so we ask that you kindly check in with the Privacy Office before you start any activity that collects personal information. We will help you determine whether a PIA is required.
The project owner is the University official or individual who is institutionally responsible for the project or activity. For some in-class pedagogic activities, this can be the instructor or professor, and for major projects, it will be the leader or administrator who is responsible for the activity or project.
Completed PIAs and PIA reports are OCAD U records. Before sharing one, please consult with the Privacy Office at the contact information set out below. The Privacy Office will work with you, and it may be possible to share some PIA documentation or specific information as appropriate.
A PIA report is produced by the Privacy Office in consultation with the project owner or lead. The PIA report sets out any residual privacy risks that have not been or cannot be mitigated, for acceptance or rejection by OCAD leadership. Once this step has been completed, the project or activity may go ahead, or it may need to be revised to further mitigate privacy or security issues.
As project owner or lead, you will have a copy of the final PIA report.
The Privacy Office may make PIA reports for common activities available where they would be useful. Please check in with us to ask about your activity.
The Privacy Office is here to support you and answer your questions. Please do not hesitate to contact the Manager, Privacy at:
Khellon Q. Roach, Ph.D.
Manager, Privacy (c/o Office of the President)
OCAD University
100 McCaul Street, Toronto, Canada M5T 1W1