Guide to Completing a Privacy Impact Assessment

What is a PIA?

A privacy impact assessment (PIA) is a process that assists public bodies in identifying and managing the privacy risks arising from new or substantially changed projects, initiatives, systems, and processes that collect, use, disclose, secure, or store personal information.

Completing a PIA is a legal requirement for all public bodies under S.69 (5.3) of the Freedom of Information and Protection of Privacy Act (FIPPA). FIPPA requires public bodies to conduct a PIA on any new initiative, or when there is a significant change to an existing initiative, involving the collection, use, disclosure, or security of personal information.

In addition to being a legal requirement, PIAs help to identify deficiencies in privacy protection. They can assist management in making informed decisions and avoiding privacy breaches by ensuring that Vancouver Island University (the University) is complying with FIPPA. The PIA demonstrates accountability by including privacy as part of the design of new initiatives or systems.

What is Personal Information

Personal information is defined as any recorded information about an identifiable individual, other than business contact information. Personal information includes, but is not limited to, name, birth date, gender identity, marital status, financial information, health information, educational history, and unique identifier numbers. Personal information also includes information that can be used to identify an individual through association or reference.

Business contact information is information used to contact an individual at a place of business such as the individual’s name, position name or title, business telephone number, business address, business email, and business fax number.

When to Complete a PIA

PIAs should be completed during the initial development of any new system or program or prior to any significant change being made to an existing system or program.

The PIA must be completed and signed off by the University’s Head or designate, prior to the implementation or launch date of a new initiative or system. 

Data-linking Program / Common or Integrated Program or Activity

If the initiative involves a data-linking program or common or integrated program or activity, as defined by FIPPA, the University must notify the Office of the Information and Privacy Commissioner of British Columbia (OIPC) at an early stage of the development of the PIA.

Data-linking means the linking, temporarily or permanently, of two or more data sets using one or more common keys. A data-linking program means a program of a public body that involves data-linking if at least one data set in the custody or under the control of a public body is linked with a data set in the custody or under the control of one or more other public bodies or agencies without the consent of the individuals whose personal information is contained in the data set.

A common or integrated program or activity is defined as a program that provides one or more services through a public body and one or more other public bodies or agencies working collaboratively, or one public body working on behalf of one or more other public bodies or agencies and is confirmed by regulation as being a common or integrated program or activity.

Who is Responsible for a PIA

PIAs should be drafted by the program manager responsible for the implementation of the initiative, system, or program. The University’s Privacy Officer/Head or delegate is responsible for the approval of the PIA, ensuring compliance with FIPPA before implementation. In developing a PIA, the project manager must work closely with the Privacy Officer and, when necessary, the Information Technology Department.

How to Write a PIA

A PIA template that includes instructions on how to complete it can be accessed here.  

Questions

If you have any questions regarding this Guide or the completion of a Privacy Impact Assessment, please contact PIA@viu.ca.

Additional Resources

Freedom of Information and Protection of Privacy Act: https://www.bclaws.gov.bc.ca/civix/document/id/complete/statreg/96165_00

BC Government PIA website: http://www.cio.gov.bc.ca/cio/priv_leg/foippa/pia/pia_index.page