
Guide to Completing a Privacy Impact Assessment (PIA)

What is a PIA?

A privacy impact assessment (PIA) is a process that assists public bodies in identifying and managing the privacy risks arising from new or substantially changed projects, initiatives, systems, and processes that collect, use, disclose, secure, or store personal information.

Completing a PIA is a legal requirement for all public bodies under section 69(5.3) of the Freedom of Information and Protection of Privacy Act (FIPPA). FIPPA requires public bodies to conduct a PIA on any new initiative, or when there is a significant change to an existing initiative, involving the collection, use, disclosure, or security of personal information.

In addition to being a legal requirement, PIAs help to identify deficiencies in privacy protection. They assist management in making informed decisions and in avoiding privacy breaches by ensuring that Vancouver Island University (the University) is complying with FIPPA. A PIA demonstrates accountability by building privacy into the design of new initiatives or systems rather than adding it after launch.

What is Personal Information?

Personal information is defined as any recorded information about an identifiable individual, other than business contact information. Personal information includes, but is not limited to, name, birthdate, gender identity, marital status, financial information, health information, educational history, and unique identifier numbers. Personal information also includes information that can be used to identify an individual indirectly, through association or reference with other information.

Business contact information is information used to contact an individual at a place of business such as the individual’s name, position name or title, business telephone number, business address, business email, and business fax number.

When to Complete a PIA

PIAs should be completed during the initial development of any new system or program or prior to any significant change being made to an existing system or program.

The PIA must be completed and signed off by the University’s Head or designate, prior to the implementation or launch date of a new initiative or system. 

How long does it take to write a PIA?

Please budget four to eight weeks for your PIA timeline. PIAs frequently involve reading in-depth privacy and security policies, liaising with service providers, and collaborating with the VIU Privacy Office. For software purchases, an additional Security Threat and Risk Assessment (STRA) may be required, which can add to the timeline. However, the timeline can be shortened depending on how much of the PIA you complete before sending it to the Privacy Office for review.

Who is Responsible for a PIA

PIAs should be drafted by the manager responsible for implementing the initiative, system, or program. The University's Privacy Officer is responsible for approving the PIA and for ensuring compliance with FIPPA before implementation. In developing a PIA, the project manager must work closely with the Privacy Officer and, when necessary, with the Information Technology Department.

How to Write a PIA

The BC Government's Guidance for Privacy Impact Assessments is an excellent resource for writing PIAs and, for the most part, aligns section by section with the VIU PIA form.

To get started on your PIA, please fill out the PIA Needs Analysis Questionnaire. This will put your PIA in the queue and the Privacy Office will be in touch with next steps. 

Questions

If you have any questions regarding this Guide or the completion of a Privacy Impact Assessment, please contact PIA@viu.ca.

Additional Resources