Background
The Freedom of Information and Protection of Privacy Act (FIPPA) requires public bodies such as VIU to conduct a Privacy Impact Assessment (PIA) for all new or substantially modified systems, projects, programs or activities (hereinafter referred to as “Projects”). A PIA is a risk management and compliance tool used to identify and correct or mitigate potential privacy and security issues, thus avoiding costly program, service, or process redesign.
Frequently Asked Questions
Q: What issues are addressed in a PIA?
A: The PIA process assesses the treatment of “personal information”, which is defined as “any recorded information about identifiable individuals, with the exception of the names and business contact information of employees, volunteers and service providers”. Here are examples of questions that are asked in the PIA process:
- What is our legal authority to collect, use and disclose the personal information?
- Is the personal information stored within Canada?
- How is the personal information protected from unauthorized use or disclosure?
- How long is the personal information retained?
Q: How much time and effort does a PIA take to complete?
A: VIU’s risk-based approach to PIAs results in more extensive assessments of higher risk projects to ensure key risks are identified and appropriate action is taken. These higher-risk projects will require the involvement of central privacy and security staff who will review the PIA forms you submit and will provide guidance and assistance to help you meet compliance requirements. Higher-risk projects typically take several weeks to approve, though they may take longer in complex cases.
In addition, all high-risk PIAs that involve data-linking between public bodies or agencies have to be sent to the provincial Information and Privacy Commissioner for review. It is uncertain how long this review process will take, so you should budget plenty of time in these cases.
Conversely, while lower-risk projects will still need to comply with all relevant VIU privacy and security standards, there is no need for you to wait for an independent assessment by central privacy and security personnel.
Q: Are research projects treated differently?
A: Yes. A PIA is not required for research projects. Research at VIU must, however, comply with any standards for security and privacy prescribed by research funding agencies and ethics boards.