PROCEDURE FOR CHECKING PRIVACY COMPLIANCE
The University uses a two-stage privacy impact assessment process:
The first stage is the Privacy Compliance Checklist, which is mandatory for all projects except research projects involving human subjects which have received ethics approval from a duly-constituted research ethics board.
The Checklist should be completed by the person responsible for the project, such as, the project manager in consultation with the unit's privacy officer and must be approved by the responsible unit head and submitted to the University Privacy Officer for review. Upon the completion of the checklist, a full Privacy Impact Assessment (PIA) may be required depending on the project.
Privacy Compliance Checklist
A Privacy Compliance Checklist must be completed for all new projects (except those noted above) and personal information banks (PIB's) that are developed, acquired or substantially revised by any academic or administrative unit of the University and is required to be completed during the planning stages of all (1) new projects and (2) modifications of existing projects. It may be used to check any existing program, paper-based or electronic, for privacy compliance.
Should the responsible unit head choose not to accept the recommendations of the University Privacy Officer in whole or in part, reasons for doing so will be communicated to the University Privacy Officer and IAPP Advisory Committee in writing.
Privacy Impact Assessment (PIA)
Based on a review of Privacy Compliance Checklist results and other factors, the University Privacy Officer may determine that a full PIA is required. The University Privacy Officer will consult with the IAPP Advisory Committee before rendering a decision regarding the need for a PIA. Although the University Privacy Officer may overrule the recommendation of the IAPP Advisory Committee, he or she would do so only upon very careful consideration of the issues involved.
The University Privacy Officer will provide advice and assistance in the completion of PIAs, but the ultimate accountability for their completion will rest with the unit head responsible for the project or PIB that is the subject of the PIA.
Every PIA will include, at a minimum, descriptions of the following:
A full PIA requires the involvement of a number of project participants and is required for a relatively small number of projects for which Privacy Compliance Checklists are completed.
The PIA will include the results of the Privacy Compliance Checklist, which will be appended to the PIA. No PIA will be undertaken for any project for which a Privacy Compliance Checklist has not been completed. The PIA document will have the following table of contents:
1. Executive Summary
3. Project Description
3.1. Project Objectives
3.2. Requirements for Personal Information
3.3. Authority for Collection, Use and Disclosure of Personal Information
3.4. Information Security Measures
4. List of Personal Information Data Elements
5. Table or Chart of Personal Information Flows
6. Contractual Relationships
7. Privacy Risks
7.1. Risk 1
7.1.1. Description of Risk
7.1.2. Description of Mitigation Measures
7.1.3. Estimation of Residual Risk after Mitigation
7.2. Risk 2...
8. Summary of Risks and Mitigation Measures
9. General Assessment of Project Compliance with Applicable Legislation
10.1. Project Charter and Descriptive Documentation
10.2. Completed Privacy Compliance Checklist
10.3. Other relevant Documentation