The University uses a two-stage privacy impact assessment process:

• Privacy Compliance Checklist
• Full Privacy Impact Assessment (PIA)

The first stage is the Privacy Compliance Checklist, which is mandatory for all projects except research projects involving human subjects which have received ethics approval from a duly-constituted research ethics board.

The Checklist should be completed by the person responsible for the project, such as, the project manager in consultation with the unit's privacy officer and must be approved by the responsible unit head and submitted to the University Privacy Officer for review. Upon the completion of the checklist, a full Privacy Impact Assessment (PIA) may be required depending on the project. 

Privacy Compliance Checklist

A Privacy Compliance Checklist must be completed for all new projects (except those noted above) and personal information banks (PIB's) that are developed, acquired or substantially revised by any academic or administrative unit of the University and is required to be completed during the planning stages of all (1) new projects and (2) modifications of existing projects.  It may be used to check any existing program, paper-based or electronic, for privacy compliance. 

The Privacy Compliance Checklist is available at www.mun.ca/iap or from the University Privacy Officer, who will provide training and support for its use, as necessary.

The Privacy Compliance Checklist will be completed by the responsible organizational unit of the University before any collection, use or disclosure of personal information occurs in conjunction with the project or PIB that is the subject of the checklist.  Completed checklists must be submitted to the University Privacy Officer who will complete a review of the checklist results and may make recommendations to the responsible unit head regarding actions that may need to be taken to reduce any privacy risks identified and to ensure compliance with the legislation, the University's privacy policy, or related procedures.  If Checklist results contain significant privacy risks, the University Privacy Officer will consult with the IAP Advisory Committee.

Should the responsible unit head choose not to accept the recommendations of the University Privacy Officer in whole or in part, reasons for doing so will be communicated to the University Privacy Officer and IAP Advisory Committee in writing.

Privacy Impact Assessment (PIA)

Based on a review of Privacy Compliance Checklist results and other factors, the University Privacy Officer may determine that a full PIA is required.  The University Privacy Officer will consult with the IAP Advisory Committee before rendering a decision regarding the need for a PIA.  Although the University Privacy Officer may overrule the recommendation of the IAP Advisory Committee, he or she would do so only upon very careful consideration of the issues involved.

The University Privacy Officer will provide advice and assistance in the completion of PIAs, but the ultimate accountability for their completion will rest with the unit head responsible for the project or PIB that is the subject of the PIA.

Every PIA will include, at a minimum, descriptions of the following:

• The nature, objectives and purposes of the project or PIB that is the subject of the PIA, including its need for personal information
• The types of personal information involved
• The sources from which personal information is to be collected
• The purposes for which personal information is to be used within the University
• The recipients to whom personal information is to be disclosed
• The legislative and policy authority for the collection, use and disclosure of personal information.
• The security measures to be applied for the protection of personal information from unauthorized use or disclosure
• Plans for the periodic review or audit of personal information management practices, risks and outcomes
• Details of any contractual arrangements involving the exchange of personal information other than basic business contact information
• Potential privacy risks, planned measures to mitigate those risks, and the expected residual privacy risks that may remain after mitigation

A full PIA requires the involvement of a number of project participants and is required for a relatively small number of projects for which Privacy Compliance Checklists are completed.

The PIA will include the results of the Privacy Compliance Checklist, which will be appended to the PIA.  No PIA will be undertaken for any project for which a Privacy Compliance Checklist has not been completed.  The PIA document will have the following table of contents:

1. Executive Summary

2. Definitions

3. Project Description

3.1. Project Objectives

3.2. Requirements for Personal Information

3.3. Authority for Collection, Use and Disclosure of Personal Information

3.4. Information Security Measures

4. List of Personal Information Data Elements

5. Table or Chart of Personal Information Flows

6. Contractual Relationships

7.  Privacy Risks

7.1. Risk 1

7.1.1. Description of Risk

7.1.2. Description of Mitigation Measures

7.1.3. Estimation of Residual Risk after Mitigation

7.2. Risk 2...

8. Summary of Risks and Mitigation Measures

9. General Assessment of Project Compliance with Applicable Legislation

10. Appendices

10.1. Project Charter and Descriptive Documentation

10.2. Completed Privacy Compliance Checklist

10.3. Other relevant Documentation

10.4. ...

A spreadsheet is available from the University Privacy Officer to assist in the assessment of risks for PIAs.  This spreadsheet evaluates user-specified risks and mitigation measures against the ten Fair Information Principles of the CSA Model Privacy Code, which form the basis of the University's Privacy Policy and these Procedures.