Procedure for Checking Privacy Compliance
Approval Date: 2008-09-11
Effective Date: 2008-09-11
Responsible Unit: Information Access and Privacy Office
The University uses a two-stage privacy impact assessment process:
- Privacy Compliance Checklist
- Full Privacy Impact Assessment (PIA)
The first stage is the Privacy Compliance Checklist, which is mandatory for all projects except research projects involving human subjects which have received ethics approval from a duly-constituted research ethics board.
The Checklist should be completed by the person responsible for the project, such as, the project manager in consultation with the unit's privacy officer and must be approved by the responsible unit head and submitted to the University Privacy Officer for review. Upon the completion of the checklist, a full Privacy Impact Assessment (PIA) may be required depending on the project.
Privacy Compliance Checklist
A Privacy Compliance Checklist must be completed for all new projects (except those noted above) and personal information banks (PIB's) that are developed, acquired or substantially revised by any academic or administrative unit of the University and is required to be completed during the planning stages of all (1) new projects and (2) modifications of existing projects. It may be used to check any existing program, paper-based or electronic, for privacy compliance.
Should the responsible unit head choose not to accept the recommendations of the University Privacy Officer in whole or in part, reasons for doing so will be communicated to the University Privacy Officer and IAP Advisory Committee in writing.
Privacy Impact Assessment (PIA)
Based on a review of Privacy Compliance Checklist results and other factors, the University Privacy Officer may determine that a full PIA is required. The University Privacy Officer will consult with the IAP Advisory Committee before rendering a decision regarding the need for a PIA. Although the University Privacy Officer may overrule the recommendation of the IAP Advisory Committee, he or she would do so only upon very careful consideration of the issues involved.
The University Privacy Officer will provide advice and assistance in the completion of PIAs, but the ultimate accountability for their completion will rest with the unit head responsible for the project or PIB that is the subject of the PIA.
Every PIA will include, at a minimum, descriptions of the following:
- The nature, objectives and purposes of the project or PIB that is the subject of the PIA, including its need for personal information
- The types of personal information involved
- The sources from which personal information is to be collected
- The purposes for which personal information is to be used within the University
- The recipients to whom personal information is to be disclosed
- The legislative and policy authority for the collection, use and disclosure of personal information.
- The security measures to be applied for the protection of personal information from unauthorized use or disclosure
- Plans for the periodic review or audit of personal information management practices, risks and outcomes
- Details of any contractual arrangements involving the exchange of personal information other than basic business contact information
- Potential privacy risks, planned measures to mitigate those risks, and the expected residual privacy risks that may remain after mitigation
A full PIA requires the involvement of a number of project participants and is required for a relatively small number of projects for which Privacy Compliance Checklists are completed.
The PIA will include the results of the Privacy Compliance Checklist, which will be appended to the PIA. No PIA will be undertaken for any project for which a Privacy Compliance Checklist has not been completed. The PIA document will have the following table of contents:
1. Executive Summary
3. Project Description
3.1. Project Objectives
3.2. Requirements for Personal Information
3.3. Authority for Collection, Use and Disclosure of Personal Information
3.4. Information Security Measures
4. List of Personal Information Data Elements
5. Table or Chart of Personal Information Flows
6. Contractual Relationships
7. Privacy Risks
7.1. Risk 1
7.1.1. Description of Risk
7.1.2. Description of Mitigation Measures
7.1.3. Estimation of Residual Risk after Mitigation
7.2. Risk 2...
8. Summary of Risks and Mitigation Measures
9. General Assessment of Project Compliance with Applicable Legislation
10.1. Project Charter and Descriptive Documentation
10.2. Completed Privacy Compliance Checklist
10.3. Other relevant Documentation