Frequently Asked PIA Questions
Can I request a pre-project consultation?
Use the PIA Inquiry located on UBC Self-Service portal. This form is intended to initiate a discussion regarding projects in the very early concept or idea stage. Once a project is approved to move forward with budget and business requirements, the PIA Request and Self-Assessment process should be initiated.
What issues are addressed by a PIA?
A PIA assesses the treatment of personal information (PI), which is defined as any recorded information about identifiable individuals, with the exception of the names and business contact information of employees, volunteers and service providers.
Examples of questions that are asked in the PIA process include, but are not limited to:
- What is the [University’s] legal authority to collect, use and disclose PI?
- Is the collection, use, and disclosure of the particular PI for a purpose that is consistent with the project as described?
- Is PI stored, processed, and accessed within Canada?
- How is PI protected from unauthorized use or disclosure?
- How long is PI retained for?
How much time and effort does a PIA take to complete?
UBC’s risk-based approach to PIAs results in extensive assessments to identify key risks and ensure appropriate actions are taken to address them. Higher-risk projects require the involvement of the PIA Team to review each submission and provide guidance to address privacy and information security risks.
For more complex projects, a multi-step process may be required spanning all project phases, from concept to implementation to operational sustainment.
Less complex projects must still comply with all relevant privacy and security regulations; however, there is often no need for a full assessment by privacy personnel.
Any high-risk PIA that involves or results in data-linking between public bodies or agencies must also be reviewed with the BC Office of the Information and Privacy Commissioner (BC OIPC).
Note: a favorable result on completion of the Self-Assessment does not guarantee that a project is simple or free of risk. Many projects are perceived to be low risk but in actuality present significant challenges for the University. The complexity and risks posed by a particular project are best determined by the PIA team.
When do I have to start a Privacy Impact Assessment (PIA)?
A PIA Request must be submitted for a new project or an existing project that is being substantially modified. A “project” refers to any system, process, program or activity that supports University business.
Start the PIA as early as possible after initiating the project, even before the rest of the project has started. This helps to prevent substantial re-work and project delays later on. If key elements of the project change, the Self-Assessment must be re-submitted.
Examples of substantial modifications that require a PIA include, but are not limited to:
- New types of PI will be collected
- Significant changes will be made to the way PI is collected, used or disclosed
- PI will be linked with information from third parties, another department or application
- System access will be changed so that new categories or groups of individuals will have access to PI (e.g. granting access to other units within the department, other departments or external parties). Note: this does not include day-to-day operational changes or routine changes due to personnel turnover
- Storage or Access to PI will be moved outside Canada, or to a vendor or cloud service
- PI management or security will be outsourced
- The PI retention period will change
Are research projects treated differently?
Yes. Generally speaking, a PIA is not required for academic research projects. There are certain circumstances, however, when a security assessment may be required for tools used to collect, store and protect personal information during academic research. If you have any questions, please use the PIA Inquiry to request a consultation.
Research projects are covered by the Research Ethics Board (REB), who approve the project and data usage. For more information, please visit the Office of Research Ethics.
What are the consequences of not doing a PIA?
A PIA is a legal requirement of FIPPA and not completing one may result in non-compliance with provincial legislation, UBC policies, standards, and other legal and regulatory requirements. A PIA helps identify and build privacy and security requirements in advance of a launch, thereby helping projects avoid costly program, service or process redesign and minimize potential privacy or security breaches.
How do I find the status of a PIA?
If this relates to a PIA you submitted, use the UBC Self-Service Portal and navigate to View My Requests Incidents. The incident will include updates and provide the ability for you to add comments and questions for the Risk Advisor to review.
- If you are inquiring about a historical PIA, you can refer to the PIA Guidelines for reviews completed on common UBC tools.
- If you are inquiring about an active PIA that you did not submit, you can use the PIA Inquiry.
How do I know which systems have already had a PIA completed?
A project is required to complete a PIA regardless of whether the system already had a PIA completed, because the PIA review process is focused on use cases. This ensures that vulnerabilities and issues are known to minimize potential privacy breaches. If you have any questions, please use the PIA Inquiry.
What if I do not know the product or system being implemented yet?
If you are at the concept or idea stage, a PIA Inquiry can be submitted to discuss privacy and information security risks and review existing UBC tools that may be able to provide the required capabilities.
If the project is approved but the product or system has not yet been selected, a PIA Request should be submitted based on the business case and information known at the time. The initial risk level will help inform the procurement process that may be required for product selection and service contracts.
If the product or system changes the Self-Assessment answers significantly, the Risk Advisor may require a new PIA Request submission to be submitted once the product or system is selected.
Who should I specify as the project owner on the PIA Request?
The project owner should be a UBC employee who has the authority to make decisions and approve work. This is often an administrative or departmental head of unit or senior manager.
Within the Self-Assessment, the project owner list is regularly updated with senior managers. If you cannot find the appropriate person, select a project owner higher in the organization or save the survey and discuss it with the project lead.
The project owner and the Project Lead are responsible for:
- Ensuring that the Initiative is planned and implemented in a manner that complies with the Freedom of Information and Protection of Privacy Act (FIPPA), UBC Policy #SC14 Acceptable Use and Security of UBC Electronic Information and Systems, and the UBC Information Security Standards
- Informing the PIA team of any material omissions or inaccuracies in the information provided in self-assessment
- Initiating a new PIA request if there are any significant changes to the Initiative as it pertains to collection, use, or disclosure of Personal Information (PI)
- Ensuring ongoing compliance with the UBC Information Security Standards and with privacy and security policies
What additional information is required to complete the PIA?
The PIA team may require additional information to determine compliance with FIPPA and the Information Security Standards.
Examples of information that may be requested include, but are not limited to:
- A full description of all data elements in the project
- Data flow diagrams that illustrate how information is collected, used and disclosed. For more instruction, please view How do I create a Personal Information (PI) flow table and diagram?
- Validation of adherence to privacy and security requirements throughout testing and other methods
- Third-party attestation reports such as SOC reports, ISO 27001 certifications etc.
- Privacy and security clauses in contracts and agreements with vendors and other third parties, and/or consent statements
When do I need a Data Access Request?
You will need to complete a Data Access Request (DAR) form for any new access to UBC data. If you already had previous access to the same set of data, the DAR allows that access to be registered for historical tracking of data access.
A PIA reference number may be requested depending on the nature of your request. For API data requests related to new systems, a PIA must be initiated so that the Data Steward Reviewers understand the application review status and identified risks. They may confirm that any request for PI aligns with the PI elements identified in the target system PIA. For more information on the Data Access Request process, please refer to Access UBC Data.
Can a completed PIA be shared with other organizations?
Sharing the results of your PIA within UBC is acceptable. All other requests for information about a PIA must be forwarded to the Office of the University Counsel. Do not respond to or acknowledge the request, but rather forward the request to: firstname.lastname@example.org
Where can I go for more information about privacy or security?
The following can answer questions about privacy or information security:
- For fundamentals training on how to protect the privacy and information security of the UBC community, please enroll in the Fundamentals Training
- For questions about the PIA process, use the PIA Inquiry
- For specific advice about security, refer to the Information Security Standards or contact email@example.com
- For specific advice about privacy, refer to the Privacy Fact Sheets or contact firstname.lastname@example.org
- For general privacy / security questions not related to the PIA process, contact email@example.com
How do I approve a PIA report?
If you are identified as a project owner, you may receive an email request to approve the PIA report. The requestor and project lead will be identified, allowing you to discuss the PIA results with them prior to approving or rejecting. When you are ready, navigate to the UBC Self-Service Portal and use the Approval option found under “View My Records”.
To get started:
UBC Self Service Portal → My Requests → My Approvals
Review the information available and click on the Approve or Reject button. If rejecting, please include a comment regarding the reason.
If rejected, the PIA will return to the Risk Advisor for further review.
If accepted, the PIA will be closed with notice to the requestor and project owner.
For more support, please view How do I approve a PIA report and risk plan?
How do I find and review a PIA Final Report?
The final reports are posted online to a restricted audience, primarily project owners, Data Stewards, and Client Services Managers.
To get started:
UBC Self Service Portal → Search Knowledge
Enter the project, product, or key descriptor in the search box
You can also drill down by selecting PIA Private Knowledge (if that button is not visible, you do not have the required access to view PIA reports)
Project owners are based on senior role assignments within the organization. If you are a senior manager and you do not have access, please submit a PIA Inquiry that includes your role and required access.
What is the Risk Classification Tool (RCT)?
The RCT is a retired tool. It was used to determine a project’s privacy and information security risk classification. The PIA process now uses a Self-Assessment survey as part of the PIA request.