PIA Process Overview

PIA Process Overview

PIA Process Overview

UBC uses a risk-based approach to conducting PIAs. The Self-Assessment is used to determine the inherent project risk and level of review required. Submitting a PIA early in the project life cycle provides an opportunity to address any potential issues as part of the design and product selection.

  1. To initiate the process, the requestor submits a PIA Request using the UBC Self-Service Portal . An incident ticket number will be assigned to your submission.
  2. Complete and submit the Self-Assessment to determine your project’s privacy and information security inherent risk level. Ensure your submission contains as much detail as possible to maximize our understanding an ability to assist in risk identification and mitigation efforts.
  3. Upon completion of the PIA, the requestor is provided an interim and final report which includes the identified risks.

Note: the project owner is expected to maintain compliance with FIPPA and the Information Security Standards throughout the operations of the process and system; they are required to submit a new PIA for any changes to the PI data use, storage, or technology. A “project” refers to any system, process, program or activity that supports University business.

Privacy requirements are set out in the Privacy Fact Sheets.

Security requirements are set out in the Information Security Standards.

If you have questions about the application or interpretation of these documents, submit a PIA Inquiry .

Risk Level Process Description
Low or Medium
  • Projects may proceed after Self-Assessment without further review.
  • If there is a change in risk level, the project is responsible for submitting an updated Self-Assessment.
High or Very High
  • Projects must undergo a review by the Risk Advisor to assess compliance with privacy and security requirements.
  • The project will be assigned an Information Collection assessment which aids in the collection of supporting documents.
  • The project owner will be required to approve the PIA report which will include identified risks and their associated treatment plan.

Please refer to the PIA Process Overview Knowledge Base article for more information.

Got a question? For a PIA consult, search of existing results, or general questions please use the PIA Inquiry .