PIA Process Overview

PIA Process Overview

PIA Process Overview

UBC uses a risk-based approach to conducting PIAs. The Self-Assessment is used to determine the inherent project risk and level of review required. Submitting a PIA early in the project life cycle provides an opportunity to address any potential issues as part of the design and product selection.


  1. To initiate the process, the requestor submits a PIA Request using the UBC Self-Service Portal . An incident ticket number will be assigned to the request.
  2. The requestor completes and submits the Self-Assessment to determine the related privacy and information security risk levels. The Self-Assessment should contain as much detail as possible about the project/initiative to assist in risk identification and to determine the next steps necessary. Completion of the Self-Assessment is required to initiate this process. Note: The PIA cannot proceed without completion of the Self-Assessment.
  3. Depending on the complexity of the project/initiative, a Risk Advisor may contact the requestor with follow up questions or information requests. The Advisor will discuss the project/initiative, risks, and observations with the requestor, and outline next steps in the assessment process. In complex multi-phase projects, the risk advisor may issue an interim report advising of risks identified at the time, but will not finalize the PIA till nearer system implementation.
  4. In consultation with the requestor, the Risk Advisor documents identified risks, recommends controls to address, and advises conditions that should be met prior to implementation.
  5. Upon completion of the PIA, the Risk Advisor issues a report that includes the agreed risk treatment plan. It is the business owner’s responsibility to accept the report and any documented conditions that must be fulfilled as part of project implementation.

Note: the project owner is expected to maintain compliance with FIPPA and the Information Security Standards throughout the operations of the process and system; they are required to submit a new PIA for any changes to the PI data use, storage, or technology. A “project” refers to any system, process, program or activity that supports University business.



Privacy requirements are set out in the Privacy Fact Sheets.

Security requirements are set out in the Information Security Standards.

If you have questions about the application or interpretation of these documents, submit a PIA Inquiry .


Risk Level Process Description
Low or Medium
  • Projects may proceed after Self-Assessment without further review.
  • If there is a change in risk level, the project is responsible for submitting an updated Self-Assessment.
High or Very High
  • Projects must undergo a review by the Risk Advisor to assess compliance with privacy and security requirements.
  • The project will be assigned an Information Collection assessment which aids in the collection of supporting documents.
  • The project owner will be required to approve the PIA report which will include identified risks and their associated treatment plan.

Please refer to the PIA Process Overview Knowledge Base article for more information.


Got a question? For a PIA consult, search of existing results, or general questions please use the PIA Inquiry .