
Can I request a pre-project consultation?
Yes, if your project is in the early concept or planning stage, you can submit a PIA Inquiry form through the UBC Self-Service portal to request a pre-project consultation. This form is intended for initiatives that are still being explored. Once a project is approved to proceed and has defined business requirements and a budget, you should begin the PIA Request and Self-Assessment process.
What issues are addressed by a PIA?
A Privacy Impact Assessment (PIA) evaluates how personal information (PI) is handled within a project. PI is any recorded information about identifiable individuals, excluding the names and business contact details of employees, volunteers and service providers.
A PIA typically addresses the following key questions to ensure compliance with legal and institutional requirements:
- What is UBC’s legal authority to collect, use and disclose PI?
- Does the collection, use, and disclosure of the PI align with the described purposes of the project?
- Is PI stored, processed, and accessed within Canada?
- How is PI protected from unauthorized access and disclosure?
- What is the retention period for PI?
How much time and effort does a PIA take to complete?
The time and effort required to complete a PIA at UBC depends on the project's complexity and associated risks. UBC employs a risk-based approach to PIAs, which involves detailed assessments to identify key risks and ensure that appropriate measures are implemented to address these risks.
- High Risk Projects: These require active involvement from the PIA Team to review submissions and guide the management of privacy and information security risks. Such projects often entail a multi-step assessment process covering all phases from concept to operational sustainment.
- Less Complex Projects: While these projects must comply with all applicable privacy and security regulations, they typically do not require a comprehensive assessment by the PIA Team.
- Data-Linking Projects: Projects involving or resulting in data-linking between public bodies or agencies require additional review by the BC Office of the Information and Privacy Commissioner (BC OIPC).
How do I find institutionally supported IT tools or solutions for my administrative or operational needs?
Start by consulting the UBC IT Service Catalogue. For additional guidance, contact your Client Service Manager (CSM).
Tools already reviewed through the PIA process fall into two categories:
- Enterprise Use: Designed for broad use across UBC. If your intended use aligns with established guidelines, a new PIA may not be required.
- Limited Use Case: These tools have specific constraints regarding how they can be used, by whom, and how personal information is handled.
Even if a tool is approved for use at UBC, it may not be suitable for your specific use case. Your CSM can help determine if a tool meets your needs and whether a PIA Inquiry should be submitted.
When do I have to start a Privacy Impact Assessment (PIA)?
A PIA Request must be submitted for a new project or an existing project that is being substantially modified. A “project” refers to any system, process, program or activity that supports University business.
Start the PIA as early as possible after initiating the project, even before the rest of the project has started. This helps to prevent substantial re-work and project delays later on. If key elements of the project change, the Self-Assessment must be re-submitted.
Examples of substantial modifications that require a PIA include, but are not limited to:
- New types of PI will be collected
- Significant changes will be made to the way PI is collected, used or disclosed
- PI will be linked with information from third parties, another department or application
- System access will be changed so that new categories or groups of individuals will have access to PI (e.g. granting access to other units within the department, other departments or external parties). Note: this does not include day-to-day operational changes or routine access changes resulting from personnel changes
- Storage of, or access to, PI will be moved outside Canada, or to a vendor or cloud service
- PI management or security will be outsourced
- The PI retention period will change
Are research projects treated differently?
Yes. Academic research projects do not require a PIA, but a Security Threat Risk Assessment (STRA) is required to assess any third-party tools used to collect, use, and/or store personal information for academic research. For more information, please visit ARC’s website. A PIA is required when a research tool:
- may also be used for other (non-research) university business;
- will contain data compiled by UBC for various, unknown future research purposes;
- or will integrate with other UBC systems.
If any tool has identity and access management (IAM) integration (single sign-on), then a Data Access Request (DAR) is required.
In addition, some academic research projects may involve a privacy and confidentiality review by the Research Ethics Board (REB), which approves projects and data usage. For more information, please visit the Office of Research Ethics.
The following case studies illustrate various research scenarios to clarify when a PIA is or is not required. Some cases also include instances where a third party may request a PIA.
Use this interactive form to help determine the right team for your inquiry, or if there is any doubt please submit an inquiry via privacymatters.ubc.ca/pia-stra.
| # | Description | UBC PIA? | UBC STRA? | Why / Notes |
|---|---|---|---|---|
| 1 | Web-based tool use for a project, one instance: Participant data is collected with consent and stored in an online tool funded directly by the UBC research project. | N | Y | PIAs are required by BC’s FIPPA. However, “research information” of a university researcher is exempt from FIPPA under s.3(3)(i). |
| 2 | Web-based use for projects, multiple independent instances: An individual UBC research project collects consented participant data and stores it in an online tool funded by the project. The tool happens to be the same tool other groups have also used for research, but each instance and the projects are independent. | N | Y | PIAs are required by BC’s FIPPA. However, “research information” of a university researcher is exempt from FIPPA under s.3(3)(i). |
| 3 | Individual research project – clinical setting: Participants are recruited from clinical settings; all collected data is consent-based for the study only, with no clinical data included. | N | Y | PIAs are required by BC’s FIPPA. However, “research information” of a university researcher is exempt from FIPPA under s.3(3)(i). |
| 4 | Individual research project – clinical data: Participants are recruited from health authority clinical settings, and consent-based research data is collected and combined with clinical data for use in the study. | N | Y | A PIA may be required by the health authority for the secondary use of clinical data – this would not be a UBC PIA, but one conducted by the health authority. |
| 5 | Departmental web-based tool: A department is purchasing an online tool to provide a service to multiple researchers in their department for specific research projects. It will only be used for UBC research and only contain research records of specific projects. | N | Y | The tool only contains “research information” of a university researcher, so a PIA is not required. |
| 6 | Platform for various research projects, including data provided by a UBC department: It will only be used by researchers for research purposes. The tool contains several data sets that have been collected by the department to be used by various researchers on the platform (shared data sets). Future researchers may conduct research using the data sets. | Y | N | Even though this is a research system, since the shared data records are being provided by the department for the use of multiple researchers, they are subject to FIPPA and a PIA is therefore required for the platform as it includes the data. |
| 7 | Open-source software on UBC Hybrid Cloud: A department is deploying open-source software on the UBC Hybrid Cloud to support multiple research projects. The software is free and will only be used by UBC researchers; however, it will integrate with UBC single sign-on (CWL) for authentication. | N | Y | A Data Access Request (DAR) is required. |
| 8 | Tool for research and administrative use: An individual research project deploys a tool to create visualizations for participant research data collected under consent. They will use the same tool to create visualizations of administrative functions within their department. | Y | N | This is an administrative use by UBC and requires a PIA as it contains more than just research records, but also UBC business records. |
| 9 | Third-party platform for multiple projects: Multiple independent research projects use a platform provided by a collaborating institution. This third party is the lead institution and data steward, or owner of all project data. | N | N | This does not involve UBC Electronic Information. |
What are the consequences of not doing a PIA?
A PIA is legally required under the FIPPA. Failure to conduct a PIA may result in non-compliance with this legislation, as well as other UBC policies and legal standards. Completing a PIA prevents costly adjustments by identifying necessary privacy and security measures early in the project lifecycle, thereby minimizing potential privacy and security breaches.
Do pilot projects need a PIA?
Pilot projects at UBC are often smaller in scale and may incorporate strategies to mitigate risks, such as limiting the number of users or using synthetic data instead of real information. These measures can reduce the privacy risks and simplify the PIA process, potentially making a full assessment unnecessary. However, it's important to evaluate each pilot project individually to determine if a PIA is required. Please refer to the guidelines on "What projects or initiatives require a PIA?" for detailed criteria.
Note: Transitioning from a pilot to a full-scale launch often constitutes a significant change, necessitating a re-evaluation to determine if a new PIA is required.
How do I find the status of a PIA?
To check the status of a PIA you submitted, please use the UBC Self-Service Portal and select “View My Requests Incidents.” You will see updates and can add comments or questions for the Risk Advisor.
For historical PIAs, visit the PIA Report page which features a select sample of sanitized reports that exclude sensitive security information.
If you are inquiring about an active PIA that you did not submit, please use the PIA Inquiry form for assistance.
How do I know which systems have already had a PIA completed?
You can check the PIA Reports page to see if a system or process has already undergone a PIA. Remember, many PIAs are completed through consultations and may not result in a formal report. If you cannot find information on a specific system or process, consider raising a PIA Inquiry.
If your intended use of a system falls within the scope of an existing PIA as detailed on the PIA Reports page, no additional PIA may be required. Consult the PIA Guidelines for further clarity on the expected use of commonly used community tools.
When in doubt about whether a PIA is necessary, it is prudent to submit a PIA Inquiry for further guidance.
What if I do not know the product or system being implemented yet?
- Initial Stages: If your project is still at the concept or idea stage, submit a PIA Inquiry to initiate discussions about potential privacy and information security risks.
- Project Approval without Product Selection: If your project has been approved but the product or system has not yet been selected, submit a PIA Request based on the known business case and available information. This will help guide the procurement process.
- Significant Changes: If subsequent selection of the product or system significantly alters the initial Self-Assessment, a new PIA Request might be necessary. Submit this once the final product or system is chosen.
Who should I specify as the project owner on the PIA Request?
The project owner should be a UBC employee who is authorized to make decisions and approve project actions. This individual is typically a department head or a senior manager.
The project owner is responsible for ensuring that the project complies with relevant laws like the FIPPA, UBC Policy #SC14, and the UBC Information Security Standards. They must also inform the PIA team of any significant changes to the project scope or the handling of personal information.
What information should I prepare for the completion of a PIA?
The PIA team facilitates the completion of a PIA based on information collected and provided by the project team.
Not every PIA requires the same depth, but project teams should allocate time to support the PIA process. Examples of information that may be requested include, but are not limited to:
- A full description of all data elements in the project
- Data flow diagrams that illustrate how information is collected, used and disclosed. For more instruction, please view “How do I create a Personal Information (PI) flow table and diagram?”
- Validation of adherence to privacy and security requirements throughout testing and other methods
- Third-party attestation reports such as SOC reports, ISO 27001 certifications etc.
- Privacy and security clauses in contracts and agreements with vendors and other third parties, and/or consent statements
When do I need a Data Access Request?
You will need to complete a Data Access Request (DAR) form for any new access to UBC data. If you already had previous access to the same set of data, the DAR allows that access to be registered for historical tracking of data access.
A PIA reference number may be requested depending on the nature of your request. For API data requests related to new systems, a PIA must be initiated so that the Data Steward Reviewers understand the application review status and identified risks. They may confirm that any request for PI aligns with the PI elements identified in the target system PIA. For more information on the Data Access Request process, please refer to Access UBC Data.
Can a completed PIA be shared with other organizations?
Sharing the results of your PIA within UBC is acceptable. All other requests for information about a PIA must be forwarded to the Office of the University Counsel. Do not respond to or acknowledge the request, but rather forward the request to: access.and.privacy@ubc.ca.
Where can I go for more information about privacy or security?
For inquiries and support related to privacy and information security at UBC, consider the following resources:
- To refresh your knowledge, re-enroll in Privacy & Information Security – Fundamentals Part I and II. These modules provide a high-level overview of key responsibilities and best practices.
- To access workshops, updates, and discussions on current topics, join the Privacy Matters Champions Network.
- To view pre-recorded sessions, interactive workshops, and panel discussions, visit Privacy Matters on Demand.
- For questions about the PIA process, use the PIA Inquiry form
- For advice about information security, refer to the Information Security Standards or contact it.security@ubc.ca
- For privacy-related guidance, see the Privacy Fact Sheets or contact access.and.privacy@ubc.ca
- For general questions not related to the PIA process, contact privacy.matters@ubc.ca
How do I approve a PIA report?
If you are identified as a project owner, you may receive an email request to approve the PIA report. The requestor and project lead will be identified, allowing you to discuss the PIA results with them prior to approving or rejecting. When you are ready, navigate to the UBC Self-Service Portal and use the Approval option that is found under “View My Records”.
To get started:
UBC Self Service Portal → My Requests → My Approvals
Review the information available and click on the Approve or Reject button. If rejecting, please include a comment regarding the reason.
If rejected, the PIA will return to the Risk Advisor for further review.
If accepted, the PIA will be closed with notice to the requestor and project owner.
For more support, please view “How do I approve a PIA report and risk plan?”
How do I find and review a PIA Final Report?
The final reports are posted online to a restricted audience, primarily project owners, Data Stewards, and Client Services Managers.
To get started:
UBC Self Service Portal → Search Knowledge
Enter the project, product, or key descriptor in the search box
You can also drill down by selecting PIA Private Knowledge (if the button is not visible, you do not have the required access for viewing PIA reports)
Project owners are based on senior role assignments within the organization. If you are a senior manager and you do not have access, please submit a PIA Inquiry that includes your role and required access.
What is the Risk Classification Tool (RCT)?
The RCT is a retired tool. It was used to determine a project’s privacy and information security risk classification. The PIA process now uses a Self-Assessment survey as part of the PIA request.