
Can I request a pre-project consultation?
Use the PIA Inquiry located on the UBC Self-Service Portal. This form is intended to initiate a discussion regarding projects in the very early concept or idea stage. Once a project is approved to move forward with budget and business requirements, the PIA Request and Self-Assessment process should be initiated.
What issues are addressed by a PIA?
A PIA assesses the treatment of personal information (PI), which is defined as any recorded information about identifiable individuals, with the exception of the names and business contact information of employees, volunteers and service providers.
Examples of questions that are asked in the PIA process include, but are not limited to:
- What is the [University’s] legal authority to collect, use and disclose PI?
- Is the collection, use, and disclosure of the particular PI for a purpose that is consistent with the project as described?
- Is PI stored, processed, and accessed within Canada?
- How is PI protected from unauthorized use or disclosure?
- How long is PI retained for?
How much time and effort does a PIA take to complete?
UBC’s risk-based approach to PIAs results in extensive assessments to identify key risks and ensure appropriate actions are taken to address them. Higher-risk projects require the involvement of the PIA Team to review each submission and provide guidance to address privacy and information security risks.
For more complex projects, a multi-step process may be required spanning all project phases, from concept to implementation to operational sustainment.
Less complex projects must still comply with all relevant privacy and security regulations; however, there is often no need for a full assessment by privacy personnel.
Any high-risk PIA that involves or results in data-linking between public bodies or agencies must also be reviewed with the BC Office of the Information and Privacy Commissioner (BC OIPC).
Note: a favorable result on completion of the Self-Assessment does not guarantee that a project is not complex or without risk. Many projects are perceived to be low risk, but in actuality present significant challenges for the University. The complexity and risks posed by a particular project are best determined by the PIA team.
When do I have to start a Privacy Impact Assessment (PIA)?
A PIA Request must be submitted for a new project or an existing project that is being substantially modified. A “project” refers to any system, process, program or activity that supports University business.
Start the PIA as early as possible after initiating the project, even before the rest of the project has started. This helps to prevent substantial re-work and project delays later on. If key elements of the project change, the Self-Assessment must be re-submitted.
Examples of substantial modifications that require a PIA include, but are not limited to:
- New types of PI will be collected
- Significant changes will be made to the way PI is collected, used or disclosed
- PI will be linked with information from third parties, another department or application
- System access will be changed so that new categories or groups of individuals will have access to PI (e.g. granting access to other units within the department, other departments or external parties). Note: this does not include day-to-day operational changes or routine changes due to personnel changes
- Storage of or access to PI will be moved outside Canada, or to a vendor or cloud service
- PI management or security will be outsourced
- The PI retention period will change
Are research projects treated differently?
Yes. Academic research projects do not require a PIA, but a Security Threat Risk Assessment (STRA) is required to assess any third-party tools used to collect, use, and/or store personal information for academic research. For more information, please visit ARC’s website. A PIA is required when a research tool:
- may also be used for other (non-research) university business;
- will contain data compiled by UBC for various, unknown future research purposes;
- or will integrate with other UBC Systems.
If any tool has identity and access management (IAM) integration (single-sign-on), then a Data Access Request (DAR) is required.
In addition, some academic research projects may involve a privacy and confidentiality review by the Research Ethics Board (REB), who approve projects and data usage. For more information, please visit the Office of Research Ethics.
The following case studies illustrate various research scenarios to clarify when a PIA is or is not required. Some cases also include instances where a third party may request a PIA. If there is any doubt, please submit an inquiry via privacymatters.ubc.ca/pia-stra.
# | Description | UBC PIA? | UBC STRA? | Why / Notes |
---|---|---|---|---|
1 | Web-based tool use for a project, one instance: Participant data is collected with consent and stored in an online tool funded directly by the UBC research project. | N | Y | PIAs are required by BC’s FIPPA. However, “research information” of a university researcher is exempt from FIPPA under s.3(3)(i). |
2 | Web-based use for projects, multiple independent instances: An individual UBC research project collects consented participant data and stores it in an online tool funded by the project. The tool happens to be the same tool other groups have also used for research, but each instance and the projects are independent. | N | Y | PIAs are required by BC’s FIPPA. However, “research information” of a university researcher is exempt from FIPPA under s.3(3)(i). |
3 | Individual research project – clinical setting: Participants are recruited from clinical settings; all collected data is consent-based for the study only, with no clinical data included. | N | Y | PIAs are required by BC’s FIPPA. However, “research information” of a university researcher is exempt from FIPPA under s.3(3)(i). |
4 | Individual research project – clinical data: Participants are recruited from health authority clinical settings, and consent-based research data is collected and combined with clinical data for use in the study. | N | Y | A PIA may be required by the health authority for the secondary use of clinical data—this would not be a UBC PIA, but one conducted by the health authority. |
5 | Departmental web-based tool: A department is purchasing an online tool to provide a service to multiple researchers in their department for specific research projects. It will only be used for UBC research and only contain research records of specific projects. | N | Y | The tool only contains “research information” of a university researcher, so a PIA is not required. |
6 | Platform for various research projects, including data provided by a UBC department: It will only be used by researchers for research purposes. The tool contains several data sets that have been collected by the department to be used by various researchers on the platform (shared data sets). Future researchers may conduct research using the data sets. | Y | N | Even though this is a research system, since the shared data records are being provided by the department for the use of multiple researchers, they are subject to FIPPA and a PIA is therefore required for the platform as it includes the data. |
7 | Open-source software on UBC Hybrid Cloud: A department is deploying open-source software on the UBC Hybrid Cloud to support multiple research projects. The software is free and will only be used by UBC researchers; however, it will integrate with UBC single sign-on (CWL) for authentication. | N | Y | A Data Access Request (DAR) is required. |
8 | Tool for research and administrative use: An individual research project deploys a tool to create visualizations for participant research data collected under consent. They will use the same tool to create visualizations of administrative functions within their department. | Y | N | This is an administrative use by UBC and requires a PIA as it contains more than just research records, but also UBC business records. |
9 | Third-party platform for multiple projects: Multiple independent research projects use a platform provided by a collaborating institution. This third party is the lead institution and data steward or owner of all project data. | N | N | This does not involve UBC Electronic Information. |
What are the consequences of not doing a PIA?
A PIA is a legal requirement of FIPPA and not completing one may result in non-compliance with provincial legislation, UBC policies, standards, and other legal and regulatory requirements. A PIA helps identify and build privacy and security requirements in advance of a launch, thereby helping projects avoid costly program, service or process redesign and minimize potential privacy or security breaches.
How do I find the status of a PIA?
If this relates to a PIA you submitted, use the UBC Self-Service Portal and navigate to View My Requests Incidents. The incident will include updates and provide the ability for you to add comments and questions for the Risk Advisor to review.
- If you are inquiring about a historical PIA, you can refer to the PIA Guidelines for reviews completed on common UBC tools.
- If you are inquiring about an active PIA that you did not submit, you can use the PIA Inquiry.
How do I know which systems have already had a PIA completed?
A project is required to complete a PIA regardless of whether the system already had a PIA completed. The PIA review process is focused on use cases. This ensures that vulnerabilities and issues are known to minimize potential privacy breaches. If you have any questions, please use the PIA Inquiry.
What if I do not know the product or system being implemented yet?
If you are at the concept or idea stage, a PIA Inquiry can be submitted to discuss privacy and information security risks and review existing UBC tools that may be able to provide the required capabilities.
If the project is approved but the product or system has not yet been selected, a PIA Request should be submitted based on the business case and information known at the time. The initial risk level will help inform the procurement process that may be required for product selection and service contracts.
If the product or system changes the Self-Assessment answers significantly, the Risk Advisor may require a new PIA Request to be submitted once the product or system is selected.
Who should I specify as the project owner on the PIA Request?
The project owner should be a UBC employee who has the authority to make decisions and approve work. This is often an administrative or departmental head of unit or senior manager.
Within the Self-Assessment, the project owner list is regularly updated to populate senior managers. If you cannot find the appropriate person, select a project owner higher in the organization or save the survey and discuss it with the project lead.
The project owner and the Project Lead are responsible for:
- Ensuring that the Initiative is planned and implemented in a manner that complies with the Freedom of Information and Protection of Privacy Act (FIPPA), UBC Policy #SC14 Acceptable Use and Security of UBC Electronic Information and Systems, and the UBC Information Security Standards
- Informing the PIA team of any material omissions or inaccuracies in the information provided in the Self-Assessment
- Initiating a new PIA request if there are any significant changes to the Initiative as it pertains to collection, use, or disclosure of Personal Information (PI)
- Ensuring ongoing compliance with the UBC Information Security Standards and privacy and security policies
What additional information is required to complete the PIA?
The PIA team may require additional information to determine compliance with FIPPA and the Information Security Standards.
Examples of information that may be requested include, but are not limited to:
- A full description of all data elements in the project
- Data flow diagrams which illustrate how information is collected, used and disclosed. For more instruction, please view How do I create a Personal Information (PI) flow table and diagram?
- Validation of adherence to privacy and security requirements through testing and other methods
- Third-party attestation reports such as SOC reports, ISO 27001 certifications etc.
- Privacy and security clauses in contracts and agreements with vendors and other third parties, and/or consent statements
When do I need a Data Access Request?
You will need to complete a Data Access Request (DAR) form for any new access to UBC data. If you already had previous access to the same set of data, the DAR will allow for the access to be registered for historical tracking of data access.
A PIA reference number may be requested depending on the nature of your request. For API data requests related to new systems, a PIA must be initiated so that the Data Steward Reviewers understand the application review status and identified risks. They may confirm that any request for PI aligns with the PI elements identified in the target system PIA. For more information on the Data Access Request process, please refer to Access UBC Data.
Can a completed PIA be shared with other organizations?
Sharing the results of your PIA within UBC is acceptable. All other requests for information about a PIA must be forwarded to the Office of the University Counsel. Do not respond to or acknowledge the request, but rather forward the request to: access.and.privacy@ubc.ca
Where can I go for more information about privacy or security?
The following can answer questions about privacy or information security:
- For fundamentals training on how to protect the privacy and information security of the UBC community, please enroll in the Fundamentals Training
- For questions about the PIA process, use the PIA Inquiry
- For specific advice about security, refer to the Information Security Standards or contact it.security@ubc.ca
- For specific advice about privacy, refer to the Privacy Fact Sheets or contact access.and.privacy@ubc.ca
- For general privacy / security questions not related to the PIA process, contact privacy.matters@ubc.ca
How do I approve a PIA report?
If you are identified as a project owner, you may receive an email request to approve the PIA report. The requestor and project lead will be identified, allowing you to discuss the PIA results with them prior to approving or rejecting. When you are ready, navigate to the UBC Self-Service Portal and use the Approval option that is found under “View My Records”.
To get started:
UBC Self Service Portal → My Requests → My Approvals
Review the information available and click on the Approve or Reject button. If rejecting, please include a comment regarding the reason.
If rejected, the PIA will return to the Risk Advisor for further review.
If accepted, the PIA will be closed with notice to the requestor and project owner.
For more support, please view How do I approve a PIA report and risk plan?
How do I find and review a PIA Final Report?
The final reports are posted online to a restricted audience, primarily project owners, Data Stewards, and Client Services Managers.
To get started:
UBC Self Service Portal → Search Knowledge
Enter the project, product, or key descriptor in the search box.
You can also drill down by selecting PIA Private Knowledge (if the button is not visible, you do not have the required access for viewing PIA reports).
Project owners are based on senior role assignments within the organization. If you are a senior manager and you do not have access, please submit a PIA Inquiry that includes your role and required access.
What is the Risk Classification Tool (RCT)?
The RCT is a retired tool. It was used to determine a project’s privacy and information security risk classification. The PIA process now uses a Self-Assessment survey as part of the PIA request.