PIA Process Overview

Last updated: September 19, 2024

UBC uses a risk-based approach to conducting PIAs


The Self-Assessment is used to determine the inherent project risk and level of review required. Submitting a PIA early in the project life cycle provides an opportunity to address any potential issues as part of the design and product selection.

  1. To initiate the process, the requestor submits a PIA Request using the UBC Self-Service Portal. An incident ticket number will be assigned to the request.
  2. The requestor completes and submits the Self-Assessment to determine the related privacy and information security risk levels. The Self-Assessment should contain as much detail as possible about the project/initiative to assist in risk identification and to determine the necessary next steps. Completion of the Self-Assessment is required to initiate this process. Note: The PIA cannot proceed without completion of the Self-Assessment.
  3. Depending on the complexity of the project/initiative, a Risk Advisor may contact the requestor with follow-up questions or information requests. The Advisor will discuss the project/initiative, risks, and observations with the requestor, and outline next steps in the assessment process. In complex multi-phase projects, the Risk Advisor may issue an interim report advising of the risks identified at that time, but will not finalize the PIA until closer to system implementation.
  4. In consultation with the requestor, the Risk Advisor documents identified risks, recommends controls to address them, and advises on conditions that should be met before implementation.
  5. Upon completion of the PIA, the Risk Advisor issues a report that includes the agreed risk treatment plan. It is the business owner’s responsibility to accept the report and any documented conditions that must be fulfilled as part of project implementation.

Note: the project owner is expected to maintain compliance with FIPPA and the Information Security Standards throughout the operations of the process and system; they are required to submit a new PIA for any changes to the PI data use, storage, or technology. A “project” refers to any system, process, program or activity that supports University business.


Services on the Self-Service Portal


PIA Inquiry

Risk Advisor provides basic information on privacy risk for initiatives, for existing UBC technologies, and for inclusion in business cases.

PIA Risk Assessment

Risk Advisor works with the project team to ensure risks are identified, privacy information is included in the RFP process, and adequate controls are planned.

PIA Completion

Risk Advisor reviews project updates and the risk register, verifying that the build matches the recommended control level and aligns with UBC policy and FIPPA.

Output from Services


Idea

  1. Info for Business Cases
  2. Referral to PIA Submissions
  3. Support with Privacy Questions

Assess

  1. Self-assessment
  2. Advisor Review
  3. Risk Register
  4. Interim Report

Review

  1. Implementation Checklist
  2. Updated PIA Details
  3. Updated Risk Register
  4. PIA Final Report

Project Stages


Pre-Project/Conceptual

Project Planning

Project Execution/Close-out

Privacy requirements are set out in the Privacy Fact Sheets.

Security requirements are set out in the Information Security Standards.

If you have questions about the application or interpretation of these documents, submit a PIA Inquiry.

 

Risk Level | Process Description

Low or Medium
  • Projects may proceed after Self-Assessment without further review.
  • If there is a change in risk level, the project is responsible for submitting an updated Self-Assessment.

High or Very High
  • Projects must undergo a review by the Risk Advisor to assess compliance with privacy and security requirements.
  • The project will be assigned an Information Collection assessment which aids in the collection of supporting documents.
  • The project owner will be required to approve the PIA report which will include identified risks and their associated treatment plan.

 

Please refer to the PIA Process Overview Knowledge Base article for more information.

Got a question? For a PIA consult, a search of existing results, or general questions, please use the PIA Inquiry.

