
Privacy and Algorithmic Impact Assessments


A Privacy Impact Assessment (PIA) is a process which assists organizations in identifying and managing the privacy risks arising from new projects, initiatives, systems, processes, strategies, policies, business relationships etc. PIAs focus on how personal information (PI) will be collected, used, disclosed, stored, retained and protected.

If information security is also at risk, a slightly adapted process called a Privacy and Information Security Impact Assessment is conducted in collaboration with McMaster’s Information Security office.

What is personal information?

Personal information (PI) is recorded information that can be used to identify you.

  • It reveals something of a personal nature about you.
  • If you can be identified from the information (either alone or by combining it with other information), it is your PI.
  • If you cannot be identified from the information, it is not your PI.

To ensure there is sufficient time to conduct a PIA, it should begin at the early stages of any new project, initiative, system, process, strategy, policy, business relationship, etc. where any personal information is collected, used or disclosed. It is important that the PIA process starts early to avoid disruption to the project plan.

A Privacy Impact Assessment is best suited to initiatives and projects that include the following:

  • A process involving the collection, use, retention, or disclosure of personal information is significantly altered. This could include:
    • If system access is changed so that a new group of people have access to personal information (i.e., a new department).
    • If storage of PI will be moved outside Canada.
  • A third party will collect personal information on behalf of the university;
  • The university will disclose personal information to a third party;
  • A third party, who collects personal information, or receives personal information from the university, will disclose it to another third party;
  • A new activity of the university will include the collection of personal information not included in the Notice of Collection, Use and Disclosure Statement;
  • A current third party service provider will provide a new service to the university, which will involve a new use of the personal information they either collect from individuals, or receive from the university;
  • An existing agreement with a third party is affected by changes to their privacy policy, terms of service, or internal information security and process.

PIAs are required for projects that may include risk in the protection of privacy for individuals within the university community, and to support FIPPA and PHIPA compliance. The Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Health Information Protection Act (PHIPA) are pieces of provincial legislation in Ontario that aim to balance privacy with transparency.

Beyond legal compliance, the PIA process draws on McMaster’s own Privacy and Information Security-related policies and statements, such as the Notice of Collection, Use, and Disclosure Statement and the Information Security Policy. For more on McMaster’s policy framework, please visit the Policies, Procedures and Guidelines

When working with the Information Security Office, the Privacy Office will often use a Higher Education Community Vendor Assessment Tool (HECVAT) as part of the PIA process. This is a questionnaire that is designed to help institutions measure vendor risk, and it communicates the information, data and cybersecurity policies that are in place to protect sensitive information, including personally identifiable information (PII).

If unsure whether your project requires a privacy impact assessment, the first step is to complete the Early Privacy Risk Check. Once submitted, the Privacy Office will review the information and confirm whether a PIA is necessary. The next step is to complete the Necessity Test to document the legal authority supporting the purpose for using the service or application.

At McMaster, PIAs are led by the Privacy Office (University Secretariat) and often involve collaboration with relevant partners in the Information Security Office and Legal Services.

Project leads work with the Privacy Office to provide information about how personal information fits into the project to ensure compliance with recommendations to mitigate privacy risks.

Vendors are often involved in providing additional information about their privacy and security practices.

The Information and Privacy Commissioner’s (IPC) Office requires that institutes complete a necessity test to determine the legal authority to use new tools or applications involving the collection, use and disclosure of personal information. The necessity test focusses on the purpose for using a new tool or application. If there is more than one purpose identified, the necessity test must be applied to all purposes.

This test consists of two steps:

Step 1: Identify the legal authority that supports the purpose for using the new tool.
This step requires specific reference to legislation, the university’s Notice of Collection, Use and Disclosure Statement, or relevant university policy that speaks to the mandates or requirements for the purpose for use of the service or application. If no legal authority is identified, the use of the service or application is not recommended by the Privacy Office.

Step 2: Where legal authority for the use of the service or application is identified, step two requires that we identify the narrowest range of personal information (PI) needed to effectively utilize the new service or application for the intended purpose. The goal is to identify the least amount of PI, from the fewest number of individuals.

Once the necessity test is complete, the next step is to review the vendor’s privacy policy (including related security policies) and terms of service documentation. In reviewing vendor policies, the Privacy Office has a guideline to support a thorough review of the privacy considerations that should be included: Guideline – How to Review a Privacy Policy.

  • Initiate the PIA process early enough in the project timeline to allow for changes to be meaningfully integrated. Depending on the complexity of the services or project, a PIA may take up to a month to complete.
  • Provide the Privacy Office with sufficient information to complete a thorough analysis.
  • Implement any recommendations outlined in the PIA report.
  • Re-initiate the process if significant changes to the project plan occur. The PIA process may have an iterative quality to ensure impacts on privacy compliance are effectively mitigated.
  • Continuously monitor the project for risk and consult with the Privacy Office if necessary.
  • Once the PIA process is initiated, the Privacy Office will lead you through more detailed steps in completing the PIA.

For tools that include automated functions, including artificial intelligence, we will include an algorithmic impact assessment. An Algorithmic Impact Assessment (AIA) is a risk assessment that determines the impact level of an automated decision-system. It is composed of 51 risk and 34 mitigation criteria, and assessment scores are based on many factors, including the system’s design, algorithm, decision type, impact and data.

The tool used at McMaster University was adapted from the AIA tool produced by the Treasury Board of Canada. While the TBC’s tool was intended for federal agencies and departments, it has been adapted to meet the needs of higher education and research at McMaster.


PIA Fact Sheet

This resource provides a high-level overview of the Privacy Impact Assessment process at McMaster University.