A Privacy Impact Assessment (PIA) is a process which assists organizations in identifying and managing the privacy risks arising from new projects, initiatives, systems, processes, strategies, policies, business relationships etc. PIAs focus on how personal information (PI) will be collected, used, disclosed, stored, retained and protected.

If information security is also at risk, a slightly adapted process called a Privacy and Information Security Impact Assessment is conducted in collaboration with McMaster’s Information Security office.

What is personal information?

Personal information (PI) is recorded information that can be used to identify you.

• It reveals something of a personal nature about you.
• If you can be identified from the information (either alone or by combining it with other information), it is your PI.
• If you cannot be identified from the information, it is not your PI.

In order to ensure there is sufficient time to conduct a PIA, it should begin at the early stages of any new project, initiative, systems, processes, strategies, policies, business relationships etc. where any personal information is collected, used or disclosed. It is important that the PIA process starts early to avoid disruption to the project plan.

A Privacy Impact Assessment best suited to initiatives and projects that include the following:

• If a process involving the collection, use, retention, or disclosure of personal information is significantly altered. This could include:
  • If system access is changed so that a new group of people have access to personal information (i.e., a new department).
  • If storage of PI will be moved outside Canada.

• A third party will collect personal information on behalf of the university;
• The university will disclose personal information to a third party;
• A third party, who collects personal information, or receives personal information from the university, will disclose it to another third party;
• A new activity of the university will include the collection of personal information not included in the Notice of Collection, Use and Disclosure Statement;
• A current third party service provider will provide a new service to the university, which will involve a new use of the personal information they either collect from individuals, or receive from the university;
• An existing agreement with a third party is affected by changes to their privacy policy, terms of service, or internal information security and process;

PIAs are required for projects that are may include risk in the protection of privacy for individuals within the university community, and to support FIPPA and PHIPA compliance. The Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Health Information Protection Act (PHIPA) are pieces of provincial legislation in Ontario that aim to balance privacy with transparency.

Beyond legal compliance, the PIA process draws on McMaster’s own Privacy and Information Security-related policies and statements, such as the Notice of Collection, Use, and Disclosure Statement and the Information Security Policy. For more on McMaster’s policy framework, please visit the Policies, Procedures and Guidelines

When working with the Information Security Office, the Privacy Office will often use a Higher Education Community Vendor Assessment Tool (HECVAT) as part of the PIA process. This is a questionnaire that is designed to help institutions measure vendor risk, and communicates the information, data and cybersecurity policies are in place to protect sensitive information including personally identifiable information (PII).

Once you’ve determined that your project should have a privacy impact assessment, complete the preliminary privacy analysis questionnaire and send it to the Privacy Office. The Privacy Office will review the information, and confirm whether a PIA is necessary.

At McMaster, PIAs are led by the Privacy Office (University Secretariat) and often involves collaboration with relevant partners in the Information Security Office and Legal Services.

Project leads work with the Privacy Office to provide information about how personal information fits into the project, and to later ensure compliance with guidance on best practices.

Vendors are often involved in providing additional information about their privacy and security practices.

• Initiate the PIA process early enough in the project timeline to allow for changes to be meaningfully integrated. Depending on the complexity of the services or project, a PIA may take up to a month to complete.
• Provide the Privacy Office with sufficient information to complete a thorough analysis.
• Implement any recommendations outlined in the PIA report.
• Re-initiate the process if significant changes to the project plan occur. The PIA process may have an iterative quality to ensure impacts on privacy compliance are effectively mitigated.
• Continuously monitor the project for risk and consult with the Privacy Office if necessary.
• Once the PIA process is initiated, the Privacy Office will lead you through more detailed steps in completing the PIA.

For tools that include automated functions, including artificial intelligence, we will include an algorithmic impact assessment. An Algorithmic Impact Assessment (AIA) is a risk assessment that determines the impact level of an automated decision-system. It is composed of 51 risk and 34 mitigation criteria, and assessment scores are based on many factors, including the system’s design, algorithm, decision type, impact and data.

The tool used at McMaster University was adapted from the AIA tool produced by the Treasury Board of Canada. While the TBC’s tool was intended for federal agencies and departments, it has been adapted to meet the needs of higher education and research at McMaster.