Privacy Impact Assessment

A Privacy Impact Assessment (PIA) is a key tool used to assess and manage privacy risks in any university initiative that involves the collection of personal information.

Required under Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA), a PIA helps ensure transparency, legal compliance, and trust by identifying potential privacy risks, confirming safeguards are in place, and documenting how personal information will be handled throughout an initiative.

  • Privacy Impact Assessment (PIA): A PIA is an assessment that evaluates privacy risks associated with the collection, use, and disclosure of personal information in an initiative.
  • Privacy and Security Impact Assessment (PSIA): A PSIA is an assessment that evaluates both privacy risks and information security risks when personal information is collected, used, stored, or shared in an initiative.

These assessments are now required under amendments to FIPPA that came into effect on July 1, 2025. 

PIAs are required for any new or significantly modified program, system, or process that collects personal information. Depending on the Risk Score assigned to the initiative, and on whether personal information will be stored or processed using University-managed IT systems or externally hosted or cloud-based services (i.e., outside of University-managed IT systems), a Privacy and Security Impact Assessment (PSIA) may also be required. Use the PIA/PSIA Checklist as a guide. If you are uncertain, contact the Privacy Office ([email protected]).


Individuals designated as Initiative Leads are responsible for completing a PIA (and a PSIA if required).

  • Start the PIA completion process at least 4 (four) weeks before any personal information is collected.
  • Before beginning, consult the Privacy Office to confirm whether a PIA already exists for the initiative or system.

Completed PIAs must be submitted to the Privacy Office either for filing or approval, depending on the nature of the initiative.

All required details are outlined in the PIA Forms, but at a high level, a PIA must describe:

  • the legal authority for collecting personal information,
  • how the information flows through the system/process,
  • who will be impacted, and
  • how the data will be stored, accessed, retained, and disclosed.

Initiative Leads must also assign a Risk Score using the form, which determines whether the Privacy Office must approve the PIA before the initiative can proceed.

Typically, a significant modification involves any change to the type, purpose, collection, use, sharing, consent, authority, custody, legal basis, users, service providers, processes, technology, security, or delivery methods related to personal information. For a detailed explanation, including examples, refer to pages 2-3 of the PIA/PSIA Checklist.

  • Before completing a PIA or PSIA, Initiative Leads must complete the PIA-Risk Evaluation and Scoring Tool. This tool calculates a Risk Score for the initiative, which is used to determine:
    • whether a PIA or PSIA is required,
    • which of the two available PIA forms to use, and
    • whether formal review and approval of the PIA is needed before the initiative can begin.
  • A copy of the PIA-Risk Evaluation and Scoring Tool must be submitted to the Privacy Office along with the completed PIA or PSIA Form.
  • To complete a PIA or PSIA, use one of the following two (2) available forms:
    • Low and Medium Risk Score: If your initiative has a Low or Medium Risk Score, use the PIA – Short Form.
    • High and Very High Risk Score: If your initiative has a High or Very High Risk Score, use the PSIA – Long Form.

Whether formal approval is required depends on the level of risk.

  • Low or Medium Risk Score: Formal approval is not required, but the PIA must still be completed by the Initiative Lead and submitted to the Privacy Office for filing. 
  • High or Very High Risk Score: These require formal review and approval by the Privacy Office and IT Team to ensure legal compliance.
  • For PIA/PSIAs requiring approval: Submit to the Privacy Office as early as possible, and no later than four (4) weeks before any personal information is collected as part of the initiative. The review and approval process typically takes a minimum of two (2) weeks, but may take longer if revisions or clarification are needed.
  • For PIA/PSIAs that do not require approval: Submit to the Privacy Office as early as possible, and no later than two (2) weeks before any personal information is collected as part of the initiative.

No, existing programs, systems, or processes do not require a PIA/PSIA unless they have undergone a significant modification, as outlined above.

No, unless a PIA/PSIA is triggered by one of the changes listed above. In that case, the privacy statement will be reviewed as part of the assessment.

No, the collection, use, and disclosure of personal information for research purposes is typically governed by Research Ethics Board (REB) policies and processes.

Contact [email protected]