UCalgary Privacy Impact Assessments (PIA)
UCalgary is required to conduct a privacy impact assessment (PIA) under the Protection of Privacy Act (POPA) for any new, or a substantial change to an existing, administrative practice, program, project or service that will involve the collection, use or disclosure of certain categories of personal information.
To determine whether a PIA is required for your initiative, or for more information regarding the process for completing and submitting PIAs, please review the information below or contact the Access and Privacy Office for guidance.
UCalgary is required to complete a PIA for any new, or a substantial change to an existing, administrative practice, program, project or service:
- involving the collection, use or disclosure of Level 4 personal information under the UCalgary Information Security Classification Standard;
- involving the personal information of a significant percentage of the population that UCalgary serves (e.g., initiatives impacting all students or all staff);
- involving information sharing between two or more public bodies or as part of a common or integrated program or service;
- involving the development or use of innovative technology, which may include the use of artificial intelligence or automated systems where there is an increased risk of novelty, uncertainty or harm; or
- where otherwise determined by the Access and Privacy Office.
UCalgary will only be required to complete a PIA for institutional initiatives which support an operating program or activity of UCalgary carried out for the purposes of institutional research, planning or program quality assurance, evaluation or improvement. A PIA is not required for research projects carried out by academic staff members intended to develop or contribute to generalizable knowledge.
For more information regarding whether your initiative is being carried out for institutional or research purposes, see the Guidelines for Researchers/Project Leads: Use of Student and Institutional Data.
PIAs must be completed with a level of detail commensurate with the complexity of the initiative and in accordance with the sensitivity of the personal information involved and applicable security classification level.
A PIA must identify the risks associated with the collection, use and disclosure of personal information and must:
- Include a summary of the purpose of the collection, use or disclosure of personal information for the proposed practice, program, project or service;
- Identify the types of personal information that will be collected, used or disclosed and reasonable security arrangements in place to protect the information;
- Identify the legal authority for the collection, use or disclosure of the information;
- Identify the privacy risks and mitigation strategies respecting the information;
- Identify any administrative, physical or technical safeguards in place to protect the personal information, including how the personal information will be securely transmitted, matched or linked, if applicable;
- Describe accuracy, correction and retention procedures that will be implemented to ensure the personal information is accurate and complete; and
- Establish a clear governance structure respecting the responsibilities and accountability of UCalgary, and any other public body participating in the program.
The applicable faculty, department or administrative unit carrying out the initiative will be responsible for completing a PIA. The PIA will also need to be approved by the Information Steward (the SLT member or designate responsible for the business processes in their faculty, functional area or department).
The Access and Privacy Office will maintain an oversight and advisory role, will provide guidance, templates and support, and will identify key compliance requirements to ensure that privacy-by-design principles are integrated into the planning and design of all initiatives. The Access and Privacy Office will also maintain a privacy risk register to document, track, and ensure that privacy and security risks have been identified, evaluated, and addressed through the lifecycle of the initiative, and will be responsible for submitting PIAs to the OIPC.
The creation of a PIA can result in a significant amount of work. If you intend to introduce a new program or service involving the collection of personal information, or make substantial changes to an existing one, it is recommended that you contact the Access and Privacy Office early to determine whether a PIA is required or recommended.
Following a review of your PIA, the Access and Privacy Office may determine that a PIA is required to be reported to the Office of the Information and Privacy Commissioner (OIPC). The OIPC may also request a copy of a PIA for any initiative at any time.
If a PIA is required to be submitted to the OIPC, then it must be completed using the OIPC approved template in accordance with the . The applicable faculty, department or administrative unit carrying out the initiative will still be responsible for completing a PIA using the OIPC template, and the Access and Privacy Office will provide support and guidance and will be responsible for submitting the final PIA to the OIPC.
Please keep in mind when completing a PIA that any information included therein may be subject to disclosure to the OIPC or to the public in response to an access to information request under the Access to Information Act.
Frequently Asked Questions (FAQs)
If your practice, program, project or service is in the early concept or planning stage, you can submit an email to the Access and Privacy Office at accessandprivacy@ucalgary.ca to request a pre-project consultation. This is intended for initiatives that are still being explored. Once a project is approved to proceed and has defined business requirements and a budget, you should follow the PIA process outlined above.
Pilot projects are often smaller in scale and may incorporate strategies to mitigate risks, such as limiting the number of users or using synthetic data instead of real information. These measures can reduce the privacy risks and simplify the PIA process, potentially making a full assessment unnecessary. However, it's important to evaluate each pilot project individually to determine if a PIA is required. If you are conducting a pilot, please contact the Access and Privacy Office to request a project consultation.
Start the PIA process as early as possible after initiating the project, even before the rest of the project has started. This ensures that the Access and Privacy Office can be engaged early and will help to prevent delays.
Examples of substantial change to a practice, program, project or service that may trigger a PIA being required include, but are not limited to:
- Expansion to the amount and type of personal information that will be collected;
- Significant changes to the way in which personal information is collected, used, disclosed or managed;
- Where personal information will be linked or matched with information from third parties, another department or application;
- System access will be changed so that new categories or groups of individuals will now have access to personal information (note: this does not include day-to-day operational changes or routine changes due to personnel changes); or
- Storage or access to personal information will be changed, or personal information will be stored in a new software application or cloud service or managed by a new third-party vendor.
PIAs must be completed with a level of detail commensurate with the complexity of the initiative and in accordance with the security classification level assigned to the personal information involved to determine the depth and scope of review.
Initiatives involving lower‑sensitivity information (or using only de-identified personal information) may not require an extensive privacy review or may not require that a PIA be completed at all.
Initiatives involving higher‑sensitivity information or more complex data flows undergo more detailed assessment to ensure risks are fully understood and mitigated. These projects often require active involvement from the Access and Privacy Office and IT GRC team and may require submission of the PIA to the OIPC. Each of these steps takes time and must be factored into your project planning.
Start by consulting UService. For additional guidance, contact your IT Zone Manager through the Service Now portal.
UCalgary maintains various enterprise software tools designed for broad use across campus, such as Zoom, MS Teams, or D2L. However, even if a tool is approved for use at UCalgary, it may not be suitable for your specific use case. Your IT Zone Manager can help determine if a tool meets your needs and the Access and Privacy Office can determine whether a PIA is required.
If you wish to acquire a new software/application or retain the services of a data management or storage provider (located inside or outside of Canada) that will store, process or manage personal or confidential information, you must submit a request through the UCalgary . Please refer to the Guidelines for the Software Acquisition Process for more information and recommended best practices. This enables UCalgary to ensure compliance with POPA’s privacy protection requirements.
The initiative lead/project owner should be a UCalgary employee who is responsible for the day-to-day management of the initiative and authorized to make decisions and approve project actions. Your project should also have the approval of your Information Steward (the SLT member or designate responsible for the business processes in their faculty, functional area or department).
The initiative lead/project owner is responsible for ensuring that the project complies with POPA and UCalgary policies. They are also responsible for informing the Access and Privacy Office of any significant changes to the project scope or the handling of personal information which may necessitate a formal PIA.
Records containing personal information held by UCalgary (e.g., student or staff records being stored in existing information systems) may only be used or disclosed in accordance with POPA and applicable UCalgary policy.
If you would like to access institutional personal information for your project, please complete the Request to Access Institutional Personal Information Form and submit to accessandprivacy@ucalgary.ca. The Access and Privacy Office will review the request with the Information Steward to determine whether access to the existing institutional data is permitted.
The Information Steward (the SLT member or designate responsible for the business processes in their faculty, functional area or department) is responsible under UCalgary policy for determining the information security classification level in consultation with UCalgary Legal Services.
The UCalgary Information Security Classification Standard establishes a framework for classifying all information assets containing personal information based on sensitivity:
Level 1: Public
Including personal information or data derived from personal information that is publicly available, such as business contact information.
Level 2: Protected
Including non-personal data and personal information or data derived from personal information that is not publicly available, but where any loss, unauthorized access or unauthorized disclosure would not result in an unreasonable invasion of personal privacy.
Level 3: Confidential
Including personal information or data derived from personal information that is confidential and where any loss, unauthorized access or unauthorized disclosure would result in an unreasonable invasion of personal privacy.
Level 4: Restricted
Including personal information or data derived from personal information that is highly sensitive and where any loss, unauthorized access or unauthorized disclosure would result in an unreasonable invasion of personal privacy and real risk of significant harm.
A PIA is legally required under POPA. Failure to comply with POPA can result in serious consequences for UCalgary and its many stakeholders, including financial penalties and fines of up to $200,000 for individuals and $1 million for organizations. It is also contrary to the UCalgary Code of Conduct and could damage UCalgary’s reputation or trust in the community.
Completing a PIA also identifies potential risks associated with a proposed practice, program, project or service and ensures proper security and risk mitigation measures are taken at the outset to prevent privacy incidents or costly adjustments and delays to your project in the future.