Privacy Impact Assessments at Laurentian University
What is a PIA?
A PIA is a formal, structured process for identifying and mitigating privacy risks associated with programs, activities, services, technologies, or systems that involve the collection, use, disclosure, retention, or disposal of personal information, and for evidencing institutional understanding and acceptance of the activities assessed and any residual risks they carry.
A well-performed PIA confirms that the University has assessed identifiable and foreseeable privacy risks, that it has addressed those risks through mitigations and harm reductions, and that a responsible University decision maker has reviewed and approved the PIA and the mitigations as being sufficient for the activity to proceed in compliance with privacy and security legal and practice requirements and expectations.
All of this is comprehensively documented in PIA working documents, worksheets and templates, project documentation, vendor documentation, applicable standards and requirements, certifications and attestations, mitigation and harm reduction records, and completed and approved PIA Reports. These must be provided to the Information and Privacy Commissioner on request.
What is personal information?
Personal information is defined in the Freedom of Information and Protection of Privacy Act (FIPPA) as information about an identifiable individual. This includes, but is not limited to: name, age, race, religion, contact details, academic records, financial information, medical or criminal history, identifying numbers, and personal opinions. Personal information also includes unrecorded information about identifiable individuals, such as spoken information.
While personal information generally does not include information about individuals acting in a professional or official capacity, it does include all information about individuals acting in their personal capacity. Consequently, almost all information about students and their academic activities and outcomes, identities, contact information, and most other characteristics and data about them is personal information. Likewise, information about other community members, parents, and most members of the public who interact with the University will generally be personal information.
What does a PIA do?
A PIA is a systematic process to carefully and comprehensively:
- Assess legal authority to work with personal information in an activity or project
- Map, examine, and assess the project or activity
- Assess and consider what is done with personal information in the project or activity
- Identify and document privacy risks and possible harms for mitigation
- Confirm and document the performance of necessary risk mitigations
- Confirm institutional responsibility with appropriate review and approval of the PIA
Benefits of PIAs
PIAs have several useful and positive purposes, including:
- Foster trust with students, community members, and the public
- Reduce implementation surprises, problems, and re‑work/fixes
- Facilitate smoother procurement and contracting
- Help to secure institutional approval and necessary resources
- Reduce the likelihood of:
  - privacy breaches,
  - harm to data subjects,
  - IPC investigations, and
  - reputational harm to projects and the University
- Support accountability and oversight by the IPC
- Demonstrate and document compliance with FIPPA requirements
About the PIA Requirement
Before July 1, 2025, PIAs were a best practice – something that institutions did at their own discretion to protect privacy and manage risk.
As of July 1, 2025, the preparation of a written PIA is required by FIPPA, before any personal information can be collected. This legal obligation is overseen by the Information and Privacy Commissioner. FIPPA was amended to require PIAs through Bill 194, which also enacted the Digital Security and Trust Act.
As it is governed by FIPPA, the University must complete a PIA as required by FIPPA section 38(3) prior to collecting personal information in its activities. This legal duty applies to all individuals responsible for activities that collect personal information at, for, or on behalf of the University.
The completion of a PIA includes the mitigation of identified risks as well as review and approval by University officials responsible for the activity before personal information is collected.
The University is required to provide PIAs to the IPC on request.
What activities require a PIA?
PIAs are required for all new or significantly changed programs, activities, systems, services, technologies, or initiatives that involve the collection, use, disclosure, or retention of personal information. This can be any activity that involves personal information, whether simple or complex, part of a program of study or administrative, and whether delivered by University staff or services or by outside contractors or service providers.
In other words, the legal requirement for PIAs extends to all University activities involving personal information, and a PIA is required when the University:
- Intends to collect personal information for a program, activity or service
- Makes a change to:
  - The purpose for which personal information is collected, used, or disclosed
  - The manner of collection, use, disclosure, retention, or storage, such as cloud storage or services, a new vendor/service provider, AI/analytics, or biometrics
- Implements new technology that processes personal information (e.g., proctoring tools, face detection, IoT devices, AI models)
Examples of activities that will certainly require a PIA or privacy advice include:
- Student‑facing systems (LMS integrations, exam tools, advising platforms).
- Alumni, advancement and donor systems.
- Research-related administrative systems not already covered by REB.
- Security technologies (CCTV, access control, biometrics, location tracking).
- Vendor‑provided cloud services processing university data.
Even if a PIA is Not Needed, Please Consult
FIPPA contains exclusions for certain types of information, including research information and human resources and employment information, so some of these activities may not require PIAs because their privacy requirements are met by a research ethics board (REB) or are built into University employment or human resources policies and procedures. Nevertheless, if in doubt, we ask that you contact University legal counsel about your activity or project, or enter it in the PIA Intake form, as there may be aspects of these activities that require a PIA. Additionally, activities involving personal information may have privacy implications that need to be assessed by the Office of the General Counsel (OGC) to prevent other legal or regulatory issues, even if a PIA is not required.
For example, research involving human participants that is reviewed and approved through an REB is generally governed by REB processes and its privacy and confidentiality should be assessed by the REB, consistent with TCPS 2 requirements, but administrative and other systems and activities supporting or used with research may need a PIA.
If in doubt, contact OGC or the Information and Privacy Officer early; we will advise whether a PIA is required or whether other processes, such as REB review, information security assessment, or contract review, are necessary or appropriate.
Our PIA process
We ask that you use the PIA Intake button and process to start working with us.
When you press the button, you will receive a brief questionnaire that collects very basic information about your activity and confirms whether personal information is involved, and therefore whether a PIA is required.
We will assess your answers and get back to you promptly to let you know if a PIA is needed. If it is, we will also work with you to get you the right questionnaires to fill in so that we can complete the PIA.
Because you will know the details of the activity, we will ask you for the information that we will need to assess it at the depth and detail necessary to complete a PIA that complies with FIPPA requirements and that meets the standards set out in the IPC Privacy Impact Assessment Guide.
We may need to get back to you for additional information or details as we go, but our intention is to make your work as simple and brief as possible, while still obtaining the necessary information to perform a compliant PIA.
We will use your information to assess matters such as legal authority, whether you are collecting only the personal information that is necessary and no more, and whether security is strong and consistent with current standards. We will also work with your vendor(s) to ensure that our arrangements with them, their practices, and their contractual conditions are privacy protective and secure.
We will then get back to you if there are any necessary mitigations, and after those are performed, we will have the PIA reviewed and approved by the University.
We will only ask for what is necessary to complete the PIA. We ask you to be transparent and complete in providing information to us. The University and your activity will succeed or fail based on the quality of the PIA that we can produce, and the quality of the PIA will depend entirely on the quality and completeness of the information on which it is based.
All of these steps are necessary for a legally compliant PIA. We will handle all legal and technical privacy and security steps, in collaboration with University IT and cybersecurity staff and other specialists as necessary to produce the PIA Report.
We work this way because you have the essential information about the activity, we have the necessary legal knowledge, our IT and cybersecurity specialists have the necessary security knowledge, and other specialists may be needed for technical or specialized PIAs.
For simple activities, PIAs may be very straightforward, brief, and quick to complete, while PIAs for complex activities may require substantial time and the participation of a larger and more complex team.
For this reason, we ask that you consider the time required to complete a PIA when planning the go-live date of your activity or project, and build in enough time for the PIA. Please do not hesitate to consult with OGC or the Information and Privacy Officer if you would like to discuss the expected timing of a PIA for an activity that you are planning.
The University PIA Repository
Completed and approved PIAs will be kept in the University PIA Repository to:
- Track risk mitigations and harm reductions and confirm when they are performed,
- Update PIAs as risk mitigations and harm reductions are performed,
- Update PIAs as changes to programs occur,
- Record and retain completion and approval dates and PIA versions,
- Provide assessments to the IPC as required by FIPPA