Privacy Impact Assessment FAQs
Frequently Asked Questions
What is a Privacy Impact Assessment (PIA)?
A Privacy Impact Assessment (PIA) is a formal process for identifying, evaluating, and mitigating privacy and security risks associated with activities that involve personal information. Every project that collects personal information should have a PIA that tracks it throughout its life, from beginning to end.
PIAs are now a legal requirement at Laurentian for all new or significantly changed activities involving personal information, as mandated by Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA).
PIAs help ensure compliance, build trust, and protect individuals and the institution from privacy breaches and reputational harm.
What is Personal Information?
Personal information is any recorded or unrecorded information about an identifiable individual. This includes, but is not limited to: name, age, race, religion, contact details, academic records, financial information, medical or criminal history, identifying numbers, and personal opinions.
Why are PIAs required at Laurentian?
As of July 1, 2025, PIAs are mandatory under FIPPA before collecting personal information.
This applies to all new or significantly changed activities that collect, use, retain, disclose, or dispose of personal information.
This requirement is overseen by the Information and Privacy Commissioner of Ontario.
What issues does a PIA address?
A PIA examines: Purpose and legal authority for collecting, using, or disclosing personal information; Types and sources of personal information involved; Risks to individuals and the institution; Safeguards and mitigation steps; Roles and responsibilities for privacy protection; Retention and disposal practices; Compliance with all relevant legislation and policies.
What are the consequences of not completing a PIA?
Failure to complete a required PIA is a breach of Laurentian’s legal obligations under FIPPA.
The Information and Privacy Commissioner can investigate, issue public decisions, and order changes.
Deficient PIAs expose the university and responsible individuals to legal, reputational, and personal consequences.
When must a PIA be started or updated?
Start a PIA before launching any new project or activity involving personal information.
Update the PIA before making any significant change to the purpose, technology, or process involving personal information.
PIAs are living documents and should be updated as projects evolve.
Who is responsible for PIAs at Laurentian?
PIA compliance is a shared responsibility.
Project leads, program owners, and all staff involved in activities with personal information must participate.
The Office of General Counsel (OGC) and Information and Privacy Officer provide expert support, forms, and guidance, conduct the assessment with information you provide, and draft the PIA Report.
What support does Laurentian provide for PIAs?
The OGC and Information and Privacy Officer will help you to identify activities requiring a PIA, provide forms and guidance, conduct the analysis and prepare the official PIA report, advise on risk mitigations and compliance steps, and maintain documentation for accountability and IPC requests.
How much time and effort does a PIA take?
The time required depends on the complexity of your project. Simple activities may take a few days; complex projects with advanced technology or large data sets may take weeks.
Early engagement with the Information and Privacy Officer is recommended to avoid delays.
What information is required for a PIA?
For your PIA, you will need to provide: detailed project description and objectives; types and sources of personal information; roles and responsibilities; technology and security measures; retention and disposal plans; and involvement of service providers and other third parties.
We will provide you with the right questionnaires and work with you to collect only what is needed.
How are PIAs approved and stored?
PIA reports must be approved by University decision-makers and documented.
Laurentian maintains a centralized repository for PIAs, accessible for review, updating, and providing to the IPC if required.
Can PIAs be shared with other organizations?
PIA reports are Laurentian records. Consult the OGC or Privacy Office before sharing any PIA documentation externally.
Can we rely on a vendor’s PIA?
No, the University is legally required to prepare a PIA before collecting personal information.
Vendor PIAs can provide useful information for the PIAs that the University conducts and may simplify some of the University's information gathering. But the University is legally required to perform its own PIA to FIPPA standards.
What happens if a privacy breach occurs?
Laurentian must provide PIAs and supporting documentation to the IPC upon request, especially in the event of a breach. Robust PIAs help demonstrate due diligence and compliance, reducing institutional risk.
What about research and employment activities?
Many research activities and employment/labour relations activities may be exempt from PIA requirements under FIPPA, but context matters.
Some portions of these activities, or information associated with or derived from them, may be subject to PIA requirements.
Additionally, privacy questions should always be discussed with OGC or the Information and Privacy Officer because there may be privacy or security concerns even if a PIA is not required.
Always use the PIA Intake Form to confirm whether a PIA is needed for your specific activity and consult the Information and Privacy Officer if you have questions.
What are some common privacy risks addressed by PIAs?
Unauthorized access, use, or disclosure of personal information; Collection of unnecessary or excessive personal information; Inadequate security measures; Invasive or poorly configured software; Excessive or privacy-invasive AI or algorithmic processing; Retention beyond required periods; Failure to notify individuals or obtain necessary consents; Risks from third-party service providers, their staff, and agents.
What is ‘demonstrable accountability’?
Laurentian must comply with privacy laws and other requirements, and also be able to show, with documentation and evidence, that compliance has been achieved.
If our actions are not documented, we cannot prove or demonstrate that they happened.
PIAs support demonstrable accountability by documenting that Laurentian assessed privacy and security for activities with personal information, that we identified and implemented mitigations, that our PIAs were properly reviewed and approved by appropriate University officials, and that we went back and re-evaluated, mitigated, and approved as necessary when changes occurred.
Where can I get help or more information?
Please contact the Information and Privacy Officer at privacyinquiries@laurentian.ca for support, forms, guidance, or to discuss your project’s privacy requirements.