Privacy Impact Assessments

Explanation

A privacy impact assessment (PIA) is a compliance and risk management tool used by Coast Mountain College (CMTN) to assess and address privacy risks associated with a new or changing initiative or program. Completing a PIA is a requirement of British Columbia’s Freedom of Information and Protection of Privacy Act (FOIPPA) and is necessary for all initiatives or programs at CMTN.

PIAs help CMTN identify and mitigate privacy risks, make informed decisions about new initiatives that impact privacy, and avoid privacy breaches by including privacy as part of the design of new initiatives or systems.

When to Complete a PIA

A PIA must be completed during the initial development of any new initiatives or software programs at CMTN that collect or use personal information. A PIA is also required when significant changes are made to existing programs or initiatives. 

The PIA must be completed and signed off by CMTN’s privacy officer before the launch of a new or changing initiative or software program. 

What is Considered Personal Information

Personal information is any information that can be used to identify an individual, including but not limited to names, birth dates, student ID numbers, mailing addresses, and medical information.

Responsibility for Completing a PIA

The privacy officer works with the department responsible for the initiative, system, or program to draft the PIA. Technology-based initiatives may also require the involvement of the IT Services Department. When this is the case, the privacy officer can help coordinate the involvement.

To complete a PIA, you will need to know the following information about the initiative:

  • the type of personal information that is being collected
  • the way in which personal information is being collected
  • where the personal information is being stored
  • the way in which personal information is being used
  • persons or entities with whom the personal information is being shared
  • safeguards that are in place to ensure the protection of personal information
  • the privacy risks and mitigation strategies.

Consequences of Not Completing a PIA

A PIA is a legal requirement of FOIPPA, and not completing one may result in non-compliance with provincial legislation, CMTN policies and standards, and other legal and regulatory requirements. A PIA helps identify and build privacy and security requirements in advance of a launch, thereby helping projects minimize potential privacy or security breaches.

Questions about PIAs

If you are planning a new initiative or have questions regarding the completion of a privacy impact assessment, please contact Aman Kang, the privacy officer, at foi@coastmountaincollege.ca