Privacy Impact Assessment
Quebec privacy law requires that Concordia conduct Privacy Impact Assessments (PIA) in a number of circumstances. This section provides examples of situations where a PIA must be conducted.
Why conduct a Privacy Impact Assessment
Conducting a PIA helps the University assess, among other factors:
- How a product, program or service uses, processes or stores an individual’s Personal Information.
- The existence and effectiveness of the safeguards in place which protect Personal Information.
Examples of when a PIA is required
Situations that require a PIA to be completed include:
- Any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, release, keeping or destruction of Personal Information of members of the university community (for example: any cloud-based software or information system which stores and/or processes Personal Information);
- When the University plans to communicate Personal Information without consent to a person or body that wishes to use the information for study, research or statistical purposes;
- When the University plans to communicate Personal Information outside Québec or entrust a person or body outside Québec with the task of collecting, using, communicating, or retaining such information on its behalf;
- When a researcher wishes to use, acquire, or renew a contract for software and/or a cloud-based platform that will collect, process, communicate or store Personal Information regarding research participants;
- When a department or unit wishes to use, acquire, or renew a contract for software and/or a cloud-based platform to manage appointments or room bookings and where it is necessary to provide Personal Information of members of the university community, including student names and email addresses;
- When a department or unit wishes to use, acquire, or renew a contract for software and/or a cloud-based platform to organize online or in-person events and where it is necessary to provide Personal Information, including an event participant’s name and email address, credit card information, etc.;
- When a department or unit wishes to use, acquire, or renew a contract for software and/or a cloud-based platform which includes a chat function and/or where it is necessary for students to provide their Personal Information such as ID numbers to validate their identity;
- When a department or unit wishes to use, acquire, or renew a contract for software and/or a cloud-based platform to use, collect, process or store medical information concerning individuals.
Process to complete a PIA
A PIA is triggered by Procurement when software is purchased through a purchase requisition (PR).
A PIA must be completed by the end-user (staff or faculty) before using software that processes Personal Information in the cloud. As such, the Privacy Impact Assessment form for software use must first be filled out and submitted.
In other situations that do not involve the acquisition of cloud-based software but where a PIA must be completed (e.g., sharing Personal Information outside of Québec), users can consult the Privacy Ambassador in their unit and/or contact the Privacy Officer.
After a fully completed PIA form is received, IITS and Legal Services will carry out further assessments. Users should expect delays of up to 6 weeks between the time that a fully completed form is received and approval.