The University of Guelph is committed to respecting the privacy of all those who work and study here, particularly in relation to the collection of personal information. As part of its ongoing efforts to protect privacy, the University has instituted measures to ensure that personal information is collected, used, and stored appropriately. Under the Freedom of Information and Protection of Privacy Act [1] (FIPPA), the University is required to conduct a Privacy Impact Assessment (PIA) prior to the collection of any personal information.
What is Personal Information?
Personal information is recorded information about an identifiable individual. It can include, but is not limited to, information about one’s age, race, sex, marital status, educational, employment and medical history, unique numbers such as SIN or student numbers, and one’s name when used in conjunction with another identifying piece of information.
It is important that personally identifiable information is collected only when necessary. For example, student numbers should not be revealed on posted class lists because it is unnecessary, and it would be relatively easy for someone to associate that number with a person’s name, address, grades, and other personal information.
Privacy Impact Assessments
The purpose of a PIA is to identify potential information privacy and security risks for University initiatives that may use, access, or store personal information. The PIA process is used to determine how a program or service could impact the privacy of an individual. PIAs are particularly important when implementing a new initiative or system which involves the collection of personal information that was not previously collected or was collected using a different system or process.
All new University initiatives that involve collection of personal information must participate in a PIA before any collection of personal information occurs. Most PIAs will involve a written assessment of specific privacy considerations and the steps to be taken to prevent, reduce, or mitigate privacy risks. Complex projects may require an external assessment, and any cost associated with an external assessment will need to form part of the project budget.
IMPORTANT NOTE: Initiatives being processed through the Information Security and Risk Assessment and/or the Research Ethics Board for Human Participants are not required to complete a PIA as the collection of personal information is addressed within their approval processes.
How to Complete a Privacy Self-Assessment
Please complete the Privacy Self-Assessment Form [2] and send it to privacy@uoguelph.ca [3]. Proponents of initiatives with a medium or high-risk classification will be required to work with the Information Governance & Privacy Office to address practices to safeguard the collection, use, access or storage of personal information.
It is important to begin the PIA process early in the initiative timeline to ensure adequate time to address any privacy risks identified. Depending on the complexity of the initiative, a PIA can take up to 1 – 2 months to complete.
If you are unsure as to whether your initiative requires a PIA, please contact the Information Governance & Privacy Office [4] for further information.