Policies & Guidelines

Privacy impact assessments

Although not required under the Alberta FOIP Act, Privacy Impact Assessments (PIAs) provide a way to mitigate various privacy risks associated with projects implemented by public bodies that collect, use, and disclose personal information.

Mount Royal University departments can use the Privacy Impact Assessment (PIA) format developed by the Office of the Information and Privacy Commissioner of Alberta (the OIPC) for any department projects that collect, use and disclose personal information.

Completed Privacy Impact Assessments may be forwarded to the Mount Royal University Privacy Office for review. These PIAs are retained on file by the Mount Royal University Privacy Office for future reference.

Depending on the project, the University department can also take an additional step and forward the Privacy Impact Assessment (PIA) to the OIPC for review. The OIPC can then, upon review, decide to "accept" the PIA, which demonstrates that the OIPC is satisfied that the University has made reasonable provisions to protect an individual's privacy.

Because the responsibility for protecting the privacy of individuals falls on the University due to the Alberta FOIP Act, the OIPC will "accept" (rather than "approve") the PIA.

The table (below) provides a summary of Privacy Impact Assessments (PIAs) submitted to the Mount Royal University Privacy Office.

Privacy reviews

A privacy review is a (short-form) privacy assessment that the University conducts for software initiatives or business unit projects.

Any completed privacy reviews are noted in the listing below and are identified by “PR” within the file number.

The privacy review relies on similar privacy controls as the PIA process (above), but follows a shorter review process.

During the privacy review process, any security documentation is retained as part of the file.

Examples of when it may be preferable to conduct a short privacy review (PR) include the following circumstances:

  • The sensitivity of the personal information is low (not financial or health information).
  • The personal information is not in the University’s custody/control, but the initiative may still have a wider community impact.
  • The software initiative has no significant touchpoints (not integrated with institution-wide systems).