Privacy Impact Assessments

As of 1 July 2025, Ontario's Freedom of Information and Protection of Privacy Act (FIPPA) requires institutions, including Queen’s University, to prepare a written Privacy Impact Assessment (PIA) before:

  • any new collection of personal information, or
  • any significant change to the purpose for which an existing collection of personal information is used or disclosed.

What is a PIA?

A PIA is a risk management tool used to identify and mitigate potential privacy and security issues when someone’s personal information is collected and used. A PIA:

  • confirms the proper safeguards are in place to protect personal information
  • promotes transparency and accountability
  • increases trust in Queen’s University’s systems and processes

How is a PIA conducted?

Queen’s has developed a PIA form to facilitate this process. Units intending to collect personal information, or to make a significant change to the purpose for which they are using or disclosing personal information, must complete the form and submit it to the Records Management and Privacy Office for approval before collecting any personal information or implementing intended changes.

Please leave adequate time for completing the PIA as there may be further consultation required before approval. The Records Management and Privacy Office generally requires two weeks to review and approve a PIA. More time may be needed if clarification is necessary.

Queen's is required to provide a copy of the PIA to Ontario's Information and Privacy Commissioner if the commissioner requests a copy.

Are there any exceptions to the requirement to complete a PIA?

  • If personal information is being collected in a new cloud solution (externally hosted information technology) for which you or your unit is responsible, the PIA will normally be incorporated in the Security Assessment Process, and this PIA form does not need to be completed. However, if personal information is being collected using existing software tools (e.g., M365, Qualtrics), a PIA is required.

  • Personal information collected, used and disclosed for a research purpose where the research is subject to Research Ethics Board review does not require completion of a PIA form. Privacy impacts will be assessed through the REB review process. However, administrative surveys do require a PIA.

  • Personal information collected, used and disclosed in relation to employment or labour relations may not require a PIA. Certain employment and labour relations-related information falls outside the scope of FIPPA as described in our Notice of Collection for Employees. However, these records contain sensitive personal information and must be protected like other personal and confidential information in accordance with the university's privacy and cybersecurity policies, procedures and standards. If you are planning a new collection or significant change to a use or disclosure of employment or labour relations-related personal information, you are encouraged to contact the Records Management and Privacy Office, which may recommend a PIA.

  • The requirement to conduct a PIA is not retroactive. Collections of personal information that occurred, or are part of processes that were put in place, prior to 1 July 2025 are not subject to the new PIA requirements. However, units will be required to complete a PIA if substantial changes to any of the following occur:
      •  
      • the use for which the personal information is collected 
      • who we share the personal information with, or disclose it to