Privacy Impact Assessment

A privacy impact assessment (PIA) is a process used to determine how a particular project, system or initiative could affect the privacy of an individual. The purpose of a PIA is to ensure that privacy considerations are addressed during the planning and implementation of projects that involve the collection, use, disclosure, or storage of personal information.

PIAs support Ontario Tech’s strategic priority of “Tech with a Conscience”, promoting the ethical use of technology to enhance our academic and administrative service offerings while ensuring that stakeholders’ rights and expectations of privacy are respected and upheld.

PIAs consider:

  • The contractual arrangement between the vendor and Ontario Tech
  • The adequacy of technological safeguards and the policies and practices of the vendor as they relate to privacy
  • The university’s obligations under the Freedom of Information and Protection of Privacy Act (FIPPA) and other applicable legislation.

The goal is to generate recommendations to better ensure the privacy of our stakeholders, including providing a notice of collection, minimizing the personal information involved, activating security features where available and/or making sure there are adequate contractual protections in place.

  • When do I need to request a PIA?

    If you are contracting with a third party for services or information systems, the contract requires a legal review, including a PIA, where it involves the transfer, storage or use of personal information.

    You should request a PIA as early as possible where a proposed project has the potential to affect the privacy of Personal Information of identifiable individuals. This may include developing or upgrading computer systems, integrating Personal Information from multiple databases, moving to online service provision, or contracting with a cloud service provider.

  • What information do I need to provide to start the PIA process?

    We ask that you provide the information listed below as a starting point. Please submit the information to

    1. Vendor agreements and terms of service (a copy of the draft agreement between the University and Vendor);
    2. Vendor privacy policies;
    3. Vendor information regarding security and privacy;
    4. Information regarding any partners involved in the provision of the service (e.g. any cloud storage platform used for storing personal information);
    5. Audit certificates and reports related to vendor security and privacy (e.g. SOC 2 Report, ISO certification, HECVAT);
    6. A description of the personal information involved, the number of individuals, and the constituent groups they come from (e.g. students from a particular faculty, employees, alumni);
    7. A description of the integration with any existing systems, and any personal information transferred to/from those systems (e.g. integration with the LMS or Banner systems);
    8. A contact at the Vendor in case we have any further questions.
  • What is Personal Information?

    Personal information is defined under FIPPA. It means recorded information about an identifiable individual. This can include, but is not limited to:

    • an individual’s biographical details (name, sex, age, race)
    • an individual’s biological details (face, fingerprints, blood type, etc.)
    • nationality
    • religion
    • marital status
    • education
    • medical or criminal history
    • financial information
    • identifying numbers, for example, Social Insurance Numbers
    • an individual’s contact details (personal address, phone number, etc.)
    • personal opinions and views.

If you have any questions or concerns, please contact the Privacy Office at