Privacy Risk Assessment Template

< Project Name >
Privacy Risk Assessment
Template Last Updated: July 24th, 2015
Submission Date:
Executive Team:
Project Sponsor:
Service Owner:
Project Manager:
Template Name:
Privacy Risk Assessment Template
Template ID:
RA.1
Project Stage:
Overview of the Privacy Risk Assessment Process
The Privacy Risk Assessment is a process that provides a comprehensive review and evaluation of the
risks and controls associated with the data collection requirements of a cloud-based or hosted solution.
Objective:
To ensure that Queen’s University’s and vendors’ data collection and handling processes are aligned with
the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Information
Protection and Electronic Documents Act (PIPEDA).
Instruction Guide for the Privacy Risk Assessment Template
What is the Privacy Risk Assessment Template?
The Privacy Risk Assessment Template documents the risk assessment reviews conducted for the
software application and services under consideration. It also gives the vendor, project team and
stakeholders a better understanding of how the data collection, storage and handling requirements of
their software applications and services affect the businesses they manage.
The completion of this template is mandatory for all projects that require the collection and storage of
personal information from students and employees.
Who should fill out the Privacy Risk Assessment Template?
The Project Manager, with the assistance of the Service Owner and the Vendor, is responsible for the
completion of this document.
When should the Privacy Risk Assessment Template be filled out?
The Privacy Risk Assessment Template is completed in parts, as the sections are categorized according
to project stage.
What are the sections of the Privacy Risk Assessment Template?
Proposal:
• Solution Information
• Data flow diagram
• Business flow diagram
• Data classification matrix
• Privacy & Security Assessment of Vendor
Investigation:
• Privacy Risk Assessment of Service Owner (Investigation)
Initiation:
• Privacy Risk Assessment of Service Owner (Initiation)
• Contract/NDA/SLA
Planning:
• Privacy Risk Assessment of Service Owner (Planning)
Implementation:
• Privacy Risk Assessment of Service Owner (Implementation)
• Operational documentation
• Creation of Risk Register
• Authorization Sign-off
Action Items for each stage not included in the PRA Template:
Proposal
• Work with PPO to review the tools to use for privacy office and ITS security.
• Introduce data stewards to proposed project idea.
Initiation
• Contract signoff
• Queen’s Non-Disclosure Agreement with vendor
• Service Level Agreement with vendor
Implementation
• Operational documentation – how the service/solution will be managed and monitored
A. Proposal Stage
I.
Solution Information
Project Overview
Insert 3-5 sentences outlining the project overview, business needs and key objectives.
Solution Information
Vendor: <Insert>
Software Name: <Insert>
Overview of Solution: <Insert>
Scope of Personal Information to be shared with vendor:
<Insert list>
Key Stakeholders
Name | Title
II.
Data Flow
The data flow diagram serves as a graphic representation of the flow of data through an information
system. It must illustrate the following:
a. How data is being collected
b. How data is being stored and processed
Note that in some cases, the data flow architecture diagram could be identical to the business flow
diagram. Please see sample below with the recommended level of detail:
III.
Business Flow Diagram
The business flow diagram outlines the existing business processes in place. It should clearly
demonstrate the overall goal of the business process, as well as the requirements involved in every step
of the process.
Please see sample below with the recommended level of detail:
IV.
Data Classification Matrix
The data table below should list all personal information collected from end users.
Personal information is defined as any information that can identify an individual. This includes
employment records such as performance reviews, tax information such as T4 slips, and information
about current students, including grades and transcripts.
Data Element | Data Classification | Purpose | Data Steward | Approval
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Further information regarding data classification at Queen’s University can be found at
http://queensu.ca/cio/security/standards/dcs.html
Please attach the complete data requirements in the appendix.
V.
Privacy and Security Analysis
The Privacy and Security Analysis contains XX questions that should be answered by the Project
Manager, Vendor and Service Owner at different project stages.
B. Investigation Stage
Service Owner
Columns: Question | Response | If Applicable, Indicate the Document Where This is Addressed
A-1 Who is responsible on behalf of the university for compliance with legislation and privacy
principles pertaining to the information involved in the project?
A-2 Why is this collection of personal information required?
A-3 Will collected personal information be used for data matching, data analysis or data profiling?
Will it be anonymized?
A-4 Will collected personal information be linked or cross-referenced to other information systems,
technologies or programs? Will it be anonymized?
A-5 Will collected personal information be used for planning, forecasting or evaluation? Will it be
anonymized?
A-6 Will there be secondary purposes for data collection?
A-7 How are individuals informed of the purposes and authority of data collection?
A-8 What documentation exists for the purposes of data collection?
A-9 Can individuals opt out of data collection?
A-10 How do individuals consent to this use and disclosure of their personal information?
A-11 What alternative is provided to individuals who do not consent to this collection, use and
disclosure of their personal information?
A-12 How long will the collected personal information be retained?
A-13 How will accuracy of personal information be assured?
A-14 What are the privacy requirements of the data?
A-15 Will the privacy and security measures on data collection and handling be available to the
general public?
A-16 How will individuals be able to access their personal information?
A-17 Who is responsible for addressing a challenge concerning compliance with privacy principles and
data protection for the information collection?
A-18 If the personal information is being stored outside of Ontario, what are the legal considerations
for the collection, transmission, storage, disposal and authority of personal information?
Project Manager
Columns: Question | Response | If Applicable, Indicate the Document Where This is Addressed
A-19 Which key stakeholders have been provided with an opportunity to comment on the sufficiency of
privacy protections and their implications on the proposed/existing solution?
A-20 Have you contacted other universities or institutions who have implemented the same solution to
discuss the risks planned for and issues encountered? Please provide feedback.
A-21 Have you consulted University General Counsel on the privacy and security risks & considerations?
Privacy & Security Assessment (Initial Stage) questions should be completed by all vendors bidding in
the investigation stage.
C. Initiation Stage
Service Owner
Columns: Question | Response | If Applicable, Indicate the Document Where This is Addressed
B-1 Provide documentation showing which persons, positions, or employee categories have access to
the personal information records.
B-2 Will user activities be monitored for security and quality assurance purposes?
B-3 Will personal information be disclosed to any persons who are not employees of Queen’s University?
B-4 What control mechanisms are in place to monitor user accounts, access rights and security
authorizations within the system?
B-5 What are the criteria for determining and authorizing "need to know" access to personal
information?
Project Manager
Columns: Question | Response | If Applicable, Indicate the Document Where This is Addressed
B-6 Have privacy and security risks been identified on the Project Risk Register?
Privacy & Security Assessment (Detailed Stage) questions should be completed by all vendors bidding in
the Initiation stage.
D. Planning Stage
Service Owner
Columns: Question | Response | If Applicable, Indicate the Document Where This is Addressed
C-1 Will communications exist to inform individuals how the system works and how their personal
information will be managed?
C-2 What protocols are in place to ensure stored personal information is accurate, complete and
up-to-date?
C-3 How will personal information be updated?
C-4 Will individuals be provided with an option to update all of their personal information?
C-5 Will a log exist to track any changes made to stored personal information in the system?
C-6 What is the system of record for the personal information?
C-7 How will other sources of the same information be updated?
C-8 What are the protocols in place to identify security breaches or disclosures of personal
information in error?
C-9 How will users be notified of a compromise of security or loss of data?
C-10 How will requests from individuals for access to and correction of personal information be
recorded and tracked?
E. Implementation Stage
Service Owner
Columns: Question | Response | If Applicable, Indicate the Document Where This is Addressed
D-1 Has your staff been formally trained for handling personal information?
D-2 Does the vendor agreement establish privacy requirements?
Project Manager
Columns: Question | Response | If Applicable, Indicate the Document Where This is Addressed
D-3 Has the Privacy Risk Assessment been fully completed?
Privacy and Security Risk Register
Based on your responses in the Section VI (Privacy and Security Analysis), please fill out the risk register
below.
Columns: Risk Description | Risk Likelihood (Low, Medium or High) | Risk Consequence (Low, Medium or
High) | Owner | Risk Mitigation
Example row:
• Risk Description: The contract with Vendor is already in place and may not have been reviewed by
legal counsel for security and privacy provisions
• Risk Likelihood: Low, Medium or High
• Risk Consequence: Low, Medium or High
• Owner: Project Manager
• Risk Mitigation: Future agreements or amendments should be reviewed by legal counsel for security
and privacy contractual provisions needed in contract. Feedback from George Farah, Information
Systems Security Office, requests that agreements should include:
  • Data retention policies
  • Security exposures practices
  • Incident identification and notification processes
Appendix 1: FIPPA
“Personal information” (FIPPA) means recorded information about an identifiable individual, including,
(a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation
or marital or family status of the individual,
(b) information relating to the education or the medical, psychiatric, psychological, criminal or
employment history of the individual or information relating to financial transactions in which the
individual has been involved,
(c) any identifying number, symbol or other particular assigned to the individual,
(d) the address, telephone number, fingerprints or blood type of the individual,
(e) the personal opinions or views of the individual except where they relate to another individual,
(f) correspondence sent to an institution by the individual that is implicitly or explicitly of a private or
confidential nature, and replies to that correspondence that would reveal the contents of the original
correspondence,
(g) the views or opinions of another individual about the individual, and
(h) the individual’s name where it appears with other personal information relating to the individual or
where the disclosure of the name would reveal other personal information about the individual;
“Business identity”: (FIPPA) Personal information does not include the name, title, contact information
or designation of an individual that identifies the individual in a business, professional or official
capacity.
The purpose of FIPPA is: to provide a right of access to information under the control of institutions in
accordance with the principles that information should be available to the public, that necessary
exemptions from the right of access should be limited and specific, and that decisions on the disclosure
of government information should be reviewed independently of government; and to protect the privacy
of individuals with respect to personal information about themselves held by institutions and to provide
individuals with a right of access to that information.
The provisions of Part 3 of FIPPA apply to personal information – that is, recorded information about an
identifiable individual – in the custody or under the control of a public body.
FIPPA assessment is based on questions addressing:
1. Collection; (Sec. 38(2))
2. Use; (Sec. 41)
3. Disclosure; (Sec. 42)
4. Retention; and (Sec. 40(1))
5. Destruction. (Sec. 40(4))
Appendix 2: PIPEDA
PIPEDA is federal legislation aimed at protecting individuals’ private information. It governs how private
sector organizations collect, use and disclose personal information in the course of commercial
business. The assessment of PIPEDA is based on a series of questions grouped by the following ten
fundamental privacy principles:
Principle 1 - Accountability
An organization is accountable for personal information under its control and shall designate an
individual(s) who is/are accountable for the custodian’s compliance with the appropriate legislation and
the Principles adopted by Queen’s University.
Principle 2 - Identifying Purposes
The purposes for which personal information is collected shall be identified by the custodian at or
before the time the information is collected. Individuals must be told why their personal information is
being collected at or before the time of collection.
Principle 3 - Consent
Consent of the individual is required for the collection, use and disclosure of personal information,
except where obtaining consent is inappropriate.
Principle 4 - Limiting Collection
The primary purpose of the collection of personal information is to benefit the individual. Collection for
a use which is not the care and treatment of the individual shall be restricted to what is necessary and
shall not impede the collection of information for the primary purpose. Information shall be collected
by fair and lawful means.
Principle 5 - Limiting Use, Disclosure, and Retention
Personal information shall only be used or disclosed for purposes for which it was collected, except with
the consent of the individual or as required by law. The purpose of the use, disclosure and retention of
personal information is to benefit the individual. Any other use or disclosure shall be restricted to what
is necessary and shall not impede the collection of information.
Principle 6 - Accuracy and Integrity
The accuracy and integrity of personal information are necessary to offer the services required, to
respect the individual’s right to privacy, and to meet the requirements for its collection, use or disclosure.
Principle 7 – Security Safeguards
Personal information shall be protected by security safeguards appropriate to the information and
against unintended or unauthorized access, use or intrusion, or such dangers as accidental loss or
destruction.
Principle 8 - Openness
The custodian shall make readily available to individuals specific information about its policies,
procedures and practices relating to the management of personal information.
Principle 9 - Individual Access
Individuals have the right to access their own personal information. Upon request, an individual shall be
informed of the existence, use and disclosure of his or her personal information and shall be given
access to that information. An individual shall be able to challenge the accuracy and completeness of
the information and have it amended as appropriate, subject to exceptions.
Principle 10 - Challenging Compliance
Individuals shall be informed that the custodian’s policies, procedures and practices are open to scrutiny
and challenge. An individual shall be able to challenge compliance with the above Principles.