Privacy impact assessments (PIAs) are managed by the Privacy Office and help Dalhousie University measure and mitigate potential information privacy and security risks associated with new or changing tools and technologies. A PIA must be completed for all new or substantially modified systems, projects, programs, or activities that collect, use, store, and/or disclose personal information.
The assessment is a series of questions focused on the treatment and protection of personal information. Questions might include: How is the information collected, used, and stored? By whom and for what purpose? Where is the information stored? How long is it retained? An assessment ensures that data is handled responsibly and in compliance with applicable legislation and Dalhousie’s policies and procedures.
Who conducts a Privacy Impact Assessment?
PIAs are managed by the Privacy Office. The Chief Information Security Officer, Records Manager, Legal Counsel, and representatives from faculties or units play a key role in the PIA process.
What role does ATS play?
Mike Duggan, instructional technologies architect, has been part of a few assessments. The most recent was for Turnitin, the new text-matching software integrated with Brightspace. Mike says his role is “to find the information required for the assessment from the vendor, whether that be in the vendor’s privacy policy, or a Higher Education Community Vendor Assessment Tool (HECVAT).” Mike uses what the vendor provides in the HECVAT to complete the assessment. The full HECVAT forms may contain 200+ rows of questions to complete; finding the information relevant to our needs can be a challenge.
As detailed as the HECVAT is, it doesn’t capture everything. For example, for Brightspace-integrated tools like Turnitin, the Privacy Office might ask for an access matrix to understand who will have access to what data. That is a question Mike can answer, but other questions might require more information from the vendor. The review process can take time.
Once the Privacy Office approves the PIA, Jason Flynn, manager of academic technology operations, works with legal counsel to finalize the contract. In fact, from the time a new product is identified, Jason is actively working with Mike, the Legal team, the Privacy Office, and the vendor to move the process forward and prevent or minimize delays.
For further information on Privacy Impact Assessments, please contact the Privacy Office: foipop@dal.ca.