The following questionnaire has been designed to assist the privacy impact assessment
facilitator. Privacy Impact Assessments (PIAs) are a valuable method for identifying privacy risks
and preparing mitigation strategies. If your organization collects personally identifiable
information (PII), it should conduct one PIA for each unique PII data set to ensure compliance and
identify unmitigated risks.
As defined by the Canadian Institute of Chartered Accountants (CICA) and the American Institute
of Certified Public Accountants (AICPA), personally identifiable information is any information
relating to an identified or identifiable individual, broken into the following two categories:
(a) 'Private Information' (PI): the customer's name, address, telephone number, social
security/insurance number, other government identification numbers, employer, credit card numbers,
personal or family financial information, personal or family medical information, employment
history, history of purchases or other transactions, credit records and similar information.
(b) 'Sensitive Private Information': medical or health conditions, racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade union membership, sexual preferences.
Privacy Principles
1.1. Has responsibility for organizational privacy oversight been assigned to a specific
individual? Y/N
1.2. Are the roles, responsibilities and reporting structure of that person documented? Y/N
1.3. Have performance requirements been specified in a measurable way, and are they subject to
management review? Y/N
1.4. Are independent third-party audits facilitated to review privacy practices? Y/N
1.5. Has the organization retained the legal right to collect, use, disclose, archive and
dispose of personally identifiable information under its custody? Y/N
1.6. Has the organization retained the legal right to audit and enforce data protection
principles with its external service providers? Y/N
2.1. Is the business purpose for the collection, use, retention and disclosure documented? Y/N
2.2. Has the purpose for collection been mapped to the business purpose? Y/N
2.3. Has the purpose for collection been mapped to a specific statute or regulation? Y/N
2.4. Is the purpose for collection based on an exception for debt collection,
investigations or media? Y/N
2.5. Have the organization's customers been formally notified of the purpose for the
collection? Y/N
3.1. Can the requirements for information collection be limited or reduced? Y/N
3.2. Is personally identifiable information collected directly from the individual? Y/N
3.3. Is personally identifiable information collected indirectly through other programs? Y/N
3.4. Is personally identifiable information collected indirectly through external parties? Y/N
3.5. Will customers' online activity be monitored and related information collected? Y/N
3.6. Is the information collected for planning, forecasting or evaluation purposes? Y/N
3.7. Can the information collected be made anonymous and still meet the business
purpose? Y/N
4.1. Was the consent clearly linked to the purpose for collection and usage? Y/N
4.2. Did the consent clearly and unambiguously specify that personally identifiable
information can be collected, used and disclosed? Y/N
4.3. Did the individual implicitly consent to the collection of their personally identifiable
information? Y/N
4.4. Was the consent to collect personally identifiable information implied? Y/N
4.5. Was consent gathered based on the individual's option to 'opt in'? Y/N
4.6. Was consent gathered based on the individual's option to 'opt out'? Y/N
4.7. Was personally identifiable information collected indirectly from external third
parties? Y/N
4.8. Does consent allow for secondary uses such as service improvements? Y/N
4.9. Have procedures been created to obtain further consent for usage not previously
identified? Y/N
6.1. Are updates to customer records recorded, including date, time stamp and user
account? Y/N
6.2. Have procedures been documented and communicated to customers regarding
access to and maintenance of inaccurate records? Y/N
6.3. Are records kept of requests for access to records? Y/N
6.4. Can customers access their personal information without disrupting regular
operations? Y/N
6.5. Has field-level validation been implemented for interactive updates to records? Y/N
6.6. Has exception reporting been implemented for batch file processing? Y/N
6.7. Are errors in information processing monitored and investigated? Y/N
6.8. Are external parties notified of corrections? Y/N
7.1. Has a risk assessment been facilitated for the information asset? Y/N
7.2. Are regular user account access rights and privileged access rights authorized and
recorded? Y/N
7.3. Have the roles and responsibilities of asset owners and custodians been documented
and communicated? Y/N
7.4. Have an information handling practice and standard been documented for the
collection, transmission, storage and disposal of personal information? Y/N
7.5. Has a breach protocol been documented and communicated to all stakeholders? Y/N
7.6. Have the organization's employees been trained on the requirements for protecting
personal information? Y/N
7.7. Has a process been documented for granting users access to the maintenance
application to add, change or delete personal information? Y/N
7.8. Does the business system include audit logging of access to personal information,
including date and time stamping and user account? Y/N
This guidance explains how to carry out a Data Protection Impact Assessment (DPIA). It builds
on the more general guidance on Privacy Impact Assessments issued by the Information
Commissioner's Office.
Is a DPIA required?
A DPIA should be completed for any initiative that involves the processing of personal data or
any other activity that could impact the privacy of individuals. Examples are:
A DPIA should be completed for new initiatives or for changes to existing systems or processes.
It may also be a recommended outcome from a formal investigation into an information security
incident or weakness at the University.
The first step in conducting a DPIA is a screening process to decide whether the detailed work in
the subsequent steps will be required.
A DPIA must be completed for all research projects that may impact the privacy of individuals
and/or involve the use of personal data.
Responsibility for ensuring that a specific DPIA is completed lies with the individual responsible
for the initiative, such as:
Please note that in the case of research projects, the DPIA template is not mandatory; the
assessment can be recorded in the project's Data Management Plan instead.
Conducting a DPIA
Step One - Identify the need for a DPIA
Complete the DPIA screening questions in the DPIA template. If the answer to any of the
screening questions is 'Yes', a DPIA is required. Below are the screening questions, with some
additional context and examples to help determine answers.
Consultation should begin during this step (see Consultation section beneath Step 6 below).
Record the identified risks in the DPIA template. This forms the core of the DPIA process. The
aim is to compile a comprehensive list of all of the privacy risks associated with the initiative,
whether or not the risks require action.
A unique identifier
A description of the risk
An assessment of the impact of the risk (severe, major, moderate, minor, insignificant)
An assessment of the likelihood of the risk (very likely, likely, neither likely nor unlikely,
unlikely, very unlikely).
Identify controls to mitigate the risks and record them in the DPIA template. The aim is to
identify sufficient controls to eliminate each of the risks identified in Step Three, or to reduce
them to a level which is acceptable to the University. For some identified risks, no controls may
be required because the likelihood is so low and/or the impact so small that the risks are
acceptable to the University.
Once a control is identified, the expected result of its implementation should be recorded i.e.
whether it is likely to:
Proposed controls should then be approved by an appropriate individual. Normally this should be
the information asset owner or their nominated delegate, but it could also be:
Allocate the controls to appropriate individuals and record an agreed deadline for
implementation.
In the case of formal University projects, the implementation of many of the controls will fall
within the scope of the project, so should be managed in the same way as any other project task.
However, the implementation of some controls will be beyond the scope of the project (such as a
change to University policy) so related tasks should be assigned through the University's normal
management processes and added to the list of project dependencies. Where initiatives are being
run informally, or as 'business as usual' activities, the University's normal management processes
should be used to identify who will implement the controls and agree an appropriate deadline. In
all cases, a named individual and deadline for completion should be assigned and recorded.
In the absence of formal project management documentation, the DPIA should be used to record
when controls are implemented.
After the controls have been implemented, re-assess the risks and record the outcome in the
DPIA template. The risks then need to be accepted by an appropriate individual. Normally this
should be the information asset owner or their nominated delegate, but it could also be:
The individual who signs off the risks should have a clear understanding of the initiative,
particularly the privacy risks and how the controls address them. If any risk has not been reduced
to an acceptable level after implementation of the controls identified in Step Four, additional
controls will need to be identified and Step Five and Step Six will need to be repeated.
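The risk register workflow described in the steps above (record each risk with its identifier, description, impact and likelihood; allocate approved controls to a named individual with a deadline; re-assess and accept the residual risk, repeating the steps where it is still unacceptable), written as a small Python model. This is an added example, not the University's DPIA template or any code from the page. The impact and likelihood scales are the page's; the tolerance rule in acceptable() is a hypothetical placeholder, since the guidance leaves the acceptable level to the University.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Scales exactly as the guidance lists them; index 0 is the most serious.
IMPACT = ["severe", "major", "moderate", "minor", "insignificant"]
LIKELIHOOD = ["very likely", "likely", "neither likely nor unlikely", "unlikely", "very unlikely"]

@dataclass
class Control:
    description: str
    owner: str                 # named individual allocated in Step Five
    deadline: str              # agreed completion date (ISO format)
    approved_by: str = ""      # information asset owner or nominated delegate
    implemented: bool = False  # set when the control is actually in place

@dataclass
class Risk:
    """One register row: unique identifier, description, impact and likelihood."""
    risk_id: str
    description: str
    impact: str
    likelihood: str
    controls: List[Control] = field(default_factory=list)
    residual: Optional[Tuple[str, str]] = None  # (impact, likelihood) after Step Six
    accepted_by: str = ""

    def __post_init__(self):
        if self.impact not in IMPACT or self.likelihood not in LIKELIHOOD:
            raise ValueError(f"{self.risk_id}: rating must use the template scales")

def acceptable(impact: str, likelihood: str) -> bool:
    """Hypothetical tolerance line (assumption): minor or below, or unlikely or below."""
    return IMPACT.index(impact) >= 3 or LIKELIHOOD.index(likelihood) >= 3

def reassess(risk: Risk, impact: str, likelihood: str, accepted_by: str) -> None:
    """Step Six: record the residual rating only once every control is approved and implemented."""
    pending = [c.description for c in risk.controls if not (c.approved_by and c.implemented)]
    if pending:
        raise RuntimeError(f"{risk.risk_id}: controls not yet approved/implemented: {pending}")
    risk.residual, risk.accepted_by = (impact, likelihood), accepted_by

def outstanding(register: List[Risk]) -> List[str]:
    """Ids still needing work: controls awaiting re-assessment, or a rating that is not acceptable."""
    todo = []
    for r in register:
        rating = r.residual or (r.impact, r.likelihood)  # residual if assessed, else initial
        if (r.controls and r.residual is None) or not acceptable(*rating):
            todo.append(r.risk_id)  # repeat Steps Four to Six for these
    return todo
```

A risk with no controls closes on its initial rating alone, matching the guidance that some risks need no controls because they are already acceptable.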