
Privacy Impact Assessments

On July 1, 2025, privacy impact assessments (PIAs) became mandatory under the amendments to the Freedom of Information and Protection of Privacy Act (FIPPA) introduced by Bill 194. If you are launching or revising an initiative (a system, project, program, policy or activity) that involves personal information, you must complete a PIA.

We are working to develop a more streamlined process, but in the meantime, to get started:

  1. Download our PIA Form template and answer all of the questions.
  2. When you are done, complete the PIA Submission Google Form and upload your completed PIA Form.
  3. A member of the Privacy Team will review your answers and determine whether additional assessments are required within 10 business days.  
  4. If you have any questions or issues, please contact us at privacy@torontomu.ca.

When and How to Get Privacy Advice

Purpose

  • Explain when and why to contact our office for risk management advice

  • Our services include:
    • Information Access and Privacy
    • Legal Services
    • Records Management

Risk Assessment "Wheel"

  • Project Lead (you) is the “Hub” of the wheel
  • Risk Assessors as well as other stakeholders are “Spokes” of the wheel

Role:

  • PL is the employee or “Hub” of the wheel who is responsible for leading or managing the project

  • PL coordinates communications between all the “Spokes” including:

    • Risk assessors, decision makers, other advisors as well as vendors

  • Manages official project records

  • Ensures compliance with Ryerson policies

Role:

  • Approves the project

  • PL usually reports to the decision maker

  • Decides whether to accept risk assessors’ recommendations regarding identified risks

Role:

  • Provides advice and recommendations related to:

    • Protecting personal information and compliance with privacy legislation

    • Maintaining records including managing the life cycle of records and information from creation to disposition

    • May advise on compliance with University Administrative Policies

Timing:

  • PL contacts the Privacy Office while drafting the business requirements and before going to the market for a vendor solution

Role:

  • Provides advice and assists PL with navigating the procurement process as well as advises on financial risks

  • For Contracts over $25,000, Purchasing coordinates with Legal Services as well as other advisors and potential suppliers during the procurement process

Timing:

  • PL contacts Purchasing while/after completing the business requirements and prior to going to the market for a vendor solution

Role:

  • Provides advice and assists PL with navigating the insurance requirements

Timing:

  • PL contacts Insurance while completing the business requirements and prior to going to the market for a vendor solution

Role:

  • Provides advice and recommendations related to information systems security risks

Timing:

  • PL contacts CISO while drafting the business requirements and before going to the market for a vendor solution

Role:

  • Provides advice for information technology projects and service planning

  • Reviews IT Funding Applications for budget reallocation requests

Timing:

  • PL contacts CCS/IT while drafting the business requirements and before going to the market for a vendor solution