A privacy and security review is a risk management and compliance tool used to identify and correct or mitigate potential privacy and security issues, thus avoiding costly program, service, or process redesign.
Privacy and security reviews are generally required when a university community member, including researchers, wishes to:
handled in the course of a university operating program or activity.
Ready to complete the privacy and security review checklist?
To begin the process of obtaining approval to use new software or a new online service, or to enter into a contract in which a third party may have access to personal information, please complete the review checklist by clicking on the green button above.
Before you do so, you may wish to review a copy of the checklist to ensure you will have all of the information you need.
1. Have you gone through the IT Governance process?
If you are interested in licensing software or using an online service, before you commence a privacy and security review process, you will need to go through the IT Governance process. This is required to start the process of considering the use of new software or a new online service.
For more information, visit the IT Governance web site.
Complete and submit the Opportunity Proposal Form here.
2. Have you checked to see if the software has already been through the review process or if there is a comparable software or service that has already been reviewed?
Software that has completed a PSR is listed here. Please see if there is already software on campus for the same purpose (example: Event management) before submitting a checklist.
References in this summary to the CISO mean the Office of the Chief Information Security Officer. References to the IPO mean the Information & Privacy Office.
The privacy and security review checklist is a Google Form that is located here: Microsoft Word version of the checklist here. We will need you to submit the form to the IPO and CISO through the Google Form. However, you might want to review and fill in the Microsoft Word version of the checklist in advance to ensure that you will have all of the information you need when you start filling out the Google Form. Unfortunately, you can’t save a partially completed Google Form and return to it later; it must be completed in one session.
The next steps in the review process will depend on how the information is classified. If you are handling information that falls into more than one classification level, then the review process will proceed based upon the highest classification level. For example, if some of the information is restricted, and some of it is protected, then the review process will proceed based upon a classification level of restricted.
If you have any questions as you complete the privacy and security review checklist, please do not hesitate to contact the IPO for privacy questions or the CISO for security questions. Contact information is listed further down this page in the footer.
Periodically, the IPO and the CISO will assess the privacy and security review process for quality assurance purposes. In the course of those assessments, they may review completed privacy and security checklists in more detail, and follow up with the faculty or unit with questions and recommendations for improvement.
A: Yes - however, please note that we are not reviewing your study protocol or ethics application. Please only include information concerning the software, application or online service being used to support your study. For any questions regarding how this may impact your study, please contact the Research Ethics Office.
A: The Freedom of Information and Protection of Privacy Act (the FOIP Act) requires public bodies such as the University of Alberta to have reasonable safeguards in place to protect against such risks as unauthorized access, collection, use, disclosure or destruction of personal information.
A privacy and security review is a risk management and compliance tool used to ensure that the University complies with this obligation.
In general, even if you don’t fit within the criteria listed above as requiring a privacy and security review, it is a good idea to conduct a privacy and security review whenever you are responsible for any other new project involving personal information, or for an existing project in which significant changes will be made to the way personal information is collected, used or disclosed.