A privacy and security review is a risk management and compliance tool used to identify and correct or mitigate potential privacy and security issues, thus avoiding costly program, service, or process redesign.
Privacy and security reviews are generally required when a unit wishes to:
This process is not designed for research projects. The Information & Privacy Office or Chief Information Security Officer can be contacted for more information about privacy & security in relation to research projects.
Ready to complete the privacy and security review checklist?
To begin the process of obtaining approval to use new software or a new online service, or to enter into a contract in which a third party may have access to personal information, please complete the review checklist by clicking on the green button above.
Before you do so, you may wish to review a copy of the checklist to ensure you will have all of the information you need.
If you are interested in licensing software or using an online service, before you commence a privacy and security review process, you will need to go through the IT Governance process. This is required to start the process of considering the use of new software or a new online service.
For more information, visit the IT Governance web site: https://www.ualberta.ca/it-governance
To complete and submit the Opportunity Proposal Form: https://www.ualberta.ca/it-governance/toolkit/proposal
References in this summary to the CISO mean the Office of the Chief Information Security Officer. References to the IPO mean the Information & Privacy Office.
The privacy and security review checklist is a Google Form. A Microsoft Word version of the checklist is also available. We will need you to submit the form to the IPO and CISO through the Google Form. However, you might want to review and fill in the Microsoft Word version of the checklist in advance to ensure that you will have all of the information you need when you start filling out the Google Form. Unfortunately, you can’t save a partially completed Google Form and return to it later; it must be completed in one session.
The next steps in the review process will depend on how the information is classified. If you are handling information that falls into more than one classification level, then the review process will proceed based upon the highest classification level. For example, if some of the information is restricted, and some of it is protected, then the review process will proceed based upon a classification level of restricted.
If you have any questions as you complete the privacy and security review checklist, please do not hesitate to contact the IPO for privacy questions or the CISO for security questions. Contact information is listed further down this page in the footer.
Periodically, the IPO and the CISO will assess the privacy and security review process for quality assurance purposes. In the course of those assessments, they may review completed privacy and security checklists in more detail, and follow up with the faculty or unit with questions and recommendations for improvement.
A: No. Privacy and security reviews are not required when the University enters into contracts that involve the sharing or disclosure of personal information in the course of a research project. Instead, research at the University of Alberta must comply with:
A: The Freedom of Information and Protection of Privacy Act (the FOIP Act) requires public bodies such as the University of Alberta to have reasonable safeguards in place to protect against such risks as unauthorized access, collection, use, disclosure or destruction of personal information.
A privacy and security review is a risk management and compliance tool used to ensure that the University complies with this obligation.
In general, even if you don’t fit within the criteria listed above as requiring a privacy and security review, it is a good idea to conduct a privacy and security review whenever you are responsible for any other new project involving personal information, or for an existing project in which significant changes will be made to the way personal information is collected, used or disclosed.