Privacy & Security Review Checklist

A privacy and security review is a risk management and compliance tool used to identify and correct or mitigate potential privacy and security issues, thus avoiding costly program, service, or process redesign.

When are privacy and security reviews required?

Privacy and security reviews are generally required when a unit wishes to:

  • use new software or a new online service involving personal information, or
  • enter into a new or renewed contract in which a third party may have access to personal information handled in the course of a University operating program or activity.

This process is not designed for research projects. The Information & Privacy Office or Chief Information Security Officer can be contacted for more information about privacy & security in relation to research projects.

Ready to complete the privacy and security review checklist?

Complete Review Checklist

To begin the process of obtaining approval to use new software or a new online service, or to enter into a contract in which a third party may have access to personal information, please complete the review checklist by clicking on the green button above.

Before you do so, you may wish to review a copy of the checklist to ensure you will have all of the information you need.

Before you start a privacy and security review, have you gone through the IT Governance process?

If you are interested in licensing software or using an online service, before you commence a privacy and security review process, you will need to go through the IT Governance process. This is required to start the process of considering the use of new software or a new online service.

For more information, visit the IT Governance web site: https://www.ualberta.ca/it-governance

To complete and submit the Opportunity Proposal Form: https://www.ualberta.ca/it-governance/toolkit/proposal

Summary of the Privacy and Security Review Process

References in this summary to the CISO mean the Office of the Chief Information Security Officer. References to the IPO mean the Information & Privacy Office.

  1. The privacy and security review checklist is a Google Form that is located here:

    Privacy & Security Review Checklist

    You can also find a Microsoft Word version of the checklist here. We will need you to submit the form to the IPO and CISO through the Google Form. However, you might want to review and fill in the Microsoft Word version of the checklist in advance to ensure that you will have all of the information you need when you start filling out the Google Form. Unfortunately, you can’t save a partially completed Google Form and return to it later; it must be completed in one session.
  2. When you have completed the privacy and security checklist Google Form, click the “Submit” button to submit the checklist. A copy of the completed checklist will be emailed to you. A copy will also be accessible to the IPO and the CISO.
  3. As you complete the checklist, you will be advised about whether the personal information you are handling is classified as restricted, confidential, protected or unrestricted.

The next steps in the review process will depend on how the information is classified. If you are handling information that falls into more than one classification level, then the review process will proceed based upon the highest classification level. For example, if some of the information is restricted and some of it is protected, then the review process will proceed based upon a classification level of restricted.

If you have any questions as you complete the privacy and security review checklist, please do not hesitate to contact the IPO for privacy questions or the CISO for security questions. Contact information is listed further down this page in the footer.

Next Steps, Based Upon Classification Level

  1. Privacy Review – If the highest information level is restricted or confidential, then the IPO must review the initiative before it is implemented. If the highest information level is protected or unrestricted, then no further IPO involvement is required.
  2. IT Security Review – If the highest information level is restricted, confidential, or protected, then the CISO must review the initiative before it is implemented (unless the CISO and IPO agree that the review can be waived in the circumstances).
  3. Review of Contract / Online Terms of Use – If the information level is restricted, confidential, or protected, then the contract / online terms of use must be reviewed.
    • Will the University be paying to use the software or online service? If so, then please contact SMS to review the contract or the online terms of use. This is necessary regardless of the amount you are paying and regardless of the method of payment (e.g. corporate credit card).
    • Is the software or online service free? If so, please contact the IPO about the next steps required for this review.

Quality Assurance

Periodically, the IPO and the CISO will assess the privacy and security review process for quality assurance purposes. In the course of those assessments, they may review completed privacy and security checklists in more detail, and follow up with the faculty or unit with questions and recommendations for improvement.

FAQs

Q: Do researchers need to go through the privacy and security review process when entering into contracts with service providers to handle research data that includes personal information?

A: No. Privacy and security reviews are not required when the University enters into contracts that involve the sharing or disclosure of personal information in the course of a research project. Instead, research at the University of Alberta must comply with:

  1. The Research Records Stewardship Guidance Procedure, located at https://policiesonline.ualberta.ca/PoliciesProcedures/Procedures/Research-Records-Stewardship-Guidance-Procedure.pdf, and
  2. any standards for security and privacy prescribed by the research ethics board and research funding agencies.

Q: Why are privacy and security reviews important?

A: The Freedom of Information and Protection of Privacy Act (the FOIP Act) requires public bodies such as the University of Alberta to have reasonable safeguards in place to protect against such risks as unauthorized access, collection, use, disclosure or destruction of personal information.

A privacy and security review is a risk management and compliance tool used to ensure that the University complies with this obligation.

In general, even if you don’t fit within the criteria listed above as requiring a privacy and security review, it is a good idea to conduct a privacy and security review whenever you are responsible for any other new project involving personal information, or for an existing project in which significant changes will be made to the way personal information is collected, used or disclosed.