Information Risk Assessment

Aim

The aim of Waterloo’s Information Risk Assessment program is to:

  1. identify and understand the potential privacy and security risks of new or redesigned university business processes or services that use Restricted or Highly Restricted information (including Personal Information), or other sensitive information;
  2. prevent or mitigate negative privacy and security consequences;
  3. enhance privacy and security protection; and
  4. help Information Stewards decide whether to proceed with the initiative.

When to engage an Information Risk Assessment

The Information and Privacy Commissioner (IPC) of Ontario has identified examples of the types of projects that would benefit from an Information Risk Assessment. According to the IPC, these are initiatives that involve a substantial change to the processing (i.e., collection, use, or disclosure) of personal information.

To determine whether you should engage the Information Risk Assessment process, answer all of the following questions, which are drawn from IPC guidance:

  1. Is this a new program that will involve significant collection, use, or disclosure of Restricted or Highly Restricted information, including Personal Information? In particular, is it an enterprise-wide initiative, or one involving multiple programs or partners?

            ☐ Yes              ☐ No

  2. Will it involve major changes to existing programs that significantly change the collection, use, or disclosure of Restricted or Highly Restricted information, including Personal Information? In particular, changes resulting from: an integration of programs; a broadening of the target population; a change in service delivery channels; an expansion of the amount or type of data collected; constraining or eliminating opportunities for anonymity or pseudonymity; or a major shift toward indirect collection of personal information?

            ☐ Yes              ☐ No

  3. Will it involve the use of new technology, or technology known to impact privacy, that could raise significant privacy risks (e.g., biometrics, smart cards, drug testing, or technology with surveillance capabilities)?

            ☐ Yes              ☐ No

  4. Will it involve major changes to technology that alter: the functionality of information management; access to Restricted or Highly Restricted information, including Personal Information; or security features?

            ☐ Yes              ☐ No

  5. Will it involve the creation or modification of databases that will contain Restricted or Highly Restricted information, including Personal Information? In particular, databases where the data is sensitive or relates to a significant number of people, or that link separate databases or create files that index or point to Personal Information in such databases?

            ☐ Yes              ☐ No

  6. Will it involve the creation or modification of identification and authentication schemes that use multi-purpose identifiers, biometrics, or identity cards? This includes integration with central University systems such as WATIAM, ADFS, and/or LEARN.

            ☐ Yes              ☐ No

  7. Will it involve any other significant collection, use, or disclosure of Restricted or Highly Restricted information, including Personal Information, that is not captured by the previous six questions?

            ☐ Yes              ☐ No

If “yes”, complete the Information Risk Assessment intake form

If you responded “yes” to any of the questions listed above, please fill out and submit the intake form. This engages the Information Risk Assessment process for your new or redesigned university business process or service.

If you responded “no” to all of the questions listed above, your initiative does not require the Information Risk Assessment process and you do not need to complete the intake form. You are free to proceed with your project, with the proviso that you immediately re-evaluate should it be determined that your initiative does involve substantial changes to how Restricted or Highly Restricted information, including Personal Information, is processed.

What happens after you submit the Information Risk Assessment intake form?

Intake forms are reviewed by the Privacy Officer and the Information Security Officer, who make recommendations on them; ownership of the findings resides with the relevant Information Stewards.

Timeline

Typically 2 to 4 weeks, depending on the complexity of the initiative.

Making Changes

After submitting the Information Risk Assessment intake form, you will receive a re-take link that lets you make changes to your responses.