AI tools Require Privacy Impact Assessments

This section now fully incorporates TRU’s official PIA flowchart and PIA form. (References: PIA Flowchart V1, PIA Template August 2024)

AI tools are software services. These services must abide by TRU policies of acceptable use, TRU purchasing policies, legal, and regulatory requirements.

If a staff member wants to use any AI tool other than Copilot, and the tool may collect or process:

  • Student personal information.
  • Employee personal information.
  • Vendor or contractor personal information.
  • Any TRU-owned personal information.

Then a Privacy Impact Assessment (PIA) is required.

TRU’s PIA Process Flowchart

PIA Flowchart V1

Privacy Impact Assessment (PIA) Decision Checklist (Simplified)

(Based on TRU’s PIA Flowchart, attached above)

You must complete a PIA if:

  • The AI tool collects or processes Personal Information as defined in Freedom of Information and Protection of Privacy Act (FIPPA).
  • The tool is cloud-based (not on-premises).
  • You have not verified where data will be stored.
  • You have not read or understood the vendor’s Terms of Use.
  • Consent is not already collected.
  • The tool involves data linking between systems.
  • The initiative is a cross-departmental program involving Personal Information.
  • The Software stores or transmits information outside of Canada.
  • You are unsure whether the collection is authorized under Freedom of Information and Protection of Privacy Act (FIPPA) s.26(c)

If ANY of the above is true -> a PIA is required

This aligns perfectly with TRU’s flowchart instructions. If you are unsure whether your initiative requires a PIA, please contact the Privacy Office at privacy@tru.ca or you can contact the Information Security at InfoSecurity@tru.ca

PIA Process Summary

Personal Information includes any data that could identify an individual (e.g. email, name, address, SIN, and so on).

  • Is collection authorized under the Freedom of Information and Protection of Privacy Act (FIPPA) s.26?
  • Is information collected in a manner authorized by the Freedom of Information and Protection of Privacy Act (FIPPA) s.27?
  • Is use authorized under Freedom of Information and Protection of Privacy Act (FIPPA) s.32?
  • Is disclosure authorized under Freedom of Information and Protection of Privacy Act (FIPPA) s.33?

Note: You can view the Freedom of Information and Protection of Privacy Act here.

  • Cloud = almost always a required PIA
  • On-premises = often do not need a PIA but check with the Privacy Office.

If you don’t understand them -> consult TRU Privacy / Info Security

Also, check the TRU’s PIA Flowchart attached above.

Please contact TRU Privacy or Information Security through the following channels:

See the TRU’s PIA Process Flowchart attached above.

Fully complete the sections listed as required. Those that are not listed as required will be filled out by Privacy and/or Information Security. However, the more fields you fill out yourself (not only required) will help speed up the process.

  • Initiative description (required)
  • Scope (required)
  • Personal Information involved (required)
  • Data Storage location (required)
  • Security controls
  • Data flow flowchart or personal information table (required)
  • Risk mitigation table (required but often augmented by Info. Security)
  • Data linking and Common program activity (required but often by Privacy Office)
  • Collection notice

Supplementary documentation – depending on the confidentiality/sensitivity of the data involved, you may need to provide corroborating documentation in support of the security and privacy maturity of the service. Ask the vendor for as many of these documents they have available: Privacy/Security Policies, HECVAT, PCI-DSS

  • Privacy Office reviews.
  • Information Security Director reviews.
  • Adjustments made if required.
  • Signatures collected.

Only after Privacy Impact Assessment (PIA) approval can the tool be used with TRU Personal Information.