Privacy Impact Assessments

Procedure Number: 002
Policy Number: 2105
Responsibility: VP Finance & Operations
Approved: JIBC Executive
Effective Date: May 17, 2023
Procedure Statement

Scope

This procedure forms part of JIBC’s Protection of Privacy and Access to Information policy (the “Policy”) and sets out the process by which the Institute will conduct Privacy Impact Assessments on the Institute’s systems, projects, programs, and activities in accordance with the Act. Terms not otherwise defined in this procedure are as defined in the Policy.

Conducting Privacy Impact Assessments

JIBC will take a risk management approach when conducting Privacy Impact Assessments in accordance with the Act.

Prior to developing, implementing, or amending any system, project, program, or activity that may involve Personal Information, Administrators must contact the General Counsel to discuss and identify potential privacy implications. At this stage, the General Counsel may require that the Administrator responsible for the system, project, program, or activity complete an initial questionnaire or checklist to collect initial information with respect to potential privacy implications.

The General Counsel will review and consider all available information and decide the level of Privacy Impact Assessment that is appropriate for the particular system, project, program, or activity, which may include any of the following:

  • deeming that Privacy Impact Assessment obligations have been appropriately discharged and that no further action is necessary at the time;
  • instructing the Administrator responsible for the system, project, program, or activity to complete a short-form Privacy Impact Assessment in a format approved by the General Counsel; or
  • instructing the Administrator responsible for the system, project, program, or activity to complete a long-form Privacy Impact Assessment in a format approved by the General Counsel.

The General Counsel will review completed Privacy Impact Assessments to ensure compliance with the Institute’s legal and privacy obligations, and will either:

  • approve the Privacy Impact Assessment;
  • instruct the Administrator responsible for the system, project, program, or activity to obtain further information to enable the General Counsel to approve the Privacy Impact Assessment; or
  • refuse to approve the Privacy Impact Assessment.

Completed Privacy Impact Assessments will be stored electronically within the Office of the General Counsel.

Related Policies and Procedures