FAQs

General

1. What is personal information?

Personal information is any data that can identify a person, either on its own or when combined with other information. It is defined in Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) as recorded information about an identifiable individual. An individual’s personal information includes information regarding race, gender, home address, medical history, education history, identifying numbers (e.g. social insurance number, student number), financial information, employment history, personal opinions, completed assignments or exams, and grades, comments and evaluations provided by an instructor. If you are collecting this kind of information about individuals, you may need to conduct a PIA to ensure compliance with privacy law.

2. How do I know if the information I am collecting constitutes personal information under FIPPA?

To learn about privacy and what constitutes personal information, all U of T faculty, staff and librarians should complete two modules of privacy training via the Security Awareness and Training platform. If you do not already have access to the Security Awareness and Training platform, contact your local IT team to request onboarding.

3. What is a privacy breach and how should I report it?

A privacy breach is an incident involving the unauthorized collection, use, access or disclosure of personal information. There can be internal breaches (inappropriate sharing of information from within the university) or external breaches (by third-party vendors). Individual users are not expected to report directly to the Information and Privacy Commissioner of Ontario — this is done centrally through the university’s FIPP Office. If you suspect or discover a privacy breach, please report it immediately to your local IT team or freedom of information liaison (FOIL) and copy privacy@utoronto.ca.

Requirements

4. When am I required to conduct a privacy impact assessment (PIA)?

Consider the following questions about your project, activity or initiative.

  • Is this a new undertaking that involves the collection of personal information?
  • Are you collecting or using new types of personal information or making significant changes to existing systems, methods or tools for collecting personal information?
  • Are you changing how you handle personal data (e.g. new technology or a new purpose)?
  • Could this project increase privacy risks (e.g. surveillance, profiling)?
  • Are you reusing personal information that was initially collected for a different purpose?

If you answered “Yes” to any of these questions, a PIA is required before you start collecting personal information or before changes are implemented.

If all answers are “No,” your project may proceed without a PIA. However, if the scope or nature of the project changes, please re-evaluate whether a PIA is necessary.

5. Do I need a new PIA for processes, systems or activities that operated prior to July 1, 2025?

No. If you have been collecting personal information through an existing process or system, you may continue doing so without a PIA. You can continue even if you are collecting information from a new group of individuals — as long as the process or system is not new to the university, the type of information you are collecting is the same and you are not making a “significant change” to the existing process.

6. What counts as a “new” process or a “significant change” to an existing process, system or activity?

A change is considered significant if it involves:

  • Collecting new types of personal information; for example:
    • You previously collected name and student number, but now also collect information about religion and race.
    • You are adding the collection of biometric data to an existing information collection form.
  • Using existing personal information for a new purpose (e.g. using student data for predictive analytics).
  • Sharing existing data with new third parties.
  • Changing technology (e.g. moving from paper forms to a cloud-based system).
  • Expanding the scope or scale of data collection (e.g. from one department to campus-wide).

If your project involves any of these, it likely qualifies as a significant change—and a PIA will be required.

7. Who do PIA requirements apply to?

PIA requirements apply to all staff, faculty and librarians employed at the university when they are conducting U of T-related activities. They do not apply to students. Note that collection of personal information as part of a research project approved by the Research Ethics Board does not require a PIA (see next question).

8. If I am collecting personal information for research purposes, is a PIA required?

Collection of personal information as part of a research project will continue to be overseen through the Research Ethics Board review process and does not require a PIA.

Conducting an assessment

9. How do I conduct a PIA?

Only individuals with expertise in privacy and FIPPA requirements and who are trained by the Information Security (IS) team in performing PIAs should conduct these assessments. The IS central division offers PIAs as a cost-free service for those who need support. If you think your activity may require a PIA, please request a PIA from Information Security or contact your local IT team.

10. What happens after I fill out a PIA request form? How long does the process take?

Once you complete and submit the PIA request form, a ticket is created in the Enterprise Service Centre (ESC) portal, and you’ll receive an email confirmation.

An Information Security analyst is assigned to your request. If additional information is needed, the analyst contacts you directly. You can track the progress of your request by visiting the ESC portal and selecting “My Requests” from the top navigation bar. You can also communicate with the assigned analyst by adding notes to the open ticket.

Throughout the assessment, the analyst may ask follow-up questions or request clarifications to ensure a thorough review. Upon completion, their findings and recommendations are documented in a formal report and shared with you.

The assessment typically takes four to eight weeks from the time all required information has been received, depending on the complexity of the initiative.

11. What happens once my PIA is completed?

Once the PIA is completed, the Information Security team informs you of the results and shares the final report with you. The PIA report is also stored in a central repository for record-keeping purposes.

If specific risks are identified, a key requirement under FIPPA is for you to address and mitigate these risks before proceeding with any information collection. You will need to:

  • Document the mitigation strategies and actions you plan to implement.
  • Share this documentation with the Information Security analyst supporting your PIA, who files it alongside your PIA in the central repository.
  • Retain a copy of both the PIA and the mitigation plan for your records.

12. I want to outsource my PIA to a third party. What are the requirements?

If you are planning to outsource the PIA process to a third party, please open an ESC ticket with the central Information Security Risk Management team or contact the U of T FIPP Office at privacy@utoronto.ca for further guidance.

Last modified: October 6, 2025