Privacy & Security Review Checklist

A privacy and security review is a risk management and compliance tool used to identify and correct or mitigate potential privacy and security issues, thus avoiding costly program, service, or process redesign.

When are privacy and security reviews required?

Privacy and security reviews are generally required when a university community member, including researchers, wish to:

  • use new software, or a new online service or when you make changes to an existing system that impacts data flows, or
  • enter into a new or renewed contract in which a third party may have access to personal information,

handled in the course of a university operating program or activity.

Before you start a privacy and security review:

1. Have you reached out to your Senior IT partner?

Reach out to your Senior IT partner first to see if the software has already been through the review process or if there is a comparable software or service that has already been reviewed.

If you have questions about who your IT partner is, please contact

2. Have you gone through the IT Governance process?

If you are interested in licensing software or using an online service, before you commence a privacy and security review process, you will need to go through the IT Governance process. This is required to start the process of considering the use of new software or a new online service.

For more information, visit the IT Governance web site.

Complete and submit the Opportunity Proposal Form here.

Summary of the Privacy and Security Review Process

References in this summary to the CISO mean the Office of the Chief Information Security Officer. References to the IPO mean the Information & Privacy Office.

Complete the Privacy & Security Review Checklist

  1. The privacy and security review checklist is a Google Form that can be accessed below:

    Privacy & Security Review Checklist

    You can also find a Microsoft Word version of the checklist here   . We will need you to submit the form to the IPO and CISO through the Google Form. However, you might want to review and fill in the Microsoft Word version of the checklist in advance to ensure that you will have all of the information you need when you start filling out the Google Form. Unfortunately, you can’t save a partially completed Google Form and return to it later; it must be completed in one session.
  2. When you have completed the privacy and security checklist Google Form, click the “Submit” button to submit the checklist. A copy of the completed checklist will be emailed to you. A copy will also be accessible to the IPO and the CISO.
  3. As you complete the checklist, you will be advised about whether the personal information you are handling is classified as restrictedconfidentialprotected or unrestricted.

The next steps in the review process will depend on how the information is classified. If you are handling information that falls into more than one classification level, then the review process will proceed based upon the highest classification level. For example, if some of the information is restricted, and some of it is protected, then the review process will proceed based upon a classification level of restricted

If you have any questions as you complete the privacy and security review checklist, please do not hesitate to contact the IPO for privacy questions or the CISO for security questions. Contact information is listed further down this page in the footer.

Next Steps, Based Upon Classification Level

  1. Privacy Review – If the highest information level is restricted or confidential, then the IPO must review the initiative before it is implemented. If the highest information level is protected or unrestricted, then no further IPO involvement is required.
  2. IT Security Review – If the highest information level is restricted, confidential, or protected, then the CISO must review the initiative before it is implemented (unless the CISO and IPO agree that the review can be waived in the circumstances).
  3. Review of Contract / Online Terms of Use – If the information level is restrictedconfidential, or protected, then the contract / online terms of use must be reviewed.
    • Will the University be paying to use the software or online service? If so, then please contact SMS to review the contract or the online terms of use. This is necessary regardless of the amount you are paying and regardless of the method of payment (e.g. corporate credit card).
    • Is the software or online service free? If so, please contact the IPO about the next steps required for this review.

Quality Assurance

Periodically, the IPO and the CISO will assess the privacy and security review process for quality assurance purposes. In the course of those assessments, they may review completed privacy and security checklists in more detail, and follow up with the faculty or unit with questions and recommendations for improvement.


Q: Do researchers need to go through the privacy and security review process when entering into contracts with service providers to handle research data that includes personal information?

A: Yes - however, please note that we are not reviewing your study protocol or ethics application. Please only include information concerning the software, application or online service being used to support your study. For any questions regarding how this may impact your study, please contact the Research Ethics Office.

Q: Why are privacy and security reviews important?

A: The Freedom of Information and Protection of Privacy Act (the FOIP Act) requires public bodies such as the University of Alberta to have reasonable safeguards in place to protect against such risks as unauthorized access, collection, use, disclosure or destruction of personal information.

A privacy and security review is a risk management and compliance tool used to ensure that the University complies with this obligation.

In general, even if you don’t fit within the criteria listed above as requiring a privacy and security review, it is a good idea to conduct a privacy and security review whenever you are responsible for any other new project involving personal information, or for an existing project in which significant changes will be made to the way personal information is collected, used or disclosed.