Privacy Impact Assessment & Authorization to Operate

What is a PIA?

A Privacy Impact Assessment (PIA) is a process or assessment used to identify and evaluate potential privacy risks associated with collecting, storing, or sharing personal data in a project or information system. It helps ensure compliance with privacy laws and implement safeguards to protect information.

What is an ATO?

An Authorization to Operate (ATO) is formal approval granted by University Privacy that allows an information system that processes, stores, or transmits sensitive information to operate within the University environment. This approval is based on the results of a PIA, which determine whether the system meets University and regulatory requirements for safeguarding sensitive data.

The ATO process follows the PIA framework, which includes:

  • Data Flow Mapping: Identification of what personal data is collected, how it flows, and who has access.
  • Legal and Regulatory Compliance: Review of applicable privacy laws, regulations, and organizational policies.
  • Risk Assessment: Analysis of potential privacy risks and their impact on individuals.
  • Mitigation Measures: Strategies to reduce or eliminate identified risks (e.g., data minimization, encryption).
  • Stakeholder Engagement: Input from University Privacy, OGC, UITS, ISO and other individuals involved.
  • Recommendations and Action Plan: Steps to improve privacy and security controls.
  • Documentation and Approval: Final report with sign-offs, including issuing the ATO.

When Do You Need a PIA and ATO?

  • You are implementing a new information system that processes, stores, or transmits University data, including regulated or sensitive information, such as Protected Health Information (PHI).

  • You are making significant changes to an existing system that could impact its security posture.

  • You are using cloud-based or third-party systems that will connect to University networks or handle University data.

How to Request an ATO

If you believe your project or system requires an ATO, please contact University Privacy for guidance and next steps.