Do Alberta universities need PIAs under POPA?
Yes. Universities, colleges, and polytechnic institutions in Alberta are public bodies under POPA. Any SaaS tool or information system that collects, uses, or discloses personal information requires a PIA. Post-secondary institutions typically have extensive SaaS environments spanning academic, research, administrative, and student services — making PIA completion a significant but necessary undertaking.
What systems need PIAs in a university environment?
Post-secondary institutions use a broad range of tools: learning management systems (Brightspace, Canvas, Moodle), student information systems (Banner, PeopleSoft), research data platforms, library systems, email and productivity suites (Microsoft 365, Google Workspace), video conferencing (Zoom, Teams), HR and payroll, financial systems, and dozens of department-specific applications. Each tool that processes personal information requires jurisdictional analysis in Section G of the OIPC template.
What about research data?
Research involving personal information adds another layer of complexity. The OIPC template includes Section H3 (Risks Associated with Research) and Appendix A (Data Matching) for research-specific considerations. If research data is stored or processed using US-parented cloud platforms, the CLOUD Act applies — meaning a US legal order could compel access to research participants' personal information. Ethics boards should be coordinating with privacy officers on PIA requirements.
How should universities organize their PIA process?
Given the volume of SaaS tools across a university, a centralized approach works best: have the privacy officer maintain an inventory of all tools, prioritize by sensitivity (student records and research data first), and use a systematic process for completing PIAs. The OIPC template is the same regardless of the tool — what changes is the jurisdictional analysis for each vendor. This is where automated research tools save significant time.
Are learning management systems CLOUD Act exposed?
It depends on the vendor. D2L Brightspace is Canadian-incorporated (Kitchener, Ontario) — not CLOUD Act exposed. Canvas (Instructure, Inc.) is US-incorporated — CLOUD Act exposed. Moodle is open-source and depends on where the institution hosts it — self-hosted in Canada would not be CLOUD Act exposed, but cloud-hosted through a US provider would be. Each LMS requires its own jurisdictional analysis.
Auto-fill PIAs for your entire institutional stack
Select every tool your institution uses — from Brightspace to Banner to Microsoft 365. Our PIA Research Tool generates Sections F, G, and H2 of the mandatory OIPC template from a 753-tool database. $199.
Frequently asked questions
If a department deploys its own SaaS tool that processes personal information, it needs a PIA. The privacy officer should maintain a centralized process to ensure consistency and avoid duplication.
If students are provided Microsoft 365 or Google Workspace accounts, the institution is deploying a SaaS tool that processes student personal information. A PIA is required.