
Queen's University

Authorization to Operate

The Authorization to Operate process provides a structure, templates and a checklist to assist in the adoption of Software as a Service (SaaS) solutions at Queen's University.

Stages and Templates


Description and stage required

RFP Questions




The short form of these questions is to be included in any RFP that the Service Owner submits for a Cloud-based or hosted Software as a Service solution.

The long form of this document is used when negotiating with or shortlisting proponents.

The responses to these questions will be reviewed by ITServices to assist in proponent selection.


Privacy Risk Assessment


This document is the responsibility of the Service Owner, and will be completed with input from the Service Owner, the Vendor and from ITServices.


The Privacy Risk Assessment (PRA) shall provide an evaluation of controls and risks relative to the cloud environment in scope with an eye towards achieving the following objectives:


  • To determine the privacy risks related to the current implementation and how the implementation aligns with the Ontario legislation, FIPPA (Freedom of Information and Protection of Privacy Act), and the Federal legislation, PIPEDA (Personal Information Protection and Electronic Documents Act). (Note: PIPEDA applies to commercial organizations but the principles do apply.)
  • To understand and document where sensitive information is stored and used, and the level of adequacy of the existing security controls in Queen's University (focus being on people, processes, and technical security).

The purpose of this report is to:

  • Document the findings of a security-focused Privacy Risk Assessment (PRA) for the Queen's University software applications and services in scope
  • Inform Clients and stakeholders about the privacy objectives and safeguards of the Queen's University software applications and processes
  • Allow Clients and stakeholders to understand how the Queen's University software applications, service and processes may contribute to the business risks that they must manage.

Non Disclosure Agreement


The Queen's Non Disclosure Agreement is to be signed by Vendors prior to a contract in which an exchange of personal and confidential information is necessary between Queen's and the vendor as part of a negotiation, review or understanding of a service.



When all required documentation has been completed, signatures are required from the following individuals to confirm the completion of the process and the acceptance of any risk prior to go-live of a SaaS solution at Queen's University.


  • Service Owner
  • Data Steward
  • Queen's CIO
  • Queen's General Counsel


Operational Documentation


Documentation will be required to identify the ongoing support of the service, contingency plans in case of an outage, notification process, contact information, licence renewal schedule and other areas that will provide the plan as to how the service will run efficiently.

This document is completed at the end of the AtO process, and links all the components that have been completed.
As a result, this becomes the Executive Summary of the collection of documents, and would be the first point of reference if needed.


Kingston, Ontario, Canada. K7L 3N6. 613.533.2000