Our approach to a single institutional privacy impact assessment falls in line with the provincial and federal requirements in Ontario and Alberta. The basic purpose of a PIA is to assess the impact of the collection, use, and disclosure of personal information on privacy and to justify this impact. Our approach begins with an analysis guided by the four-part test for necessity and proportionality established in R. v. Oakes (based on the Office of the Privacy Commissioner of Canada guideline).
- Is the measure demonstrably necessary to meet a specific need?
- Is it likely to be effective in meeting that need?
- Is the loss of privacy proportional to the need?
- Is there a less privacy-invasive way of achieving the same end?
In addition to answering the above question, we address the ten principles of the Canadian Standards Association’s Model Code for the Protection of Personal Information. In keeping with this approach, below we offer examples of the types of documentation typically included in a PIA to demonstrate each of the ten principles.
The accountability analysis includes a definition of the governance structure of the privacy program, including descriptions of input from legal services or Access to Information and Privacy branches of the institution, and a standard process for determining when PIAs are required, carrying them out, implementing mitigating measures, and auditing for assurance and compliance.
Supporting evidence may include confirmation that PIAs are signed off at the appropriate level, that privacy training is documented and regularly refreshed, and that privacy protective clauses are present in all contracts (particularly where third parties are handling personal information, in accordance with the Treasury Board Secretariat’s Directive).
In this analysis we provide a clear description of the program and why each piece of information collected is relevant; a description of the legislative authority for the collection; and a clear list of all the data elements collected. Relevant documents may include application forms identifying the purpose of collection and online notices of information use. We also provide a description of intended secondary purposes of information and methods of data collection (direct or indirect).
In order to validate consent requirements we will seek a copy of the notification language or privacy notice statement provided to individuals submitting information; or if consent was not sought, a reason for not seeking consent consistent with the Privacy Act.
In this analysis we provide a justification for each data element collected, and an indication that data taken from other departments are purged of all but essential data elements.
Limiting Use, Disclosure and Retention
In this section, our approach provides a description of specific use cases and proposed disclosures, and copies of MOUs or agreements with third parties governing use, retention and disclosure of information. We define a clear policy for retention and disposition of data that is also noted in the Personal Information Bank, and a process for the destruction of data.
Here we provide a description of processes for ensuring the accuracy of information: how records are changed, what processes are open to individuals seeking to correct data, and how changes to records are logged and monitored.
This section may include a description of physical and electronic safeguards, a Threat Risk Analysis emphasizing privacy risks and concerns, notation of encryption practices, policies for remote access and Role-Based Access Control, etc.
We will seek a copy of a clear summary of privacy practices that is posted on the organizational website, and in the case of particularly sensitive programs, a description of a public communications plan.
We provide a description of the formal ATIP process, as well as informal processes for individual access to or correction of personal information.
Here we describe who is responsible for receiving privacy complaints, and how and when compliance audits will be undertaken.
Once privacy risks have been identified and mitigating measures proposed, the OFP expects an Action Plan that provides a timeline and assigns responsibilities for the implementation of these measures. An Action Plan will ideally also include processes for ongoing updates of the PIA, a schedule for regular TRAs, a process for auditing and monitoring compliance with privacy policies, and a plan for the retention and disposition of data.
Approach to Multi-Institutional Privacy Impact Assessments
An increase in information sharing initiatives, such as Electronic Health Records (EHR), has led to a growing need for multi-institutional and multi-jurisdictional PIAs. The OPC’s guidelines recommend that such PIAs include a clear business case for information sharing, a common communications strategy to inform the public of information sharing, and a set of expected privacy practices shared by all institutions participating in the data sharing initiative.
We begin by defining the reasons for which health information custodians collect, use, retain and disclose personal health information.
A key next step to ensuring privacy protective information sharing is the definition of a custodianship model; as defined in PHIPA, custodians are healthcare providers responsible for the management of personal health information. These include: individual healthcare practitioners and group practices; community service providers under the Long-Term Care Act, 1994; community care access centres; public or private hospitals; psychiatric facilities under the Mental Health Act; institutions under the Mental Hospitals Act; and independent health facilities under the Independent Health Facilities Act.
In the context of an EHR initiative, a steward will be designated to review and revise policies, processes, and procedures and to ensure the proper operation of shared records.
Liability is defined as a legal obligation, due at present or at some time in the future. By establishing liability, we help to define the roles, responsibilities, and accountabilities of EHR participants.
>Power and authority
In conjunction with liability, we define different EHR participants’ right and ability to manage (collect, retain, disclose, and correct) personal health information.
Here we define policies for management of data quality, records management, assurance of accuracy, retention and archiving, and secondary use of data.
In this step we define policies for the application of legislative requirements, including management of information safeguards, compliance auditing, identity validation and management, implementation of consent rules, breach management, and proactive and reactive monitoring of technology assets.
>Templates for Participant Roles
Controls include frameworks such as provider agreements, patient disclaimers, and mandatory and discretionary requirements that define the roles of EHR participants.