Privacy Impact Assessments (PIAs) are a key tool for demonstrating compliance with privacy laws. We outline our approach to basic institutional PIAs, as well as PIAs for multi-institutional or multi-jurisdictional data initiatives.
The KI Design approach to a single institutional privacy impact assessment falls in line with the provincial and federal requirements in Ontario and Alberta. The basic purpose of a PIA is to assess the impact of the collection, use, and disclosure of personal information on privacy and to justify this impact. Our approach begins with an analysis guided by the four-part test for necessity and proportionality established in R. v. Oakes (based on the Office of the Privacy Commissioner of Canada guideline):
- Is the measure demonstrably necessary to meet a specific need?
- Is it likely to be effective in meeting that need?
- Is the loss of privacy proportional to the need?
- Is there a less privacy-invasive way of achieving the same end?
In addition to answering the above questions, we help to collect documentation to demonstrate compliance with the ten principles that form the core of PIPEDA:
Accountability – Governance structure, PIA protocols, auditing, training, legal consultation
Identifying Purposes – Purposes of data collection, legislative authority for collection, description of data collected
Consent – Notification process or exceptions to consent
Limiting Collection – Justification for each data element collected, and indication that data taken from other departments are purged of all but essential data elements
Limiting Use, Disclosure, and Retention – Use cases, proposed disclosures, data sharing agreements, retention and disposition policies
Accuracy – Processes for correcting data and monitoring changes to records
Safeguards – Physical and electronic safeguards, Threat Risk Analysis, encryption practices, access policies
Openness – Public communications regarding privacy practices
Individual Access – Processes for individual access to or correction of personal information
Challenging Compliance – Privacy complaint procedures, compliance audits
Once privacy risks have been identified and mitigating measures proposed, we help to develop an Action Plan that provides a timeline and assigns responsibilities for the implementation of these measures. We will also help to set up processes for ongoing updates of assessments, auditing and monitoring compliance with privacy policies, and retention and disposition of data.
Multi-Jurisdictional Privacy Impact Assessments
An increase in information sharing initiatives, such as Electronic Health Records (EHR), has led to a growing need for multi-institutional and multi-jurisdictional PIAs. Guidelines from the Office of the Privacy Commissioner recommend that such PIAs include a clear business case for information sharing, a common communications strategy to inform the public of information sharing, and a set of expected privacy practices shared by all institutions participating in the data sharing initiative.
- Purpose: We begin by defining the reasons for which health information custodians collect, use, retain and disclose personal health information.
- Custodianship: A key next step to ensuring privacy protective information sharing is the definition of a custodianship model. In the context of an EHR initiative, a steward will be designated to review and revise policies, processes, and procedures and to ensure the proper operation of shared records.
- Liability: In order to establish liability, we help to define the roles, responsibilities, and accountabilities of EHR participants. We define different EHR participants’ right and ability to manage (collect, retain, disclose, and correct) personal health information.
- Data Management: We define policies for management of data quality, records management, assurance of accuracy, retention and archiving, and secondary use of data.
- Controls: We define policies for the application of legislative requirements, including management of information safeguards, compliance auditing, identity validation and management, implementation of consent rules, breach management, and proactive and reactive monitoring of technology assets. Controls also include frameworks such as provider agreements, patient disclaimers, and mandatory and discretionary requirements that define the roles of EHR participants.