Service providers across diverse service categories are often required to collect personal information as a central function of the social safety net; however, who or what ensures that data is protected? Privacy Impact Assessments (PIA) are a best practice used across numerous private sector industries to protect customer data and mitigate the risk of security breaches. In the social sector, a PIA can be used to protect client information and mitigate compliance and privacy concerns. Yet, most organizations have a hard time understanding what a PIA is. And if it applies to their organization.
In 2021, the average cost of a data breach incident in Canada was $6.75 million. Privacy Impact Assessments (PIA) are an opportunity to help mitigate the risk for both users and service providers. PIAs tell the story of your organization’s work with respect to the data and privacy of clients. By identifying the potential privacy risks of a program or service, PIAs find gaps or compliance concerns and create processes to mitigate the gaps you may have in your organization. A PIA is a risk management process that supports organizations to protect themselves and their clients by meeting legal requirements and supporting privacy protection.
Myth 1: My Organization Doesn’t Use Private Information, So We Don’t Need a PIA
Oftentimes service providers or custodians don’t think they fit the requirements for a PIA because they don’t fall into what they think a custodian is.
So what is personal information? And who is a custodian?
Personal information is any “information about an identifiable individual that is recorded in any form,” meaning something as complex as fingerprints or medical diagnoses to seemingly basic information like name and address. Even if your organization doesn’t collect what you think is ‘risky data’, any Personally Identifiable Information can be misused and should be protected.
Custodians are health services providers, be it individuals, boards, agencies or corporations, that collect any data related to individually identifying health information. Examples of custodians are nursing homes, physicians, pharmacists, rehabilitation centers, shelters, housing supports, employment services, mental health clinics, addiction services, registered nurses and any other social service providers named in the regulations.
Custodians are required to review the privacy safeguards to protect health information periodically. Custodians must, therefore, under the Health Information Act (HIA), submit PIAs to the Information and Privacy Commissioner prior to implementing practices that collect individually identifying health information. You are viewed as a custodian under the regulation if your organization:
• protects, promotes or maintains physical and mental health
• prevents, diagnoses or treating illness
• aids in rehabilitation
• is involved with caring for the health needs of the ill, disabled, injured or dying
The HIA is a Government of Alberta Act that clarifies the balance between privacy protection and client information sharing to manage the health system. While the HIA is specific to Alberta, across Canada, provincial governments have similar acts, such as the Personal Health Information Protection Act (PHIPA) in Ontario and the Personal Information Protection Act in British Columbia, that work to ensure the protection of collected personal information.
If you’re still unsure, ask yourself, does this project or program require collecting personal information? If yes, then you’ll likely need a PIA.
Myth 2: My Organization Does Not Have Any Privacy Risks
You might be thinking, what’s the point of a PIA? Does it only tell me what personal data my organization uses? Not quite – PIAs, in addition to identifying what personal data you’ve collected, also determine how data flows through your organization’s processes and technology; this allows you to identify security and privacy gaps along the way. PIAs dive deeper than a superficial understanding of what data you collect and look at the collection methods, the format of the information, the security of the information storage, and its accessibility. PIAs are a due diligence practice to identify and mitigate future security and privacy breaches.
In one such security breach in Ontario, Rowlands v. Durham Region Health, a settlement was agreed upon arising from a nurse’s loss in 2009 of an unencrypted USB stick containing individual health information data of over 83,000 flu shot patients. While no identity theft occurred, damages were still paid, and the risk of privacy threatened both the plaintiffs and the reputation of the defendants. PIAs account for how data is stored, used, who can access it, and what necessary protocols are required to ensure personal health data security. In this case, a PIA would have flagged the use of an unencrypted USB stick and therefore possibly mitigated this loss. Therefore, they are an invaluable tool to prevent risks you might not have even known existed.
Myth 3: It’s a Painful Process That My Organization Won’t Have Time For
PIAs have four key components: project initiation, data flow analysis, privacy analysis, and the privacy impact analysis report. The first component involves determining the collection, use and security retention and disposal of any personal information used by your organization. Data flow analysis looks at how your organization uses the data and consults with stakeholders to understand how the information will be used across the organization or within programs or activities.
The third step involves an analysis of the information used to identify the potential risks and how your organization can fulfill its legal requirements as set out by the Privacy Act and related regional regulations. HelpSeeker normally does this through a short questionnaire that captures the necessary information. The final step is to create the report itself; this involves developing solutions and documenting your findings to move ahead with the program or activity.
While the process may seem daunting at first, it is more than doable, and the benefits of protection certainly outweigh the costs of liability and security breaches. Globally, the cost of a data breach incident is $5.34 million, in Canada it is higher at $6.75 million. PIAs are best practices and can be conducted and reported by contractors specializing in collecting and assessing your organization’s risks. So is it a painful process? The short answer is no, but it is undoubtedly a necessary process that will require effort to safeguard your organization and protect it from liability and risk.
Myth 4: PIAs Aren’t Worth It
PIAs are common practice for organizations to ensure privacy is a feature in their programs and make privacy a key factor. CMHC completes frequent PIAs alongside new, revised or outsourced programs; this protects both CMHC and those who leverage its programs from privacy breaches.
What are the benefits of doing a PIA?
PIAs act as an early warning system to identify and mitigate risks; they enable decision-makers to act with the knowledge that they are protected from internal issues and have taken proactive steps to prevent external threats or compliance issues.
A PIA ensures that your organization complies with privacy laws and that community values are reflected in your programs. Stakeholders and end-users know that the project is designed for their safety and security. This demonstrates reassurance to individuals, institutions, partners and your team that best practices are followed and support better decision-making and a culture of privacy within an organization. Promoting transparency and individual awareness builds trust in your organization while improving efficiency and minimizing redundancies in using, collecting, and storing personal information data.
Organizations may also be concerned that the PIA will create more problems than they solve. The PIA itself simply identifies gaps within your process or organization, it is up to your organization to prioritize and plan any changes you would like to make in light of this information. OIPC will not mandate how you need to change, but rather identify the gaps in your process for you to work with.
How to Make the Most of PIAs
Cyber attacks and security breaches are not uncommon for Canadian service providers. In October of 2021, the Newfoundland and Labrador health-care system faced a cyberattack that saw over 200,000 files taken which contained personal information, including SIN numbers and contact information. The attack delayed thousands of appointments and procedures in the following week. While there is no evidence the stolen data has been misused, there is still strong concern about when and if it will be.
PIAs are widely accredited as a best practice for ensuring privacy risk management; they are essential tools for any organization handling individual health and personal information. It’s important to note that PIAs are not a one-and-done process. Instead, PIAs need to be done when designing a new program or service, making significant changes to an existing program or service, or switching from conventional to electronic service delivery models. It is an ongoing process that supports dynamic adjustment to policies and practices to support and protect privacy and security. Still, it is an essential process to protect your community.