KI Design Privacy Impact Assessment Approach

Privacy Impact Assessments (PIAs) are a key tool for demonstrating compliance with privacy laws. We outline our approach to basic institutional PIAs, as well as PIAs for multi-institutional or multi-jurisdictional data initiatives.

The KI Design approach to a single institutional privacy impact assessment falls in line with the provincial and federal requirements in Ontario and Alberta. The basic purpose of a PIA is to assess the impact of the collection, use, and disclosure of personal information on privacy and to justify this impact. Our approach begins with an analysis guided by the four-part test for necessity and proportionality established in R. v. Oakes (based on the Office of the Privacy Commissioner of Canada guideline):

  1. Is the measure demonstrably necessary to meet a specific need?
  2. Is it likely to be effective in meeting that need?
  3. Is the loss of privacy proportional to the need?
  4. Is there a less privacy-invasive way of achieving the same end?

In addition to answering the above questions, we help to collect documentation to demonstrate compliance with the ten principles that form the core of PIPEDA:

Accountability – Governance structure, PIA protocols, auditing, training, legal consultation

Identifying Purposes – Purposes of data collection, legislative authority for collection, description of data collected

Consent – Notification process or exceptions to consent

Limiting Collection – Justification for each data element collected, and indication that data taken from other departments are purged of all but essential data elements

Limiting Use, Disclosure, and Retention – Use cases, proposed disclosures, data sharing agreements, retention and disposition policies

Accuracy – Processes for correcting data and monitoring changes to records

Safeguards – Physical and electronic safeguards, Threat Risk Analysis, encryption practices, access policies

Openness – Public communications regarding privacy practices

Individual Access – Processes for individual access to or correction of personal information

Challenging Compliance – Privacy complaint procedures, compliance audits

Once privacy risks have been identified and mitigating measures proposed, we help to develop an Action Plan that provides a timeline and assigns responsibilities for the implementation of these measures. We will also help to set up processes for ongoing updates of assessments, auditing and monitoring compliance with privacy policies, and retention and disposition of data.

Multi-Jurisdictional Privacy Impact Assessments

An increase in information sharing initiatives, such as Electronic Health Records (EHR), has led to a growing need for multi-institutional and multi-jurisdictional PIAs. Guidelines from the Office of the Privacy Commissioner recommend that such PIAs include a clear business case for information sharing, a common communications strategy to inform the public of information sharing, and a set of expected privacy practices shared by all institutions participating in the data sharing initiative.

Our unique approach builds on these basic requirements to define a clear, seven-step process that we use both to guide our clients as they develop privacy policy prior to EHR adoption, and to conduct PIAs in an EHR context.

  1. Purpose: We begin by defining the reasons for which health information custodians collect, use, retain and disclose personal health information.
  2. Custodianship: A key next step to ensuring privacy protective information sharing is the definition of a custodianship model. In the context of an EHR initiative, a steward will be designated to review and revise policies, processes, and procedures and to ensure the proper operation of shared records.
  3. Liability: In order to establish liability, we help to define the roles, responsibilities, and accountabilities of EHR participants. We define each EHR participant’s rights and ability to manage (collect, retain, disclose, and correct) personal health information.
  4. Data Management: We define policies for management of data quality, records management, assurance of accuracy, retention and archiving, and secondary use of data.
  5. Controls: We define policies for the application of legislative requirements, including management of information safeguards, compliance auditing, identity validation and management, implementation of consent rules, breach management, and proactive and reactive monitoring of technology assets. Controls also include frameworks such as provider agreements, patient disclaimers, and mandatory and discretionary requirements that define the roles of EHR participants.
  6. Process: We apply privacy policy to workflows and interactions throughout care delivery processes, including service model, delivery model, management of consent, reporting procedures, circle of care management, and incident management.
  7. Adoption: In this final step we develop instruments for the implementation of privacy policy during the adoption and ongoing development of EHR, such as provider agreements, patient disclaimers, mandatory and discretionary requirements, and system feedback.

Why Invest in Privacy?

For companies and public organizations running on limited budgets, it can be difficult to see the benefits of investing in privacy. In our experience, executives and boards do not usually ask how privacy could help them; they ask what similar organizations are doing, and what the potential penalties of privacy violations might be. When these are the criteria for decision making, there is very little incentive to do more than the minimum standard. Once basic privacy policies and procedures are in place, it is easy for organizations to slip into complacency.

Yet privacy, information technology, and information protection experts are emphasizing that managing privacy risk is more important than ever. Organizations hold more digitized information than ever before, and the increased use of portable devices, shared systems, and online portals creates new opportunities for information theft and hacking. Recent business and world news illustrate how data risks have materialized in the form of major breaches of citizens’ personal data. Affected organizations, particularly in the public sector, are under pressure to make changes.

Contrary to the typical narrative in management, we would suggest understanding risk management as an investment rather than an overhead cost. We suggest three ways of understanding privacy risk management beyond the usual focus on the harms of data breaches.

  • Risk management is business process improvement. Many privacy or security risks can be solved through business process improvements. In our experience, many of the recommendations in risk assessments have to do with processes. For example, a common issue with online portals is that the handoff between registration and billing for account holders is unidirectional: there is no process to confirm that registered users have paid their fees, or to suspend their accounts when their registration has expired. Filling this gap addresses the privacy issue of unauthorized portal access, and also generates revenue.
  • Risk management is automation. Similarly, if privacy or security risks are a result of manual processes that can be automated, risk mitigation can be sold as increased efficiency. For example, if two departments host their own data sets pertaining to user profiles, investing in an automated validation tool will eliminate redundant efforts and reduce errors requiring staff attention.
  • Risk management is a selling point for funding or investment business cases. Risk and compliance managers can show how risk mitigation is a differentiating factor in the eyes of external funders, clients, and business partners. Business cases for external funding or investment and responses to requests for proposals can cite risk management as a differentiating factor with regard to external competition.
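The registration-to-billing gap described in the first point above can be closed with a periodic reconciliation job that derives portal access from both registration status and payment status. The following is an added illustration, not KI Design’s code; the `PortalAccount` fields and the sample accounts are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Tuple

@dataclass
class PortalAccount:
    # Constructed record shape: a real portal would join registration and billing tables.
    user_id: str
    registration_expires: date
    fees_paid: bool
    active: bool = True
    audit_log: List[str] = field(default_factory=list)

def reconcile_access(accounts: List[PortalAccount], today: date) -> List[Tuple[str, str]]:
    """Suspend any active account whose registration has lapsed or whose fees are unpaid.

    Returns (user_id, reason) for each account suspended in this run, so the
    result can be reported to both the privacy office and billing.
    """
    suspended = []
    for acct in accounts:
        reasons = []
        if acct.registration_expires < today:
            reasons.append("registration expired")
        if not acct.fees_paid:
            reasons.append("fees unpaid")
        # Only touch accounts that currently have access; already-suspended
        # accounts are left alone so the job is safe to re-run.
        if reasons and acct.active:
            acct.active = False
            reason = "; ".join(reasons)
            acct.audit_log.append(f"{today.isoformat()}: suspended ({reason})")
            suspended.append((acct.user_id, reason))
    return suspended

# Constructed sample data: one account in good standing, one lapsed, one unpaid.
SAMPLE_ACCOUNTS = [
    PortalAccount("u1001", date(2025, 12, 31), fees_paid=True),
    PortalAccount("u1002", date(2023, 6, 30), fees_paid=True),
    PortalAccount("u1003", date(2025, 12, 31), fees_paid=False),
]

if __name__ == "__main__":
    for user_id, reason in reconcile_access(SAMPLE_ACCOUNTS, date(2024, 1, 15)):
        print(f"suspended {user_id}: {reason}")
```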

These three principles apply to private and public sector organizations, large or small. Risk management provides both product and service companies with a competitive advantage by differentiating them from others. Government organizations facing funding cuts can leverage process improvements to improve employee utilization and limit outsourcing.

Privacy is best understood as an investment factor that improves bottom lines and provides a competitive advantage. Such an approach changes the question from, “What is the minimum I have to pay to manage this risk?” to “What is my return on investment?”