Privacy Impact Assessments: Frequently-Asked Questions

A privacy impact assessment (PIA) is a process for identifying and addressing privacy risks associated with the implementation of an administrative practice or information system that collects, uses, discloses, stores or processes identifying personal or health information. Depending on the type of administrative practice or information system, completing a PIA may be challenging.

This page addresses some of the most frequently asked questions that the Office of the Information and Privacy Commissioner (OIPC) has received about PIAs. The questions are set out in the categories of:

  • General
  • Virtual Care
  • Netcare
  • CII/CPAR
  • PIA Amendments and Updates
  • Information Management Agreements
  • Opening Multiple Clinics
  • PIA Reviews
  • Changes to PIA Process
  • PIA Training

General

  1. When do I need to submit a PIA?

Answer: The Health Information Act (HIA) section 64 requires each custodian to prepare a PIA that describes how proposed administrative practices and information systems relating to the collection, use and disclosure of individually identifying health information may affect the privacy of the individuals who are the subjects of the information. HIA requires custodians to submit PIAs to the Commissioner for review and comment before implementing proposed administrative practices or information systems (or changes to existing administrative practices or systems) that involve the processing of identifying health information.

While public bodies under the Freedom of Information and Protection of Privacy Act (FOIP Act) and private sector organizations under the Personal Information Protection Act (PIPA) are not required by law to submit PIAs to the Commissioner, the OIPC highly recommends and encourages public bodies and organizations to voluntarily submit PIAs for review and comments.

  2. What do I need to include in my PIA?

Answer: Currently, PIAs submitted by custodians under HIA need to meet the requirements set out in our Privacy Impact Assessment Requirements Guide, 2010.

  3. What if my PIA submission does not follow the Privacy Impact Assessment Requirements Guide, 2010?

Answer: If your PIA does not meet the Privacy Impact Assessment Requirements Guide, 2010 and does not contain sufficient information to enable the OIPC to review and comment on it, your PIA will not be reviewed by the OIPC. Your PIA file will be closed. If your PIA does not follow the guide but contains sufficient information about the administrative practice and/or information system, the OIPC will review and comment on it.

  4. Is there a PIA template available online?

Answer: At this time, our office does not have a PIA template. We recommend following our Privacy Impact Assessment Requirements Guide, 2010.

  5. I am opening a new clinic and will be implementing different systems such as an electronic medical record (EMR), secure messaging tool, patient portal and Netcare. Should I submit one PIA that describes my organizational controls and the implementation details related to each of these systems?

Answer: You should submit one PIA for each information system. This allows a timelier review by the OIPC, and if one system has privacy or security issues, then it will not affect the OIPC’s ability to review and comment on the PIAs for the other systems.

The first PIA should describe your organizational controls (policies and procedures) and the implementation details related to the main system such as an EMR, including specific policies and procedures for that information system.

For each subsequent PIA you submit for other information systems, you do not need to address your organizational controls, if those controls described in the first PIA have not changed. Rather, you just need to reference your previously submitted PIA OIPC file number and the section of the PIA where you described those controls.

If it has been several years since you submitted your organizational controls, including policies and procedures, it is recommended that you review them and submit updated copies to the OIPC with your new PIA submission. Going forward, you would then cite these updated organizational controls in your future PIA submissions.

  6. Can I hire a PIA consultant to prepare my PIA?

Answer: Yes. You may hire a consultant to prepare your PIA; however, the custodian(s) are accountable for the PIA and all the information described therein. The custodian should be actively involved in the PIA development.

  7. What if my administrative practice or information system is about sharing non-identifying health information? Do I need to submit a PIA?

Answer: Non-identifying health information is defined in HIA section 1(1)(r). As per the requirement in s. 64 of HIA, a PIA may not be required in this case; however, there may be risks of re-identification especially when it comes to the process that was used to make the identifying information non-identifiable. If you submit a PIA to our office, our review may help you identify risks that you may not have considered or potential areas of non-compliance with HIA.

  8. What is the best way to submit a PIA?

Answer: The OIPC prefers email submissions using the pia@oipc.ab.ca email address, although the OIPC still accepts PIAs submitted by mail.

  9. HIA says each custodian must submit a PIA to the Commissioner. Can a group of custodians working in a single setting submit one PIA to the Commissioner?

Answer: While HIA does state that “each” custodian must submit a PIA, the OIPC does allow one PIA to be submitted by multiple custodians practicing in a common environment, under the same administrative practices, which implement the same health information system, policies and procedures.

All custodians must agree to the PIA, and all custodians must sign off on the PIA. Each custodian is still accountable for compliance with HIA and the health information that the custodian collects, uses or discloses.

When submitting a PIA from multiple custodians, please indicate who the primary contact (custodian) is for the PIA, so OIPC correspondence can be directed to that individual. It will be up to this primary contact to provide copies of the OIPC correspondence to all participating custodians of the PIA.

  10. Who needs to sign the cover letter for the PIA?

Answer: The custodian or custodians submitting the PIA must sign the PIA. If a group of custodians submit a PIA, all the custodians participating in the PIA submission must be signatories to the cover letter for the PIA.

  11. Can an affiliate of a custodian sign the PIA?

Answer: Generally, no. Custodians must sign their PIA submissions, as compliance with HIA lies with the custodian. Privacy officers or a representative of the custodian [i.e. consultants hired by the custodian(s) to write the PIA or answer questions on behalf of the submitted PIA], or their affiliates cannot sign the cover letter for the custodian.

However, for custodians as described in section 1(1)(f)(iv), (ix.1), (ix.2), (xii) and (xii.1) (e.g. Alberta Health, Recovery Alberta, Ministry of Mental Health and Addiction, etc.), a responsible affiliate who has been delegated appropriate authority may sign off on a PIA on behalf of the custodian.

  12. Can anyone at the clinic submit a PIA by email to the OIPC or does it have to be the custodian?

Answer: While the custodian must complete and sign the PIA, a representative of the custodian, such as the privacy officer or any other individual, may submit the PIA to the OIPC on behalf of the custodian.

The PIA submission requires the custodian’s full contact information. This includes full name, title, physical mailing address, email address and phone number. Our office requires custodian contact details in order to open the PIA file. Submitting a PIA without the custodian’s full contact information may result in delays with processing the PIA file.

  13. Can I email you a link so you can retrieve my PIA submission (e.g. cloud storage) or does it need to be attached to the email?

Answer: No. Please attach the PIA and cover letter to the email.

  14. How do I know if the OIPC has received my PIA submission?

Answer: If a submission is sent to our PIA email address (pia@oipc.ab.ca), you will receive an email acknowledging receipt of your submission. If you do not receive a confirmation email, and you are concerned, please contact us (phone 780-422-6860 or toll free at 1-888-878-4044 or email generalinfo@oipc.ab.ca) to confirm we received your submission. If you submit your PIA by mail or fax, we do not send confirmation of receipt.

Once a PIA file has been created, you will receive correspondence with your PIA file number. If there are issues with the submission (e.g. missing PIA requirements), we may not open a file and any hard copy submissions will be returned. You will be informed if your PIA is not processed.

  15. What should I expect after submitting a PIA?

Answer: After you receive the initial email confirming receipt of your email submission and the letter with your file number, you will either be contacted by the PIA reviewer about questions regarding the PIA or you will receive a letter with comments and recommendations (if applicable). The letter may require the custodian to follow up with the reviewer on the implementation of the recommendations.

  16. Can the custodian’s representative such as a privacy officer or a PIA consultant be the point of contact for questions on the PIA?

Answer: If the PIA describes who to contact regarding questions on the PIA, the PIA reviewer will contact that individual for clarifying questions. However, our office requires contact information, including full name, title, physical mailing address, email address and phone number, for the custodian, so that formal correspondence can be directly sent to the custodian. A custodian’s representative may be copied on OIPC formal correspondence, if the custodian has provided that contact information.

  17. How long does the OIPC take to review a PIA?

Answer: Based on the current PIA backlog and available resources, it may take up to 12 months to have your PIA reviewed and to receive comments. We are working to implement improvements in the way that we process PIAs and we anticipate that these changes will shorten our turnaround times.

  18. If I would like to know the status of my PIA, can I or my representative contact the OIPC for an update?

Answer: Yes. The custodian (or one of the participating custodians) who submitted and signed off on the PIA can contact our office for an update. Where the PIA has identified an affiliate responsible for privacy compliance (i.e. privacy officer), the affiliate or representative may inquire on behalf of the custodian(s).

  19. Once I submit my PIA, can I start using my information system or do I have to wait for the OIPC to complete its review?

Answer: Section 64 of HIA requires the custodian to submit the PIA prior to implementing the information system or administrative practice. If you are implementing a high-risk information system and require preliminary feedback from the OIPC, we encourage you to engage with our office early on in the project so that we can review and comment prior to the implementation.

  20. My PIA was accepted but I can’t find it. Does the OIPC retain the PIA documentation and, if so, can the OIPC send me a copy of my PIA, the OIPC’s acknowledgment letter, and the PIA review letter?

Answer: Each custodian is responsible for maintaining accurate records of their PIA(s) and the related OIPC correspondence. While the OIPC has assisted in providing custodians with copies of PIAs in the past, the OIPC has since stopped that practice. It is not within the OIPC mandate to provide this service.

  21. Once I submit my PIA and receive OIPC comments, are my obligations satisfied?

Answer: The custodian must review their PIAs regularly and ensure amendments to their PIAs are submitted as appropriate. In order to do this review, each custodian should have a copy of the PIAs and the OIPC PIA correspondence related to the review of each PIA.

Virtual Care

  1. Do I need to submit a PIA if I am providing care virtually?

Answer: Yes. The PIA should describe your administrative practices and any information systems used to provide virtual care. There are additional considerations that you must address in your virtual care PIA, including:

  • whether the custodian meets the definition of a custodian under HIA, s. 1(1)(f);
  • how the custodian has custody and/or control of the health information in the virtual care platform and how this is maintained;
  • how the custodian is collecting, using and disclosing health information, reflected in the PIA’s information flow and legal authorities’ tables (if the custodian is using a third-party vendor to provide virtual care, this data flow may include information flows under the Personal Information Protection Act);
  • the Information Manager Agreement requirement under section 66 of HIA and section 7.2 of the Health Information Regulation; and
  • policies and procedures that reflect HIA compliance with respect to this type of care model.

Netcare

  1. I am a care provider but not a custodian, as defined in HIA s. 1(1)(f). I own a clinic and my staff need Netcare access. Can I submit an Expedited Netcare PIA to get access to Netcare?

Answer: Alberta Health has described the requirements for obtaining Netcare Access. Only authorized custodians as per section 56.1(b) can request access to Netcare. Custodians may submit an Expedited Netcare PIA following the OIPC Expedited Netcare PIA Requirements found here. Additional information on Netcare can be found at Alberta Health’s Netcare Learning Centre website: Privacy & Security, Netcare Learning Centre (albertanetcare.ca) or contact Alberta Health directly.

  2. What is an Expedited Netcare PIA?

Answer: In 2006, Alberta Health in consultation with the OIPC implemented an expedited process for custodians to submit PIAs for the Alberta Netcare Portal (ANP). Under this process, custodians attest they understand their duties and responsibilities in relation to Alberta Netcare, as described in the Alberta Netcare PIA submitted to the OIPC, on custodians’ behalf, by Alberta Health.

  3. What kind of change in my administrative practices may trigger an amendment to my Expedited Netcare PIA for access to the ANP?

Answer: Some examples of changes to administrative practices that may trigger amendments are:

  • if you are adding new custodians to the PIA (e.g. a group of custodians submitted a PIA and additional custodians are joining the practice), then a PIA amendment to the existing Expedited Netcare PIA is required (please be sure to reference the original PIA file number); and
  • if there is a change to the organizational privacy policy manual.

  4. What should I do if there is a change to the custodian who submitted the Expedited Netcare PIA?

Answer: If there is a change to the custodian who submitted the Expedited Netcare PIA (may be referred to as the lead custodian in the PIA), such as closing a practice or transferring or selling it to another custodian, a new Expedited Netcare PIA must be submitted under the new (or successor) custodian. In addition, the custodian should contact Alberta Health to terminate existing Netcare access.

  5. If I already have an Expedited Netcare PIA accepted by the OIPC but I want to change my electronic medical record (EMR), do I need to submit a new Expedited Netcare PIA along with my new EMR PIA?

Answer: No. You will not need to resubmit your Expedited Netcare PIA unless there is a change to your organizational information management practices that will impact your Netcare PIA. However, pursuant to section 64 of HIA, you are required to submit a PIA for the new EMR.

  6. If I am submitting PIAs on an electronic medical record (EMR) and Netcare, is it best to combine those in one PIA or submit separate PIAs?

Answer: It is best to submit these PIAs separately, each with its own cover letter. Expedited Netcare PIAs are reviewed on an expedited basis by the OIPC. If an Expedited Netcare PIA is included in another PIA describing the implementation of other systems (such as an EMR, secure messaging, etc.), the review of that PIA may not be expedited.

  7. If I live outside Alberta and provide virtual care to Albertans, can I submit an Expedited Netcare PIA?

Answer: You may submit an Expedited Netcare PIA if you are a custodian as defined under HIA and associated regulations and if you provide health care services to Albertans. To be an authorized custodian, among other requirements detailed in s. 56.1 of HIA, you must meet the definition of a custodian. For example, if you are a physician you must be a member of the College of Physicians and Surgeons of Alberta.

Community Information Integration (CII)/Central Patient Attachment Registry (CPAR)

  1. Do I need to submit a separate CII/CPAR PIA for each custodian practicing at our clinic? Can I submit one PIA listing all the custodians practicing at our clinic?

Answer: While each custodian is required to submit a PIA (HIA s. 64), if the custodians implement the same policies, procedures, processes and electronic medical record (EMR) implementation, you may submit one PIA for all the custodians. However, each custodian must sign off on the PIA.

  2. Do I need to update the OIPC when there is a new custodian joining our clinic and participating in the CII/CPAR initiative?

Answer: Yes. You need to notify the OIPC of the change. If the new custodian adopts the existing policies and procedures at the clinic and uses the same implementation of the EMR, one of the custodians of the existing CII/CPAR PIA may send a letter to the OIPC, which should include the following information:

  • the new custodian’s name and contact information;
  • that the new custodian is being added to the existing PIA (include the OIPC file number of the existing PIA); and
  • that the new custodian has reviewed the existing PIA and will abide by the controls described in the PIA.

The letter must be signed by both the new custodian and the existing custodian.

  3. The CII/CPAR template requires a custodian to reference their PIA details for their EMR. What if I don’t have an EMR PIA or if I submitted a PIA for my EMR but haven’t received my file number yet?

Answer: If you do not have an EMR PIA, please do not submit the CII/CPAR PIA, as the PIA will not be reviewed. If you have submitted your EMR PIA to the OIPC but have not heard back from the OIPC regarding your file number, please include this information in your CII/CPAR PIA submission for consideration by the OIPC.

  4. If I change my EMR, do I need to submit a PIA for my new EMR and also submit a new CII/CPAR PIA?

Answer: Yes. If a custodian implements a new EMR, the custodian is required to submit a PIA to the OIPC pursuant to section 64 of HIA. In addition, the custodian will need to submit a new CII/CPAR PIA that references the new EMR, because CII/CPAR requires connectivity to the EMR.

PIA Amendments and PIA Updates

  1. What is a PIA amendment?

Answer: A PIA amendment is a PIA under section 64 of HIA. A PIA amendment addresses privacy and security risks associated with changes to an existing administrative practice and/or information system that impacts the collection, use and/or disclosure of identifying health information. A PIA amendment focuses on areas that have changed in an existing administrative practice or information system, and how the custodian has identified and addressed privacy and security risks associated with the change. The amendment must still follow the OIPC PIA Requirements Guide 04-14-10 (oipc.ab.ca). Page 12 of the guide describes when a PIA amendment may be appropriate.

  2. Can I use a copy of my existing PIA to identify and strike what has changed and add new information using a different colour font?

Answer: Yes. You may use that approach. Remember to ensure all sections affected by the change are addressed.

  3. What are some examples of changes to administrative practices or an information system that require PIA amendments?

Answer: Some examples of changes to administrative practices or an information system that require PIA amendments include:

  • migration of an on-premise (locally implemented) electronic medical record (EMR) to the cloud;
  • adding a new module to an existing EMR;
  • addition of a new custodian to an existing group of custodians in a practice using the same EMR and information management policies and procedures. The amendment must describe how each custodian has agreed to the details in the PIA, entered into agreements with information managers, etc.; and
  • transferring health records from a retiring custodian to another custodian (successor custodian). The retiring custodian should submit an amendment to his or her existing PIA describing the steps taken to ensure privacy and security compliance during the transfer to the successor custodian. The successor custodian will need to submit his or her own PIA regarding HIA compliance associated with the acquisition of the information.

  4. I am a custodian who is looking at closing my practice. What do I need to do with my existing PIA(s)?

Answer: If you are closing your practice, you must submit a PIA amendment addressing the steps you have taken to protect health information in your custody and/or control, including:

  • informing patients about the closure of the practice;
  • facilitating the transfer of patient health information to new health care providers to ensure continuity of care;
  • responding to access to information requests from patients;
  • securely transferring health information to a successor custodian;
  • if there is no successor custodian, steps taken to secure health information in your custody and/or control;
  • securely decommissioning your EMR, including the proper termination of any agreements and the termination of access to health information;
  • ensuring your information manager has securely removed health information from its environment; and
  • securely disposing of health information when the retention period expires.

Custodians are accountable for the health information of their patients, and they must ensure HIA compliance. This includes responding to access to information requests until they transfer the health records to another custodian or until the end of the retention period, after which the records are securely destroyed.

  5. What is a PIA update?

Answer: Changes to an existing PIA that do not affect the collection, use, disclosure or protection of health information are considered PIA updates. Our office manages these types of submissions differently than PIAs and PIA amendments. A custodian will often notify our office of changes such as:

  • clinic address;
  • clinic name change;
  • removing participating custodians from a PIA submitted by a group of custodians; and
  • change of privacy officer.

These changes must be submitted by the custodian and the letter must be signed by the custodian. Once the OIPC receives these PIA updates, we will update your PIA file. No new file is opened and no letter is sent confirming the update. However, if there is an issue or a question, we will contact the custodian.

  6. What changes do not require a PIA submission (including a PIA, PIA amendment or a PIA update)?

Answer: If a change does not impact the collection, use, disclosure or protection of health information, you are not required to submit a PIA. While custodians may need to update their PIA so the OIPC can contact them and have up-to-date organizational information, other information is not critical to provide to the OIPC. For example, the OIPC does not need to know if there is a:

  • change to staff (affiliates) – If there are no changes to the roles or access procedures then this change likely would not need a PIA submission. The custodians need to ensure the new staff are appropriately trained as described in their existing PIAs.
  • change to janitorial services or shredding company. Custodians need to ensure the steps described in the PIA on HIA compliance by these services are implemented with the new organization. These steps may include the signing of confidentiality and/or non-disclosure agreements.

Information Manager Agreements

  1. What is an information manager?

Answer: Section 66(1) of HIA includes a description of the following services that, if performed by a person or body, makes that person or body an information manager for purposes of HIA:

66(1) In this section, “information manager” means a person or body that

  (a) processes, stores, retrieves or disposes of health information,
  (b) in accordance with the regulations, strips, encodes or otherwise transforms individually identifying health information to create non-identifying health information, or
  (c) provides information management or information technology services.

  2. When do I need an information manager agreement (IMA)?

Answer: Pursuant to section 66 of HIA, custodians are required to enter into an IMA prior to providing health information to an information manager. Information managers must comply with HIA and its regulations as well as the agreement they enter into with the custodian in respect of the information provided to the information manager by the custodian. Custodians may not have the authority to disclose health information to providers of information management services without an appropriate written agreement.

  3. Who needs to sign an IMA?

Answer: IMAs must be signed by custodians. Agreements signed by individuals who are not custodians are not valid IMAs under HIA.

  4. What needs to be included in an IMA?

Answer: Section 7.2 of the Health Information Regulation specifies what IMAs must address:

7.2 For the purposes of section 66(2) of the Act, an agreement between a custodian and an information manager must

(a) identify the objectives of the agreement and the principles to guide the agreement,

(b) indicate whether or not the information manager is permitted to collect health information from any other custodian or from a person and, if so, describe that health information and the purpose for which it may be collected,

(c) indicate whether or not the information manager may use health information provided to it by the custodian and, if so, describe that health information and the purpose for which it may be used,

(d) indicate whether or not the information manager may disclose health information provided to it by the custodian and, if so, describe that health information and the purpose for which it may be disclosed,

(e) describe the process for the information manager to respond to access requests under Part 2 of the Act or, if the information manager is not to respond to access requests, describe the process for referring access requests for health information to the custodian itself,

(f) describe the process for the information manager to respond to requests to amend or correct health information under Part 2 of the Act or, if the information manager is not to respond to requests to amend or correct health information, describe the process for referring access requests to amend or correct health information to the custodian itself,

(g) describe how health information provided to the information manager is to be protected, managed, returned or destroyed in accordance with the Act,

(h) describe how the information manager is to address an expressed wish of an individual relating to the disclosure of that individual’s health information or, if the information manager is not to address an expressed wish of an individual relating to the disclosure of that individual’s health information, describe the process for referring these requests to the custodian itself, and

(i) set out how an agreement can be terminated.

Please note that your IMA must include all of the provisions listed above from (a) to (i). Omitting any of these sections will make your IMA non-compliant with HIA.

Section 8.4 of the Health Information Regulation also specifies that when health information is going to be stored, used or disclosed by a person in a jurisdiction outside of Alberta, the custodian must enter into a written agreement with that person prior to the storage, use or disclosure of the information.

  5. Should I attach a copy of my IMA(s) to my PIA?

Answer: You may attach a copy of your IMA(s) to your submission. You should review your IMA(s) and confirm in your PIA submission if your IMA(s) meet(s) the requirements outlined above. In the event you do not provide your IMA(s), the PIA reviewer may ask to see a copy of your IMA(s), so you should be prepared to provide that documentation if requested.

  6. My vendor has provided an IMA. If I sign that, is it adequate?

Answer: While a vendor may provide an IMA for the custodian to sign, custodians must ensure that any IMAs they sign meet the requirements of section 7.2 of the Health Information Regulation.

  7. I have left my practice and can’t get access to my health records. What should I do?

Answer: When custodians do not directly sign agreements with their EMR vendors, they may find themselves in the unfortunate position of not being able to exercise control over health information they need to provide health services. Custodians remain accountable for the health information they collect, use and disclose and must ensure they are playing an active role in determining how that information is managed (see OIPC Investigation Report H2013-IR-01, https://oipc.ab.ca/wp-content/uploads/2022/01/H2013-IR-01.pdf).

Note: Custodians working in a practice with other custodians should all have their own agreements with information managers and understand what will happen should they leave the clinic (e.g. process for obtaining copies of their patients’ health records).

Opening Multiple Clinics

  1. I am adding a new clinic at another location, and I have already submitted a PIA for the prior clinic. Do I need to submit a PIA for this new clinic?

Answer: Yes. A new PIA should be submitted. A custodian or group of custodians may open multiple locations for their practice. While each clinic may follow the same policies and procedures, the PIA should clearly describe whether there are any differences besides address for the new clinic location(s). Some elements to consider are whether the same or different custodians will be working in the new clinic, differences in the clinic set-up, privacy and security governance in each clinic, systems implemented in each clinic, differences in physical and technical safeguards in each clinic, use of different service providers, etc.

PIA Reviews

  1. Sometimes I receive comments and recommendations and sometimes I just receive a closing letter from the OIPC. Why does this happen?

Answer: The way we review PIAs can be different depending on the complexity of the administrative practice or system and the content of the PIA submissions. PIAs on complex systems or novel approaches may result in more comments than a PIA describing a system that is commonly implemented in Alberta. PIAs that describe the implementation of a system or administrative practice that is likely to impact a large segment of the population may have significant impacts on individuals’ privacy and require a more thorough review of legislative compliance and may result in more comments and recommendations.

  2. Can I talk to the PIA reviewer during the PIA review?

Answer: Yes. You can speak with PIA reviewers during the review process. There are times when follow-up questions may be asked over the phone or in writing. If you wish to speak to someone about your PIA and it has already been assigned to a manager for review, contact the manager directly or email generalinfo@oipc.ab.ca with your PIA file number.

  1. My vendor says they have an accepted PIA. Why do I need to submit a PIA if they already have one that has been accepted?

Answer: It is the custodian/public body/organization’s responsibility to ensure they are complying with the applicable privacy legislation to protect health information or personal information in their custody or control. HIA describes the custodian’s duty to prepare and submit a PIA. While vendors may provide documentation to support the PIA review process, the custodian is responsible for submitting a PIA (s. 64 of HIA). The custodian will need to describe the system they are implementing and how the system will be used (who will use it, what it will be used for, type of information it will process, how it will be customized, what agreements are entered into, clinic privacy policies and procedures, etc.). Vendors are able to support the PIA submission by providing the technical details on how the system works and what they offer for technical, physical and administrative safeguards but they are not required by law to submit a PIA to the OIPC.

Changes to PIA Process

  1. What is changing about the current PIA process?

Answer: On October 1, 2024, the OIPC changed the way PIAs are reviewed. PIAs will no longer be accepted, conditionally accepted, or not accepted. Instead, PIAs will be reviewed and a closing letter with comments and recommendations will be issued, when required; otherwise just a closing letter will be issued.

  1. Why did the PIA review process change?

Answer: The change better aligns with section 64(2) of the Health Information Act, which authorizes the OIPC to review and comment on PIAs. The change is designed to better support privacy compliance by focusing on identifying and communicating compliance gaps to custodians, for remediation in a timely manner.

PIA submissions to the OIPC have increased substantially since the OIPC's Privacy Impact Assessment Requirements Guide was first published in 2010. The previous review process was no longer sustainable. The high volume of PIA submissions had led to a backlog of files, resulting in delays in reviewing and providing timely feedback to custodians.

The changes to this process will increase efficiency in our reviews, enable timely resolution of PIA files, help reduce backlogs in processing these files, and allow the OIPC to allocate resources to PIA files that require increased attention. These changes align with the OIPC strategic priority of enhancing internal processes to support our legislative mandate and to improve timelines.

  1. What does this mean for PIAs that were submitted before the change?

Answer: PIAs received by our office prior to the change, but where the review has not been completed, will be reviewed under this new process. You may receive clarifying questions if the PIA reviewer has any. Closing letters will be issued and will include comments and recommendations, if required.

  1. The Privacy Impact Assessment Requirements Guide, 2010 still says PIAs will be accepted, not accepted or conditionally accepted. Why is this the case if you aren’t accepting PIAs anymore?

Answer: Changes to the Privacy Impact Assessment Requirements Guide and the development of new PIA resources to assist custodians, public bodies and organizations in completing and submitting PIAs to the OIPC are in progress. New and updated PIA resources will be published on our website when completed. Please continue to use the existing Privacy Impact Assessment Requirements Guide, 2010 while completing your PIAs, until the new resources are available.

  1. If you aren't sending acceptance letters anymore, what can I expect when you are finished reviewing my PIA?

Answer: You will receive a closing letter that may contain comments and recommendations. If the letter contains recommendations, you will be asked to indicate if you accept or reject the recommendations by a certain date. This information may be published on the PIA Registry located on our website.

  1. Some PIAs require a PIA acceptance in order to get access to a system, such as Alberta Netcare Portal, Community Information Integration and Central Patient Attachment Registry (CII/CPAR). Will this OIPC process change affect my ability to get access to these systems?

Answer: According to the new OIPC process, a closing letter that may contain comments and recommendations will be sent to the custodian. Questions related to Netcare and CII/CPAR access should be directed to Alberta Health and its eHealth team.

PIA Training

  1. Can my professional college or association provide PIA training?

Answer: You can contact your professional college or association to request OIPC PIA training for your members. You can also use the speaking engagement form on our website to request OIPC training.

The OIPC website also has a resources page that includes information on topics including cloud computing, artificial intelligence, and electronic health system requirements, which may assist in the completion of a PIA.