Privacy Commissioner Issues New Privacy Impact Assessment Requirements

April 15, 2010

The Office of the Information and Privacy Commissioner has developed new requirements for the development of Privacy Impact Assessments (PIAs) by health information custodians.

The new requirements establish best practices for PIAs gleaned from more than 10 years of experience in reviewing and commenting on more than 2700 PIAs. Commissioner Frank Work says that the new requirements do not set new expectations, but rather give health information custodians clear guidance about what needs to be considered in assessing risks to privacy and the information that should be included in a PIA.

The new requirements were developed following an extensive review of the previous PIA questionnaire and consultation with health system stakeholders. They update the previous guidance and provide clear guidelines and a consistent format for the development of a PIA.

PIAs are mandatory under the Health Information Act (HIA). The requirements have been designed for health information custodians. Public bodies and organizations subject to the Freedom of Information and Protection of Privacy Act or the Personal Information Protection Act may also find them useful as a reference tool to help draft PIAs. Commissioner Work feels they will assist health information custodians in striking the right balance between using health information to provide care and manage the health system and protecting Albertans’ privacy. Work says, “The new requirements provide clear, concise and up-to-date instruction for health care providers that will help them assess risks associated with electronic health records such as Alberta Netcare.”

Some health information custodians are likely working on new PIAs right now within the parameters of the existing PIA questionnaire. Custodians will have a six-month transition period, until mid-September, to adopt the new requirements.