PIA Requirements
Privacy Impact Assessment Requirements
The HIA requires that a custodian submit a privacy impact assessment to the Information and Privacy Commissioner for review and comment before implementing a new practice or information system, or making changes to an existing one, relating to the collection, use or disclosure of individually identifying health information.
The Office of the Information and Privacy Commissioner has developed Privacy Impact Assessment (PIA) Requirements to assist custodians in reviewing the impact that a project may have on individual privacy. The PIA Requirements are designed to ensure that a custodian evaluates the practice or information system’s compliance with the HIA.
The PIA Requirements are mandatory for PIAs submitted under the Health Information Act and should be used for any new project. We recognize that some custodians will already be in the process of completing a PIA on an existing project using the old PIA questionnaire. There will be a six-month transition period, until September 15, 2010, during which it will be acceptable to submit a PIA using the old PIA questionnaire.
Public bodies subject to the Freedom of Information and Protection of Privacy Act and organizations subject to the Personal Information Protection Act may also use the PIA Requirements as a reference tool to help draft PIAs. All mention of legislation in these requirements refers to the HIA. Anyone using these requirements as guidelines to write a PIA under FOIP or PIPA will need to research these laws for proper legal authority to collect, use and disclose personal information.
Because the onus always remains on the organization to ensure adequate levels of privacy protection, as required in the applicable legislation, a PIA will not be "approved". Once satisfied that the organization has addressed the relevant considerations and is committed to the provision of the necessary level of privacy protection, a PIA will be "accepted". Acceptance reflects that the custodian has made reasonable efforts to protect privacy. A PIA cannot be used to obtain a waiver of, or relaxation from, any requirement of the relevant legislation.