Ombudsman releases privacy impact assessment process to help ensure compliance with personal health information privacy law
Dec 2, 2004
A privacy impact assessment process designed specifically to help protect the privacy of personal health information under The Personal Health Information Act (PHIA) has been placed on the Manitoba Ombudsman's web site. In making the announcement, Ombudsman Barry Tuckett said that "undertaking privacy impact assessments has become a generally accepted 'best practice' for both the public and private sectors of society."
The Privacy Compliance Tool (PCT) for PHIA is a companion due diligence process to another released late last year for Manitoba public bodies that are within the scope of both The Freedom of Information and Protection of Privacy Act (FIPPA) and PHIA. "We felt that producing a separate assessment technique for personal health information trustees would simplify the process by removing all unnecessary references to FIPPA," said Mr. Tuckett.
A clear intention of Manitoba's privacy laws is to prevent breaches of information privacy before they occur. "Use of a privacy impact assessment process by Manitoba personal health information trustees should reduce the risks of people's personal information being compromised and enhance public trust and confidence in how this information is being managed," said Mr. Tuckett.
"While use of the tool is voluntary," said Mr. Tuckett, "the potential costs of noncompliance with legislated personal health information privacy requirements are high both in terms of the loss of privacy for individuals and the public in general and in view of the expense of fixing or even abandoning practices or systems that do not meet statutory requirements."
Some personal health trustees may already have a privacy impact assessment template that they have used. Manitoba Health, for example, has created a privacy impact assessment that must be completed whenever it is involved in developing or modifying electronic information records systems and databases. The PHIA Privacy Compliance Tool is not intended to replace any such effective instrument that is in place, but it may be used as a measure of or a supplement to any existing tool.
Central purposes of FIPPA and PHIA are to control the collection of personal and personal health information and to protect against the unauthorized use, disclosure, and destruction of this information. The Acts also provide for an independent review of the decisions of public bodies and personal health information trustees by the Manitoba Ombudsman.
Created in 1970, the Office of the Manitoba Ombudsman exists to promote fairness, equity and administrative accountability through independent and impartial investigation of complaints and legislative compliance reviews. An Access and Privacy Division, created in 1998, investigates complaints and reviews compliance under The Freedom of Information and Protection of Privacy Act and The Personal Health Information Act.