Privacy Impact Assessment

Privacy Impact Assessment

A PIA examines a system to determine whether the risks to privacy in that system rise to the level requiring a change in the system or a change in the procedures followed by the people using the system. A PIA also makes recommendations about how risks may be remedied. 

The assessment identified six risks in Release 1 of the IAR at the application and systems level. One was rated as a high risk and two were rated as a medium risk and drop to a low residual risk if remediated.

The high risk was to seek a legal opinion if TransForm can use Personal Health Information (PHI) for the EMPI under its current role as a Health Information Network Provider (HINP). The opinion was that "yes", TransForm can, provided the original intent and scope stays within the IAR. The EMPI data can’t be reused for another purpose and expansion plans within IAR are segregating usage to keep the consent model consistent.

One medium risk identified was surrounding knowledge transfer as the system transitions from a project to ongoing operational status. That documentation has been transferred and training provided.

The last medium risk identified is with respect to the software vendor and questions whether TransForm should have a legal agreement. The agreement and licensing is being left with the Ministry of Health and Long-Term Care; however, TransForm is included in the support contract.

All other low risk items have been remediated and are no longer privacy threats.

Release 4`s assessment found six low to medium risks.

One risk involves TransForm acting as a consent call centre without express contractual agreements with the HICs. There is an implied consent through the training program delivered as HICs are oriented, but a formal acknowledgement of the service is being drafted as a short-term mitigation. A formal new Data Sharing Agreement is being developed for publication and signing by year end by the HICs to completely mitigate the risk.

The other risks involve updating published privacy policies to reflect the new services being hosted. These are being actively developed and will be published shortly.

Request More Information If you would like more information about either this PIA or the TRA, or for qualified project participants to obtain a copy of the detailed documents, please contact:

Telephone: 519-437-6264

Email: privacy@transformsso.ca

Or

By Mail:

TransForm Shared Service Organization

Privacy and Security Office

1453 Prince Road

Windsor, Ontario N9C 3Z4

Contact Us

Contact Information

750 Richmond St Chatham, ON N7M 5J5