Privacy Impact Assessment Methodology

BlueImpact’s Privacy Impact Assessment (PIA) Methodology adopts the guidelines published by Canada Health Infoway and the Information and Privacy Commissioner of Ontario (IPC/O) and is customized to the needs of the healthcare sector. Our PIA methodology provides a comprehensive and systematic approach: it evaluates all functional and non-functional components of the solution, analyzes the requirements arising from legislation, organizational policies/standards and stakeholder expectations, determines gaps, deficiencies and opportunities for improvement, and proposes effective and practical recommendations to strengthen the privacy design and privacy management of the solution. Our PIA methodology has five phases:

1. Preparation

To start the PIA project, the consultants and the client’s project team and stakeholders will hold a kickoff meeting to confirm the project timeline, scope, work plan, points of contact, etc. The kickoff meeting agenda includes:

  • review, determine and agree on the objective and scope of the PIA;
  • identify all project documentation for review and reference;
  • discuss and confirm the PIA approach, timeline and deliverables;
  • discuss and confirm the logistics of the project (meeting schedule, project coordination, communication and reporting protocol, etc.).

By the end of the Preparation phase, the consultants will document the agreed-upon PIA scope and approach.

2. Information Gathering

The next step is to identify and gather all project documentation that is within the scope of the assessment and available to the consultant for review. This generally includes, but is not limited to, the following:

  • Previous PIA reports
  • Previous or current Threat and Risk Assessment (TRA) reports
  • Logical Privacy and Security Architecture documentation
  • Information/Data Governance documentation
  • Business Requirement Document (BRD)
  • Detailed Requirement Document (DRD)
  • System Design Document (SDD)
  • System Architecture Document
  • Network Architecture Document
  • Organizational privacy and security policies, standards and processes/procedures
  • Agreements with third parties

Once the relevant documentation is provided, the consultant will review it to obtain a complete understanding of the solution and its development/implementation lifecycle. Information about the solution will be documented and missing information will be identified. The consultant will then hold interview session(s) with the project team to confirm the information gathered so far and to collect the information that is not captured in the documentation.

Upon completion of this phase, the consultant will have an in-depth understanding of the project and solution and will be ready to move to the next phase.

3. Conceptual Analysis

In this phase, the consultant will analyze the information gathered so far and determine and document the following for analysis:

  • Applicable legislation and regulations
  • All stakeholders, including users, clients, government agencies and service providers
  • All third parties involved in the project’s design, development and implementation
  • Solution software architecture
  • Solution network architecture
  • Business (clinical) processes supported by the solution
  • Data flow mapping
  • Software development lifecycle
  • Solution implementation (technology implementation and integration, process re-engineering and integration, communication, training and awareness)
  • Solution operations process including the technology operations and administration operations
  • Privacy operations processes such as breach management, consent management and client privacy rights support
  • Security operations processes such as user account management and audit log review

With the information collected and documented, the consultant will perform the conceptual analysis to determine the following:

  • Privacy requirements applicable to the project
  • Information (data) governance framework
  • Privacy accountability framework (for all stakeholders and participants)
  • Solution architecture
  • Collection, use, disclosure, retention and disposal of personal information (PI) and personal health information (PHI)
  • Software development lifecycle
  • Solution operations (business, privacy, technology, administrative)

At this point, the privacy requirements are clearly identified and documented, and all privacy controls (technology, process and people) are identified and documented. The consultant can then perform an in-depth analysis of the privacy risks and impacts of the project.

4. Privacy Assessment

In this phase, the consultant will analyze the privacy requirements captured in the previous phase, evaluate the existing privacy controls, and determine the risks and impacts. The privacy and security practices will be assessed against:

  • applicable legislation and regulations, namely Ontario’s Personal Health Information Protection Act, 2004 (PHIPA);
  • the CSA Model Code for the Protection of Personal Information; and
  • the IPC/O’s privacy guidelines for healthcare organizations.

Once the privacy risks associated with the project are identified, the consultant will classify and rate each finding based on the magnitude of its impact on privacy.

5. Reporting

A final report will be developed to summarize the project overview, data flows, solution architecture, findings and recommendations. Each recommendation is selected and evaluated so that, if implemented, it reduces the associated risk to a level acceptable to the client’s management. The final report will be presented to and reviewed by the client’s management. Where a residual risk remains above the level that the project stakeholders are willing to accept under their risk appetite, additional mitigating safeguards and/or controls will be proposed to the client that, if implemented properly, will further reduce the risk to an acceptable level.

PIA Report

The PIA report will include the following:

1. Executive summary highlighting findings

2. Overview of project and solution architecture

3. Statement of scope of assessment as well as assumptions and limitations

4. Identification of documents and resources consulted

5. An overview of the methodology used for conducting the PIA

6. Identification of the solution data flows and data flow analysis

7. High-level overview of the privacy and security architecture

8. Legislative analysis and corresponding data governance analysis and recommendations

9. A comprehensive privacy risk analysis based on data flows, business processes and PHIPA requirements

10. Privacy risk descriptions, impacts, ratings and recommendations

11. PIA Summary document suitable for posting to client’s website

12. PIA Report Presentation deck suitable for business audiences and stakeholders