Privacy Impact Assessments

What is a Privacy Impact Assessment (PIA)?

A PIA is a process that allows Cancer Care Ontario to assess a program or information system’s privacy risks and compliance with Ontario’s Personal Health Information Protection Act, 2004 (PHIPA) / CCO’s Privacy Policy. Where required, a PIA also details mitigating strategies and an action plan. A critical element of the PIA process is the implementation of the recommendations detailed in the assessment.

PIAs may focus on new or existing programs or systems. In the case of new programs or systems, the PIA will provide a framework to ensure that privacy is considered throughout their design, and may assist CCO in determining whether to proceed with the development. In the case of existing programs or systems, the PIA will assist in determining if the program or system meets privacy requirements or requires revision.

PIAs may also focus on organization-wide practices that could have an impact on privacy. Organizational practices, for example an email policy, or the lack of one, can have a significant bearing on whether or not a program or service is privacy sensitive.

PIAs look at questions such as:

  • the need for the program or system,
  • the personal health information (PHI) being collected and whether or not identifiable information is required,
  • the uses of the data,
  • how consent and notification are handled,
  • the measures taken to protect the data, and
  • the program or system’s compliance with PHIPA.

Safeguards to protect data during its collection, transfer, and storage are also addressed during a PIA but may involve a separate study that focuses on an analysis of the technical security measures in place. Such an assessment may be completed by someone who specializes in security rather than privacy. A Threat Risk Assessment may also be conducted.

The PIA process provides a level of assurance that privacy issues are identified and resolved or that mitigating strategies, with follow-up plans, are in place. The associated documentation can form the basis for seeking the advice of and notifying the Privacy Commissioner, promoting understanding of how CCO handles PHI, and engendering public trust that CCO handles PHI in a responsible manner.

Completed and Current PIA Summaries

Cancer Care Ontario will publish summaries of the PIAs that have been completed and are still current for various programs and data holdings within the organization. The following is a list of summaries that will be published when available.

Program/Project PIAs | Date | Status
Sandy Lake SAR Pilot PIA Summary | 2-Feb-17 | PIA Complete
CCO Ontario Breast Screening Program Correspondence Phase II: Invitation-Reminders, Recalls, Recall-Reminders and Normal Results | 20-Jan-17 | PIA Complete
Ontario Breast Screening Program | 20-Jan-17 | PIA Complete
Specialized Services Oversight Information System - Interventional Radiology | 20-Jan-17 | PIA Complete
The INTEGRATE PIA Summary | 19-Dec-16 | PIA Complete
Electronic Canadian Triage and Acuity Scale (eCTAS) | 13-Dec-16 | PIA Complete

Last modified: Wed, Apr 19, 2017
cancer care ontario | action cancer ontario   620 University Avenue Toronto Ontario, Canada M5G 2L7   Phone: 416.971.9800 Fax: 416.971.6888