As of October 1, 2024, the Office of the Information and Privacy Commissioner (OIPC) of Alberta has made changes to the process for managing privacy impact assessments (PIAs). These changes affect custodians under the Health Information Act (HIA), including regulated members of the Alberta College of Pharmacy.
Background on PIAs
PIAs help identify and address potential privacy risks that may occur. A PIA is used for information systems, administrative practices, and policy proposals that relate to the collection, use, or disclosure of individually identifying health and personal information.
As custodians under the HIA, pharmacists and pharmacy technicians are required to submit PIAs to the OIPC for review and comment before implementing proposed new administrative practices or information systems (section 64, HIA). For example, before a pharmacy team offers virtual care to patients, the team must submit a PIA for each enabling technology it plans to use to the OIPC. This requirement is stated in Standard 20 of the Standards of Practice for Virtual Care.
What is changing?
- PIAs will no longer be accepted, conditionally accepted, or not accepted.
- Instead, PIAs will be reviewed and a closing letter with comments and recommendations will be issued.
- The OIPC will be reviewing PIAs as submitted.
- If the PIA submission is incomplete or insufficient, the OIPC will close the file and notify the submitter of that. Generally, the OIPC will not be asking additional questions as this causes delays in the review process; however, the submitter will be asked to consider re-submitting the PIA.
- PIAs received by the OIPC prior to October 1, 2024, but have yet to be reviewed, will be reviewed under the new process. You may receive clarifying questions if the PIA reviewer has any. Closing letters will be issued and will include comments and recommendations, if required.
Why is this change being made?
- The change will better align with section 64(2) of the HIA, which authorizes the Commissioner to review and comment on PIAs.
- The change is designed to better support privacy compliance by focusing on identifying and communicating compliance gaps to custodians for remediation in a timely manner.
- PIA submissions to the OIPC have increased exponentially since the OIPC’s Privacy Impact Assessment Requirements Guide was first published in 2010. The current review process is no longer sustainable.
- The high volume of PIA submissions has led to a backlog of files, resulting in delays in reviewing and providing timely feedback to custodians, public bodies, and organizations.
- The changes to this process will increase efficiency in the OIPC’s reviews, enable timely resolution of PIA files, help reduce backlogs in processing these files, and allow the OIPC to allocate resources to PIA files that require increased attention.
Additional information
- Changes to the Privacy Impact Assessment Requirements Guide and the development of new PIA resources to assist custodians in completing and submitting PIAs to the OIPC are in progress.
- New and updated PIA resources will be published on the OIPC website when completed. Please continue to use the existing Privacy Impact Assessment Requirements Guide while completing your PIAs.
- For more information, refer to the OIPC’s PIA Frequently Asked Questions page.