Do you collect personal, financial, or health information about your clients, customers, or patients?
Do you have employees?
Does your business have a newsletter mailing list?
Do you have security cameras in your business?
Then you probably need a Privacy Impact Assessment.
What is the purpose of a Privacy Impact Assessment?
A Privacy Impact Assessment (PIA) is the administrative practice of documenting your already-in-use office practices, and using them to assess your work from a privacy perspective. For example, is your receptionist's computer positioned in such a way that a client or patient might be able to read the screen? How could you prevent the unauthorized view? Do you know an employee who forgets to log out of his computer when he takes breaks? Do you have an automated time-out setting that logs him out of the computer?
A Privacy Impact Assessment process helps you to identify administrative, physical, and technical safeguards that you can use to mitigate the risks of unintentional and unauthorized collection, use, and disclosure of personally identifying and sensitive information.
Privacy is good for business.
Good business practices that protect the confidentiality and security of personal information contribute to efficient work flow practices. It is easier to attract and retain employees if you demonstrate care and responsibility for the personal information of your clients, employees, and business partners. Good privacy practices reduce the likelihood of costly privacy breaches and fines.
What is a Privacy Impact Assessment?
A Privacy Impact Assessment (PIA) is a process that helps business owners and custodians review how a new or changed flow of information, administrative practice, or information system affects the collection, use, and disclosure of individually identifying personal and health information. A PIA describes the information flows in the project, identifies the legal authorities that allow for the flow of information, assesses potential impacts on and risks to privacy, and identifies mitigation strategies to minimize the risks.
When to do a Privacy Impact Assessment?
A PIA is required before a business or healthcare provider implements a new practice or system, or changes existing practices or systems. For example, if you are opening a new practice you need policies and procedures related to privacy and work flow systems, as well as a formal PIA.
You also need to complete a new PIA if you are:
- Adding or changing the way that you are collecting, using, or disclosing personal and health information
- Applying for access to information sharing initiatives
- Implementing a new customer records management (CRM) or Electronic Medical Record (EMR or EHR) system
Are you a vendor who supports a healthcare provider? You can improve your marketability by demonstrating that you understand the importance of confidentiality and security by conducting a PIA on your services and sharing the PIA summary with your client.
It is important to conduct the PIA at the appropriate stage of the project lifecycle. Conducting a PIA too early in the project will be difficult because you will not have all the information you need to fully describe the project or to fully identify privacy risks and mitigation measures. However, doing a PIA too late could mean having to make time-consuming and expensive changes to applications, business processes, or other features that have already been completed.
The best stage to do a PIA is after all business requirements and major features of the project have been determined in principle, but before completing detailed design or development work to implement those requirements and features. For long-term projects, include in the PIA what you expect the project to include within a 6-month time frame. You may need to update your PIA after you have implemented the project and before you implement Phase 2.
Who Does the Privacy Impact Assessment?
Often, the Privacy Officer in your business completes the PIA with help and support from the business unit and the information technology department. However, the business owner, custodian, or CEO is responsible for the PIA. In some regulated industries a PIA must be completed by an external third party. Most often, the PIA can be completed by employees in the business. There are online tools and training programs available to help you.
It's never too late to start a PIA!
If you have been in business for some time and haven't done a PIA yet, now is the time to get started. It is important to remember that a PIA is not a static document. Just because you completed a PIA when you first opened your business doesn't mean that you are done. You need to review, revise, or amend it when you collect information for a different purpose, share information in a different way, or implement a new EMR.
Demonstrate accountability to your business, business partners, and clients by protecting their personal information. Avoid and mitigate your business risk by implementing good administrative, technical, and physical safeguards. Do a PIA for your business. And remember – you may not be able to do it all, but doing nothing is not an option.