Privacy Audits (updated)
Your organization has undertaken a privacy impact assessment (PIA) as part of its process of designing and implementing a new program. So, what’s next?
Once the new program has gone live, your organization should plan regular privacy audits to ensure that the program is operating in a manner that complies with applicable access and privacy legislation.
When undertaking the PIA process, your organization would have identified the privacy impacts of the program and selected methods (controls) to manage and/or mitigate them, so that the program complies with the applicable access and privacy legislation.
During a privacy audit, you determine whether the controls identified through the PIA process are actually adequate to manage and/or mitigate those privacy impacts. This includes identifying what personal information/personal health information is actually being collected, used, and disclosed (as opposed to what the PIA said would be); reviewing the information systems used to store and manage that information; and reviewing the program's policies, procedures, and actual practices to confirm that your organization is managing personal information and/or personal health information in compliance with the applicable access and privacy legislation. While time-consuming, the exercise is worthwhile: it surfaces gaps before they become privacy breaches, and limits the impact of any breach that does occur.
Through the audit process, your organization may identify areas of the program that are not in compliance with applicable access and privacy legislation, or areas that create privacy vulnerabilities. Examples include:
- Collecting, using and/or disclosing more personal information/personal health information than is necessary for the program's purpose.
- Retaining personal information/personal health information longer than necessary instead of disposing of it in accordance with records retention and disposition schedules.
- Inadequate safeguards for personal information/personal health information, such as failing to deactivate the accounts of employees on leave or of former employees.
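The third example above is the one that can be checked mechanically. The following is an added illustration, not a tool or procedure from this office: it reconciles a constructed HR roster against a constructed export of user accounts and flags accounts that are still enabled for employees who are on leave or terminated, accounts with no owner in the roster, and accounts that have not been used within a dormancy window. The 90-day window, the status labels, and all names and dates are assumptions made up for the example; a real audit would use the organization's own records and retention rules.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR roster for the example: employee id -> employment status.
# Assumed to be the authoritative source for who should hold an account.
HR_ROSTER = {
    "E100": "active",
    "E101": "on_leave",
    "E102": "terminated",
    "E103": "active",
}

# Constructed account export for the example:
# (username, employee id or None if no owner is recorded, enabled, last login)
ACCOUNT_EXPORT = [
    ("asmith",  "E100", True,  date(2024, 5, 30)),  # active, in use: no finding
    ("bjones",  "E101", True,  date(2024, 5, 1)),   # on leave but still enabled
    ("cwong",   "E102", True,  date(2024, 5, 20)),  # terminated, still enabled and logging in
    ("dlee",    "E103", True,  date(2023, 11, 2)),  # active employee, dormant account
    ("legacy1", None,   True,  date(2022, 8, 9)),   # no owner in the roster
    ("eroy",    "E999", False, date(2023, 6, 1)),   # unknown id, but already disabled
]

# Assumed audit date and dormancy threshold (example values).
AUDIT_DATE = date(2024, 6, 1)
DORMANT_DAYS = 90


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str


def audit_accounts(roster, accounts, today, dormant_days=DORMANT_DAYS):
    """Return a Finding for every enabled account that should not be enabled,
    has no matching employee record, or has not been used within dormant_days."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for username, emp_id, enabled, last_login in accounts:
        if not enabled:
            continue  # a disabled account is the desired state; nothing to report
        status = roster.get(emp_id)
        if status is None:
            # Covers both accounts with no owner recorded and ids absent from HR.
            findings.append(Finding(username, "no matching employee record"))
        elif status in ("terminated", "on_leave"):
            findings.append(Finding(username, f"enabled but employee is {status}"))
        if last_login < cutoff:
            findings.append(Finding(username, f"no login in {dormant_days} days"))
    return findings


def run_sample_audit():
    """Run the check over the constructed sample data."""
    return audit_accounts(HR_ROSTER, ACCOUNT_EXPORT, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.username}: {f.issue}")
```

Each finding is a control failure to follow up on, not a conclusion: an account that is enabled for a terminated employee is a safeguard gap, whereas a dormant account held by an active employee may simply need a justification recorded before it is kept or removed.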
Once inadequate controls are identified, your organization should identify and implement measures to manage and mitigate the resulting privacy impacts.
Programs inevitably evolve over time, and controls that were adequate at launch may not remain so. Schedule regular privacy audits to ensure privacy impacts continue to be managed and/or mitigated and to reduce the likelihood of a privacy breach.
While my office has not conducted any formal privacy audits, my office has the ability to conduct audits pursuant to subsection 33(d) of The Freedom of Information and Protection of Privacy Act, subsection 32(d) of The Local Authority Freedom of Information and Protection of Privacy Act, and subsection 52(d) of The Health Information Protection Act.