Privacy Impact Assessment for the Canadian Forces Health Information System - Limited Capability

Author: Peter Pakeman, PAKEMAN & Associates
Version: 2.0 (Final Report)
Date: May 26, 2004

Executive Summary

This report is a Privacy Impact Assessment (PIA) on the Canadian Forces Health Information System (CFHIS) Project with a focus on Limited Capability (LC). The report builds on the findings and recommendations of the Canadian Forces Health Services Group (CF H Svcs Gp) Preliminary Privacy Impact Assessment (February 2003) and CFHIS Threat Risk Assessment (March 2001).

The assessment was conducted using the Treasury Board guidelines for conducting PIAs, which incorporate the ten principles of the Canadian Standards Association (CSA) Model Code for assessing fair information handling practices. Throughout the PIA process numerous resources were consulted, and the information obtained was validated through redundancies built into the PIA tools and the information sharing strategies.

The major findings, recommendations, and conclusions of this PIA are consistent with those of the Preliminary Privacy Impact Assessment (PPIA) completed in February 2003. This report concludes that CF H Svcs Gp and CFHIS LC are addressing all risks with risk mitigation strategies that are in line with privacy best practices.

The major findings and recommendations to mitigate potential privacy risks for CFHIS LC are presented below in a framework that is consistent with the ten principles of fair information handling practices:

Principle 1 - Accountability

A Privacy Officer position has been established, and is currently filled by a contractor. There is a requirement to continue efforts to permanently staff the position.

Principle 2 - Identifying Purpose

CF H Svcs Gp is obligated to develop, maintain, and submit Personal Information Bank (PIB) descriptions to Treasury Board. These PIBs are as critical to internal CF H Svcs Gp operations as are Medical Service Instructions (MSIs). PIBs include descriptive statements about Purpose, Consistent Uses, Retention and Disposal. The purpose of the CFHIS LC data (i.e., the electronic medical record) is in keeping with the purpose stated in the PIB description (DND PPE 810).

Principle 3 - Consent

The Privacy Act requires the use of consents when collected personal information is not directly related to an operating program or is inconsistent with its purpose. CFHIS LC primarily uses information that is collected from, and consented to by, applicants (e.g., pre-enrolment medical examination) for purposes that are directly related to CF H Svcs Gp's mandate and consistent with its purpose, as described in PIB (DND PPE 810).

Principle 4 - Limiting Collection

This CSA principle contends that information collected must be limited to that which is necessary for the purposes identified. A review of unofficial CFHIS LC data elements did not identify any unnecessarily collected data. (Note: The development of the data dictionary is a work in progress.)

Principle 5 - Use, Disclosure, Retention

Use

The primary and secondary uses of CFHIS LC data have been determined, and are consistent with those described in PIB (DND PPE 810).

Disclosure

The disclosure of CFHIS LC data for the purposes of Registering and Determining Eligibility, Scheduling Appointments, and Recording Immunizations constitutes authorized disclosure, and is consistent with MSI CF 2000-003 (Disclosure of Personal Information), which has been drafted and will be promulgated.

Retention

The retention of CFHIS LC data is consistent with the recently approved MSI CF 2000-004 (Retention and Disposal of Personal Information), but is inconsistent with Defence Subject and Classification Disposition System (DSCDS) Medical Plans and Services 6610. There is a requirement to align 6610 - Medical Plans and Services with MSI CF 2000-004.

Principle 6 - Accuracy

A number of risks have been identified concerning the accuracy of health information. The CFHIS Project is addressing risks associated with the Data Dictionary, the Merge/Combine Feature, the Master Patient Index (MPI), and Chart Management. Once these are addressed, the risks associated with the quality, completeness, authenticity, and timeliness of information will be mitigated.

Principle 7 - Safeguards

CFHIS LC will maintain and manage Protected A information. As a rule of thumb, the security measures implemented to safeguard Protected A information are typically minimal. This was not the case for CFHIS LC, as it was developed on the premise that it will ultimately maintain and manage Protected B information. There is a potential risk that authorized users could modify their own information; however, the recording of any such event by CFHIS's extensive audit trail features mitigates it.

Principle 8 - Openness

As previously indicated, a contractor currently fills the Privacy Officer position. There is a requirement to publish contact information and to continue the development of a Privacy Program (e.g., awareness communications, orientation/education/training, audits) in collaboration with Access to Information and Privacy (ATIP), ISSO HSI, and HI/RM HQ to ensure consistent content and messaging. The development of these initiatives has commenced.

Principle 9 - Individual Access

Individual access by CF members to their personal information is consistent with DAOD 1002-2 (Informal Access to Personal Information) and MSI CF 2000-002 (Access Control of Personal Health Information). CFHIS LC processes provide opportunities for members (e.g., at the time of registration) to view collected data for the purpose of ensuring its accuracy. In addition, CFHIS has the ability to print information, which improves the informal access process.

Principle 10 - Challenging Compliance

CF members can make complaints to their Clinic Manager or Base/Wing Surgeon concerning information contained in the medical record. If members are not provided with access to requested information or are not satisfied with the outcome of their request, they can formally file a CF grievance or file a complaint with the federal Privacy Commissioner.
