Drug Exception Centre (DEC) Privacy Impact Assessment (PIA) Summary

DEC is part of the Non-Insured Health Benefits (NIHB) Program for the First Nations & Inuit Health Branch (FNIHB) that was established in 1997. Under the authority of the Canada Health Act, NIHB (Record Number HCan OF4) provides, to registered First Nations and recognized Inuit people, a range of medically necessary goods and services. These goods and services supplement benefits provided through other private or provincial/territorial programs. The appropriate senior official or executive for the program is the Director, Benefits Review Services Division, and the delegate for section 10 of the Privacy Act is the Access to Information and Privacy (ATIP) Coordinator.

The purpose of DEC is to process and expedite pharmacists' requests for drug benefits that require prior approval, to ensure consistent application of the NIHB drug benefit policy across the country, and to ensure an evidence-based approach to accessing drug benefits. The PIA reflects the status of the DEC operations as of May 4, 2006.

The objective of this PIA is to identify the privacy risks associated with the DEC and to provide recommendations to mitigate and/or eliminate these risks.

The identified privacy risks include:

  1. Collection of Personal Information Data Elements (e.g. name, date of birth, client identification number)
    • Recommendation: Benefits Review Services Division (BRSD) conduct an analysis to determine whether or not all of the personal data elements collected for the DEC are required for the drug exception transactions.
    • Remedial Action Taken: All information that is not required for drug exception transactions has been removed.
  2. Unnecessary Disclosure of Personal Information (e.g. pre-populated client identifying information in BEQ forms)
    • Recommendation: DEC discontinue the disclosure of client ID on the Benefit Exception Questionnaire (BEQ).
    • Remedial Action Taken: The client ID has been removed from the BEQ.
  3. Unregistered Personal Information Bank (PIB)
    • Recommendation: BRSD document a PIB for the DEC for inclusion in InfoSource at the appropriate time.
    • Remedial Action Taken: The Drug Exception Centre has submitted a new Personal Information Bank (PIB) to the Access to Information & Privacy Office (ATIP) for publication in Info-Source.
  4. Incomplete Security Procedures (e.g. documentation for collection, transmission, storage, disposal, access privileges)
    • Recommendation:
      1. Develop and document security measures;
      2. Implement follow-up training to staff on the NIHB Privacy Code and the Privacy Act.
    • Remedial Action Taken:
      1. The DEC has drafted a Privacy and Security procedure manual and is currently working with the Information Management Services Directorate to clearly document security policies that are currently in place and to develop security measures addressing any outstanding security risks that have been identified through the PIA;
      2. Mandatory privacy training sessions for NIHB employees will be provided by the NIHB's Program Planning and Policy Division. NIHB managers will also provide opportunities to staff to attend departmental privacy information sessions accessible through the Health Canada Learning Centre and to consult the new Health Canada Intranet Security Portal.
