Ontario’s Information and Privacy Commissioner (“IPC”) released a report on September 5, 2012 titled “A Policy is Not Enough: It Must be Reflected in Concrete Practices”. As the title suggests, the IPC reminds us that a policy alone cannot protect privacy – it is the action stemming from the policy that is vital. In its 21-page paper, the IPC provides 7 steps that organizations should consider implementing. Hospitals and other health care facilities should take note as these recommendations apply to you. The following is a summary of the key messages provided in the report.

Step 1: Implement a privacy policy that reflects the privacy needs and risks of the organization and consider conducting an effective Privacy Impact Assessment

Privacy policies should be appropriate, easy-to-understand, comprehensive and customized for the organization. They should be consistent with industry standards and IPC resources, and should be reviewed on a regular basis to ensure they account for any new standards, legislation, technology, etc.

Step 2: Link each requirement within the policy to a concrete, actionable item – operational processes, controls and/or procedures, translating each policy item into a specific practice that must be executed

Step 3: Demonstrate how each practice item will actually be implemented

A policy cannot protect privacy all by itself – it requires implementation by staff. Organizations should review their policies and provide concrete, actionable items for each requirement. While policies are often high level in nature, corresponding procedures are a good place to include who is responsible for a particular action and how specifically that action can be implemented (e.g. explain how one actually encrypts information, including which tabs to click to correctly go through the process).

Step 4: Develop and conduct privacy education and awareness training programs to ensure that all employees understand the policies/practices required, as well as the obligations they impose

Employees come and go, policies change and memories fade. Continuous privacy training is essential to ensure that all employees understand the policies and actual steps involved in implementation of privacy policies. As well, continuous training helps to embed privacy awareness into the organizational culture. The IPC report includes a list of topics that training could cover, such as the kind of information that is collected, the consequences of a breach, and an explanation of when and how to effectively use encryption.

Step 5: Designate a central “go to” person for privacy-related queries within the organization

If employees have questions relating to their privacy obligations, it should be clear who they can ask for clarification. This step is actually not a “new” idea for PHIPA health information custodians. Section 15 of the Personal Health Information Protection Act requires organizations to designate a “contact person” to facilitate compliance with the Act, respond to inquiries and complaints from the public, and ensure that agents of the organization are informed of their privacy duties. The “go to” person should have sufficient expertise and authority, and should be easily accessible to staff. While many larger organizations have entire privacy offices, it is easy for smaller organizations to overlook this important step. The IPC does not expect smaller organizations to have one person dedicated to this role, and acknowledges that a senior level person may take on this role in addition to other duties.

Step 6: Verify both employee and organizational execution of privacy policies and operational processes and procedures

How can an organization know whether privacy training is being properly conveyed? By following up in both formal and informal ways (for example, comprehensive and random audits). Such follow-up should not be characterized as distrust in employees, but rather, a way to determine whether the training methods are effective and that compliance is consistently maintained. As the IPC states, “Trust – but Verify Execution”.

Step 7: Proactively prepare for a potential privacy breach by establishing a data breach protocol to effectively manage a breach

A privacy breach is not the time to determine what a breach protocol should look like; rather, it is a time to act swiftly to contain the breach and notify affected parties. It must be clear to employees who in the organization to contact, what steps to take, and ultimately how to manage the breach in the most effective manner. There is not a cookie-cutter approach to doing so and the right approach for your organization will not be obvious to everyone. It is important to ensure that employees receive training in breach protocols and know where to access the protocol should they need to locate it in a timely fashion.


Many of the steps outlined in the IPC’s paper are not novel ideas to health care organizations, but they are worth revisiting from time to time as organizations strive to improve their privacy practices. The overall message of the report is that a policy must be reflected in practice. It is the people who interact with the personal information who must be informed of their duties and adequately trained at all times on how to carry out those duties.