Professional Documents
Culture Documents
Version 2.0
October 2017
Page 1 of 64
October 2017
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Page 2 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
HIQA aims to safeguard people and improve the safety and quality of health and
social care services across its full range of functions.
HIQA’s mandate to date extends across a specified range of public, private and
voluntary sector services. Reporting to the Minister for Health and engaging with the
Minister for Children and Youth Affairs, HIQA has statutory responsibility for:
Page 3 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Safe, reliable healthcare depends on access to, and the use of, information that is
accurate, valid, reliable, timely, relevant, legible and complete. For example, when
giving a patient a drug, a nurse needs to be sure that they are administering the
appropriate dose of the correct drug to the right patient and that the patient is not
allergic to it. Similarly, lack of up-to-date information can lead to the unnecessary
duplication of tests — if critical diagnostic results are missing or overlooked, tests
have to be repeated unnecessarily and, at best, appropriate treatment is delayed or
at worst not given.
Under section (8)(1)(k) of the Health Act 2007, HIQA has responsibility for setting
standards for all aspects of health information and monitoring compliance with those
standards. In addition, HIQA is charged with evaluating the quality of the
information available on health and social care — section (8)(1)(i) — and making
recommendations in relation to improving the quality and filling in gaps where
information is needed but is not currently available [section (8)(1)(j)].(1)
Although there are a number of examples of good practice, the current ICT
infrastructure in health and social care services in Ireland is highly fragmented with
major gaps and silos of information. This results in individuals being asked to
provide the same information on multiple occasions.
Page 4 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
This updated version of the Guidance on Privacy Impact Assessment in health and
social care will benefit service providers by informing and increasing awareness on
the use of privacy impact assessments in health and social care settings to
demonstrate transparency and compliance with privacy and data protection
legislation.
Page 5 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Table of Contents
Document outline................................................................................................. 9
Key terms used in this document ........................................................................ 10
Page 6 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Page 7 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Version Control
This table shows the version history for the Guidance on Privacy Impact Assessment
in health and social care document.
Page 8 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Document outline
Part 1 of this document introduces the concept of privacy and the importance of
information in providing high-quality, safe health and social care services. It provides
background information on current legislation and policy in this area and indicates
the role of the Health Information and Quality Authority (HIQA) in this regard. It
details the role of Privacy Impact Assessments (PIAs) in protecting privacy, their
benefits and limitations.
Acknowledgements
HIQA would like to sincerely thank all those who participated in informing this
updated version of the Guidance on Privacy Impact Assessment in health and social
care through advising on the international background review and participating in
the targeted consultation.
Please note: The content of this document does not purport to be legal advice or a
definitive interpretation of statutory provisions. Any person who requires legal advice
should seek this from a suitably qualified legal advisor.
Page 9 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Service provider:
This term is used in this guidance to describe any agency, practice, hospital, or organisation
proposing to undertake a project involving the collection or processing of personal health
information. It also refers to an individual if that individual is acting as a legal entity, for
example; a general practitioner (GP), private consultant or national data collection.
Data protection legislation, including the GDPR, refers to the legal term ‘Data Controller’*.
Service user:
This term is used in this guidance to describe individuals whose personal health information
is potentially being collected, used and disclosed by a service provider. For example:
people who use health and social care services as patients
carers, parents and guardians
organisations and communities of interest that represent the interests of people who
use health and social care services
members of the public and communities who are potential users of health services
and social care interventions.
Data protection legislation, including the GDPR, refers to the legal term ‘Data Subject’*.
*
See glossary in Appendix 1 for full definition of terms.
Page 10 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Project:
In this document, a project means any proposal, review, system, programme, process,
application, service or initiative that includes the processing of personal health information.
The definition also includes any proposed amendment(s) to the items listed above that are
already in existence.
Processing:
The processing of personal health information means performing any operation or set of
operations on the information or data, whether or not by automatic means, including:
(a) obtaining, recording or keeping the information
(b) collecting, organising, storing, altering or adapting the information
(c) retrieving, consulting, sharing or using the information
(d) disclosing the information or data by transmitting, disseminating or otherwise
making it available, or
(e) aligning, combining, matching, blocking, erasing or destroying the information.
The definition of personal health information has been broadened under the GDPR to
include: an individual identifier, genetic data, biological sample data, in vitro diagnostic test,
and biometric data such as imaging.
Page 11 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Page 12 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
1. Introduction
Information is a vital resource in the delivery of high-quality, safe health and social
care services. Service providers collect, use, store and disclose personal health
information to provide care. This can present a risk to the privacy and confidentiality
of service users as increasing amounts of personal health information are processed.
However, there is a need to strike an appropriate balance between using personal
health information to provide appropriate and safe care, while continuing to protect
individuals’ rights to privacy and confidentiality.(2) Privacy Impact Assessments (PIAs)
form a fundamental part of information governance in assuring that individuals’
rights to privacy and confidentiality are appropriately protected. PIAs are used
across all sectors but are particularly important in the context of personal health
information, as this is regarded as being sensitive information and merits higher
protection under privacy legislation.
The completion of a PIA enables all providers of health and social care services to
review management and practices in the handling of personal health information
with a view to achieving compliance with legislation and best practice. Undertaking a
PIA at the earliest possible stage of a project helps identify potential privacy issues
and allows time for solutions and mitigations to be put in place prior to the project
‘going live’. This increases awareness among professionals and creates a culture
where maintaining personal health information privacy is a priority.
1.1 Background
The primary mandate of the Health Information and Quality Authority (HIQA) is to
ensure quality and safety in health and social care in Ireland. In relation to HIQA’s
health information function this includes ensuring that individuals’ rights are
appropriately protected and that the privacy, confidentiality and security of their
personal health information is assured.
The National Standards for Safer Better Healthcare, published in 2012, describe a
vision for quality and safety in healthcare which includes the use of accurate and
timely information to promote effectiveness and drive improvements.(3) ‘Use of
information’ is one of the eight themes of the standards, highlighting the importance
of actively using information as a resource for planning, delivering, monitoring,
managing and improving care.
Page 13 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
reliable health and social care.(4) Privacy Impact Assessments are outlined in the
standards as a useful tool to ensure that individuals’ rights are appropriately
protected:
The guidance outlines a step-by-step process for undertaking a PIA and the
important factors to be considered at each stage of the process.
1.3 Methodology
The guidance update was developed in line with HIQA’s guidance development
process. This was informed by a detailed background review of international best
practice, which is published on the HIQA website. A summary of international
evidence is outlined in Appendix 2. The development of this PIA guidance has drawn
strongly from international best practice in other jurisdictions. A targeted
consultation was undertaken with experts and key stakeholders to provide feedback
on the development of the guidance. Following the targeted consultation, HIQA
analysed the feedback and revised the guidance as appropriate.
Page 14 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
1.4 Privacy
Privacy can be defined simply as the right to be left alone.(7) In terms of personal
health information, privacy can be described as the right of individuals to keep their
information confidential.(8) Health information is considered to be one of the most
sensitive forms of information. Providers of health and social care services collect,
use, store and disclose personal health information in the process of providing safe,
effective health and social care. This can present a risk to the privacy and
confidentiality of service users as increasing amounts of personal health information
are processed. Personal health information is a valuable commodity and it is vital
that it is treated as such.
Privacy is a human right enshrined in both Irish and European legislation. Service
providers, as legal Data Controllers, are obliged to uphold this human right and
respect the privacy and confidentiality rights of individuals in relation their personal
health information. Service providers must create a balance between respecting
individual privacy and providing safe, effective care. The human right to privacy is
legislated under:
The Irish Constitution, Article 40.3.1: ‘The State guarantees in its laws to
respect, and, far as practicable, by its laws to defend and vindicate the
personal rights of the citizen’(9)
Each individual accessing health and social care has specific rights in relation to their
privacy. Data protection legislation also ensures that the right to privacy is protected
by those who collect, use and disclose personal information. Under legislation,
everyone is entitled to:
feel confident that their personal information is kept safely and securely
check that the information held about them is correct, complete and up to
date
have their information used only for its original stated purpose(s)
know who can access their personal health information and why
Page 15 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
change any details that are factually incorrect or remove any information that
is not held for a valid reason.(12)
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018
and will replace Ireland’s Data Protection Acts(13) and the existing EU Data Protection
Directive.(14)† The principles of data protection remain similar: service providers are
responsible for ensuring that they only hold personal information that is actually
needed, and that they hold it securely, for as long as it is needed, and for the
specific purposes for which it was obtained. In addition, the GDPR puts a greater
emphasis on evidence-based compliance, with specific requirements for
transparency, more extensive rights for data subjects and stronger penalties for non-
compliance.(15) Some principles are new such as ‘data protection by design’ and ‘data
protection by default’. In practice, this means embedding data privacy features and
data privacy enhancing technologies directly into the design of projects at an early
stage. This will help to ensure better and more cost-effective protection for
individual data privacy.(15) Some of the key requirements under the GDPR relevant to
this guidance are the following:(15,16)
- public bodies
†
The General Scheme of the Health Information and Patient Safety (HIPS) Bill was published on 10
November 2015; however at the time of publishing this guidance the Bill had yet to be enacted. This
Bill was drafted to safeguard the privacy of individuals to ensure that there can be public confidence
in prescribed health information resources.
Page 16 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
The Data Protection Officer must be consulted and should oversee the
progress of the DPIA.
Data subjects:
Data Controllers are obliged to seek the views of data subjects or their
representatives where appropriate on the privacy risks identified in the DPIA
and the ways to address them.
Supervisory authority:
The supervisory authority is responsible for enforcing the obligations on Data
Controllers holding and processing personal health information. In the Irish
context, this role is undertaken by the Office of the Data Protection
Commissioner. The supervisory authority must be consulted if the DPIA does
not identify mitigating safeguards against residual risks.
Data Controller:
Data Controllers are obliged to carry out a DPIA to protect the privacy of the
individuals whose personal health information they collect. Data Controllers
are fully accountable for the methodological choices of a DPIA and
appropriately documenting it.
Page 17 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
The Office of the Data Protection Commissioner in Ireland has developed Guidance
on Data Protection Impact Assessments (DPIA) in the context of the GDPR.(17) The
term ‘Privacy Impact Assessment’ (PIA) is often used interchangeably with the term
‘Data Protection Impact Assessment’ (DPIA).(18) However, data protection is only one
aspect of privacy.(19) A PIA ensures that privacy is considered as a human right, as
well as ensuring compliance with the GDPR obligation of undertaking a DPIA.(19) In
the context of health and social care, the concepts of both privacy and data
protection have been considered and hence the term PIA is used.
Service providers are obliged to conduct a PIA to protect the privacy of the
individuals whose personal health information they collect. The primary objective of
a PIA is to weigh up any negative privacy impacts of a project against the benefits
offered to the public. The potential impact on individual privacy should be
considered at the start of a project or when proposing a change to an existing
project, as risks may be costly to address later on. The size or budget of a project is
not a useful indicator of its impact on privacy, as small changes to a current process
may impact individual privacy greatly. The PIA should be a ‘live document’ which can
be revised as the project develops or changes throughout the project lifecycle.
Service providers are fully accountable for carrying out a PIA and documenting it
appropriately.
The PIA process begins at the planning stage of any new or significantly amended
programme, initiative, system or project that involves the collection, use or
disclosure of personal health information. PIAs serve as an ‘early warning system’ for
the organisation, detecting potential privacy problems and identifying precautions to
be undertaken at the earliest possible stage.
Page 18 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
‡
‘Data Protection by design’ means embedding data privacy features and data privacy enhancing
technologies directly into the design of projects at an early stage. This will help to ensure better and
more cost-effective protection for individual data privacy.
Page 19 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
A PIA in its own right may not highlight all privacy risks or issues associated with a
project. It is important to understand that a PIA is a tool used to assess privacy risks
and so is very dependent on service providers having the correct processes in place
to carry out the PIA. These include:
selection of those with the necessary knowledge and skills to carry out the
PIA
It is essential that the PIA is reviewed and updated regularly to reflect any changes
to the direction of the project. This ensures that all identifiable privacy risks are
addressed. A PIA is intended to be an integral part of the project management
process for new projects or significant amendments to current projects.
Issues may arise in projects that are beyond the scope of this guidance or that
require more detailed consideration and analysis. Service providers should continue
to use their good judgment, in parallel with this guidance, for projects undertaken
that involve personal health information. This guidance does not guarantee
compliance with the provisions in privacy or data protection legislation, or any other
legislation governing the collection, use or disclosure of personal information. Advice
on compliance with legislation can be sought from the designated Data Protection
Officer of the organisation or independent legal advisors.
Page 20 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Page 21 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
The PIA process should be undertaken by the service provider and carried out by the
person or people identified as having the appropriate expertise and knowledge of
the project in question. As such, it should generally be undertaken by the project
team. The designated Data Protection Officer of the organisation should be
consulted and should monitor the progress of the PIA process. The views of
individuals or their representatives should be consulted as appropriate. Additionally,
if a third party organisation is processing the data on behalf of the service provider,
the third party should assist with the PIA and provide any necessary information
required. If the service provider does not identify sufficient safeguards or control
measures to mitigate residual high risks, the Office of the Data Protection
Commissioner should be consulted. The service provider is responsible for the
completion of the PIA and for implementing any changes to the project plan
following recommendations for privacy enhancement or risk mitigation that arises
from the PIA.
PIAs should be reviewed, quality assured, approved and signed off at senior
management level. The Data Controller (service provider) is ultimately responsible
for ensuring that the PIA is carried out appropriately. For example, the Director
General of the Health Service Executive (HSE) was responsible for the PIA conducted
on the Individual Health Identifier.(20) Similarly, HIQA’s Chief Executive Officer was
responsible for the National Patient Experience Survey Programme’s PIA.(21)
Page 22 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
lifecycle. The PIA process should be undertaken when a project proposal is in place
but before any significant progress or investment has been made.
The findings and recommendations of the PIA should influence the final detail and
design of the project. Conducting PIAs should be embedded as part of the project
management framework so that the management of privacy risk is an ongoing
process. The PIA should evolve in line with changes to the project.
The GDPR states that the views of stakeholders should be sought, and documented,
when undertaking a PIA.(15) Consultation with key stakeholders is an important
element of the PIA process. It ensures that key privacy issues are noted, addressed
and communicated. Consultation allows stakeholders to identify privacy risks based
on their own personal experience, expertise or interests. It also provides an
opportunity to suggest ways to mitigate these risks.
Stakeholders include those who are interested in, or may be affected by, the project
being considered. It may be useful to identify the key stakeholders by creating a list
during the beginning stages of the PIA process which can be updated as the project
progresses.
Page 23 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
project team
designated Data Protection Officer of the organisation
IT staff
records management personnel
communications team
senior management.
Timely – at the right stage and allow sufficient time for responses.
Clear and proportionate – in scope and focused.
Reach and representative – ensure that those likely to be affected have a
voice.
Ask open, transparent, objective questions and present realistic options.
Feedback – ensure that those participating get feedback at the end of the
process.
Page 24 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
The PIA process involves the evaluation of privacy implications of projects and
relevant legislative compliance. Where potential privacy risks exist, ways to avoid or
mitigate these risks are identified. There are five stages in the PIA process:
Page 25 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
The figure illustrates the generic iterative PIA process. In practice it is likely that each of the
stages will be revisited multiple times before the PIA can be completed. Each stage of the
PIA process must be documented to ensure compliance with the GDPR.
Yes
Yes
Stakeholder consultation
No
Yes
Stage 5: Incorporate
the PIA outcomes into
the project plan
Page 26 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
The threshold assessment should be carried out by the project team. The questions
in the threshold assessment checklist determine if a PIA is required, focusing on the
scope of the project and how personal health information will be used. The
questions seek to ascertain, for example, whether the information will be used for
research or statistics. A template for a PIA threshold assessment is available in
Appendix 4.
Page 27 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
The threshold assessment results in two possible outcomes for the project team,
that is to say, either to proceed or not with the PIA.
If the result of the threshold assessment is that a PIA is not required, the process
should be documented, with senior management approval, and stored in the
project management file.
If the result of the threshold assessment is that a PIA is required, consult the
designated Data Protection Officer of the organisation for advice. It is a
requirement under the GDPR that the Data Protection Officer is consulted and
kept informed of the PIA’s progress.(15) Before undertaking the PIA, consider the
team required, set out the terms of reference, consider the benefits of
conducting the PIA internally or getting an external consultant.
Each stage of the PIA process must be documented to ensure compliance with the
GDPR.(15)
Page 28 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Stage 2 of the PIA requires the service provider to explore and document the
following:
privacy management arrangements of the service provider
description of the project
the mapping of information flows.
Privacy management arrangements relates to how the service provider manages the
privacy of personal health information in relation to the current project. The privacy
arrangements of the service provider need to be considered to put the project, and
any potential risks to individuals’ fundamental right to privacy, into context.
Is the service provider the legal Data Controller for all personal health
information within the scope of the project?
Are third party organisations involved and are there service-level agreements
documented outlining their roles and responsibilities?
Page 29 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
This section requires the project team to provide an introduction and background to
the project, including the reasons for undertaking the project. It serves to put the
project and any potential privacy risks in context. It is imperative to explore the
scope of the project to determine how far-reaching its impact is likely to be. This
section looks at indicators such as the proportion of the population upon which the
project impacts and the effects the project is likely to have on the individuals
involved. In the case of a national project, this may be the general population. It can
also be the population of individuals of a particular service provider that may be
affected by the project. Generally, the greater the scope of the project, the more
detailed the PIA is likely to be.
Page 30 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Following a description of the project’s overall nature and scope, the next step is to
map the project’s information flows. This stage should consider the privacy of
information in terms of collection, use, quality, security, disclosure, access and
correction, retention, storage and disposal. The analysis should be sufficiently
detailed to identify privacy risks. In order to effectively map the information flows, it
will also be necessary to communicate with other staff and key project stakeholders
(see section 4.4).
This section is designed to help produce a clear picture of the information flows
within the envisaged project. Understanding the life cycle of information from
collection to disposal can help determine where risks to privacy could occur.
Detailed mapping of the information flows should examine the following areas:
As is the case for the other stages, these questions serve to focus the areas for
consideration, and are not intended to be exhaustive. Service providers should
answer each of these questions, and others as appropriate, in as much detail as
possible, highlighting any potential privacy risks in relation to each of the answers
provided. Sample questions to identify potential privacy risks as part of the
information mapping stage are listed below.
Page 31 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
The following sample questions will aid in identifying potential privacy risks.
How will information be used? Identify and describe all the uses of the personal
health information and how these uses relate to the purpose of the project.
When will the information be processed? (e.g. on a systematic basis, only in certain
cases, during a limited period of time, etc)
How will the information be handled? Describe the processes.
Information quality:
What are the consequences for individuals if the personal information is not accurate
or up-to-date?
What are the processes that ensure only relevant, up-to-date and complete
information will be disclosed?
Information security:
What security measures will be taken to protect the information from loss,
unauthorised access, use, modification, disclosure or other misuse? Include
information on how data is transferred from sites or systems.
How will personal information be protected if it is to be managed by someone else?
Who has access to the information? Who will authorise access to the information?
Outline the identity of the service provider, the third party processor etc. Have the
roles and responsibilities of each been appropriately documented, for example in
service contracts?
Page 32 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Disclosure of information:
What are the retention and destruction practices to be employed in the project?
When will personal information be de-identified or destroyed?
How will this be done securely?
Where will the data be processed and stored? Include information on storage
location and data transfers.
What is the data retention period?
Having completed Stage 2 of the PIA, the next steps to be taken will depend on
whether or not the service provider has identified any potential privacy risks with the
new processing procedure or existing issues with systems currently in place.
If privacy risks are not identified in Stage 2, the process should be documented,
signed by the project team and approved by senior management as appropriate.
If privacy risks have been identified at Stage 2, the next stage of the PIA - Stage
3 - involves a full assessment of the areas that present risks and an analysis of
how best to mitigate or avoid them.
Each stage of the PIA process must be documented to ensure compliance with the
GDPR.(15)
Page 33 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
For this stage of the PIA process, consultation of service users or their
representatives should be conducted. Through consultation, fresh insights on the
perceptions of the impact of privacy risks can be gathered, and potential solutions
can be suggested by the individuals to reduce or mitigate the risks.
Stage 3 of the PIA process should be reviewed and approved by a member of senior
management in the organisation.
Risk analysis is about developing an understanding of privacy risks to the rights and
freedoms of individuals. It has been defined as a systematic process to understand
the nature of risk and to deduce the level of risk involved. In analysing the risks it is
necessary to determine the impact and the likelihood of a particular event occurring,
thereby determining the level of risk. Analysing risks is an ongoing process – it
should be repeated whenever there is a change in the circumstances that affect a
risk. In the case of health information projects, service providers should consider the
likelihood and impacts of the event occurring, both to individuals and to the service.
This will enable service providers to rate the risk accordingly.
Page 34 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Following the analysis of each risk, the next step is to identify ways to mitigate the
risk by reducing or eliminating the likelihood of each risk occurring. The positive
effects of risk mitigation should always be balanced against how the goals of the
project will be affected. Selecting the most appropriate solution to a risk involves
evaluating the costs of implementing the action against the benefits derived from it.
In each case, the cost of mitigating a risk should be appropriate and proportionate
to the value gained in terms of protection of personal health information gains. The
Page 35 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
control measure employed should be the option that is effective and the least
intrusive into individuals’ lives, protecting their right to privacy and ensuring
compliance with data protection laws. Every effort should be made to ensure that
risks are analysed and privacy solutions are put in place at the earliest possible stage
of project planning.
The privacy risks can be ranked by risk rating in order to highlight the highest
priority risks for those with accountability for the service. The privacy risk register
can include a log to track the actions taken to reduce or eliminate risks.
Page 36 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
The risk register should be a live document, updated as the project progresses to
reflect solutions that have been implemented or new risks that have been identified.
Examples of privacy risks and risk mitigation strategies are outlined below are
outlined in the box below.(17,22)
Page 37 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
updated.
These actions, and potentially others, and the consequences for both the individual
and the proposed project should be considered and discussed in respect of each risk.
The option(s) chosen for each risk, and the justification behind the choices made,
should be clearly explained in supporting documentation. Any residual risks should
be documented in the service provider’s risk register, which should be reviewed,
updated and managed on a regular basis by the project team and the senior
management. A final review and sign-off of residual risks should be conducted
before the project begins data collection.
Page 38 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Stage 3 of the PIA process should be reviewed and approved by a member of senior
management from within the organisation. Each stage of the PIA process must be
documented to ensure compliance with the GDPR.(15)
Page 39 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
The PIA report should be quality assured and approved by senior management from
within the organisation. This involves assurance from senior management that the
PIA has been conducted appropriately by the appropriate members of staff and that
the content of the report is an accurate reflection of the PIA process, the privacy
risks of the project and the actions taken to mitigate those risks. This is an important
step in increasing accountability for the handling of personal health information and
its protection.
The focus of a PIA report should be on the needs and rights of individuals whose
personal health information is collected, used or disclosed. The structure and format
of the report will vary depending on the project and its particular specification.
An overview of the PIA process undertaken, documenting each stage to ensure compliance
with the GDPR including:
Stage 1
- a copy of the threshold assessment
Stage 2
- project and organisation description, with an emphasis on the scope and
information flows of the project
Stage 3
- risk analysis; description and rating of each risk
- solutions to safeguard privacy, with rationale for each solution recorded
- outline of any remaining risks that could not be resolved, consultation with the
Office of the Data Protection Commissioner and a business case outlining their
justification if required
- details of any stakeholder consultation; with individuals or the general public.
The report should be easily understood by the general public as the assumed target
audience. The completed PIA report should be written as a stand-alone document in
Page 40 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
a clear, coherent manner so that the PIA is communicated effectively. The National
Adult Literacy Agency (NALA) have useful resources to aid plain English writing of
reports - www.nala.ie.(24) The PIA should also be published in an accessible manner
and be located in a user-friendly location.
There are a number of benefits to preparing and publishing a PIA report, primarily
for the service provider compiling it but which also extend further. Service providers
are not legally obliged to publish PIA reports, however public organisations may
especially benefit from doing so to build a culture of accountability and transparency
and inspire public confidence in the service provider’s handling of personal health
information. It should be noted that a summary document might suffice for
publication, especially if the full PIA report contains sensitive findings such as
security risks.
A PIA should be regarded as an ongoing process that does not end with the
preparation of the PIA report. Stage 5 ensures that PIA outcomes are incorporated
into the project plan.
Page 41 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
The service provider, as the legal Data Controller, is ultimately responsible for the
project risks. The ongoing management of the project’s privacy risks should be
incorporated into the service provider’s overall risk management strategy.
If the PIA has been conducted by an external expert, it is imperative for business
continuity that a full handover is conducted with the relevant person so that the PIA
cycle can continue. If the PIA has been conducted within the organisation, then the
ownership of reviewing the PIA should be outlined.
One of the most important steps of the PIA is addressing the recommendations in
order to ensure that improvements are made. If privacy risks have been identified,
an action plan should be developed to manage the implementation of the PIA
recommendations into the project. It is important to ensure that actions are carried
out prior to the project going live.
Page 42 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
A PIA should be regarded as an ongoing process that does not end with the
preparation of the PIA report. The PIA should be reviewed regularly, incorporated
into project management processes and monitored accordingly. As the project
progresses, the PIA should be revisited and updated or revised if developments in
the design or implementation of the project create new privacy implications that
were not previously considered.
Page 43 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
8. Conclusion
Privacy Impact Assessments (PIAs) are used across all sectors but are particularly
important in protecting personal health information as this is highly sensitive
information requiring higher protection. The primary purpose of undertaking a PIA in
health and social care is to protect individuals’ right to privacy in relation to their
personal health information.
Having updated this guidance, HIQA will continue to develop and publish additional
documents to support improvements in information governance and to protect the
rights and interests of health and social care service users.
Page 44 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
9. References
Page 45 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
http://eur-lex.europa.eu/legal-
content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.
16. Ireland Data Protection Comissioner. General Data Protection Regulation.
Available from: https://www.dataprotection.ie/docs/GDPR/1623.htm.
17. Ireland Office of the Data Protection Commissioner. Data Protection Impact
Assessments (DPIA). 2017. Available from: http://gdprandyou.ie/data-protection-
impact-assessments-dpia/.
18. Article 29 Data Protection Working Party. Guidelines on Data Protection
Impact Assessment (DPIA) and determining whether processing is “likely to result in
a high risk” for the purposes of Regulation 2016/679. 2017. Available from:
http://ec.europa.eu/newsroom/document.cfm?doc_id=44137.
19. Trilateral Research. A Comparative Analysis of Privacy Impact Assessment in
Six Countries. 2013. Available from:
http://www.jcer.net/index.php/jcer/article/view/513/393.
20. Ireland Health Service Executive. Privacy Impact Assessment (PIA) for the
Individual Health Identifier: Draft for Public Consultation. 2016. Available from:
http://www.ehealthireland.ie/Library/Document-Library/IHI-Documents/PIA-IHI.pdf.
21. National Patient Experience Survey Programme. Privacy Impact Assessment
(PIA) - Summary Report. Dublin 2017. Available from:
https://www.patientexperience.ie/app/uploads/2017/07/HIQA-NPESP-PIA-Summary-
Final-Report-v1-0-July-2017-2.pdf.
22. Office of the Australian Information Commissioner. Guide to undertaking
privacy impact assessments. 2014. Available from:
https://www.oaic.gov.au/resources/agencies-and-organisations/guides/guide-to-
undertaking-privacy-impact-assessments.pdf
23. UK. The Information Commissioner's Office. Conducting privacy impact
assessments code of practice: Data Protection Act 2014. Available from:
https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
24. The National Adult Literacy Agency (NALA). Plain English guidance. 2017.
Available from: https://www.nala.ie/resources/118.
25. Article 29 Data Protection Working Party. Guidelines on Data Protection
Officers (DPOs). 2017. Available from:
http://ec.europa.eu/newsroom/document.cfm?doc_id=44100.
26. Ministry of Health New Zealand. Ministry Guidelines on Privacy Impact
Assessments (PIA). 2017.
27. NHS Digital. Privacy Impact Assessment Report Customer Template 2017.
28. Treasury Board of Canada Secretariat. Directive on Privacy Impact
Assessment. 2010. Available from: http://www.tbs-sct.gc.ca/pol/doc-
eng.aspx?id=18308.
29. New Zealand Office of the Privacy Commissioner. Privacy Impact Assessment
Toolkit. 2015. Available from: https://opcwebsite.cwp.govt.nz/news-and-
publications/guidance-resources/privacy-impact-assessment/.
30. European Data Protection Supervisor. Assessing the necessity of measures
that limit the fundamental right to the protection of personal data: A Toolkit. 2017.
Available from: https://edps.europa.eu/sites/edp/files/publication/17-06-
01_necessity_toolkit_final_en_0.pdf.
Page 46 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Page 47 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
10. Appendices
Appendix 1: Glossary
Please note the General Data Protection Regulation (GDPR) has been referenced
throughout this glossary.(15)
Data Controller ‘Data Controller’ means the natural or legal person, public
authority, agency or other body which, alone or jointly with
others, determines the purposes and means of the processing of
personal data; where the purposes and means of such processing
are determined by European Union or Member State law, the
controller or the specific criteria for its nomination may be
provided for by EU or Member State law (Article 4[7] of the
GDPR).(15)
Data protection by The concept of ‘Data Protection by design’ and ‘Data Protection
design by default’ means embedding data privacy features and data
privacy enhancing technologies directly into the design of
projects at an early stage. This will help to ensure better and
more cost-effective protection for individual data privacy (Article
25 of the GDPR) .(15)
Page 48 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Data subject An individual who is the subject of personal health or social care
data, for example, a patient admitted to a hospital or a child
receiving the service of a social worker (Recital 75 of the GDPR).
Privacy Impact The PIA process is designed to identify and address the privacy
Assessment (PIA) issues of a particular project. It considers the future
consequences of a current or proposed action by identifying any
potential privacy risks and then examining ways to mitigate or
avoid those risks. A PIA is best undertaken at the beginning of a
project before any significant investment has been made, when
the outcome of the PIA can influence the design of the project. A
PIA should also be carried out when a change to a project is
proposed. Throughout the project, the PIA will need to be
Page 49 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Service provider This term is used in this guidance to describe any agency,
practice, hospital, or organisation proposing to undertake a
project involving the collection or processing of personal health
information. It also refers to an individual if that individual is
acting as a legal entity, for example; a general practitioner (GP),
Page 50 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Service user This term is used in this guidance to describe individuals whose
personal health information is potentially being collected, used
and disclosed by a service provider.
For example:
people who use health and social care services as patients
carers, parents and guardians
organisations and communities of interest that represent
the interests of people who use health and social care
services
members of the public and communities who are potential
users of health services and social care interventions.
Data protection legislation, including the GDPR, refers to the legal
term ‘Data Subject’.(15)
Page 51 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
In order to verify the content of the international review, and to gain further insight,
key organisations in each jurisdiction were contacted. These include:
Australia
- Office of the Australian Information Commissioner,
- The Australian Institute of Health and Welfare.
Canada
- Office of the Privacy Commissioner of Canada,
- The Canadian Institute for Health Information.
New Zealand
- Ministry of Health,
- The Office of the Privacy Commissioner.
United Kingdom
- Care Quality Commission,
- Information Commissioner’s Office,
- NHS Digital,
- NHS England.
Legislation
Each jurisdiction reviewed has legislation to protect privacy. Australia, Canada and
New Zealand have privacy acts, while the UK and the EU have data protection
legislation. The European Convention on Human Rights encompasses privacy within
the EU, and is legislated for in the UK under the Human Rights Act. Some
jurisdictions have further legislation protecting the privacy of health information at a
governmental level such as the UK’s National Health Service Act and the Health and
Page 52 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Social Care Act; while Australia and Canada legislate for health information privacy
at the state, provincial and territorial level. There is currently no legal requirement to
undertake Privacy Impact Assessments in Australia, New Zealand, or the UK;
however, they are a focus of ‘best practice’ and are required as part of adherence to
certain national standards. PIAs are legally required at a provincial and territorial
level in some jurisdictions in Canada.
PIA guidance
In many of the jurisdictions reviewed, such as Australia, New Zealand and the UK,
the Information or Privacy Commissioner had responsibility for developing broad
guidance on PIAs for all sectors. Sector-specific guidance has been developed for the
health sectors in New Zealand(26) and the UK.(27) The development of this PIA
guidance has drawn strongly from best practice in other areas (Appendix 3). Some
of the PIA guidance documents which were reviewed in greater detail include:
The requirement for Data Protection Impact Assessment (DPIA) under the new
General Data Protection Regulation (GDPR) has resulted in a number of guidance
documents being published in Europe. Some of those reviewed include:
§
Please note these guidelines are being updated and are due to be published in early October 2017.
Page 53 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
PIA process
The PIA guidance documents that were identified internationally were reviewed and
assessed in order to determine best practice in relation to the PIA process. The
number of stages within the PIA process varies in each guidance document, ranging
from four steps in the European Data Protection Supervisor toolkit, which focused on
privacy as a human right, to 12 steps in the European Privacy Impact Assessment
Framework guidance. While the number of steps may vary, the essential
components that formed part of each guidance document were included in the five
stages outlined in this document. The mapping of the stages used in each of the
documents reviewed and how they relate to the stages used in this document can
be found in Appendix 3.
Page 54 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Stage 2 - Plan the PIA Risk area Systematic Identification Identifying the Gather all the Describe the
Identification Describe the identification description of of PIA team and information information
of risks: project and the envisaged fundamental setting terms of you need to do flows (how it
By examining Identify and categorisation processing rights and reference the PIA is obtained,
the consult with Analysis of Assessment of freedoms Description of the Sketch out the used and
privacy stakeholders personal the necessity limited by the proposed project information retained)
management Map information and processing of Analysis of the flows Identify the
scope and information elements proportionality personal data information flows Check against privacy and
description flows of the Define and other privacy the privacy related risks
information processing objectives of impacts principles against
flows. Views of data the measure Consultation with Identify any privacy
subjects or their stakeholders real privacy legislation
representatives risks Consult with
are sought Consult with internal and
stakeholders external
stakeholders
Page 55 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Stage 3 - Privacy impact Privacy Assessment of Choose Risks Take action Identify and
Analyse and analysis and compliance the risks to the option that is management Manage any evaluate the
address the compliance analysis rights and effective and Legal compliance risks with using privacy
risks: check freedoms of data least intrusive check third-party solutions;
conduct Privacy subjects Compliance Formulation of contractors reduce or
detailed management: Measures with data recommendations eliminate risk
analysis of addressing risks envisaged to protection Cost-benefit
privacy risks, to remove, address the risks laws analysis of
develop minimise or Consult privacy
ways to mitigate any supervisory versus
mitigate negative authority when a project
them, privacy impacts DPIA reveals outcomes
Senior identified high residual
management Recommendati risks that cannot
approval. ons be mitigated
Report - is an Summary of Documentation - Preparation and Publish PIA Sign off and
Stage 4 - important analysis and Provide DPIA publication of the record the
PIA report: output of the recommendat report to report PIA
Publish PIA process. ions supervisory outcomes
Formal authority if Approval at
approval required right level
Publishing is not Publish
a legal report
requirement. Circulate to
Consider stakeholders
publishing report
or summary
Page 56 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Stage 5 - Respond and Monitoring and Implementation of Review and Integrate the
Incorporating review - A PIA review- recommendations adjust the PIA outcomes
PIA outcomes should be periodically or Revisiting PIA if as necessary into the
into the regarded as an when processing the project in as the project project plan
project plan ongoing changes question changes develops Continue to
process External review Establish better use
and or audit governance throughout
structures to the project
manage lifecycle
personal
information
Align the PIA
with the
organisation’s
existing
project-
management
methodologies
Get an external
view of your
PIA
Page 57 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Please note this template is available on the HIQA website as an interactive PDF:
Page 58 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Page 59 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Page 60 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Page 61 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
New Zealand – Privacy Impact Assessment Toolkit . The Office of the Privacy
Commissioner.(29) https://opcwebsite.cwp.govt.nz/news-and-publications/guidance-
resources/privacy-impact-assessment/
European Union
Page 62 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
Privacy Impact Assessment (PIA) for the Individual Health Identifier: Draft for Public
Consultation. Health Service Executive.(20)
http://www.ehealthireland.ie/Library/Document-Library/IHI-Documents/PIA-IHI.pdf
Page 63 of 64
Guidance on Privacy Impact Assessment in health and social care: Version 2.0
George's Court,
George's Lane,
Dublin 7,
D07 E98Y
URL: www.hiqa.ie
Page 64 of 64