Privacy impact assessment
56(1)A custodian that is a public body or any other custodian prescribed by regulation shall conduct a privacy impact assessment in the following situations:
(a)
for the new collection, use or disclosure of personal health information or any material change to the collection, use or disclosure of personal health information;
(a.1)
for the creation of a common or integrated service, program or activity or a modification to a common or integrated service, program or activity;
(b)
for the creation of a personal health information system or personal health information communication technology or a modification to a personal health information system or personal health information communication technology;
(c)
subject to section 57, if a custodian performs data matching with personal health information or with any personal health information held by another custodian or another person.
56(1.1)Paragraph (1)(
a) does not apply to the collection, use or disclosure of personal health information if the collection, use or disclosure is necessary for the delivery of an existing common or integrated service, program or activity.
56(2)A privacy impact assessment shall describe, in the form and manner as may be prescribed by regulation, how the proposed administrative practices and information systems relating to the collection, use and disclosure of individually identifying health information may affect the privacy of the individual to whom the information relates.
2009, c.53, s.10; 2013, c.47, s.6; 2017, c.30, s.2; 2017, c.31, s.71