Ontario’s Smart Systems for Health Agency needs to bring its privacy policy in line with provincial legislation, change its operating procedures and manage documents more carefully, Anne Cavoukian’s office has warned.
The Information and Privacy Commissioner of Ontario (IPC) published a report lambasting the SSHA, which is involved with a range of activities that include identity management, portal services and securing e-mail. The IPC review included a look at more than one hundred documents as well as a visit to one of the SSHA’s employee training sessions and a meeting with its chief privacy officer. The SSHA had been given a checklist of what staff would be looking for prior to the review.
“The documentation provided indicated that a comprehensive suite of privacy and security policies and procedures have not been adopted or developed by the SSHA,” the IPC says, which has been posted on SSHA’s Web site. “Even where privacy and security policies and procedures have been developed or adopted, there are instances where those polices and procedures have not been compiled with or have not been followed in a systematic or verifiable manner.”
The report also criticizes SSHA’s privacy staff for not having direct operational responsibility for accomplishing its privacy and security objectives. Although the SSHA does have a privacy policy, it is not completely in line with the Personal Health Information Protection Act (PHIPA), which governs the privacy of health-care data.
SSHA has been mired in problems and criticism since the beginning of the year, when it consulting firm Deloitte published an in-depth critique of the agency’s track record, achievements and practices. It concluded, among other things, that it has no strategic plan, little visibility or support from other health-care organizations and inadequate security. It has also been dealing with the departure of its founding CEO and last month appointed Bill Albino, a former EDS executive, to take over.
A letter from Albino that has also been posted on the organization’s Web site responds to the IPC report with a promise to deal with 57 of the recommendations by August. Thirteen other areas will require changes that could take some time, SSHA spokesman Paul Kilbertus said.
“It’s deeper into the organization. It involves change to the design and organization of how we do things. We’re going to start work on those immediately,” he said, adding that SSHA has been given no deadline on when it needs to report back.
Another 12 recommendations will demand involvement from the Ministry of Health and Long-Term Care, Kilbertus said, which has also received a copy of the report.
“They want to leave the onus on us – ‘You go on and lead this effort, because it’s mainly directed at you – but they will be on the table with us.”
SSHA will be bringing in outside consultants to assist with its privacy issues, Kilbertus said. So far, the organization has retained the services of retired Deloitte privacy specialist Robert Parker and Sharon Cohen, former CEO of Ontario Shared Services.
Comment: [email protected]
