Ontario Breast Screening Program Integrated Cancer Management System PIA Summary

Background

The OBSP is a province-wide, organized breast screening program that provides high-quality breast cancer screening to eligible women. The purpose of the OBSP is to decrease mortality from breast cancer by increasing the number of women getting screened regularly and receiving appropriate follow-up so that cancers are diagnosed early when treatment is more successful.

Ontario Health manages the OBSP and its related Integrated Client Management System (ICMS). The ICMS is an information management system used not only to provide statistical information on screening and assessment indicators but also to support front line administration and management of the OBSP. This means that the ICMS includes personal health information (PHI) required for both program administration (e.g. client registration and payments) and program management (e.g. statistical analysis and evaluation). The OBSP also allows Ontario Health more direct engagement with patients in providing breast cancer screening services (e.g. the sending of invitations for cancer screening).

Key Findings

In general, this PIA concludes that Ontario Health has the authority to collect, use and disclose PHI for the operation of the OBSP as a prescribed person pursuant to ss. 39(1)(c), 39 (4) and 49(1) of the Personal Health Information and Protection Act, 2004 (PHIPA), or, in the alternative with respect to use and disclosure of PHI, ss.41(1)(b) and 42(1)(c) and (d) of the Freedom of Information and Protection of Privacy Act (FIPPA).

This assessment also concludes that in providing services to allow OBSP health care providers, or health information custodians (HICs) to use electronic means to collect, use and disclose PHI, Ontario Health also operates the OBSP as a health information network provider (HINP). These services are delivered through the ICMS.

Risks & Recommendations

This PIA Addendum identifies 46 privacy risks and recommends 43 mitigating actions be taken by Ontario Health to manage these risks. The outstanding risks and related recommendations are summarized in Part IV of the PIA. 

In summary, the PIA identified some privacy controls that should be enhanced to support the Program, including the following key recommendations: 

• A retention schedule for OBSP PHI should be operationalized;
• The ability to print off outstanding cases when generating invoices per OBSP should be eliminated from the ICMS functionality;
• Ontario Health should consider de-identifying the PHI of OBSP Clients and non-OBSP Clients where the purposes for the use of ICMS data does not require that the identity of a specific woman be known;
• Ontario Health should review the publicly available information and communications provided to OBSP sites, so clients are made aware of the collection, use and disclosure of their PHI as well the consent management process;
• Ontario Health should enhance the features of the ICMS consent management system and the OBSP consent directive process;
• The Genetic Release Form at the Genetic Clinics should be discontinued;
• Ontario Health should enhance the ICMS access controls; and
• Ontario Health's agreement with the Regional Cancer Centres (RCCs) should be amended to identify that the RCCs are functioning as an agent of Ontario Health for the purpose of data management activities.

Ontario Health is currently in the process of implementing the recommendations made in OBSP PIA.