Privacy Impact Assessment (PIA) Specialist - Senior

Must Haves:

• Minimum of 5 years health privacy experience conducting privacy impact assessments on medium to high complexity projects
• Minimum 5 years direct operational level privacy experience preferably in a health sector and/or IT environment
• Minimum 5 years experience developing privacy policies and procedures requirements or controls
• Minimum 5 years Familiarity with EMR or HIS infrastructure design and data flows
• Minimum 5 years Knowledge of Information Technology concepts and processes that impact the protection of personal information including (but not limited to) Internet tools system interfaces information security information architecture and data flows
• Holds an undergraduate or graduate degree in health policy IT security law or a related discipline
• Familiarity with the Personal Health Information Protection Act 2004 (PHIPA) and its related requirements for Health Information Network Providers (HINP) and Electronic Service Providers (ESP)
• Familiarity with OntarioMD EMR certification
• Familiarity with Application Programming Interface (API) functionality and management
• Familiarity with Public Key Infrastructure (PKI)

Description

Background Information

• This resource is being procured to Support Privacy Assessments for Cyber Security & Foundational Services Portfolio including Service Management. Some of the projects that require Privacy Assessments are:
  • INID-000685 DHIR Panorama R4.4 Upgrade and AWS Cloud Migration
  • INID-000873 RFP for ONE Network
  • INID-000887 Migrate IBM Kafka to Cloud
  • INID-000888 Migrate OCP In Azure to OCP in AWS
  • INID-000917 Enterprise Managed File Transfer
  • Other Projects that need Privacy Assessments
• The Senior Privacy Analyst will be procured for a 12-month period to also be made available for DxH KTLO (Keep the Lights On) and other projects to be prioritized by DxH that are currently not resourced for a Privacy Assessment and are not on the above list.

Responsibilities:

• The Senior Privacy Impact Assessment (PIA) Specialist will lead and support various EHR Modernization initiatives including:
• Develop privacy policies and procedures
• Conduct privacy impact assessments for medium to high complex initiatives
• May be required to support investigating privacy incidents patient inquiries and privacy requests of any kind
• Identify and assess privacy risks
• Provide privacy advisory and support to business teams
• Lead and/or participate in Ontario Health regional or provincial committees or project teams as the privacy Subject Matter Expert
• Identify privacy requirements
• Develop strong relationships with various internal and external stakeholders to foster a culture of privacy
• Respond and provide advice and legislative interpretation for information and access requests consent management requests complaints or inquiries appeals and privacy issues under the Personal Health Information Protection Act 2004 and the Freedom of Information and Protection of Privacy Act.
• Support privacy program projects and activities to improve the efficiency and effectiveness of the Privacy Office
• Develop and deliver privacy training for Ontario Health
• Other duties as required

Desired Skills:

• Completion of a university undergraduate or masters degree in health policy IT security law or a related discipline
• Demonstrated knowledge and experience of access and privacy requirements and practices preferably related to the health and public sectors
• Recognized security certification or designation is an asset
• Excellent knowledge of privacy and security concepts trends and issues. This will include an understanding of their impact on business processes as well as skill with interpretation and communication of principles and compliance requirements
• Knowledge and ability to interpret of Ontarios Personal Health Information Protection Act 2004 (PHIPA)
• Knowledge and ability to interpret Ontarios Freedom of Information and Protection of Privacy Act (FIPPA)
• Analytical skills to understand the current and future access and privacy implications of policies decisions and business initiatives
• Thorough understanding of privacy-by-design and best practices
• Experience with conducting and/or providing oversight for Privacy Impact Assessments and Privacy Threshold Assessments including developing privacy requirements risk mitigation plans corporate policies and developing and/or delivering training content
• Knowledge of technology architecture and infrastructure digital health solutions and services enterprise and corporate IT including information and cyber security preferred
• Working knowledge of digital health technologies and information security industry standards
• Excel in a fast-paced and project focused environment
• Exceptional analytic and creative problem-solving abilities
• Good understanding of related disciplines such as IT system design policy development (privacy or security) business architecture legal processes Freedom of Information administration business analysis risk management project management
• Knowledge of Information Technology concepts and processes that impact the protection of personal information including (but not limited to) Internet tools system interfaces information security information architecture and data flows
• Excellent Communication skills both verbal and written and strong stakeholder engagement skills
• Time Management with the ability to manage tight deadlines and prioritize multiple projects

Required Experience / Evaluation Criteria: 100 Points

• Minimum 5 years Health privacy experience conducting Privacy Impact Assessments (PIAs) on medium to high complexity projects.: 20 Points
• Minimum 5 years direct operational level privacy experience in a health sector and/or IT environment or both.: 20 Points
• Minimum 5 years experience developing privacy policies and procedures requirements or controls.: 10 Points
• Familiarity with the Personal Health Information Protection Act 2004 (PHIPA) and its related requirements for Health Information Network Providers (HINP) and Electronic Service Providers (ESP).: 15 Points
• Familiarity with OntarioMD Electronic Medical Records (EMR) Certification.: 10 Points
• Familiarity with EMR or HIS infrastructure design and data flows.: 10 Points
• Familiarity with Application Programming Interface (API) functionality and management.: 10 Points
• Familiarity with Public Key Infrastructure (PKI).: 5 Points

Deliverables include but are not limited to:

• The Senior Privacy Impact Assessment (PIA) Specialist will be required to work with the appropriate teams to:
• Conduct Privacy Impact Assessments for projects listed as well as any other Projects identified.
• Conduct additional privacy assessment requirements within the scope of the project.
• Conduct/complete Privacy Threshold Assessments and associated documentation
• Conduct/complete Privacy Impact Assessments and associated documentation
• Provide Privacy Consultation on a diverse range of complex multi-stakeholder health privacy issues and Information Technology (IT) initiatives throughout the product/service development and deployment life cycle
• Develop risk mitigation plans
• Create or inform the creation of data flow diagrams and associated privacy controls and compliance requirements
• Review and advise on agreements including data sharing agreements

Additional Terms

• Term: The term of this position is 251 Business Days.
• The resource will comply with Ontario Health policies and procedures. Ontario Health assets including laptops and related equipment cannot be removed from the province of Ontario without prior written approval from Ontario Health.
• Assignment Type: This position is currently listed as Hybrid. The resource under this request will be required to work onsite as per Hiring Manager sole discretion.