CIPM PRA Reviewer Needed for Comprehensive Review
Upwork

Remote
About
The Privacy Risk Assessment Lead is responsible for conducting comprehensive privacy risk assessments for radiology software systems in preparation for Ontario Health submissions. This role requires deep expertise in PHIPA (Personal Health Information Protection Act), privacy by design principles, and healthcare information systems. The successful candidate will lead the development of PRA documentation, coordinate with cross-functional teams, and ensure compliance with Ontario privacy regulations.

Deliverable: Complete Privacy Risk Assessment document meeting Ontario Health and PHIPA requirements, ready for regulatory submission.

KEY RESPONSIBILITIES

1. Privacy Risk Assessment Development
• Lead the development of comprehensive Privacy Risk Assessment (PRA) documentation for radiology software systems
• Conduct thorough analysis of Personal Health Information (PHI) collection, use, disclosure, and retention practices
• Identify and document all privacy risks associated with system operations
• Assess likelihood and impact of privacy risks using structured risk assessment methodologies
• Develop risk mitigation strategies and privacy controls to address identified risks

2. PHIPA Compliance and Legal Analysis
• Ensure all PRA documentation complies with Ontario's Personal Health Information Protection Act (PHIPA) and O.Reg. 329/04
• Establish legal authority for PHI collection, use, and disclosure with appropriate PHIPA citations
• Review and document Health Information Custodian (HIC) status and agent relationships
• Verify compliance with IPC Ontario guidelines and best practices
• Map privacy requirements to applicable legislation and regulations

3. Data Flow Analysis and Mapping
• Document complete PHI inventory including all data elements collected and processed
• Create comprehensive data flow diagrams showing PHI movement through the system
• Map data collection points, processing activities, storage locations, and disclosure paths
• Analyze and document PHI retention periods and disposal procedures
• Identify all third-party data sharing and cross-border transfers

4. Privacy by Design Implementation
• Assess implementation of Privacy by Design principles in system architecture
• Evaluate privacy controls including role-based access control, audit logging, and encryption
• Review consent management processes and individual rights procedures
• Document privacy-enhancing technologies and data minimization practices
• Recommend improvements to strengthen privacy posture

5. Stakeholder Coordination
• Coordinate with IT Security Lead, System Architects, and Compliance teams
• Conduct interviews with system administrators, clinicians, and end-users
• Facilitate workshops to gather privacy requirements and concerns
• Present findings and recommendations to senior leadership
• Collaborate with legal counsel on complex privacy issues

6. Documentation and Reporting
• Prepare comprehensive PRA documentation (35+ pages) meeting Ontario Health requirements
• Develop privacy risk matrices, assessment tables, and compliance mappings
• Create executive summaries and recommendations for decision-makers
• Document privacy policies, procedures, and training requirements
• Prepare submission package with all required appendices and supporting documentation

7. Breach Management and Incident Response
• Document breach detection, notification, and response procedures
• Ensure compliance with PHIPA breach notification requirements (s.12(2))
• Establish processes for IPC Ontario reporting and annual breach reporting
• Review incident response plans and privacy breach procedures

REQUIRED QUALIFICATIONS

Education
• Required: Bachelor's degree in Law, Information Technology, Health Informatics, or related field
• Preferred: Master's degree in Privacy Law, Health Information Management, or Information Security

Certifications (One or More Required)
• CIPP/C (Certified Information Privacy Professional - Canada)
• CIPM (Certified Information Privacy Manager)

Professional Experience
• Minimum 5-7 years of experience in privacy, compliance, or information security roles
• Minimum 3 years of experience conducting Privacy Impact Assessments (PIAs) or Privacy Risk Assessments (PRAs)
• Proven experience with healthcare information systems (RIS, PACS, EMR, or similar)
• Demonstrated experience with Ontario Health or eHealth Ontario submissions
• Experience working with Health Information Custodians in Ontario healthcare settings

Technical Knowledge
• Expert knowledge: Ontario PHIPA and O.Reg. 329/04
• Strong knowledge: PIPEDA, FIPPA, and Canadian privacy legislation
• Working knowledge: Healthcare standards (HL7, DICOM, FHIR)
• Understanding of information security controls and risk management frameworks
• Familiarity with Privacy by Design principles and implementation
• Knowledge of data protection technologies (encryption, access controls, audit logging)