Building a Data Privacy Policy

-Rachel Aubie

As case management organizations become more reliant on technology for coordinating programs, it’s increasingly important for those organizations to understand what information they need to collect and the potential risks of storing their client data electronically. Proactive organizations must establish data privacy policies that explain the specific requirements for data collection and outline the steps in the collection process, including the strategies to follow should a breach occur.

When discussing data privacy, it’s important to understand the distinction between data privacy and data security. Privacy is the overall approach, and the set of policies, an organization uses to keep client data secure from accidental or malicious access. Security features within a software system help prevent these types of breaches.

Any personal data, or data specific to the treatment of a client, holds inherent risk.

When establishing a data privacy policy, the following are key starting points for determining what the policy should include:

  • An understanding of what data needs to be collected and why
  • Any training or knowledge requirements for staff
  • Security and breach protocols

Organizations exploring data privacy policies should perform a Privacy-Impact Assessment (PIA). PIAs are reviews performed internally (often by external parties) on all aspects of the organization’s collection, use and disclosure of personal information data in order to understand any possible risks.

Understand what your organization does with data

The first step in evaluating your collection and use of client data is understanding the goals of your data collection. Basic demographics can be valuable for outcome reporting, but any personal data, or data specific to the services/treatment of a client holds inherent risk. If personal information is collected but never used in the care or service of a client, the organization is taking on unnecessary risk. Organization data policies should outline very clearly which data is to be collected, and sensitive information that is not necessary for client service should not be collected.

Another discussion at this stage should focus on client data retention periods. Keeping client data longer than required is another unnecessary risk. With this understanding, timelines and a process for the disposal of data can be established.

Staff Access and Training

Once you have determined which data needs to be collected, establish policies and staff training focused on the use of and access to client personal data. Staff should only have access to the client records and data necessary to provide service for a specific client. Staff should also be instructed on when, why and how client data should be accessed within systems, including the implications of accessing data they have no cause to access at a specific time or in a specific situation.

Establishing a Breach Protocol

Even the most proactive and risk-secured organization must be prepared for a data breach. Incorporating a breach protocol in the policy will ensure that addressing and following up on a breach can happen as quickly as possible. In many instances, having a breach protocol is mandatory and the disclosure of breaches is required by law.

Breach protocols typically include three main components:


  1. Internal Breach Notification: Once a breach is suspected, all relevant staff/stakeholders must be notified to trigger the appropriate response as quickly as possible.
  2. Method for determining the scope of the breach: This is where audit and transaction logging are critical, enabling a review of the access to determine the specific records included in the breach.
  3. Breach Notification: This notification is often mandatory under legislation – in many cases notification must occur within a specific timeframe. The governing body for the industry (example: Ministry of Health, or Government Privacy Commissioner) and the affected client(s) must be informed of the breach. The notification should include the types of records that were accessed and the potential impact of the breach.

For organizations currently storing client data electronically, or looking to move to electronic data collection, researching and establishing a data privacy policy is essential. The steps above should help to provide a base level of understanding of how to begin developing a policy.

Coyote is fortunate to have worked with many organizations in establishing best practices for their electronic data collection. For information on transitioning from paper to secure electronic data collection, contact us today.