Office of the Saskatchewan Information and Privacy Commissioner. Best Practices for Transporting PI and PHI Outside of the Office. April 2020. 2 Purpose These best practices are for people who transport personal information (PI) and personal health information (PHI) outside the office or work from home. It is important to remember that all government institution, local authority and health trustee employees have a statutory duty to protect PI and PHI. The duty to protect can be found in section 16 of The Health Information Protection Act, section 24.1 of The Freedom of Information and Protection of Privacy Act and section 23.1 of The Local Authority Freedom of Information and Protection of Privacy Act. There are three types of safeguards to keep in mind when protecting PI and PHI: administrative, physical and technical. In order to protect PI and PHI, a multi-layered approach is required utilizing a combination of all three types of safeguards. Administrative Safeguards Administrative safeguards include written policies and procedures, annual training for employees, confidentiality agreements, agreements with Information Management Service Providers (IMSPs), auditing programs, records retention and destruction schedules and access restrictions. The following are some administrative safeguards to consider when transporting PI and PHI outside of the office: • Ensure you are following your organization’s IT Acceptable Use policies. • Set up periodic audits and reviews of the databases to monitor the databases being used. • De-identify information wherever possible, including removing information like addresses, names, unique identifiers (i.e. health services number), birthdates, phone numbers, etc., that would help identify the individual. • Have training that will help employees with identifying emails that may contain malicious links or attachments. • Make sure you discuss with your family not to go into your workspace and use or view your phone, laptop or computer, and files. • Understand and follow policies, procedures and guidelines set up by your organization for using files outside of the office.
RkJQdWJsaXNoZXIy MTgwMjYzOA==