Office of the Saskatchewan Information and Privacy Commissioner. Guide to FOIP, Chapter 6, Protection of Privacy. Updated 27 February 2023. 100 • What events would trigger a focused audit (e.g., a privacy breach)?306 An audit log is produced when conducting a random audit (i.e., sheets of data). If the audit logs are not reviewed on a regular basis by someone that can interpret the data, the random audit is not overly useful. In Investigation Report H-2013-001, the Commissioner provided guidance on this. Although focused on the equivalent provision (section 16) of The Health Information Protection Act, it is helpful when considering section 24.1 of FOIP: [198] … However, my office was not provided any policies or procedures that guide the review of audit logs. Such a policy and related procedure should exist to guide the review of such audit logs. For example, what would be contained in an audit log that would cause the Privacy Coordinator to investigate whether a privacy breach has occurred? How often are audit logs produced and how often are they reviewed? How are employees informed there are audit logs being produced to track their activities and for what purposes? A policy and related procedure that clearly reflects the requirements of HIPA and guides RQRHA [former Regina Qu’Appelle Regional Health Authority] in monitoring its employees is of the utmost importance in preventing and containing any similar privacy breaches. The use of audit logs can reassure clients that their personal information is accessed only by those who need to access it and only when appropriate. The information captured in an audit log can be provided in a report to support investigations into privacy breaches and complaints.307 Audit reports can be used for any or all of the following: • “Proactive auditing” as part of user compliance monitoring • “Reactive auditing” as evidence to support complaints or privacy breaches and security incidents investigations • Identify opportunities for additional staff education or communication • Supporting client requests for a report on who has accessed their information308 306 SK OIPC & eHealth Saskatchewan joint resource, Audit and Monitoring Guidelines for Trustees, at p. 3. 307 The Canadian Health Informatics Association (COACH) Guidelines, Putting it into Practice: Privacy and Security for Healthcare Providers Implementing Electronic Medical Records – 2010 Guidelines for the Protection of Health Information Special Edition, Canada’s Health Informatics Association, 2020, p. 25. 308 The Canadian Health Informatics Association (COACH) Guidelines, Putting it into Practice: Privacy and Security for Healthcare Providers Implementing Electronic Medical Records – 2010 Guidelines for the Protection of Health Information Special Edition, Canada’s Health Informatics Association, 2020, p. 25.
RkJQdWJsaXNoZXIy MTgwMjYzOA==