Seventy. Five. Thousand. That’s one big number and it’s how many IAPP members there are as of this week. It really says something about the profession that our association is growing at this rate. That being said, there’s still room for growth and I won’t even be surprised when we hit 100,000 in the not-so-distant future.

In other news this week, the Information and Privacy Commissioner of Ontario released an important decision after an investigation conducted under the Personal Health Information Protection Act. It is called PHIPA Decision 175.

You should read it — there are some important takeaways. First, the process of deidentifying a dataset is a “use” of that dataset, so there are legal obligations that must be followed. Second, while the process of deidentifying a dataset can occur without consent of the individual patients, the custodian must nevertheless be transparent with those patients by providing notice that they will be deidentifying the data. Third, custodians that deidentify the data have security obligations to make sure that the dataset remains deidentified, even after the custodian no longer has it — for example, if the custodian sells the deidentified dataset. This means custodians must have good contracts in place with those organizations that end up receiving the deidentified dataset. The decision also reinforces the need to employ very robust deidentification measures — it points to guidance for that.

There will probably be about a thousand of us privacy professionals gathered in Toronto at the IAPP Canada Symposium next week and PHIPA Decision 175 will be just one of the many learning opportunities we have planned. What part of the conference are you most looking forward to — the keynotes, the Commissioners’ Gameshow, the sessions or the awesome networking opportunities? I’m pretty sure it’s all going to be great and I can’t wait to see you all soon!