Therapist Assisted Internet-Based Cognitive Behaviour Therapy Solution for Depression, Anxiety and Post Traumatic Stress Disorder (Inkblot) PIA Summary

Date of PIA Report: October 21, 2022 (PIA reflective of information received up until this date) 

Date PIA Summary Last Reviewed and Updated: May 13, 2025

The following is a summary of the above-referenced privacy impact assessment (PIA), including a brief background on the Therapist Assisted Internet-Based Cognitive Behaviour Therapy Solution for Depression, Anxiety and Post Traumatic Stress Disorder, key findings, risks and recommendations and, as applicable, target dates for completion. See our Privacy Contact page for information on how to contact the Ontario Health Privacy Office should you have any questions.

Background

The Mental Health and Addictions Center of Excellence at Ontario Health was established to support the delivery and implementation of the provincial Mental Health and Addictions strategy. A key component of achieving this strategy is providing coordinated access to mental health services through the implementation of the Ontario Structured Psychotherapy (OSP) program. 

The OSP program provides access to evidence-based, short-term, cognitive behavioral therapy (CBT) and related approaches to Ontarians with depression and anxiety-related conditions, with no out-of-pocket costs for participants. The program is delivered through 10 regional psychotherapy networks as a coordinated provincial program. Adopting a “hub and spoke” model, each network is comprised of several organizations working collaboratively to administer and deliver high-quality services for individuals (collectively, “clients” and individually a “client”) within a defined region of Ontario.  

Access to the program is centralized within each network which means that all individuals are referred directly to a Network Lead Organization (NLO) for screening and assessment. Following the centralized screening and assessment process, clients are directed to the service that best meets their needs with all available and appropriate client data. Based on ongoing monitoring of client progress throughout treatment, clients will either complete treatment or be referred back to the NLO for service navigation, as required. 

The Ministry of Health has provided funding to Ontario Health to add an iCBT service offering to the OSP program as another treatment option available to eligible and interested OSP clients. The Mental Health and Addictions Center of Excellence is collaborating with external stakeholders, including the Provincial System Support Program (PSSP) from CAMH and the Ministry of Health, to acquire and implement the iCBT service. Given that personal health information (PHI) is being collected, used, stored, and disclosed as a function of the iCBT solution, Ontario Health has mandated that a Privacy Impact Assessment (PIA) be conducted to ensure that the information is privacy-protected. This PIA is focused on the iCBT service provided by Inkblot that will be embedded into the OSP model and implemented as an available service offering at each of the NLOs.

Key Findings

The PIA was conducted over the course of two months, beginning on August 22, 2022, and the assessment was based on information available up to and including October 21, 2022. In accordance with Ontario Health’s Privacy Risk Management policy and procedures, the Ontario Health Chief Privacy Officer (CPO) approves and endorses the results of the PIA and risk management process, and should there be a risk or risks that cannot be mitigated to an acceptable risk tolerance of minor, the designated business or portfolio owner must:  

  • review and sign off the Risk Acceptance Form;
  • prepare supporting documentation (a briefing note) addressing the possible consequences of accepting the risk(s) and not implementing the recommendation(s) provided by the Legal, Privacy and Risk Portfolio; and
  • submit the Risk Acceptance Form and supporting documentation to the Executive Lead for the applicable portfolio and to the Executive Lead for the Legal, Privacy and Risk Portfolio for review and approval.

Ontario Health’s PIA Standard recommends that all very high, high, and moderate risks be mitigated to an acceptable level (minor) prior to a project going live. Any risks identified as minor or lower should also have a mitigation plan in place. For Inkblot (IB), the privacy analysis identified sixteen (16) risks and made twenty-three (23) recommendations to mitigate them. The risk rating definitions used to assess the risk of each identified gap are available upon request. The risks were rated as follows:

  • One very high rated risk 
  • Nine moderate rated risks 
  • Six minor rated risks 

Risks & Recommendations

The PIA makes the following risks and recommendations:

Risk 1: Inkblot offers its public-facing privacy policy as the foundation for obtaining ‘knowledgeable consent’ from clients. The language in the existing privacy policy shows an incomplete approach to consent. This creates a risk of non-compliance with a specific aspect of PHIPA, namely ‘knowledgeable consent.’

Risk Level: Very High

Recommendations:

  • It is strongly recommended that consent be revisited in the public-facing Privacy Policy, aligning with the Consent Principle. Specifically, contemplate changes to address possible inaccuracies, inconsistencies, missing information, standardization of terminology, and relevancy. The contemplated changes may inform amendments to the Policy.
  • Inkblot should develop and implement internal processes and procedures to address the complexities. For example, if a client opts out of participating halfway through the program, what does this mean for the retention of information collected up to the time of opt-out? Who will have access to the retained information, and why?

Status: Completed

 

Risk 2: Inkblot’s public-facing Privacy Policy does not fully describe how it aligns with fair information practices, or how it complies with PHIPA. This creates a risk of non-compliance with the Act. 

Risk Level: Medium

Recommendations: It is strongly recommended that Inkblot consider rewriting its public-facing Privacy Policy to align with fair information practices and describe how it complies with PHIPA.

Status: Completed

 

Risk 3: While Inkblot has a number of foundational policies, there is a lack of clear procedural documentation to operationalize key aspects of PHIPA. This creates a risk of non-compliance with the Act.

Risk Level: Medium

Recommendations:

  • It is recommended that Inkblot create procedural documentation that demonstrates how access requests will be addressed. The procedures could include (for example) information about what data is accessible (for example, the .csv file, case notes), and what form provisioning of the requests should take.
  • It is recommended that Inkblot create procedural documentation that demonstrates how requests for correction will be addressed. The procedures could include (for example) information about the type of information that can be corrected (for example, information in the .csv file), whether there are timeline restrictions associated with corrections, and the role within Inkblot that will make the corrections.
  • It is recommended that Inkblot create procedural documentation on why and how to aggregate PHI, and the procedures should align with Ontario Health aggregation guidelines. 
  • It is recommended that Inkblot create procedural documentation on why and how to de-identify PHI, and the procedures should align with the IPC de-identification guidelines. 
  • It is recommended that the ‘Data Classification Policy’ be supported with information about how to implement data classification. 
  • It is recommended that Inkblot’s approach to privacy breach notification be reviewed to meet Ontario Health contractual requirements. The review should pay particular attention to how and in what form the notification will happen.
  • It is recommended that Inkblot develop Risk Management Protocols and Processes, placing a particular focus on addressing privacy and security risks. 

Status: Completed

 

Risk 4: Inkblot does not inform clients that it will install cookies on a client’s device or that it will install updates to the Platform. This creates a risk of non-compliance with CASL requirements to provide such notification in a Terms of Service or Privacy Policy.  

Risk Level: Medium

Recommendations: It is recommended that Inkblot update its Privacy Policy to inform clients if it intends to install software programs (such as cookies) on the client’s device (and why), and that it will perform software updates for which clients will be notified. 

Status: Completed

 

Risk 5: Based on interviews and documents provided, it appears that there may be inadequate focus on PHIPA in employee and therapist training. This could pose a risk of unintentional breaches of the privacy of PHI.

Risk Level: Medium

Recommendations: In alignment with section 1.09 of the Service Agreement, it is recommended that Inkblot realign its employee/therapist training to focus on PHIPA and provide a copy of the updated training package to Ontario Health for review. 

Status: Completed

 

Risk 6: Aside from the Privacy Policy, clients are not educated on privacy-protective measures when enrolling and participating in the program. This creates a risk of inappropriate access and use of information in the iCBT program (for example, by family members). 

Risk Level: Medium

Recommendations: It is recommended that Inkblot work with the NLOs to ensure there is standard language provided to the clients related to their privacy obligations prior to being triaged to Inkblot. Inkblot may wish to consider leveraging the IPC-developed guidelines on working in a virtual care environment, for the purpose of educating clients through a resource available to clients.

Status: Completed

 

Risk 7: CAMH has been identified as an Agent of Inkblot and to date has not entered into any sort of agreement in which privacy obligations are articulated. This creates a risk that CAMH could inadvertently breach privacy without having the benefit of clear direction in an agreement.

Risk Level: Medium

Recommendations: It is recommended that Inkblot enter into an agent agreement with CAMH prior to sharing data. 

Status: Completed

 

Risk 8: Without more clarity on Inkblot’s approach to compliance with AODA, there is a risk that Inkblot may be in a state of non-compliance with the Act and the Service Agreement. 

Risk Level: Medium

Recommendations: It is recommended that Inkblot provide Ontario Health with an attestation that it complies with the AODA requirements, in alignment with section 3.12 of the Service Agreement.

Status: Completed

 

Risk 9: Inkblot’s approach to record keeping appears to be incomplete, which creates a risk of issues and challenges with addressing access requests and breaches.

Risk Level: Medium

Recommendations: It is recommended that Inkblot place a focus on developing a policy, processes, procedures, and schedules to address record keeping. 

Status: Completed

 

Risk 10: No information was provided on Inkblot’s support services. If policies and procedures have not been developed and communicated to support services, a risk is created of inappropriate access, uses and disclosures of PHI to which support services have access. 

Risk Level: Medium

Recommendations: It is recommended that Inkblot develop privacy measures to limit uses, disclosure and retention that are specific to their support services.

Status: Completed

 

Risk 11: Inkblot’s privacy program is a work in progress that does not appear to include measurements to assess the health and maturity of its program over time. Without KPIs placed in the context of privacy requirements, there is a risk that Inkblot may have challenges assessing the sufficiency of its approach to compliance, particularly as laws and standards continue to evolve. 

Risk Level: Low

Recommendations: It is recommended that Inkblot consider developing performance measurements to determine (and report where required) the health and maturity of its privacy program over time. 

Status: Completed

 

Risk 12: Given that Green Shield Canada (GSC) has no role in the iCBT project, it is unclear what mechanism has been implemented by IB to ensure that PHI is not shared with GSC. This places Inkblot in a state of misalignment with the Accountability privacy principle and can lead to a state of non-compliance with PHIPA. 

Risk Level: Low

Recommendations: It is recommended that Inkblot provide an attestation of contractual arrangements with GSC that stipulates that Inkblot will not share PHI.

Status: Completed

 

Risk 13: A Solution Design Document (SDD) is a blueprint that serves as an overarching reference for an entire project setting, including the direction for and expectations from the implementation phase. Inkblot does not have an overall solution design. This creates a risk of non-compliance with PHIPA. 

Risk Level: Low

Recommendations: It is recommended that Inkblot place a focus on formally describing its solution design, with inclusion of aspects such as detailed descriptions of the technology, data flows and signature of interfaces.

Status: Completed

 

Risk 14: Some NLOs may request a Data Sharing Agreement. However, no standard template is being used by the NLOs, which creates a risk of disparate privacy obligations for IB. 

Risk Level: Low

Recommendations: While few NLOs have indicated an interest in requesting a DSA to date, if the number increases, it is recommended that Inkblot work with the NLOs to explore standard language. NOTE: No NLOs requested a DSA. 

Status: Not applicable

 

Risk 15: A person’s name is provided in the privacy policy for contact purposes. This creates a risk of non-compliance with the CASL requirement for contact information to be valid for 60 days. 

Risk Level: Low

Recommendations: It is recommended that Inkblot replace the contact information that includes the name of an individual with general contact information for the privacy program or area.

Status: Completed

 

Risk 16: Requests from a client to correct information in the application appear to be addressed manually by Inkblot staff. This practice has the potential to result in transposition or other accuracy-related issues which in turn create a risk of complaints and misalignment with the ‘accuracy’ privacy principle.  

Risk Level: Low

Recommendations: It is recommended that Inkblot develop a quality-assurance process to ensure that updates to client information are accurate. 

Status: Completed

Last Updated: January 16, 2026