Privacy and Confidentiality

  • Sara Riel Inc. and its employees will take all reasonable steps to maintain the confidentiality of all confidential organizational and personal information.
  • Sara Riel Inc. and its employees will respect and protect the privacy of personal information by complying with the 10 privacy principles required by the Personal Information Protection and Electronic Documents Act (PIPEDA), as follows:
    1. Accountability
    2. Identifying purpose
    3. Consent
    4. Limiting collection
    5. Limiting use, disclosure and retention
    6. Accuracy
    7. Safeguards
    8. Openness
    9. Individual access
    10. Challenging compliance
  • Sara Riel Inc. will maintain a privacy policy for distribution to members, clients and other interested parties, and will post this policy on its website. The policy will include references to:
    1. Restrictions placed on the disclosure of personal information.
    2. Time limits for holding personal information collected and the commitment to destroying unneeded information.
    3. The process by which individuals may access their personal information.
  • The organization will maintain high standards of physical and electronic security wherever personal information is being handled.
  • The organization’s Privacy Officer is:

Executive Director or Designate

All requests for access to personal information and all contact with the Privacy Commissioner of Canada will go through the Privacy Officer.

  • Employees have a right to understand, access and correct their personal information. Employee personal information collected, used or disclosed will be subject to the same care and conditions as outlined for other personal information.
  • PURPOSE
    • This Statement of Policy and Procedure outlines the organization’s compliance with privacy legislation, principles and practice.
  • SCOPE
    • This policy applies to all organization personnel.
    • Compliance with the principles outlined in this policy shall be treated as essential for contract compliance with suppliers, consultants and other contracted organizations.
  • RESPONSIBILITIES
    • It is the responsibility of every employee to ensure that privacy of personal information is protected and respected.
    • It is the responsibility of the Privacy Officer to:
      1. Develop and maintain both internal and external privacy policies.
      2. Ensure that systems and processes are in place to support the policies.
      3. Act as an expert resource on privacy within the organization.
      4. Act as a point of contact on privacy issues.
  • DEFINITIONS
    • “Cookies” refer to information stored on a computer hard drive in the course of accessing information from the Internet that tracks information about the individual’s browsing history and use of the Internet.
    • “Personal information” refers to all information related to a unique individual including name and contact information, identification numbers or codes, and sensitive personal information.
    • “PIPEDA” is the Personal Information Protection and Electronic Documents Act, the federal law governing the commercial collection, use and disclosure of personal information.
    • “Privacy Commissioner of Canada” refers to the individual appointed by the federal government to inform the public about, and to enforce, PIPEDA.
  • PROCEDURES
    • All employees will protect and respect confidential and personal information by:
      1. Taking all reasonable steps to secure and protect the information, as follows:
         1. Electronic records of personal information will be subject to limited access by authorized personnel in the performance of their duties.
         2. Printed records of personal information, when they are not under the control of authorized personnel, will be kept in a secure location.
         3. Transmission out of the secured area, for example by fax, will include security measures so that only the individual receiving or sending the material has access to it.
      2. Disclosing to individuals that personal information is being collected and directing them to the Privacy policy.
      3. Ensuring that every use and disclosure of personal health information is limited to the minimum amount of information necessary to accomplish the purpose for which it is used or disclosed.
      4. Destroying the information when it is no longer required. Personal information will be destroyed two years after it is no longer required.
         1. When destroying Personal Health Information (PHI), it must be destroyed in a manner that preserves the confidentiality of the information. PHIA requires trustees to establish organizational policies and procedures in this regard. For example, such a policy could require that:
            1. PHI is never discarded in mainstream garbage.
            2. CDs and similar storage media must be physically destroyed.
            3. PHI held on a computer or in the memory found in other electronic equipment, such as photocopiers and fax machines, must be magnetically erased or overwritten in such a way that the information cannot be recovered.
      5. Responding to breaches. If a breach is determined, it must be contained immediately and reported to a Manager. The response will:
         1. immediately contain the breach;
         2. assess any risk associated with the breach (e.g. the sensitivity of the PHI and the potential damage that could be done if it is used maliciously);
         3. assess what notification should take place (e.g. board of directors, the Ombudsman, the individuals whose PHI was breached, etc.);
         4. assess what policy/procedural development is required to prevent the same or similar breach from occurring in the future.
    • Appointment and Responsibilities of the Privacy Officer

The president will appoint a Privacy Officer for the organization whose name and contact information will be publicly available as the point of contact for all inquiries or issues related to privacy of personal information.

The Privacy Officer is responsible for:

  1. Development and maintenance of the organization’s privacy policies both for the public and for employee records.
  2. Thorough review of the organization’s collection, use and disclosure of personal information to ensure that only required information is dealt with.
  3. Communication of the public Privacy policy to the public and to all employees, including necessary employee training.
  4. Communication of the Privacy policy for employee information to all employees, including necessary management training.
  5. Acting as an expert resource for the organization on matters relating to privacy of personal information.
  6. Ensuring that the organization’s systems and procedures meet all legal compliance requirements and also a standard of excellence for respect of personal information.
  7. Documenting and analysing all complaints regarding the use, retention or disclosure of personal information.
  8. Instituting changes to the policy and related procedures he or she deems necessary in order to respect the principles of this policy.
  • Detailed Guidelines
    1. An individual has the right to file a statement of disagreement with their personal health information. If their request for correction is refused, this statement has to be included in the chart.
       1. The statement has to be added to the record.
       2. All Trustees have to be notified if the statement pertains to the
    2. The trustee must sever the personal health information that the trustee refuses to allow to be examined or copied, and permit the individual to examine and receive a copy of the remainder of the information.
    3. When a trustee makes a correction or adds a statement of disagreement, the trustee must, when practicable, notify any other trustee or person to whom the PHI was disclosed during the year before the correction was requested about the correction or statement of disagreement. (Needs Approval)
    • Social Media

In this age of technological advancement, it is very easy to share information and photographs online via such vehicles as Facebook, Twitter, MySpace and personal web logs (blogs). Employees and agents of trustees, health professionals in particular, need to be extremely cautious. Posting PHI or photographs online is considered a disclosure of information, which could have serious legal and employment consequences.

PHI, including photographs, should never be posted without the express consent of the individual the information is about, even if permitted, or not specifically prohibited, by organizational policy.

    1. Personal information may be collected without knowledge or consent only in the following circumstances:
       1. In the event of an emergency that threatens the life, health or security of an individual.
       2. If there are reasonable grounds to believe that the information could be useful to investigate the contravention of a law.
       3. The collection is in the interest of the individual and consent cannot be obtained in a timely way.
       4. The collection of the information with the individual’s knowledge or consent would compromise the availability or accuracy of the information, and the collection is required to investigate the contravention of a law.
       5. The information is publicly available.
    2. Personal information may be disclosed without knowledge or consent only in the following circumstances:
       1. In the event of an emergency that threatens the life, health or security of an individual.
       2. To a lawyer representing the organization.
       3. To collect a debt owed to the organization by the individual.
       4. To a government institution that has indicated disclosure is required on a matter relating to national security or the conduct of international affairs.
       5. The information is publicly available.
       6. If required by law.
       7. For other circumstances listed in subsection 7(3) of PIPEDA.
    3. Requests from an individual to provide information about their personal information being collected, used or disclosed by the organization will be answered within 20 days. No fee will be charged for this service.
    4. If an individual withdraws consent for the use of personal information, the Privacy Officer will take all necessary steps to cease the organization’s use of the information within 30 days.