Privacy Governance

Policy

Category: Privacy
Subject: Privacy Governance
Division: Human Resources and Corporate Services
Policy Number: CA.58.01.100
Effective Date: October 1, 2015

POLICY STATEMENT

This privacy policy sets the standards for the protection and management of confidential information by Wellington-Dufferin-Guelph Public Health’s (WDGPH) health information custodian, and all agents of the custodian, regardless of the format in which the information is collected and stored.  Confidential information includes personal information, personal health information and sensitive information about non-person entities (e.g. schools).

WDGPH’s privacy policy complies with the provisions of Ontario Personal Health Information Protection Act, 2004 (PHIPA) and Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) for the collection, use, disclosure and retention of personal and/or personal health information, or sensitive confidential information.

Video Surveillance

Given the open and public nature of the WDGPH facilities and the need to provide for the safety and security of employees and clients who may be present at all hours of the day, WDGPH may make use of video surveillance systems. These systems may operate at any time in a 24-hour period. Video equipment shall be installed to only monitor those spaces that have been identified as requiring video surveillance. An employee receiving an inquiry from the public regarding the WDGPH use of video surveillance shall direct the inquiry to the Chief Privacy Officer (CPO).  See procedure CA.58.02.106 Video Surveillance.

Privacy in the Workspace

WDGPH has adopted a clear desk and workspace commitment to improve the security and confidentiality of information in our custody in paper records, electronic records and removable devices. This is to reduce the risk of unauthorized access, loss of and damage to information during and outside normal working hours, or when work areas are unattended. When traveling out of the office in the performance of assigned duties, employees must ensure the confidentiality of all records. See procedure CA.58.02.105 Privacy in the Workplace.

Access, Correction and Release of Information

WDGPH may request the services of a third party or vice versa. A third party is considered to be an individual or organization external to the public health unit. Confidential information must not be disclosed to any third party without consent of the client unless a valid search warrant, or subpoena, or other such legal document (data sharing agreement) has been issued.

Examples of possible third parties are:

External research bodies (e.g., universities/colleges, teaching hospitals);
Surveillance institutes (e.g., PHO, ICES, PHAC, CCO, BORN1);
Data storage/disposal companies (e.g., Iron Mountain, Shred-it, Secure-it); and 
I & IT service providers managing the electronic retention/transfer/storage/disposal of records.

WDGPH recognizes that, except in special circumstances[1], a person has the right to access and/or request a copy of their own confidential information and general information held by the Agency. These requests are processed under the MFIPPA and PHIPA, 2004.

A person can request to access, correct or obtain a copy of their confidential information in the custody of WDGPH. Formal applications are not always necessary to obtain personal or personal health information held by WDGPH under the MFIPPA, or the PHIPA (section 52(6)).

WDGPH regards the access to personal information for research purposes as an important privilege. Protecting the privacy of individuals whose personal information is used for research purposes and the confidentiality of personal information held by WDGPH is an integral commitment of the Agency.

Privacy Breaches

WDGPH’s security practices are continually evolving to ensure that the integrity and confidentiality of information and systems are maintained. Any breach of safeguarded information is unacceptable except if permitted due to extenuating circumstances, or as required under applicable legislation. All privacy breaches must be immediately reported to the immediate Manager/Supervisor or Director and CPO for follow-up and be formally investigated.  See procedure CA.58.02.103 Privacy Breach Protocol.

SCOPE

This policy applies to the WDGPH representatives (employees, volunteers, student placements, agents, consultants and third party contractors) who are required to ensure confidential, personal and personal health information remains in the control and custody of WDGPH, and is safeguarded from unauthorized access by individuals internal or external to WDGPH.

Professional practice standards, established by professional regulatory bodies that are related to client record-keeping and maintaining the privacy and confidentiality of confidential information, are respected and upheld in this policy.

WDGPH may require additional procedures to supplement this privacy policy; these procedures must remain consistent with the privacy standards and requirements set out in this policy.

DEFINITIONS

PHIPA – Ontario Personal Health Information Protection Act, 2004

MFIPPA – Municipal Freedom of Information and Protection of Privacy Act

Agent – refers to all those individuals who, with the authorization of the health information custodian, act for, or on behalf of, the custodian with respect to confidential information for the purposes of the custodian (employees, physicians, students, volunteers, researchers, vendors, contractors, consultants).

Confidential information – includes personal information, personal health information and sensitive information for non-person entities.

REFERENCES AND RELATED FORMS, POLICIES AND PROCEDURES

Corresponding Procedure:  CA.58.02.100 Privacy Governance
CA.58.02.103 Privacy Breach Protocol
CA.58.02.105 Privacy in the Workplace
CA.58.02.106 Video Surveillance
Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
Personal Health Information Protection Act (PHIPA)
Canadian Standards Association – CSA Fair Information Principles

CONTACT FOR INQUIRIES

Director, Human Resources and Corporate Services

APPROVED BY

Director, Human Resources and Corporate Services 


Procedure

Category: Privacy
Subject: Privacy Governance 
Division: Human Resources and Corporate Services 
Procedure Number: CA.58.02.100
Effective Date: August 1, 2015

PROCEDURE

The Medical Officer of Health (MOH) and the agents at Wellington-Dufferin-Guelph Public Health (WDGPH) accept their obligations and responsibilities as a custodian and agents of a custodian under Personal Health Information Protection Act, 2004 (PHIPA) and Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), and commit to:

  • Ensure clients understand the purposes for the collection, use and disclosure of their confidential information;
  • Ensure clients are aware that they may withhold, or give consent to the collection, use or disclosure of their confidential information, except where permitted by law;
  • Ensure clients are aware that they may withdraw consent to the disclosure and use of their confidential information at any time without jeopardizing any services they are receiving;
  • Provide clients with information on how to contact the Chief Privacy Officer (CPO);
  • Inform clients if there is inappropriate access, loss or theft of their confidential information;
  • Make information about WDGPH’s privacy and security policies and practices available upon request;
  • Provide clients with information on how to register a complaint about the WDGPH’s privacy and security practices;
  • Ensure all agents understand their responsibilities to protect privacy and confidentiality of confidential information; and
  • Ensure the client’s consent is obtained before releasing any confidential information to external third parties.

Privacy Statement:

WDGPH will post its Information and Privacy Statement as a public notice throughout its offices, clinics and other client points of contact, including the website. The Information and Privacy Statement will explain in an easily understandable manner the purpose for WDGPH’s collection, use, and disclosure of confidential information and will also provide information regarding:

  • WDGPH’s information management and protection practices;
  • How to contact the CPO;
  • How a client may file a complaint;
  • How a client may request access to, and correction of his/her confidential information; and
  • Obtaining clients’ consent before their information is released to third parties, except where permitted by law.

Privacy Standards:

The standards and requirements established are organized in accordance with the Canadian Standards Association (CSA), around the ten CSA Fair Information Principles as follows:

  1. Accountability:

WDGPH is responsible for the confidential information under its control and must designate an individual(s) to be accountable for WDGPH’s compliance with the following principles.  The following roles and responsibilities are identified:

MOH is the designated Health Information Custodian. This role is responsible for the following:

  • The collection, use, and disclosure of personal or personal health information by all agents in accordance with the provisions (PHIPA and MFIPPA);
  • Accountability for agents’ compliance with MFIPPA and PHIPA;
  • Delegation of operational responsibilities of implementation and compliance of the privacy policies and information management practices; and
  • Designation of the role of the CPO.

The CPO oversees all matters related to privacy on behalf of the MOH/CEO. The CPO’s roles and responsibilities include:

  • Accountable for the implementation and maintenance of WDGPH’s privacy and security program (Directors, Managers, Human Resources, Information Technology);
  • Ensure compliance with rules set out in PHIPA, MFIPPA, and WDGPH’s privacy policies;
  • Ensure that all Board of Health members and agents of WDGPH are informed of their privacy related obligations;
  • Respond to inquiries from the public about WDGPH’s information practices;
  • Respond to requests of an individual for access to, or correction of, personal or personal health information in the custody or under the control of WDGPH;
  • Enter into third party agreements (where required);
  • Receive complaints about any alleged violation of privacy obligations;
  • Chair WDGPH’s Privacy Advisory Committee; and
  • Investigate any breach of privacy, inappropriate access, loss, theft or conflict by any of its agents.

Other individuals within WDGPH have the responsibility to ensure the implementation of, and compliance with, WDGPH’s information management practices as identified and directed by the CPO:

Director and Manager roles and responsibilities include:

  • Ensure that all employees have received mandatory training re: Privacy and Information Management Systems;
  • Work closely with the CPO to retrieve records requested;
  • Ensure that collection statements are included on all WDGPH forms in relation to their division and services provided;
  • Identify potential privacy issues or practices and address with the CPO;
  • Enforce privacy policies and procedures with employees; and
  • Managers should report all privacy breaches to their Director and CPO.

Human Resources roles and responsibilities include:

  • Work closely with the CPO to develop a privacy training model for all employees;
  • Keep records indicating all employees have received mandatory training for privacy;
  • Collect, store and disclose employee information where applicable in compliance with privacy legislation; and
  • Identify potential privacy issues or practices and address with the CPO.

Information Technology (IT) roles and responsibilities include:

  • Ensure that WDGPH’s IT infrastructure meets all requirements as outlined by the IPC;
  • Develop training material for privacy related specifically to information security;
  • With proper authorization, oversee the secure disposal of electronic records;
  • Identify potential privacy issues and practices relating to IT, and address with the CPO;
  • Safeguard and set measures to protect electronic information within WDGPH; and
  • Provide a regular audit report on safety and risk management, and conduct Privacy Impact Assessments as requested by the CPO.

Public Health Agents have an obligation to protect the privacy and confidentiality of confidential information they come in contact with during and after their employment or contract with WDGPH. As such, all agents’ roles and responsibilities include:

  • Comply with all aspects of this policy;
  • Sign a confidentiality agreement that outlines their obligations to protect the privacy and confidentiality of confidential information at the time of employment and/or engagement;
  • Complete WDGPH’s privacy and security training program;
  • Report any known or suspected breaches of client privacy to their Manager and CPO;
  • Report to their Manager and CPO any instances where confidential information handled by the agent is stolen, lost or accessed by unauthorized persons;
  • Return all information assets in their possession upon termination of their employment or contract;
  • Ensure confidential information is not left exposed on unoccupied desks during and at the end of the working day;
  • Ensure confidential information is securely stored in locked cabinets or file rooms when not in use;
  • Ensure access to computer and mobile devices, including BlackBerry, is locked when left unattended;
  • Ensure measures are taken to avoid accidental disclosure of information stored on computing devices (e.g., allowing computer screen to be viewed by members of the public or other employees);
  • Adhere to records and information management policies and procedures;
  • Use system generated unique identifiers in communications with employees rather than personal/specific identifiers;
  • Ensure secure procedures are used when faxing confidential information to persons outside WDGPH (e.g., community physicians and other public health agencies), and when receiving faxed confidential information;
  • Ensure ONE-mail service is used to send confidential information outside WDGPH’s network;
  • Treat all client information received from any source external to WDGPH as confidential information, which becomes the responsibility of WDGPH;
  • Ensure confidential information is never discussed in public areas or with family members, personal friends and associates;
  • Ensure all confidential information is securely transported within and outside of WDGPH; and
  • Ensure records containing confidential information found unattended are immediately returned to the appropriate area to which the records belong and reported to the CPO.

WDGPH extends protection to employees who report a privacy or security breach, or who refuse to perform a transaction they believe to be in contravention of PHIPA (PHIPA s.70) or this policy. Employees should report such instances to the CPO.

  2. Identifying Purposes:

The purposes for which information is collected should be identified to the person prior to or at the time the information is collected. This information must be provided verbally or in writing to the client.  It is not sufficient to assume that the client has read and understood the public notice of WDGPH’s Information and Practice Statement.

  3. Consent:

The client must first be made aware of, and understand the reason for collecting the information.  Informed consent from the client is then required for the collection, use or disclosure of their personal information, except where otherwise authorized by law. WDGPH presumes that clients, including minors, are capable of consenting to the collection, use or disclosure of their personal information unless there are grounds to assume otherwise. In these instances, consent will be sought from the client’s authorized substitute decision-makers.

  4. Limiting Collection:

Confidential information will be collected by fair and lawful means. The collection of information must be limited to that which is necessary for carrying out the purpose for which it was collected. WDGPH will not collect a client’s information by misleading or deceiving clients about the purpose(s) for which it is being collected. If other information will serve the purposes for collection, confidential information will not be collected.

  5. Limiting Use, Disclosure and Retention:

Confidential client information collected by WDGPH shall not be used or disclosed to third parties for purposes other than those for which it was collected, except with the express consent of the client, or as required by the law. Non-identifying information related to clients’ care and services may be used to inform issues related to administration, strategic planning, decision making, research and allocation of resources.

  6. Accuracy:

WDGPH takes reasonable steps to ensure that the information collected is as accurate, complete, and up to date as is necessary for the purposes for which it uses the information. When a client’s confidential information is disclosed, and where WDGPH is aware of limitations to either accuracy or completeness of the information, WDGPH shall make this fact known to the recipient of the client’s confidential information.

  7. Safeguards:

WDGPH maintains measures to protect confidential information in its custody or control from unauthorized access, disclosure, copying, use, modification or destruction.

In all WDGPH offices and in any premises where confidential information is located, the following procedures are required:

  • File storage areas are to be locked when unsupervised;
  • Access to information will only be permitted through designated employees;
  • All computer terminals must be both encrypted and password protected;
  • All electronic devices must be both encrypted and password protected;
  • All information stored on a disk, CD, flash drive or other mobile device must be password protected and encrypted; and
  • Computer screens must be password protected when not in use.

  8. Openness:

WDGPH will make readily available to its clients and the public specific information about its privacy policies and practices for managing confidential information. A written public Information and Management Practices Statement will be available on WDGPH’s website and posted in all locations where programs and services are provided.  The Statement will contain:

  • Contact information of the CPO;
  • How a client may obtain access to, or request correction of, a client’s record of confidential information that is in the custody or control of WDGPH;
  • How to make a complaint to the MOH and to the Information and Privacy Commissioner/Ontario;
  • WDGPH’s purpose for the collection of confidential information;
  • How the client’s confidential information will be used or disclosed and by whom;
  • The client’s right to withhold or withdraw their consent for the collection, use, or disclosure of their confidential information by WDGPH; and
  • Circumstances when the client’s express consent will be obtained prior to the disclosure of their confidential information.

  9. Individual Access:

Upon written request to the CPO, an individual must be informed of the existence, use and disclosure of their information and shall be given access to that information. A person is able to challenge the accuracy or completeness of the information and have it amended as appropriate.

  10. Challenging:

A person may address a challenge concerning WDGPH’s compliance with the above principles to the CPO.

COMPLIANCE

Agent Compliance:

Violation of this policy by any agent is grounds for disciplinary action up to and including dismissal, and, where required, reporting of the incident to the appropriate health professional regulatory body.

Third Party Compliance Contracts:

WDGPH remains responsible for confidential information it has in its custody or control, including when that information has been disclosed to a third party.

Where WDGPH uses the services of a third party to manage or process confidential information, it will enter into an agreement with the third party that will require the third party to adhere to WDGPH’s privacy policies.

Violations of the privacy terms and conditions could constitute a breach of contract and appropriate action will be taken by WDGPH.

Research Protocol:
  1. WDGPH communicates privacy protection policies and practices to WDGPH employees, partners and stakeholders.
  2. WDGPH restricts access to personal information to those members of the organization who have authorized access for research purposes.
  3. WDGPH ensures all employees are trained in the principles and practices of personal information protection and requires all employees to reflect their commitment to respect the WDGPH’s principles, policies and practices in the protection of personal information on an annual basis.
  4. WDGPH ensures that all policies and practices are consistent with the best standards of privacy protection in health research and legislative requirements.

DEFINITIONS

IPC – Information and Privacy Commissioner

PHIPA – Ontario Personal Health Information Protection Act, 2004

MFIPPA – Municipal Freedom of Information and Protection of Privacy Act

Health Information Custodian (HIC) – MOH

Chief Privacy Officer (CPO) – Person designated by MOH to act on behalf of the HIC

REFERENCES AND RELATED FORMS, POLICIES AND PROCEDURES

Corresponding Policy:  CA.58.01.100 Privacy Governance
Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
Personal Health Information Protection Act (PHIPA)

CONTACT FOR INQUIRIES

Director, Human Resources and Corporate Services

APPROVED BY

Director, Human Resources and Corporate Services