1.0 PURPOSE
The purpose of this policy is to ensure that all Team Members of the
Steeves & Rozema Group (S&R) are aware of and adhere to the ten
principles of privacy. During the course of conducting business it
may be necessary to collect personal information. In an effort to
ensure the privacy of all clients, residents and employees and the
protection of their Personal Information (PI) the following
practices will be followed by S&R as the custodians of the
information.
2.0 SCOPE
All Steeves & Rozema properties and homes are responsible for PI
under their control and shall designate an individual or individuals
who are accountable for the organization’s compliance with the ten
privacy principles.
3.0 DEFINITIONS
Personal Information (PI) - Personal information includes any
factual or subjective information, recorded or not, about an
identifiable individual. This includes information in any form, such
as:
• Gender, age, date of birth, marital status, partner’s
information, financial information (credit records, loan records
etc.), pictures, biometrics, personal contact information, ID
numbers (SIN, OHIP No. etc.), ethnic origin or blood type
• Opinions, evaluations, comments, social status, or
disciplinary actions; and
• Employee files, medical records (also PHI), existence of
a dispute between a consumer and a merchant, intentions (for
example, to acquire goods or services, or change jobs).
*“Personal information does not include the name, title, business
address or telephone number of an employee of an organization.”
PIPEDA (Personal Information Protection and Electronic Documents
Act) - A Federal Consent Based Act (April 23, 2000), which applies to
the Canadian private sector. It applies to organizations who
collect, use or disclose information in the course of commercial
activities.
PRIVACY ACT – Is a Federal Authority based Act (July 1, 1983), which
imposes obligations on 150 Federal Government Departments and
Agencies.
4.0 REFERENCES
Privacy Act (July 1, 1983)
PIPEDA (Personal Information Protection and Electronic
Documents Act - April 13, 2000)
5.0 ROLES & RESPONSIBILITIES
None
6.0 PROCEDURE
Principle 1 – Accountability
• The CEO of Steeves & Rozema has ultimate accountability
for protecting the Personal Information of clients, residents and
team members. The CEO may be supported in this activity by
delegating the day-to-day operational privacy responsibilities to
other individuals. All team members share responsibility for
adhering to the organization’s privacy policies and procedures.
• The name and contact information of the individual
designated to oversee the compliance with the principles, the
privacy officer, is available upon request.
• The privacy officer shall implement policies and
practices to give effect to this policy, including:
a. Implementing procedures to protect personal and personal
health information;
b. Establishing procedures to receive and respond to
complaints and inquiries;
c. Training team members and communicating to team members
information about privacy principles and practices.
Principle 2 – Identifying Purposes
• The custodian at or before the time the information is
collected shall identify the purpose for which PI is collected. The
primary purposes are the delivery of services, quality management,
billing and meeting legal and regulatory requirements.
• Identifying the purposes for which PI is collected at or
before the time of collection allows us to determine the information
needed to fulfill these purposes.
• The identified purposes are specified at or before the
time of collection to the individual from whom the PI is collected.
Depending upon the way in which the information is collected, this
can be done orally or in writing. An admission or application for
services form, for example, may give notice of the purposes.
• When PI that has been collected is to be used for a
purpose not previously identified, the new purpose shall be
identified prior to use. Unless law requires the new purpose, the
consent of the individual is required before information can be used
for that purpose.
• Persons collecting PI should be able to explain to
individuals the purposes for which the information is being
collected.
Principle 3 – Consent
• The knowledge and consent of the individual are required
for the collection, use, or disclosure of personal information,
except where inappropriate.
Note: In certain circumstances PI can be collected, used, or
disclosed without the knowledge and consent of the individual. For
example, legal, medical, or security reasons may make it impossible
or impractical to seek consent. When information is being collected
for the detection and prevention of fraud or for law enforcement,
seeking the consent of the individual might defeat the purpose of
collecting the information. Acquiring consent may be impossible or
inappropriate when the individual is cognitively impaired, seriously
ill or psychotic and the substitute decision maker is not available.
Organizations are advised to follow the rules provided in the Health
Care Consent Act and Substitute Decisions Act.
• Consent is required for the collection of PI and the
subsequent use or disclosure of this information. Typically, S&R
will seek consent for the use or disclosure of the information at
the time of collection. In certain circumstances, consent with
respect to use or disclosure may be sought after the information has
been collected but before use (for example, when S&R wants to use
information for a purpose not previously identified).
• The principle requires “knowledge and consent”. We will
make a reasonable effort to ensure that the individual is advised of
the purposes for which the information will be used. To make the
consent meaningful, the purposes must be stated in such a manner
that the individual can reasonably understand how the information
will be used or disclosed.
• In obtaining consent, the reasonable expectations of the
individual are also relevant. For example, an individual seeking
service/admission should reasonably expect that the person
collecting the information, in addition to using the individual’s
name and address for administration purposes, would also contact the
individual to advise on the availability of the room in the
facility. On the other hand, an individual would not reasonably
expect that PI given to a health-care professional would be given to
a company selling health-care products, unless consent was obtained.
Consent shall not be obtained through deception.
• The way in which the custodian seeks consent may vary,
depending on the circumstances and the type of information
collected. The custodian will generally seek express consent when
the information is likely to be considered sensitive. Implied
consent would generally be appropriate when the information is less
sensitive. An authorized representative can also give consent.
• Individuals can give consent in many ways. For example:
(a) An admission form may be used to seek consent, collect
information, and inform the individual of the use that will be made
of the information. By completing and signing the form, the
individual is giving consent to the collection and the specified
uses;
(b) A check-off box may be used to allow individuals to
request that their names and addresses not be given to other
organizations. Individuals who do not check the box are assumed to
consent to the transfer of this information to third parties;
(c) Consent may be given orally when information is collected
over the telephone; or
(d) Consent may be given at the time that individuals use an
organization’s product or service.
• An individual may withdraw consent at any time, subject
to legal or contractual restrictions and reasonable notice. We will
inform the individual of the implications of such withdrawal.
Principle 4 – Limiting Collection
• S&R will only collect PI for lawful purposes permitted
by PIPEDA and by other Acts i.e. Privacy Act (SIN).
• PI will be collected by fair and lawful means.
Principle 5 – Limiting Use, Disclosure, and Retention
• PI shall not be used or disclosed for purposes other
than those for which it was collected, except with the consent of
the individual or as required by law. PI will be retained as long as
necessary for the fulfillment of the purpose.
• S&R will use and disclose PI for the purpose identified.
If S&R uses or discloses PI for a new purpose, it will document this
purpose and obtain consent, e.g., for promotion.
• If PI is used or disclosed without an individual’s
consent in a circumstance that requires consent, S&R will make a
note of such use and/or disclosure, and inform the individual of the
use or disclosure at the first reasonable opportunity. S&R will keep
the note as part of the record about the individual or in a form
that is linked to those records.
• S&R may disclose PI where the disclosure is necessary
for the purpose of eliminating or reducing a significant risk of
serious bodily harm to an individual, a person or group of persons.
Principle 6 – Accuracy
• S&R will take reasonable steps to ensure PI is as
accurate, complete, and up-to-date as is necessary for the purposes
for which it is to be used.
• S&R will not routinely update PI, unless such a process
is necessary to fulfill the purposes for which the information was
collected.
Principle 7 – Safeguards
• Security safeguards appropriate to the sensitivity of
the information will protect PI.
• S&R’s security safeguards will protect PI against loss
or theft, as well as unauthorized access, disclosure, copying, use,
or modification. S&R will protect PI regardless of the format in
which it is held, e.g., verbal, paper or electronic.
• S&R ensures that the records of PI and PHI in its
custody and control are retained, transferred and disposed of in a
secure manner.
• The methods of protection include:
• Physical measures, for example, locked filing cabinets
and restricted access to offices;
• Organizational measures, for example, acceptable use
policies of S&R communication systems, limiting access to
information on a “need-to-know” basis; and
• Technological measures, for example, the use of user
identification and passwords to access S&R information systems.
• S&R makes its employees, volunteers and other agents
aware of the importance of maintaining the confidentiality of PI. As
a condition of employment, all S&R employees and volunteers must
sign the S&R confidentiality agreement and agree to adhere to the
information practices.
• Care is taken in the disposal or destruction of PI, to
prevent unauthorized parties from gaining access to the
information.
• S&R will notify an individual at the first reasonable
opportunity if PI is stolen, lost or accessed by unauthorized
persons.
Principle 8 – Openness
• S&R will make readily available to individuals specific
information about its policies and practices relating to the
management of PI.
• S&R sets out its information practices in writing and
makes this information available in a form that is generally
understood.
• S&R makes information on its policies and practices
available in a variety of ways. For example, S&R has
brochures available throughout the facilities, it will mail
information to family members and it will also provide online access
to its Privacy Statement.
Principle 9 – Individual Access
• Upon written request, an individual will be informed of
the existence, use and disclosure of his or her PI and will be given
access to that information. An individual will be able to challenge
the accuracy and completeness of the information and have it amended
as appropriate.
Note: In certain situations, S&R may not be able to provide access
to all the PI that it holds about an individual. Exceptions to the
access requirements will be limited and specific. The reasons for
denying access will be provided to the individual upon request.
Exceptions may include:
• Access could reasonably be expected to result in a risk
of serious harm to the treatment or recovery of the individual or a
risk of serious bodily harm to an individual or group of
individuals,
• Information that is prohibitively costly to provide,
• Information that contains references to other individuals,
• Information that cannot be disclosed for legal reasons,
• Information that is subject to solicitor-client or
litigation privilege.
In addition, S&R may provide personal information about tenants or
occupants to providers of utilities, services and/or commodities to
the buildings (including, without limitation, gas, electricity,
water, telephone and cable TV), for the purpose of expediting the
applicable services.
• S&R will provide an individual with access to his or her
record of PI, except in limited circumstances. If S&R refuses an
access request, the individual is entitled to make a complaint to
the Office of the Information and Privacy Commission of Ontario.
• S&R will provide a request form to enable the individual
to access his or her record. S&R will make all efforts to provide
the requested PI as soon as reasonably possible, but not later than
30 days.
• S&R may charge the individual seeking access a fee.
• An individual may request S&R to correct his or her PI
if he or she believes that the record is inaccurate or incomplete.
An individual must successfully demonstrate the inaccuracy or
incompleteness of PI and give S&R the necessary information to
correct the record.
• S&R will notify persons to whom the record was
previously disclosed of the correction, except where the correction
would not affect the provision of health or other benefits.
• S&R is not required to correct PI that consists of a
record that was not originally created by S&R, if S&R does not have
sufficient knowledge, expertise or authority to correct the record
or the record consists of a professional opinion made in good faith
about the individual.
Principle 10 – Challenging Compliance
• An individual will be able to address a challenge
concerning compliance with the above principles to S&R’s Privacy
Officer.
• An individual who has grounds to believe that S&R has
contravened PIPEDA may make a complaint in writing utilizing the
Privacy Complaint form HR 7.5.4b and forward it to the Privacy
Office at Head Office.
• The Privacy Officer will respond to all complaints or
inquiries about its information practices relating to the handling
of personal information.
• If an individual wants to complain to the Information
and Privacy Commissioner, S&R will inform them how to lodge a
complaint.
• If a complaint is found to be justified through the
internal or external complaint review process, S&R will take
appropriate measures, including, if necessary, amending its
information practices.
**DISCLAIMER**
The Steeves & Rozema Group reserves the right to change this policy
from time to time. If a material change is made, this policy will be
updated immediately. We recommend that periodically you review this
policy to ensure that you are aware of any changes that may have
occurred. All privacy policies are available from any member of the
management team. Your continued reading of the policy and use of our
site following the posting of any changes shall constitute your
acceptance of these changes.