
Privacy and the 10 Principles


Presentation Transcript


  1. Privacy and the 10 Principles For Long-Term-Care and Community Care

  2. Agenda • Privacy Legislation • Why Privacy Matters • The CSA Code • Detailed review of CSA Code

  3. Personal Information Protection & Electronic Documents Act (PIPEDA) • As of January 1 2004, • PIPEDA applies to the collection, use and disclosure of personal information by organizations in the course of commercial activities … (s. 30(1) and (2)). • Applies to both electronic and hard copy personal information

  4. PIPEDA and Health Care • Provinces with “substantially similar laws” will be exempt • Health care requests to be exempt have been ignored • PIPEDA is based on CSA code. Any future legislation Ontario may introduce will be based on the CSA Code. PIPEDA and Ontario legislation will be consistent • PIPEDA provides the opportunity to review and develop good information management practices and avoid risk

  5. The New Reality • The individual described by the personal information controls the information, regardless of who might own the media used to store the information

  6. Privacy Legislation and the Individual • Control - provide or withhold consent • Knowledge - how personal information will be used and disclosed • Access - ability to access and correct • Recourse - complain if privacy is compromised

  7. Risks of Not Adhering to the 10 Principles • Outdated information management practices • Risk of breach of privacy with paper, fax and e-health • Damage to reputation • Loss of goodwill/trust • Negative media exposure • Damages, legal liability, legal fees

  8. Privacy Legislation - Government • Federal • Canada Privacy Act 1980 • Ontario • Freedom of Information and Protection of Privacy Act (FIPPA) 1988 • Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) 1991 • All provinces/territories have privacy legislation for government

  9. Privacy Legislation - Private Sector • Federal Government • The Personal Information Protection & Electronic Documents Act (PIPEDA) - applies to commercial activity • Provincial Government • Ontario Proposed Privacy of Personal Information Act (PPIA) - must be "substantially similar" to PIPEDA • (BC, Alta, Man, Que. have privacy legislation)

  10. The CSA Code • Derived from the OECD's Fair Information Practices • Defines Canada's core privacy values • Forms the basis for Federal and Provincial privacy legislation • Introduced in 1996 as the Canadian Standards Association Model Code for the Protection of Personal Information

  11. The CSA Code - 10 Principles • 1. Accountability • 2. Identifying Purposes • 3. Consent • 4. Limiting Collection • 5. Limiting Use, Disclosure & Retention • 6. Accuracy • 7. Safeguards • 8. Openness • 9. Individual Access • 10. Challenging Compliance

  12. Principle 1 - Accountability An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the privacy principles • Designate a person(s) • Develop privacy policies • Educate staff • Review (revise) 3rd party contracts • Put policies & procedures in place to enable recourse

  13. Accountability - Slide 2 • Analyze all information handling practices - create an inventory of all data repositories and collection forms • What PI is collected • Why is it collected • How it is collected • What use is made of it • Where is it kept • How is it secured • Who has access to or uses it • To whom is it disclosed

  14. Principle 2 - Identifying Purposes The purpose for which personal information is collected shall be identified by the organization at or before the time the information is collected. • Notification document (brochure, web site) • Personal information to be collected • Specific purposes for the collection • Contact information of the privacy person

  15. Identifying Purposes - Slide 2 • Communicate the purpose for which it is collected - initially and when the purpose changes • Notification Document - "Notice" • Be specific - the individual must be able to understand • Provide examples • direct care • administration and quality management • research, teaching • complying with legal or regulatory requirements

  16. Principle 3 - Consent The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate • Consent policies and procedures • Express consent - explicit (verbal or written) • Implied consent - assumed • Notice - give written information • Who obtains consent • Who gives consent (need policies and procedures for the SDM, the substitute decision-maker)

  17. Consent - Slide 2 • Express Consent required when you cannot imply it or use a notice • to disclose to third parties • to obtain from third parties • Focus on individual knowing and consenting • Obtain express consent when reasonably and practicably possible (consent per episode not transaction) • The individual (SDM) can revoke consent

  18. Principle 4 - Limiting Collection Collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair & lawful means • Limit amount of information collected to purpose (principle 2) • Collect information from the individual to whom it applies or SDM • Collect in a fair & lawful way

  19. Limiting Collection - Slide 2 • Define policies and develop technical constraints for collecting personal information • Collect only what you "need to know" • Individuals must be informed of their right to restrict collection • When additional information is to be collected (not identified in the purpose), get consent

  20. Principle 5 - Limit Use, Disclosure & Retention Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as is necessary for the fulfillment of those purposes.

  21. Limiting Use, Disclosure and Retention - Slide 2 • Limit use & disclosure of information to the purposes identified (or obtain consent) • Access to be provided only to authorized individuals • Define categories of Personal Health Information and determine need to know for each category • Develop policies on how it is used, disclosed • Audit use and disclosure • Dispose of information in a way that prevents access (anonymize) • Define policies for retention and destruction of information

  22. Principle 6 - Accuracy Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. • Consider protocols to ensure accuracy and provide direction if information is inaccurate • Build input and edit rules into the application • Allow the individual access to personal information to determine/confirm its accuracy • Allow the individual to make corrections

  23. Principle 7 - Safeguards • Personal information shall be protected by security safeguards appropriate to the sensitivity of the information • Physical - restricted access • Organizational - security policies, authorized access • Technological - password control, encryption, firewalls, system audits

  24. Principle 8 - Openness An organization shall make readily available to individuals, specific information about its policies and practices relating to the management of personal information. • Provide contact information of accountable person • Provide information needed to make informed decisions • Identify what personal information is disclosed

  25. Principle 9 - Individual Access Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

  26. Principle 10 - Challenging Compliance An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals responsible for the organization's compliance. • The individual can complain • The organization must respond to the complaint • The complaint process must be simple • If the complaint is justified, take corrective action

  27. Discussion • Thank You