Function: Regulations
Policy:

3-40 Personal Information Protection
CMHO Standard(s): P.A.3.3, P.*A.4.2, M.E.2.1, M.H.2.1
Approved: January 2009

POLICY 3-40 PERSONAL INFORMATION PROTECTION 
Approved January 2009

St. Leonard’s Community Services is committed to protecting the privacy of the personal information of its staff, members, donors, clients and other stakeholders.  The Agency collects, uses and discloses personal information only to the extent required to fulfill the purposes stated within this policy.

The Agency will protect the privacy of personal information related to both staff and clients by ensuring full compliance by all Board members, staff and volunteers with the terms and conditions of the Personal Health Information Protection Act (PHIPA) and other relevant legislation such as Personal Information Protection and Electronic Documents Act (PIPEDA) and the Freedom of Information Act (FOIA) as detailed in the procedures that follow.  A statement (see Appendix 1) to inform clients and the general public of this compliance will be posted in an easily accessible and visible location within each of the St. Leonard’s Community Services office sites and will also be provided to each new client entering into service with St. Leonard’s Community Services. Furthermore, all St. Leonard’s Community Services offices will post any government posters and distribute any booklets or other information provided by the government for the sharing of PHIPA information with clients and/or the public.

Personal information is any factual or subjective data, recorded or not, that can be used to distinguish, identify or contact a specific individual.  This information can include an individual’s opinions or beliefs, as well as facts about, or related to, the individual.  This includes information in any form such as a personal e-mail address, credit card numbers, home addresses etc. 

Business contact information and certain publicly available information, such as names, addresses and telephone numbers as published in telephone directories, is not considered personal information. Also, it does not include information normally found on a business card, such as name, title, company name and address, business e-mail address, and business telephone or fax numbers.

The Human Resources Administrator is the designated Privacy Officer for St. Leonard’s Community Services.  While this staff member will have overall responsibility, every staff and member of St. Leonard’s Community Services is responsible for ensuring compliance with this policy.  St. Leonard’s Community Services staff may, from time to time, be delegated to act on behalf of the Privacy Officer and will be given responsibility for the collection, use and disclosure of personal information in regard to specific clients on their caseload. 

St. Leonard’s Community Services collects, uses and discloses personal information about staff in order to partner with other service providers in the employment relationship.  Although this is not strictly covered under the PHIPA, St. Leonard’s Community Services will take the necessary precautions to ensure this information is adequately protected and is only used for the purposes for which it is collected and is only disclosed when necessary to do so.

All information provided to third parties for the purposes of payroll and benefit administration is provided under the agreed upon contractual terms with that service provider in order to ensure the privacy of this information.  It will be used only for the intended purposes and will not be disclosed to any other party.

St. Leonard’s Community Services is committed to providing clients with the best possible intervention to ensure achievement of their maximum potential.  To this end, St. Leonard’s Community Services may collect, use and disclose personal information, where applicable and where necessary, for the following purposes:

  • to plan client care and intervention;
  • to facilitate communication between intervention staff;
  • to meet legal and professional documentation requirements regarding client care;
  • as a source of data for clinical research and statistics;
  • as a planning tool when evaluating services and making service improvements;
  • for fundraising activities; and,
  • to comply with legal and regulatory requirements.

PROCEDURE

A. Health Information Custodian

For the purposes of the PHIPA legislation, all staff of St. Leonard’s Community Services are considered to be Health Information Custodians and, as such, will take every reasonable precaution to ensure the accuracy of all personal information they collect or release.  The Health Information Custodian will also clearly state, where necessary, any limitations on the accuracy, completeness or the up-to-date status of the information.  If any aspect of the personal information is questionable, it is the responsibility of the person questioning the information to clarify the accuracy of that information with the author who must then ensure those details are corrected.

B.  Accuracy of Information

It is the responsibility of the individual staff and client to advise St. Leonard’s Community Services of any changes to their personal information.  Staff need to notify the Human Resources Administrator and clients need to notify their Counsellor (Primary Worker).

C. Security of Information

St. Leonard’s Community Services is committed to ensuring that personal information is protected from unauthorized access, unintended disclosure or theft.  Protection is provided by firewalls in the computer system, passwords to protect databases, signed confidentiality agreements, locked file cabinets and restricted access to offices.  Only authorized staff have access to the information. Other protection includes policies for confidentiality in the use of e-mail, faxes, phone messages, voice mail and working files. 

D. Obtaining/Withdrawing Consents

It is the practice of St. Leonard’s Community Services that each client will sign a consent to service agreement at the time of Intake or as soon as practical thereafter.  At the same time, written consents to share information with any current service providers or those involved with the client within the past two (2) years and relevant to the service being sought, are also obtained.  Prior to any information being shared with a third party, other than as may be required by law, St. Leonard’s Community Services requires written informed consents signed by the client and/or the parent/guardian/caregiver.  Any use or disclosure of a client’s personal information without consent will be noted in the client’s file and, in most circumstances, will be disclosed to the client at the first reasonable opportunity.

A staff’s written confirmation of acceptance of an offer of employment with St. Leonard’s Community Services carries with it an implied consent for necessary personal information to be shared with administrators of payroll and benefit programs.  Personal information, other than that required by law, will only be shared with the written consent of the staff member.

Implied Consent is that obtained where the individual is provided with a notice, posted in a place where it can be seen or directly given to the person verbally and/or given as part of the referral and/or intake process.  In the case of crisis service calls, informed consent is implied by virtue of accessing the service.  The individual is given an opportunity to withhold consent. 

A client or staff member may withdraw his/her consent at any time by submitting a written request to either the Counsellor (Primary Worker) or the Human Resources Administrator, respectively.  The withdrawal of that consent will be effective the date it is received.  The withdrawal will be clearly noted in the client file or the staff member’s Human Resources file.

Expressed (or written) consent is obtained before disclosing information to someone who is not a Health Information Custodian such as an insurer, an employer, WSIB, CAS, lawyer, etc. or to a Health Information Custodian but for a purpose other than providing health care (e.g., a school nurse).

PHIPA permits the collection, use and disclosure of personal information without consent in specific instances as may be required by other legislation such as the Child and Family Services Act, the Coroners Act and the Vital Statistics Act.

E. Disclosing Personal Information (i) Non-Health Information Custodian

  1. Ensure there is a valid original consent form that is signed, witnessed and dated on file or that the consent form that is received is likewise valid.
  2. Enter the request into the client file.
  3. Indicate on all copies of reports and documents, the date and to whom the information is being sent.
  4. Indicate the date the request was completed.
  5. Ensure the consent and any covering letter is on record in the client file.

F. Disclosing Personal Information (ii) Health Information Custodian

  1. When a verbal request is received, the St. Leonard’s Community Services staff member will complete the consent for release of information indicating that the request was verbal.  The St. Leonard’s Community Services staff member will sign the consent form and date it; no witness is required.
  2. When a request is received in writing, the St. Leonard’s Community Services staff will ensure the consent form is valid by checking that the client is clearly identified, legal guardianship is correct, the purpose for the consent is indicated and it is signed, dated and witnessed.
  3. Enter the request into the client file.
  4. Review the client file and collate the information requested.  Any unclear requests will be forwarded to the Privacy Officer for clarification and/or direction.  Any reports not written by the person collating the information will be reviewed with the report author or the Manager to ensure the appropriateness of releasing that report.
  5. If the request cannot be completed within thirty (30) days, request an additional thirty (30) day extension.
  6. Indicate on all copies of reports and documents, the date and to whom the information is being sent. 
  7. Ensure the consent and any covering letter is on record in the client file.

G. Risk of Harm

Personal information about an individual may be released without consent if the Health Information Custodian has reasonable grounds to believe that the disclosure is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons (PHIPA 40 (1)).  Furthermore, CFSA allows for information not to be released if it is felt that releasing that information may cause serious physical or emotional harm to a third party.
 
When a St. Leonard’s Community Services staff member identifies what he or she determines to be a significant risk, he or she will immediately consult with his/her Supervisor or Manager.  As needed, they may consult with the Executive Director or Agency legal counsel to determine the appropriate course of action.  This may include notifying the individual and/or the police of the potential risk.  Notwithstanding this policy, St. Leonard’s Community Services staff are still required to report all cases of suspected abuse to the Children’s Aid Society in accordance with Section 72 of CFSA, which prescribes a duty to report child abuse or suspected child abuse.  Any staff who believes on reasonable grounds that a child is, or may be suffering from, or has suffered from child abuse has an obligation to report this to the local Children’s Aid Society.  According to the law, the ultimate responsibility for reporting abuse lies with the person who initially suspected the abuse.

If a senior person, e.g. Supervisor, disagrees that abuse has occurred, the person who initially suspected the abuse still has a legal obligation to report and will do so without fear of reprimand or sanction.

H. Accessing personal information held by St. Leonard’s Community Services

Staff have the right to access their own personal information retained in the possession and control of the Agency by making a request to his/her Supervisor.

Clients have the right to access their own personal information in the possession and control of St. Leonard’s Community Services by making a request to their Counsellor (Primary Worker).  Clients may request a restriction on certain uses and disclosures of their information, amend their health records, obtain an account of disclosures of their personal information, or revoke authorization to use or disclose their personal information except to the extent that action has already been taken and subject to legal exceptions.

I. Notification of lost or stolen information or access by unauthorized persons

If a St. Leonard’s Community Services staff identifies, or has reason to believe, that personal information has been lost or stolen or has been accessed by unauthorized person(s), that staff member will notify the Privacy Officer immediately either verbally or by e-mail.  The notification will be followed by a written submission that includes all pertinent details leading to this assertion. The Privacy Officer will conduct an investigation and, in consultation with the Executive Director, will notify the affected client(s) or staff member(s) and, as required, the police.

J. Concerns or Complaints about information retained by St. Leonard’s Community Services

If a client has a concern or complaint about the information retained by St. Leonard’s Community Services in the client file, the client is encouraged to take the following steps (see Client Service Policy 10-160 Client Complaints):

  • Voice their complaintto a staff member.
  • If the client’s complaint is not resolved to the client’s satisfaction, they can then voice their complaintto a Supervisor or Manager and complete a Client Complaint Form(CS Appendix 11 in the Policies and Procedures Manual).  The Supervisor or Manager will advise the client of the outcome of the complaint in writing within 5 working days.
  • If the client is not satisfied with the Supervisor’s/Manager’s response, all of the pertinent documentation will be forwarded to the Service Director.
  • The Service Director will reply within five working days.
  • If the complaint is not resolved to the client’s satisfaction, allwritten statements will go to the Executive Director for resolution.
  • The Executive Director will inform the Board of Directors of any client complaints at the next scheduled Board meeting.

    • Any staff member who has a concern about personal information retained by St. Leonard’s Community Services will contact his/her Supervisor and/or the Privacy Officer.

    At any time, the client or the staff member has the option to access the office of the Information and Privacy Commissioner at:

    2 Bloor Street East, Suite 1400
    Toronto, ON   M4W 1A8
    1-800-387-0073
    fax: (416) 325-9195
    e-mail: info@ipc.on.ca

    K. Relationship to Other Legislation

    PHIPA prevails over conflicting legislation unless another Act states otherwise.  PHIPA cannot be interpreted to interfere with solicitor-client or other legal privilege, the law of evidence, court orders, or statutory publication bans. 

    Public Posting – See Appendix 1 – Public Posting

     

     Home

     

     

  
Annual Report, Agency Directory & Newsletters
     
  Client/Parent Feedback & Testimonials
     
  Community Updates
     
  Donating to St. Leonard's
     
  Employment & Volunteering at St. Leonard's
     
  Events
     
  FAQ
     
  Funding
     
  Governance
     
  History
     
  Agency Program Directory
     
  Agency Policies
     
  Information Services
     
  Staffing
     
  Student Placements
     
  Upcoming Events