1. Accountability for Personal Information
The Renfrew Victoria Hospital is responsible for personal information under its custody or control and through the CEO, (Corporate Privacy Officer) or designate, who is accountable for the Renfrew Victoria Hospital’s compliance with the following principles:
- The name of the Corporate Privacy Officer is a matter of public record.
- The Hospital is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The Hospital will use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
- In order to ensure compliance the hospital will:
- Implement procedures to protect personal information.
- Establish procedures to receive and respond to complaints and inquiries regarding privacy.
- Train and communicate to staff about the privacy policies and practices.
- Develop information to explain the policies and procedures.
2. Identifying Purposes for the Collection of Personal Information
At or before the time personal information is collected, the Hospital will identify the purposes for which personal information is collected, primarily direct patient care delivery, the administration of the health care system, to conduct research and statistics and to comply with legal and regulatory requirements.
- The identified purposes are specified at or before the time of collection to the individual from whom the personal information is collected.
- When personal information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use and patient consent will be secured.
- Persons collecting personal information will be able to explain to individuals the purposes for which the information is being collected.
3. Consent for the Collection, Use and Disclosure of Personal Information
- Consent must be provided by the patient or legal designate in order for the hospital to use personal information. The act of seeking and consenting to treatment provides sufficient consent to use personal information.
- Personal information can be collected, used or disclosed without the individual’s knowledge and/or consent in the following circumstances:
- consent cannot be obtained for legal, medical or security reasons
- the information is being collected for the detection and prevention of fraud or for law enforcement
- the individual is a minor, seriously ill, mentally incapacitated or otherwise unable to give consent
- the Hospital does not have a direct relationship with the individual, who is therefore not available to give consent
- Where feasible, consent will be requested at the time of collection of information. Exceptions may include circumstances, for example, where the hospital needs to use information for a purpose not previously identified.
- The way in which the hospital seeks consent may vary, depending on the circumstances and type of information collected.
- An admission form will be used to seek consent, collect information and inform the individual of potential uses. By signing the form, the individual is consenting to the specified uses
- Check-off boxes will be used to restrict disclosure of names and addresses to other organizations. Individuals not checking off the box are assumed to consent to transfer of information to third parties.
- Written consent may be provided at the time of admission or treatment.
- Oral consent may be provided when information is collected by telephone.
- Implied consent would generally be appropriate when the information is less sensitive.
- An individual may withdraw consent at any time, subject to legal restrictions and reasonable notice and at that time will be informed of the implications of such withdrawal.
4. Limiting Collection of Personal Information
The collection of personal information will be limited to that which is necessary for the purposes identified by the Hospital. Information will be collected by fair and lawful means.
- The Hospital will not collect personal information indiscriminately. Both the amount and type of information collected will be limited to that which is necessary to fulfill the purposes identified.
- The Hospital will not collect information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.
5. Limiting Use, Disclosure and Retention of Personal Information
Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.
- If using personal information for a new purpose, the Hospital will document this purpose.
- The Hospital will develop guidelines and implement procedures with respect to the retention of personal information, including minimum and maximum retention periods.
- Personal information that is no longer required to fulfill the identified purposes will be destroyed, erased, or made anonymous in accordance with hospital policy.
6. Ensuring Accuracy of Personal Information
Personal information will be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
- Personal information that is used on an ongoing basis, including information that is disclosed to third parties, will generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
7. Ensuring Safeguards for Personal Information
Security safeguards appropriate to the sensitivity of the information will protect personal information.
- The security safeguards will protect personal information in all formats against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. These methods of protection will include:
- Physical measure, for example, locked filing cabinets and restricted access to offices;
- Organizational measures, for example, limiting access on a “need-to-know” basis, including limiting access, and
- Technological measures, for example, the use of passwords, encryption, and audits.
- The Hospital will inform employees of the importance of maintaining the confidentiality of personal information. As a condition of employment, all employees/agents (e.g., employee, clinician, physician, allied health, volunteer, researcher, student, consultant, vendor, or contractor) must sign the hospitals Confidentiality Agreement.
8. Openness about Personal Information Policies and Practices
The Hospital will make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- The Hospital will make information about its privacy policies available to the public. This information will include:
- The means to contact the Chief Executive Officer (Corporate Privacy Officer), or designate, to whom complaints or inquiries can be forwarded;
- The means of gaining access to personal information held by the Hospital, through the Chief Executive Officer (Corporate Privacy Officer) ;
- A description of the type of personal information held by the Hospital, including a general account of its use;
- Documentation that explains the Hospital’s policies, standards, or codes, and
- The type of personal information that is made available to related organizations.
9. Individual Access to their own Personal Information
Upon request, an individual will be informed of the existence, use and disclosure of his or her personal information and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- In certain situations, the Hospital may not be able to provide access to all the personal information it holds about an individual. Exceptions to this include cases where information is prohibitively costly to provide, contains references to other individuals, or when disclosure is prohibited for legal, security, or commercial proprietary reasons.
- Upon request, the Hospital will inform an individual whether or not it holds personal information about the individual. The Hospital will provide an account of the use that has been made of this information.
- The Hospital will respond to an individual’s request within a reasonable time and cost. The requested information will be made available in a form that is generally understandable. For example, an explanation of abbreviations and codes will be provided.
- When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the Hospital will amend the information as acquired.
- When a patient’s challenges cannot be resolved to the satisfaction of the individual, the Hospital will record the substance of the unresolved challenge.
10. Challenging Compliance with the Renfrew Victoria Hospital’s Privacy Policies and Practices
An individual will be able to address a challenge concerning compliance with the above principles to the Corporate Privacy Officer.
- The Hospital will maintain an easily accessible procedure for receiving and responding to complaints or inquiries about its policies and practices relating to the handling of personal information.
- The Hospital will inform individuals who make inquires or lodge complaints of the existence of relevant complaint procedures.
- The Hospital will investigate all complaints. If a complaint is found to be justified, the Hospital will make appropriate measure, including, if necessary, amending its policies and practices.