SE Health is committed to protecting the privacy, confidentiality and security of personal information under our custody or control, including personal health information of our clients/residents. The protection of privacy is an organizational priority and SE Health ensures accountability and transparency in its information practices. To ensure knowledge transfer of the requirements and processes involved in protecting privacy at SE Health, the organization requires all new employees to complete the privacy training course, Privacy 101, within the first week of employment.
SE Health complies with the Personal Information Protection and Electronic Documents Act (Canada) (PIPEDA) and/or provincial or territorial privacy legislation, as applicable, as well as privacy best practices. Where SE Health handles personal information on behalf of a partner organization, it adheres to the legislative requirements applicable to that relationship, which may include the Health Insurance Portability and Accountability Act (US) or other requirements.
This Policy applies to all “agents” of SE Health, which includes employees, volunteers, independent contractors or other service providers acting on behalf of SE Health with respect to personal information. This Policy applies to personal information, in any form, that is collected, used or disclosed by SE Health or its agents, in the course of SE Health’s operations.
SE Health reviews this Policy on a regular basis to ensure that it is relevant and remains current with changing technologies and laws.
SE Health adopts the 10 privacy principles set out in the National Standard of Canada Model Code for the Protection of Personal Information, which is Schedule 1 to PIPEDA (“Privacy Principles”).
1. Accountability
SE Health is responsible for protecting personal information in its custody or under its control and has a designated Privacy Officer who is accountable for the organization’s compliance with this Policy.
SE Health’s Corporate Integrity Officer is the designated Privacy Officer for SE Health and can be contacted at firstname.lastname@example.org. The Corporate Integrity Officer will work in cooperation with the Chief Information Officer, who is SE’s designated Security Officer, to investigate and address all suspected privacy breaches involving electronic platforms.
The Chief Information Officer (CIO) and the Information Security Officer (ISO) are responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. They direct staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information and information technology (IT) risks, respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures.
SE Health’s agents are responsible for complying with organizational and professional obligations in respect of the personal information they collect, use, disclose, handle or access in the course of their duties. Agents shall only collect, use, disclose, access, modify or dispose of personal information as necessary to perform their duties and as authorized by SE Health.
2. Identifying Purposes
SE Health identifies the purposes for which personal information is collected at or before the time that the information is collected. SE Health collects personal information directly from the client/resident, or person authorized to act on the client/resident’s behalf. Personal information may be collected from other sources, with consent, or if the law permits.
The primary purpose for which SE Health collects personal information is providing health care or assisting with the provision of health care. In order to provide services, SE Health collects personally identifying information about its clients/residents, such as name, address, telephone number, financial information, date of birth and gender. It also collects personal health information, such as information relating to a client/resident’s physical or mental health, or the provision of care or services to the client/resident.
Other purposes include compliance with legal and regulatory requirements, the administration of the organization and the health care system, payment, quality improvement, research and education.
3. Consent
The knowledge and consent of the client/resident is required for the collection, use or disclosure of personal information, except as permitted or required by law. For consent to be knowledgeable, SE Health makes reasonable efforts to ensure that the individual knows the purposes for which the personal information is being collected, used or disclosed, and that consent may be withdrawn.
The way in which SE Health seeks consent may vary, depending on the circumstances and type of information. Consent may be express (oral or written) or implied.
A client/resident may withdraw their consent by contacting the Privacy Officer; however, such withdrawal is not retroactive. SE Health will inform the individual of the implications of withdrawing their consent.
4. Limiting Collection
SE Health limits the collection of personal information to that which is necessary for the purposes identified. Information is collected by professional, fair and lawful means.
5. Limiting Use, Disclosure and Retention
SE Health does not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the client/resident or as required by law. Only those agents of SE Health with a business need-to-know, or whose duties reasonably so require, are authorized to access personal information of clients/residents.
SE Health retains personal information in accordance with specified record retention schedules as per its Records Management Policy.
6. Accuracy
SE Health makes reasonable efforts to ensure that personal information collected, used or disclosed by or on its behalf is accurate, complete and up-to-date, as is necessary for the purposes for which it is to be used.
7. Safeguards
SE Health safeguards personal information in its custody or control by utilizing security measures and practices to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction. SE Health utilizes security safeguards that are appropriate to the sensitivity of the information. These include physical measures (e.g. locked cabinets, restricted access, security clearances); organizational measures (e.g. access limited on a “need to know” basis); and technological measures (e.g. passwords, encryption, audits).
SE Health uses contractual or other means to provide a comparable level of protection when personal information is being processed or handled on its behalf.
SE Health conducts quarterly and random audits of its electronic data systems and monitors its privacy compliance. The organization also conducts annual privacy audits of its practices, policies and procedures, as well as an ethical hack of its electronic systems.
Failure to comply with this Policy and the Privacy Principles may result in disciplinary action, up to and including dismissal for agents, termination of contracts or other action.
8. Openness
SE Health has developed privacy and security policies and practices that are compliant with applicable legislation and rules. Information about SE Health’s privacy practices is publicly available.
9. Individual Access
Clients/residents, or a person authorized to make decisions on behalf of a client/resident, have a right to access the personal information that SE Health holds about them, subject to limited and specific exceptions. A client/resident is entitled to challenge the accuracy or completeness of his or her personal information and to request that it be amended, as appropriate.
The client/resident’s health record, whether written or electronic, is the property of SE Health. The information in the record belongs to the client/resident and the client/resident may request access to their record in accordance with this Policy.
Requests for access or correction relating to personal information must follow SE Health’s Release of Client/Employee Information - Procedure.
10. Challenging Compliance
Individuals are encouraged to bring any concerns or issues regarding privacy to the Privacy Officer for discussion, review and response. The Privacy Officer may seek external advice, where appropriate, before providing a final response to individual complaints.
Clients/residents may contact the applicable provincial or federal Privacy Commissioner if they have concerns about SE Health’s privacy practices. Clients/residents are encouraged to first use SE Health’s internal information and complaint procedure.
Any failure to comply with these principles and this policy may result in the organization taking any or all of the following actions:
- termination of employment;
- termination of contract;
- monetary fines; and/or
- legal prosecution.
If you have any questions or concerns with respect to your personal health information or our information practices, you may contact our Privacy Officer at:
90 Allstate Parkway, Suite 300
Markham, Ontario L3R 6H3