PRIVACY AND INFORMATION MANAGEMENT A Guideline For Alberta Veterinarians

Transcription

1 OVERVIEW Canada is protected by two federal privacy laws. The Privacy Act covers the personal information handling practices of the federal government. The private sector has a new privacy law (The Personal Information Protection and Electronic Documents Act or PIPEDA). In Alberta, the private sector has a privacy law (The Personal Information Protection Act or PIPA). For more information check out the Information and Privacy Commissioner of Alberta website at You can go online to receive PIPA and A Guide For Businesses And Organizations at and PIPEDA and A Guide For Businesses And Organizations at TERMINOLOGY ORGANIZATIONS AND ACRONYMS The Personal Information Protection Act or PIPA, The Personal Information Protection and Electronic Documents Act or PIPEDA, The Information Access and Privacy or IAP, The Freedom of Information and Protection of Privacy Act or FOIPP, The Health Information Act or HIA, The Health Professions Act or HPA, and Professional Regulatory Organizations or PROs. WHEN DID PIPA TAKE EFFECT? The Personal Information Protection Act or PIPA came into effect on January 1 st, WHAT IS PIPA? The Personal Information Protection Act or PIPA provides guidelines that govern how private sector organizations can collect, use, or disclose personal information in the course of commercial activities. It balances an individual s right to privacy with the need of organizations to collect, use or disclose personal information for legitimate business purposes. The Act requires organizations to have safeguards in place to secure personal information from unauthorized access, disclosure, use, or tampering. The Act also provides information on acceptable uses for gathering an individual s personal information. It also provides rules regarding an individual s right to access their own personal information. WHO DOES PIPA APPLY TO? The Personal Information Protection Act or PIPA is intended to cover the entire private sector. There are a few exceptions, however, the Privacy Act applies to anyone who carries on commercial activities which will include most Veterinarians. PIPA applies to organizations which are described as corporations, unincorporated associations, trade unions, partnerships, and individuals acting in a commercial capacity or any person acting on behalf of an organization. Professional Regulatory Organizations (PROs) are defined as an organization incorporated under a Professional Act. PIPA applies to any collection, use or disclosure of personal information. Personal Information is described as including any factual or subjective information, recorded or not, about an identifiable individual. Personal Information can include information in any form, such as: name, gender, age, colour, ethnic origin, blood type, income, ID numbers, education, family status; health history, health conditions, or health services received by them; activities, views, evaluations, opinions, comments, social status, disciplinary actions, religion, political involvement; employee files, credit and/or loan records, medical records, existence of a dispute between a consumer and a merchant, intentions such as to acquire good or services or to change jobs. Page 1

2 Personal Information collected prior to January 1 st, 2004 is considered to have been collected with consent. Personal Information is protected by the Act, whereas Business Information is not covered. Business Information is described as information you may find on a business card. WHAT IS NOT COVERED BY PIPA? The collection, use, or disclosure of personal information to which FOIP or HIA applies. Provincial or territorial governments and agents of the crown in right of a province. Information in a court file. An employee s name, title, business address or phone number. An individual s collection, use, or disclosure of personal information strictly for personal purposes (i.e.: personal greeting card list). An organization s collection, use, or disclosure of personal information solely for journalistic, artistic or literary purposes. WHAT ARE YOUR RESPONSIBILITIES UNDER PIPA? The Personal Information Protection Act or PIPA reflects the realities of the business world and was a collaborative effort by government, consumers and business groups. Below is a list of ten principles of fair information practices, summarized as follows: 1. Accountability: Appoint an individual to be responsible for your organization s compliance. This individual will protect all personal information or transfer to a third party for processing and develop and implement personal information practices and policies. 2. Identifying Purposes: You need to identify the reasons for the collection, use, and disclosure of obtaining the individual s personal information. Identify any new purpose for the individual s personal information and obtain the individual s consent prior to using it. 3. Consent: Obtain the individual s consent for the collection, use, and disclosure of their personal information in a meaningful way as well as when a new use is identified. 4. Limiting Collection: Do not deceive, mislead or collect personal information indiscriminately. 5. Limiting Use, Disclosure, And Retention: Collect, use, and disclose personal information that is necessary for the purpose for which it is intended. Have guidelines and procedures in place for the retaining and destroying of personal information. 6. Accuracy: Minimize the possibility of using incorrect information. 7. Safeguards: Protect personal information against loss, theft, unauthorized access, disclosure, copying, use or modification regardless of the format in which it is in. 8. Openness: Have policies and procedures in place for the management of personal information and inform your customers, clients and employees of them and make them understandable and easily available. 9. Individual Access: When requested, inform individuals if you have any personal information about them, explaining how it has been used and provide a list of any organizations for which it has been disclosed. Give individuals access to their information and correct or amend any personal information if its accuracy and completeness is challenged and found to be deficient. 10. Provide Recourse: Develop simple and easily accessible complaint procedures. Investigate all complaints received, inform complainants of avenues or recourse including your organization s complaint procedures, industry associations, regulatory bodies and the Privacy Commissioner of Alberta. Take appropriate actions to correct information handling procedures. Page 2

3 WHERE DO I START AND WHAT NEEDS TO BE DONE? Start by implementing a privacy policy and procedure system. This provides a process for Veterinarian s to review and revise their organization s practices. Documentation with safeguards is key and we should all be in a good position for that already with few adjustments. You must appoint an Information Officer, preferably a senior person within your organization who will be responsible for overseeing your organization s compliance with privacy obligations. The privacy policy would cover: Reviewing the organization s policies and practices for collecting, using, and disclosing personal information (including conducting an audit of the current personal information practices of the organization). Implementing procedures to safeguard personal information (i.e.: locked filing cabinets, restricted access, security clearances, need-to-know basis, passwords, encryption, virus protection and firewalls). Ensuring individuals (i.e.: clients) have the right to access and correct any personal information that is incorrect. Implement a retention and destruction of information policy. Train the organization staff in the personal information policies. Act as the contact person for inquiries from the public or clients. Ensure there is a process in place for handling complaints. The policies must be understandable and made available to the public. You can provide this several ways post the policy on your organization s website, post it in your reception area or provide a copy to new clients on their first visit and to those who request a copy. Organizations will need special consent to disclose personal information outside of the organization. There are several ways to define your privacy policies depending on your organization. Where a veterinary clinic has multiple people working together, you can have separate policies or a blanket policy that covers everyone. Implement a privacy policy that works for your particular situation. WHAT ARE THE RESTRICTIONS? Veterinarians will need to obtain consent for the collection, use, and disclosure of personal information. Please note that this is different from consent for treatment. Like any consent, it can be obtained in writing, verbally or implied consent. When it comes to solely providing services to the client, consent may be implied, however, the Veterinarian should explain the purpose for which information is being collected and obtain some form of consent. There are some exceptions with obtaining personal information that do not require consent (i.e.: to investigate a breach of law or contract where obtaining consent would compromise the investigation) or in certain emergency situations (i.e.: medical crisis). Areas in which change may be required are: Where the Veterinarian collects information about other individuals (i.e.: family history). Where the Veterinarian collects information about the client from other individuals (i.e.: client s previous Veterinarian, family members of the client). Where the Veterinarian collects information to be shared with others who are also providing services or advising the client (i.e.: team treatment). Page 3

4 Where there is a likelihood of an ongoing relationship and the information will be used for ongoing services, especially where this is not obvious to the client (i.e.: collecting a baseline assessment of client health should there be a need to provide broader treatment later on). Where third parties will have access to the information (i.e.: legal, billing or financial purposes). Where the Veterinarian will use the information for related purposes (i.e.: billing the client or a third party later). Where the Veterinarian will use or disclose the information for secondary purposes (i.e.: quality control, regulatory accountability, research). Where the Veterinarian may sell the practice later on and will need to provide prospective purchasers with access to client information enabling the purchaser to conduct a due diligence review. Veterinarians are required to collect the least amount of information required for the purposes for which it is intended. You should not collect financial information about clients who pay the full account at the time of service. WHAT SAFEGUARDS NEED TO BE IN PLACE? Veterinarians may need to review some of their policies regarding client confidentiality. Personal information should not be sent through over the internet and all personal information being disposed of should be shredded prior to recycling. Confidential client files should not be left on a computer screen for anyone to see just as not everyone should have access to client files. WHAT ARE ACCESS AND CORRECTION RIGHTS? The Privacy Act states that any individual has the right to see any personal information Veterinarians hold regarding them. You should help them to understand the information contained such as abbreviations and technical terms. You have an obligation to let the individual know whom you have forwarded their personal information to and why. If the individual believes any of their personal information is wrong, they can ask to have it corrected. You cannot correct opinions. Anything you mutually agree is wrong must be corrected and you must notify all third parties of the correction. If you and the individual disagree that there is an error, you must record the disagreement and notify all third parties who receive the contested information. Disagreements about corrections can be taken to the Information and Privacy Commissioner of Alberta for review. Exceptions to giving an individual access to their personal information would be: Legal privilege Proprietary information Investigation information Mediation/arbitration Safety issues WHAT ARE THE GUIDELINES REGARDING EMPLOYEE INFORMATION? Employee information is treated differently from customer information. Organizations will have to determine what is reasonably required for establishing, managing or terminating employment relationships. Don t assume anything, the burden of proof will likely be on the organization. Page 4

5 Employee includes and individual who performs a service for the organization including: Under contract or agency relationship Student Participant Volunteer Apprentice WHAT SHOULD AN INTERNAL COMPLAINT SYSTEM LOOK LIKE? Organizations must have an internal complaints system in place to handle concerns about privacy practices. This system should have: A designated individual to receive, respond and ensure prompt investigation to all complaints. An easily accessible, simple to use complaints procedure which includes, o Acknowledgement of complaint received o Investigation of complaint, and o Providing a decision with reasons A process to respond to complaints that are justified including making changes to privacy policies. Notifying the public of external resources including the ABVMA and the Provincial Information and Privacy Commissioner. WHO ENSURES COMPLIANCE WITH THE PRIVACY LEGISLATION? Veterinarians will be held accountable with respect to compliance with the Privacy Act to the Provincial Information and Privacy Commissioner and to the ABVMA. The Information and Privacy Commissioner of Alberta functions as an ombudsman and has the following responsibilities: Investigating all complaints about an organization s personal information handling practices including entering their premises and summonsing documents and witnesses. Mediating and conciliating such complaints. Auditing the personal information handling practices of an organization. Making a public report of poor personal information practices by an organization. Seeking remedies for a breach of the Privacy Act in the courts. To contact the Information and Privacy Commissioner of Alberta, contact: Frank Work Information and Privacy Commissioner of Alberta 410, Street Edmonton, Alberta T5K 2J8 Phone: (780) Fax: (780) ipcab@planet.eon.net Website: Page 5

6 PENALTIES AND DAMAGES An individual can pursue damages for loss or injury suffered as a result of breach of privacy. If convicted of an offence, fines are: Up to $10,000 for individuals Up to $100,000 for businesses IN SUMMARY Review your practices. Be fair and reasonable. Due diligence is expected, not perfection. Use common sense. Designate an individual(s) responsible for compliance with the Act. Talk to your employees. Assist your employees. Deal with complaints and inquiries effectively. Keep in mind it is always better to avoid a complaint rather than having to deal with one! Where conduct involves a breach of core professional values, the ABVMA will have reason to take regulatory action. Every Veterinarian is obliged to comply with the law and many breaches of the Privacy Act by a Veterinarian may warrant some regulatory action. ACKNOWLEDGEMENTS Field Law Privacy and Information Management, October 2, 2003 Challenges and Guidance for Professional Regulators Field Law Perspectives For The Professionals, July 2004 By Field Law s Professional Regulatory Group Office of the Privacy Commissioner of Canada The College of Veterinarians of Ontario (CVO) Richard Steinecke What Every Veterinarian Needs To Know About Privacy Legislation Steinecke Maciura LeBlanc Grey Areas, August 2003, No. 66 A Commentary On Legal Issues Affecting Professional Regulation Page 6