The purpose of this policy is to ensure that all Team Members of the Steeves & Rozema Group (S&R) are aware of and adhere to the ten principles of privacy. During the course of conducting business it may be necessary to collect personal information. In an effort to ensure the privacy of all clients, residents and employees and the protection of their Personal Information (PI) the following practices will be followed by S&R as the custodians of the information.
All Steeves & Rozema properties and homes are responsible for PI under its control and shall designate an individual or individuals who are accountable for the organization's compliance with adhering to the ten privacy principles
Personal Information (PI) - Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- Gender, age, date of birth, marital status, partner's information, financial information (credit records, loan records etc.), pictures, biometrics, personal contact information, ID numbers (SIN, OHIP No. etc.), ethnic origin or blood type
- Opinions, evaluations, comments, social status, or disciplinary actions; and
- Employee files, medical records (also PHI), existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
*personal information does not include the name, title, business address or telephone number of an employee of an organization"
PIPEDA (Personal Information Protection and Electronic Documents Act) - Personal Information & Protection of Electronic Documents Act is a Federal Consent Based Act (April 23, 2000), which applies to the Canadian private sector. It applies to organizations who collect, use or disclose information in course of commercial activities
PRIVACY ACT – Is a Federal Authority based Act (July 1, 1983), which imposes obligations on 150 Federal Government Departments and Agencies.
- Privacy Act (July 1, 1983)
- PIPEDA (Personal Information Protection and Electronic Documents Act - April 13, 2000)
5.0 ROLES & RESPONSIBILITIES
Principle 1 – Accountability
- The CEO of Steeves & Rozema has ultimate accountability for protecting the Personal Information of clients, residents and team members. The CEO may be supported in this activity by delegating the day-to-day operational privacy responsibilities to other individuals. All team members share responsibility for adhering to the organization's privacy policies and procedures.
- The name and contact information of the individual designated to oversee the compliance with the principles, the privacy officer, is available upon request.
- The privacy officer shall implement policies and practices to give effect to this policy, including:
- Implementing procedures to protect personal and personal health information
- Establishing procedures to receive and respond to complaints and inquiries;
- Training team members and communicating to team member's information about privacy principles and practices.
Principle 2 – Identifying Purposes
The custodian at or before the time the information is collected shall identify the purpose for which PI is collected. The primary purposes are the delivery of services, quality management, billing and meeting legal and regulatory requirements.
- Identifying the purposes for which PI is collected at or before the time of collection allows us to determine the information needed to fulfill these purposes.
- The identified purposes are specified at or before the time of collection to the individual from whom the PI is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An admission or application for services form, for example, may give notice of the purposes.
- When PI has been collected if it is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless law requires the new purpose, the consent of the individual is required before information can be used for that purpose.
- Persons collecting PI should be able to explain to individuals the purposes for which the information is being collected.
Principle 3 – Consent
- The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Note: In certain circumstances PI can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Acquiring consent may be impossible or inappropriate when the individual is cognitively impaired, seriously ill or psychotic and the substitute decision maker is not available. Organizations are advised to follow the rules provided in the Health Care Consent Act and Substitute Decisions Act.
- Consent is required for the collection of PI and the subsequent use or disclosure of this information. Typically, the S&R will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when S&R wants to use information for a purpose not previously identified).
- The principle requires "knowledge and consent". We will make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
- In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual seeking service/admission should reasonably expect that the the person collecting the information in addition to using the individual's name and address for administration purposes, would also contact the individual to advise on the availability of the room in the facility. On the other hand, an individual would not reasonably expect that PI given to a health-care professional would be given to a company selling health-care products, unless consent was obtained. Consent shall not be obtained through deception.
- The way in which the custodian seeks consent may vary, depending on the circumstances and the type of information collected. The custodian will generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. An authorized representative can also give consent.
- Individuals can give consent in many ways. For example:
(a) An admission form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
(b) A check-off box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
(c) Consent may be given orally when information is collected over the telephone; or
(d) Consent may be given at the time that individuals use an organization's product or service.
- An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. We will inform the individual of the implications of such withdrawal.
Principle 4 – Limiting Collection
- S&R will only collect PI for lawful purposes permitted by PIPEDA and by other Acts i.e. Privacy Act (SIN).
- PI will be collected by fair and lawful means.
Principle 5 – Limiting Use, Disclosure, and Retention
- PI shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. PI will be retained as long as necessary for the fulfillment of the purpose.
- S&R will use and disclose PI for the purpose identified. If S&R uses or discloses PI for a new purpose, it will document this purpose and obtain consent, e.g., for promotion.
- If PI is used or disclosed without an individual's consent in a circumstance that requires consent, S&R will make a note of such use and/or disclosure, and inform the individual of the use or disclosure at the first reasonable opportunity. S&R will keep the note as part of the record about the individual or in a form that is linked to those records.
- S&R may disclose PI where the disclosure is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to an individual, a person or group of persons.
Principle 6 – Accuracy
- S&R will take reasonable steps to ensure PI is as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
- S&R will not routinely update PI, unless such a process is necessary to fulfill the purposes for which the information was collected.
Principle 7 – Safeguards
- Security safeguards appropriate to the sensitivity of the information will protect PI
- S&R's security safeguards will protect PI against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. S&R will protect PI regardless of the format in which it is held, e.g., verbal, paper or electronic.
- S&R ensures that the records of PI and PHI in its custody and control are retained, transferred and disposed of in a secure manner.
- The methods of protection include:
- Physical measures, for example, locked filing cabinets and restricted access to offices;
- Organizational measures, for example, acceptable use policies of S&R communication systems, limiting access to information on a "need-to-know" basis; and
- Technological measures, for example, the use of user identification and passwords to access S&R information systems.
- S&R makes its employees, volunteers and other agents aware of the importance of maintaining the confidentiality of PI. As a condition of employment, all S&R employees and volunteers must sign the S&R confidentiality agreement and agree to adhere to the information practices.
- Care is taken in the disposal or destruction of PI, to prevent unauthorized parties from gaining access to the information.
- S&R will notify an individual at the first reasonable opportunity if PI is stolen, lost or accessed by unauthorized persons.
Principle 8 – Openness
- S&R will make readily available to individuals specific information about its policies and practices relating to the management of PI
- S&R sets out its information practices in writing and makes this information available in a form that is generally understood.
- S&R sets out its information practices on its policies and practices available in a variety of ways. For example, S&R has brochures available throughout the facilities, it will mail information to family members and it will also provide online access to its Privacy Statement.
Principle 9 – Individual Access
- Upon written request, an individual will be informed of the existence, use and disclosure of his or her PI and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Note: In certain situations, S&R may not be able to provide access to all the PI that it holds about an individual. Exceptions to the access requirements will be limited and specific. The reasons for denying access will be provided to the individual upon request. Exceptions may include:
- Access could reasonably be expected to result in a risk of serious harm to the treatment or recovery of the individual or a risk of serious bodily harm to an individual or group of individuals,
- Information that is prohibitively costly to provide; information that contains references to other individuals,
- Information that cannot be disclosed for legal reasons,
- Information that is subject to solicitor-client or litigation privilege.
In addition, S&R may provide personal information about tenants or occupants to providers of utilities, services and or commodities to the buildings (including, without limitation, gas, electricity, water, telephone and cable TV), for the purpose of expediting the applicable services.
- S&R will provide an individual with access to his or her record of PI, except in limited circumstances. If S&R refuses an access request, the individual is entitled to make a complaint to the Office of the Information and Privacy Commission of Ontario
- S&R will provide a request form to enable the individual to access his or her record. S&R will make all efforts to provide the requested PI as soon as reasonably possible, but not later than 30 days.
- S&R may charge the individual seeking access a fee
- An individual may request S&R to correct his or her PI if he or she believes that the record is inaccurate or incomplete. An individual must successfully demonstrate the inaccuracy or incompleteness of PI and give S&R the necessary information to correct the record
- S&R will notify persons to whom the record was previously disclosed, of the correction except where the correction would not affect the provision of health or other benefits.
- S&R is not required to correct PI that consists of a record that was not originally created by S&R, if S&R does not have sufficient knowledge, expertise or authority to correct the record or the record consists of a professional opinion made in good faith about the individual.
Principle 10 – Challenging Compliance
- An individual will be able to address a challenge concerning compliance with the above principles to S&R's Privacy Officer
- An individual who has grounds to believe that S&R has contravened PIPEDA may make a complaint in writing utilizing the Privacy Complaint form HR 7.5.4b and forward it to the Privacy Office at Head Office.
- The Privacy Officer will respond to all complaints or inquiries about its information practices relating to the handling of personal information.
- If an individual wants to complain to the Information and Privacy Commissioner S&R will inform them how to lodge a complaint.
- If a complaint is found to be justified through the internal or external complaint review process, S&R will take appropriate measures, including, if necessary, amending its information practices.
The Steeves & Rozema Group reserves the right to change this policy from time to time. If a material change is made, this policy will be updated immediately. We recommend that periodically you review this policy to ensure that you are aware of any changes that may have occurred. All privacy policies are available from any member of the management team. Your continued reading of the policy and use of our site following the posting in any changes shall constitute your acceptance of these changes.