Privacy Policy

Community Living Essex County Privacy Policy

Policy Statement

Community Living Essex County is committed to maintaining confidentiality and protecting the privacy of the personal information it collects, uses or discloses on behalf of the individuals we support, employees we hire or other individuals who interact with us throughout the course of our activities. Compliance will be maintained with all relevant legislation including the Personal Information Protection and Electronic Documents Act of Canada (PIPEDA) and Personal Health Information Protection Act (Ontario) (PHIPA).

Scope

To preserve the confidentiality of personal information we collect and the privacy of the people we support/families and employees, this policy outlines employee obligations and the procedures to be followed when dealing with such personal, privileged and/or confidential information. This policy applies to all employees and to anyone who is granted access to personal, privileged and/or confidential information about a person supported and/or about employees.

This Policy addresses two broad issues:

  • The way in which Community Living Essex County collects, uses, discloses and protects personal information as well as privileged and confidential information.
  • The right of the people supported/families and employees or a third party to have access to personal information, and if necessary, to correct the information.

Definitions

Person

An individual we support, a member of their family, guardian, trustee, an employee, a volunteer, a person being recruited to support one of our fundraising initiatives or others we do business with, and any individual from whom or about whom we collect Personal Information.

Personal Information

Personal information is factual or subjective information, recorded or not, about an identifiable person. It includes but is not limited to name, home address, telephone numbers, age, sex, marital or family status, identifying numbers such as social insurance number, drivers licence or passport, race, national or ethnic origin, colour, religious or political beliefs or associations, educational history, medical history, disabilities, blood type, employment history, financial history, criminal history, anyone else’s opinions about a person, a person’s personal views or opinions, and name, address and phone number of parent, guardian, spouse or next of kin.

Consent

The knowledge and consent of the person are required for the collection, use or disclosure of personal information. Consent is obtained from the person about to receive supports or the new employee, to collect, store, use and exchange or disclose personal information for the purposes stated herein at the time of acceptance of service or in the hiring agreement. This consent may be express or implied.

Personal Health Information

Personal health information means information about an identifiable person that relates to the physical or mental health of the person, the provision of health care to the person, the person’s entitlement to payment for health care, the person’s health care number, the identity of providers of health care to the person or the identity of substitute decision-makers on behalf of a person.

Third Party

Third party means individuals or organizations other than the subject of the records or representatives of Community Living Essex County who may request or provide personal information.

Legal Requirements

Community Living Essex County will do its utmost to abide by the ten fair information principles of PIPEDA.

1. Accountability/Privacy Officer

The Privacy Officer is responsible for ensuring that Community Living Essex County is in compliance with the PIPEDA and PHIPA and the policy and procedures contained therein. The Manager of Human Resources is designated as the Privacy Officer.

2. Purpose of the Collection of Personal Information

Personal information is collected by Community Living Essex County from a person. The purpose for which personal information is collected shall be identified at or before the time the information is collected.

All personal information is used for one or more of the following purposes:

  1. confirm the person’s identity, communicate with the person, respond to inquiries from the person, to provide the person with support and services, to fulfill the legal and business requirements of the Community Living Essex County and/or to ask for their financial support and to provide donor recognition for charitable gifts.
  2. to determine eligibility of a person to receive support and services or to be offered employment;
  3. fulfill legislated and reporting requirements (such as but not limited to, Ontario Disability Support Program, Canada Pension Plan, Employment Insurance, Income Tax);
  4. to provide a high quality of support;
  5. to protect individuals receiving support, employees and Community Living Essex County from legal activity:
  6. to provide information about educational seminars or workshops, notice of professional development, career or volunteer opportunities or participation in special interest groups;
  7. to support research, analysis and overall management of supports and services;
  8. from time to time personal information may be shared with third party vendors, suppliers, data processors, and other providers responsible for administering supports or services on behalf of the person and ensure the health and safety of the person. Any such third party will be required to have policies in place regarding the collection and use of personal information which are consistent with this policy.

3. Consent

The knowledge and express or implied consent of the person are required for the collection, use or disclosure of personal information. Consent is obtained from the person about to receive supports or the new employee, to collect, store, use and exchange or disclose personal information for the purposes stated herein at the time of acceptance of service or in the hiring agreement. See Confidentiality/Release of Confidential Information policy (ADM-100-04).

4. Limiting Collection of Information

The personal information collected is limited to what is necessary to achieve the purposes stated above, in 2. Purpose of the Collection of Personal Information. The collection of information will be by open, fair and lawful means. The method of collection may include, but is not limited to, from the person, in person, over the telephone, by fax or by correspondence via mail or e-mail or on the internet through our website or by any other means.

5. Limiting Use, Disclosure and Retention of Information

Personal information will only be used for the purpose stated above, in 2. Purpose of Collection of Personal Information. A separate explicit consent is obtained from the person or unless required or allowed by law. If a person’s personal information is disclosed or exchanged with a third party, such as another service provider, Community Living Essex County will take reasonable steps to ensure that such party agrees to comply with the provisions of PIPEDA and PHIPA. A person’s personal information will be retained as long as necessary to achieve the stated purposes and to comply with legislation and regulations regarding records retention. When information is no longer required to be kept, this Agency will follow policies and procedures as stated in Management of Individual Records (PROG 300-03) and Personnel Records (PER 100-07). Privacy statements to protect personal information may be used on various forms.

6. Accuracy

All best efforts will be undertaken to maintain the accuracy and currency of all personal information contained in our files and to update such information when advised by the person of a change.

7. Safeguards

Community Living Essex County commits to doing its utmost to protect the personal information in its possession from unauthorized access, disclosure, copying, use, error, loss or modification. Personal information about a person, both paper and electronic, will be stored in files to which only authorized personnel have access. The storage area will be locked and computer files protected by passwords. All employees and Members of the Board of Directors sign an Oath of Confidentiality (PER-06) in which they acknowledge their duties subject to this policy and Rules of Conduct (PER-100-04).

8. Openness

A Copy of this policy will be posted on the website. Paper copies are available at each location operated by the Agency and further, copies are available upon request from the Privacy Officer.

9. Individual Access

All persons shall have access to the paper and electronic files containing their personal information, as per Personnel Records policy (PER-100-07) and Management of Individual Records (PRO-300-03).

10. Challenging Compliance

A person who has a complaint concerning compliance with these principles shall address the complaint to the Privacy Officer. The procedures are set out under Complaint Procedures.

Responsibility

Privacy Officer is responsible for:

  • receiving and responding to questions/complaints regarding privacy.
  • internal compliance with applicable policies and legislation;
  • act as a resource in developing internal policies for the collection, use and disclosure of personal information, personal health information and other confidential data.
  • through established policies and training; ensure appropriate consents are obtained for the collection, use and disclosure of personal information and third party requests.

Management is responsible to ensure:

  • through established policies and training; ensure appropriate consents are obtained for the collection, use and disclosure of personal information and third party requests.
  • polices and procedures regarding collection, use and disclosure of personal information are consistently adhered to;
  • that systems and procedures are in place to ensure records are kept private;
  • requests from persons for access to their files are responded to;
  • proper disposal of unnecessary files/information as per policy;
  • cooperation with the Privacy Officer to investigate complaints or breaches of policy;
  • that disclosure of personal information or personal health information to a third party is done with the approval of a Director in order to minimize the risk of non-compliance with applicable legislative or regulatory regimes;
  • this policy is explained to the people we support, their families and others and referring them to the Privacy Officer if necessary.
  • that employees return any personal, privileged and/or confidential information in their possession upon request, or before or immediately upon, termination of employment.

Employees are responsible for:

  • understanding and following policies and procedures regarding personal, privileged and/or confidential information;
  • keeping their own employee files current regarding their personal information; including consent to disclose.
  • immediately reporting any breaches of confidentiality to the Privacy Officer;
  • keeping private passwords and access to personal information privileged and confidential;
  • explaining this policy to the people we support, their families and others and referring them to the Privacy Officer if necessary;
  • returning to management, any personal, privileged and/or confidential information in their possession upon request, or before or immediately upon, termination of employment.

Complaint Process

Questions or complaints regarding a breach in privacy may be resolved by following the Appeals Process for Individuals/Families (PROG-200-05) or the Employee Concern Process (PER-100-03) or by contacting the Privacy Officer who will assist you through the process.

Approved on November 5, 2008