Taking Steps to Protect Privacy: A presentation to Hamilton-area Physiotherapy Managers by Bob Spence, Communications Co-ordinator, Office of the Ontario Information and Privacy Commissioner


Page 1: Taking Steps  to Protect Privacy

Taking Steps to Protect Privacy

A presentation to Hamilton-area

Physiotherapy Managers

by

Bob Spence

Communications Co-ordinator

Office of the Ontario Information and Privacy Commissioner

Page 2: Taking Steps  to Protect Privacy

Justice Horace Krever on Health Privacy

The individual having to provide information is in an even more difficult predicament. He or she does not know what part of the information is truly essential…how much of that information is stored, where and for how long it is stored, how well it is protected from destruction and disclosure, what is the real potential for unwarranted access, and what, realistically, he or she can do about the situation, if the answers to these questions were known.

- Krever Commission, 1980

Page 3: Taking Steps  to Protect Privacy

In the Public Eye

Privacy is the No. 1 issue going into the 21st Century

- Wall Street Journal, January 24, 2000

Page 4: Taking Steps  to Protect Privacy

Overview

1. Introduction to the IPC

2. What privacy is – and isn’t

3. Fair Information Practices

4. Need for health privacy legislation

5. Federal privacy legislation

6. Ontario’s proposed Act

7. Summary and questions

Page 5: Taking Steps  to Protect Privacy

Is the Information and Privacy Commissioner part of the government?

The Commissioner, similar to the Ombudsman, is an officer of the legislature and is independent of the government of the day to ensure impartiality.

Page 6: Taking Steps  to Protect Privacy

IPC’s Five Key Roles

• resolving appeals when government organizations refuse to grant access to information

• investigating privacy complaints about government-held information

• ensuring that government organizations comply with both Acts

• research on access and privacy issues in order to advise on proposed legislation and programs

• educating the public

Page 7: Taking Steps  to Protect Privacy

Ontario’s Existing Privacy Acts

Freedom of Information and Protection of Privacy Act (effective 1988)

Municipal Freedom of Information and Protection of Privacy Act (effective 1991)

Page 8: Taking Steps  to Protect Privacy

Privacy Defined

Information Privacy: Data Protection

• Freedom of choice, control;

• Informational self-determination; and

• Personal control over the collection, use and disclosure of any recorded information about an identifiable individual.

Page 9: Taking Steps  to Protect Privacy

What Privacy is Not

Security Privacy

(A common misconception)

Page 10: Taking Steps  to Protect Privacy

Privacy and Security: The Difference

Security

• Authentication

• Data Integrity

• Confidentiality

• Non-repudiation

Privacy; Data Protection

• Fair Information Practices

Page 11: Taking Steps  to Protect Privacy

Fair Information Practices

Accountability

Consent

Limiting use, disclosure, and retention

Safeguards

Individual access

Identifying purposes

Limiting collection

Accuracy

Openness

Challenging compliance

Page 12: Taking Steps  to Protect Privacy

Accountability

Someone within the organization is directly responsible for protecting personal information.

It’s not enough to have a privacy policy: someone has to bear responsibility.

Page 13: Taking Steps  to Protect Privacy

Identifying Purposes

Make sure your patients know why you are collecting personal information – and how it will be used and disclosed.

If you ask for a customer’s telephone number, who will be calling, and why?

Page 14: Taking Steps  to Protect Privacy

Consent

Ask permission before collecting, using, or disclosing personal information.

If you are considering sharing your mailing list, ask your patients first if they consent to this.

Page 15: Taking Steps  to Protect Privacy

Limiting Collection

Limit the collection of personal information to that which is necessary to fulfil the specified purpose.

If you don’t need a particular piece of personal information, then don’t collect it. The less personal information you collect, the easier it is to manage.

Page 16: Taking Steps  to Protect Privacy

Limiting Use, Disclosure, Retention

Limit use of personal information to those purposes for which you have consent.

If you collect information for a specific purpose, you should not use it for anything else.

Page 17: Taking Steps  to Protect Privacy

Accuracy

Personal information should be accurate, complete, and up-to-date.

Inaccurate information is a problem for you and your patients. Imagine the flawed decisions that could be based on an inaccurate report.

Page 18: Taking Steps  to Protect Privacy

Safeguards

Personal information must be stored with adequate security measures.

If you keep personal information on file, it should be kept secure. More sensitive information should be afforded a greater degree of security.

Page 19: Taking Steps  to Protect Privacy

Openness

Information practices and policies should be transparent, and customers should be made aware of them.

All organizations should have an easily accessible privacy policy, written in simple language. Web sites should have their privacy policies clearly posted.

Page 20: Taking Steps  to Protect Privacy

Individual Access

Individuals must have the right to inspect and correct their personal information.

This is not simply a right; it is also essential to ensure accuracy of information.

Page 21: Taking Steps  to Protect Privacy

Challenging Compliance

Customers must have some recourse if any of the other principles should be violated.

It’s not enough to have a Chief Privacy Officer; there has to be some forum for complaint and redress.

Page 22: Taking Steps  to Protect Privacy

Why Legislate Fair Information Practices for Health?

Foundation for protection and trust for health care reform;

Consistent, predictable rules across the health sector, and right of access;

Unique nature of health information.

• Extremely sensitive information that is frequently used, disclosed for purposes beyond providing care.

Page 23: Taking Steps  to Protect Privacy

Health Privacy is Critical

The need for privacy has never been greater

• Extreme sensitivity of personal health information

• Differing rules across the health sector; most areas currently unregulated

• Increasing electronic exchanges of health information

• Development of health networks

• Growing emphasis on improved use of technology including electronic patient records

Page 24: Taking Steps  to Protect Privacy

Federal Privacy Legislation

Personal Information Protection and Electronic Document Act (PIPEDA)

Staggered implementation:

• Federally regulated businesses, 2001

• Federal health sector, 2002

• Provincially regulated private sector, 2004

Page 25: Taking Steps  to Protect Privacy

Privacy of Personal Information Act, 2002

A draft of the new bill has been released for public comment. This represents the first step towards Ontario’s first privacy law covering the private sector and health sector.

Page 26: Taking Steps  to Protect Privacy

Ontario’s Privacy of Personal Information Act, 2002

Integrated health and private sector privacy protection

Guide to Ontario’s Consultation on Privacy Protection

• www.cbs.gov.on.ca/mcbs/english/56Y2QL.htm

Privacy of Personal Information Act, 2002

• www.cbs.gov.on.ca/mcbs/english/56Y2UJ.htm

IPC submission to MCBS

• www.ipc.on.ca/english/pubpres/reports/cbs-0202.pdf

Ontario Medical Association submission

• www.oma.org/phealth/privinfo.pdf

Page 27: Taking Steps  to Protect Privacy

Be prepared to answer questions such as…

Page 28: Taking Steps  to Protect Privacy

Five Key Questions

• Why are you asking for this information?

• How will my information be used?

• Who will be able to see my information?

• Will there be any secondary uses?

• How can I control my data?

Page 29: Taking Steps  to Protect Privacy

Obtaining Consent

Opt-in

• An individual’s personal information cannot be used unless he checks off a box, etc., that says the information can be used.

Opt-out

• An individual’s personal information can be used unless he checks off a box, etc., saying it cannot be used.

Page 30: Taking Steps  to Protect Privacy

How to Contact Us

Bob Spence

Communications Co-ordinator

Information & Privacy Commissioner, Ontario

80 Bloor St. W., Suite 1700, Toronto, M5S 2V1

Phone: 416-326-3939

Web: www.ipc.on.ca

e-mail: [email protected]