What are privacy and confidentiality, and how do we make sure that clients' and employees' personal information is appropriately collected, used, and disclosed?
2. Introductions
Presenter Introduction
Introductions around the room
Agenda
Discuss Privacy and Security
Support your practices around the protection of personal
information
Provide opportunity to discuss privacy and security questions,
challenges, and ideas
3. What is Privacy?
The right to be left alone,
the right to be secure in one’s home and free from unwanted interference.
In the context of modern privacy law, privacy means having control over one’s personal information:
Choice of whether to disclose information at all
Control over with whom, and to what extent, it is shared
Control over how it is used
Don’t lose control once you’ve released your information “into the wild”
4. What is Confidentiality?
Noun. “The state of keeping or being kept secret or private”
Obligation of an employee and an organization to ensure that
personal information is kept secure, and
is collected, used, accessed, disclosed, and disposed of
only as authorized
5. Personal Information is…
Information that can be used to identify someone. Categories of P.I. include:
name, address, gender, image, education, income, date of birth, driver's license number,
photographs,
financial information,
medical and genetic information,
employment history
Not business contact information
Not work product information
6. www.fnha.ca
…but does not include:
(a) contact information, or (b) work product information.
(a) Information used to contact an individual at a place of business.
(b) Information prepared by individuals or employees in the context of their work or business, e.g. a work report prepared and signed by an employee would be that employee’s work product information.
Non-identifiable or aggregate information, e.g. statistical information about groups of individuals, is not personal information.
7. FIPPA vs. PIPA
Freedom of Information and Protection of Privacy Act (FIPPA) governs the public sector
– Access and Privacy
Personal Information Protection Act (PIPA) governs the private sector
– Privacy (no provision for access to corporate information)
FNHA and FNHSOs are subject to PIPA, not FIPPA.
8. Personal information may reside…
Appointment books
Calendars
Front desk/Reception
Sign-in/sign-up sheets
Conversations
Mail
File room
Printers
Fax
Computers
Office/Desks
Shredder, shred bin, recycling bin
10. The 10 Privacy Principles – 1. Accountability
“Organization shall designate someone to be accountable for the
management of personal information.”
Privacy Officer or equivalent to:
Ensure compliance with the privacy law
Respond to access requests, inquiries
and complaints
Under PIPA, you must have a written statement describing your information practices (“policy”) and how to request access, how to make a complaint, etc. (“procedures”).
Examples: Privacy Policy, IT Security Policy, Acceptable Use Policy, Privacy Breach Management Procedure.
11. The 10 Privacy Principles – 2. Identifying Purposes
“An organization must clearly identify the purposes for which
personal information is collected, either before or at time of
collection.”
You must explain to individuals:
what personal information you collect,
for what purposes, and
how you intend to use the information,
before or at the time of collection.
Use the “reasonable person test” – think
about whether a reasonable person
with no special interest would consider
the way your business handles personal information appropriate.
12. The 10 Privacy Principles – 3. Obtaining Consent
“You almost always need an individual's consent whenever you collect, use or disclose their Personal Information.”
Consent = permission, agreement, authorization
Express consent – the individual is notified and agrees, verbally or in writing.
Implied consent – no separate notification is needed because the purpose is obvious from the situation.
“Informed consent”
Capacity to consent
No presumption based on age
Clients can change or withdraw consent
You may collect information without consent, but only in limited and specific circumstances.
13. The 10 Privacy Principles – 4. Limiting Collection
“You should collect only the minimum amounts of Personal
Information required to achieve the purpose that you stated.”
Before or at the time of the collection
Clients shall be given enough information
about the collection (“informed consent”).
Contact information must be provided
(e.g., privacy office).
Remember: Collecting too much information puts
your organization at risk
“Data is a toxic asset and saving it is dangerous” – Bruce Schneier
14. The 10 Privacy Principles – 5. Limiting Use, Disclosure, and Retention
“You must limit use and disclosure of Personal Information to the
original purpose that was explained to the person whose personal
information you collected.”
If your business wants to use P.I. for a
new purpose, you need to go back and
obtain new consent for the purpose.
If the P.I. is used to make a decision that affects someone, it must be kept for at least one year after it is used.
As soon as it is no longer needed for
any legal or business reason, it must be
destroyed or anonymized.
15. The 10 Privacy Principles – 6. Accuracy
“The organization must make a reasonable effort to ensure the personal
information it collects is accurate, complete, and up-to-date.”
An individual may request the correction of his/her personal
information
If the record is incorrect or incomplete
(for the purposes for which it was
collected or is used), the organization
must correct the record unless an
exception applies
If your organization does not make the correction you must annotate
the personal information noting that a correction was requested but not
made.
16. The 10 Privacy Principles – 7. Safeguards
“The organization needs to implement security safeguards to ensure that
its staff or contractors handle personal information properly, and to
prevent privacy breaches.”
Security safeguards protect personal
information from inappropriate
collection, use, access, and disclosure.
Security is the mechanism to protect
privacy and includes:
Physical Safeguards
Administrative Safeguards
Technical Safeguards
17. The 10 Privacy Principles – 7. Safeguards (continued)
PASSWORD PROTECTION
Do not use common passwords that can easily be guessed.
Use a passphrase instead of a password:
@ ! # $ %
I bought my house for $1
Taking the first letter of each word gives Ibmhf$1. Note that the full phrase is far stronger than the 7-character abbreviation, so use the whole phrase wherever the system allows it.
“Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.” — Clifford Stoll
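The following is an added example to illustrate the passphrase advice above; it is not part of the original presentation. It estimates the brute-force entropy of the abbreviation versus the full phrase, screens a candidate against a (constructed, illustrative) list of common passwords, and generates a Diceware-style passphrase with the OS random source. The word list and the common-password set are stand-ins for real lists and are labelled as such in the code.

```python
import math
import secrets

# Constructed stand-in for a real breached-password list (e.g. a downloaded HIBP set).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password1"}

# Constructed stand-in for a full Diceware word list (a real one has 7,776 words).
WORDLIST = ["cedar", "river", "eagle", "salmon", "harbour", "maple",
            "thunder", "granite", "willow", "otter", "lantern", "summit"]
DICEWARE_SIZE = 7776


def charset_size(secret: str) -> int:
    """Size of the character classes an attacker must enumerate for this secret."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(not c.isalnum() for c in secret):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(secret: str) -> float:
    """Entropy upper bound: what an attacker trying every string over the charset faces.
    Real guessing (dictionary words, substitutions) needs far fewer tries, so this is
    only a ceiling, never proof of strength."""
    n = charset_size(secret)
    return len(secret) * math.log2(n) if n else 0.0


def is_common(secret: str) -> bool:
    """Reject anything on the breached list, case-insensitively."""
    return secret.lower() in COMMON_PASSWORDS


def wordlist_bits(num_words: int, list_size: int = DICEWARE_SIZE) -> float:
    """Exact entropy of a passphrase of num_words words drawn uniformly from list_size words."""
    return num_words * math.log2(list_size)


def generate_passphrase(num_words: int = 6, wordlist=WORDLIST) -> str:
    """Diceware-style passphrase using the OS CSPRNG (secrets), not random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def assess(secret: str) -> dict:
    """Summary a password-policy check could act on."""
    return {
        "length": len(secret),
        "common": is_common(secret),
        "brute_force_bits": round(brute_force_bits(secret), 1),
    }


if __name__ == "__main__":
    for s in ("Password1", "Ibmhf$1", "I bought my house for $1"):
        print(f"{s!r}: {assess(s)}")
    print(f"generated: {generate_passphrase()!r}")
    print(f"6 words from the {len(WORDLIST)}-word toy list: {wordlist_bits(6, len(WORDLIST)):.1f} bits; "
          f"from a full Diceware list: {wordlist_bits(6):.1f} bits")
```

Run it and the abbreviation Ibmhf$1 comes out at about 46 bits of brute-force ceiling while the full sentence is over 150; a six-word Diceware phrase from a real list is about 77.5 bits and, unlike a sentence, contains no guessable grammar.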
18. The 10 Privacy Principles – 7. Safeguards (continued)
ACCESS CONTROL – ROLE-BASED, RULE-BASED
Limit access to P.I.
Sensitive information is shared on a “need-to-know” basis.
Ensure all staff know how to properly and confidentially handle P.I. and the steps required for dealing with a breach.
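The following is an added example, not code from the presentation, showing how the role-based and rule-based controls above fit together in an application that serves clinical records. A role grants a set of actions (role-based); on top of that, chart access is only allowed when the patient is on the user's care team (rule-based need-to-know); and every decision, allowed or denied, is written to an audit log the privacy office can query. The roles, actions and patient IDs are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Role -> permitted actions (role-based). Constructed for this example; a real
# deployment would load this from the application's policy store.
ROLE_PERMISSIONS = {
    "clinician": {"chart:read", "chart:write", "demographics:read"},
    "reception": {"demographics:read", "appointment:write"},
    "privacy_officer": {"audit:read"},
}

# Actions that expose clinical P.I. and therefore also need the rule-based
# need-to-know check: the user must be on the patient's care team.
NEED_TO_KNOW_ACTIONS = {"chart:read", "chart:write"}


@dataclass(frozen=True)
class User:
    username: str
    role: str
    care_team: frozenset  # patient IDs this user is assigned to


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Every decision is recorded so access patterns can be reviewed; denied attempts
# are the signal that someone is looking at records outside their job duties.
AUDIT_LOG: list = []


def authorize(user: User, action: str, patient_id: str) -> Decision:
    permitted = ROLE_PERMISSIONS.get(user.role, set())
    if action not in permitted:
        decision = Decision(False, f"role '{user.role}' is not permitted '{action}'")
    elif action in NEED_TO_KNOW_ACTIONS and patient_id not in user.care_team:
        decision = Decision(False, f"{patient_id} is not on {user.username}'s care team")
    else:
        decision = Decision(True, "role permits action and need-to-know satisfied")
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user.username, "role": user.role,
        "action": action, "patient": patient_id,
        "allowed": decision.allowed, "reason": decision.reason,
    })
    return decision


def denied_attempts(username: str) -> list:
    """Audit query: denied accesses by one user, for follow-up by the privacy office."""
    return [e for e in AUDIT_LOG if e["user"] == username and not e["allowed"]]


if __name__ == "__main__":
    nurse = User("nurse_a", "clinician", frozenset({"P100", "P101"}))
    desk = User("desk_b", "reception", frozenset())
    print(authorize(nurse, "chart:read", "P100"))        # allowed
    print(authorize(nurse, "chart:read", "P200"))        # denied: not on care team
    print(authorize(desk, "chart:read", "P100"))         # denied: role lacks permission
    print(authorize(desk, "appointment:write", "P100"))  # allowed
    print(denied_attempts("nurse_a"))
```

The two checks are deliberately separate: the role check answers "can this kind of staff member ever do this?", and the care-team rule answers "should this person see this patient right now?". Logging the denials, not just the successes, is what makes the "need to know" rule enforceable after the fact.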
19. The 10 Privacy Principles – 7. Safeguards (continued)
PRIVACY BREACH: The loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards.
1. Contain the breach
2. Evaluate the risk
i. identify what P.I. was compromised and assess the potential impact.
ii. determine whether notification of those affected is necessary.
iii. RROSH = Real Risk of Significant Harm
3. Notification – the OIPC, police or the RCMP.
4. Prevention strategies – for the future, to make sure it doesn't happen again. Review and update the privacy management program and ensure staff are provided regular privacy training as well as refresher training.
20. The 10 Privacy Principles – 7. Safeguards (continued)
Real Risk of Significant Harm
Risk to physical safety/security
Identity fraud or theft
Hurt, humiliation, reputation damage, damage to relationships
Loss of business or employment opportunities
Loss of trust
Financial exposure
To notify, or not to notify?
Regardless of how severe the breach may be, it is generally good practice to be transparent by reporting it.
It may very well save your organization's reputation in the long run.
21. The 10 Privacy Principles – 8. Openness
“Be open about your information management policies and
procedures.”
Upon request, you need to make the following information available to any client, customer or employee:
the title and contact information of your designated privacy officer,
the process an individual can follow to access their own P.I., and
information on your policies and practices surrounding personal information.
22. The 10 Privacy Principles – 9. Individual Access
Every individual has a right to access his/her personal (health)
information, subject to limited exceptions
Where a restriction on access applies, an individual still has a right of access to the part of the record that can be severed
Organization must respond as
soon as possible to a written
access request, but no later
than 30 days after receiving
the request, subject to extension
Organization may still give access if the request is oral or without a
formal request
23. The 10 Privacy Principles – 9. Individual Access (continued)
MAY refuse to give someone their Personal Information when it is:
protected by solicitor-client privilege;
confidential commercial information;
part of an investigation or proceeding that is still going on.
MUST refuse to give someone their Personal Information if the disclosure could reasonably be expected to:
threaten the safety or physical/mental health of another individual;
cause immediate or serious harm to the safety or to the physical/mental health of the requester;
or if it would reveal Personal Information about someone else.
24. The 10 Privacy Principles – 10. Challenging Compliance
“Any person may question and challenge an organization's compliance with the Personal Information Protection Act.”
Organizations are required by PIPA to develop a process to respond to privacy complaints.
Develop written complaint handling policies and procedures that anyone can access.
Organizations should investigate and resolve all complaints received (OIPC).
26. Social Media
What is your organizational policy for social media?
Content communicated via social media is unprotected and publicly accessible.
Remember: Social media is not free; you are “paying” with your personal information.
TIP – Protecting Privacy on Social Media:
Create strong passwords
Use the enhanced privacy options offered by social media sites
Have the latest anti-virus/anti-spyware software installed
27. Beware of Phishing
A phishing website (a.k.a. "spoofed" site) tries to steal your account, password or other confidential information by tricking you into believing you are on a legitimate website.
Tips to help you identify phishing:
Incorrect company name – www.paypa1.com (a digit 1 in place of the letter l).
The hyperlinked URL is different from the one shown.
The email:
has improper spelling or grammar
urges you to take immediate action
includes suspicious attachments
asks for login credentials, payment information or other sensitive information
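The following is an added example, not part of the presentation, that automates the first two tips above: it pulls every link out of an HTML email, flags links whose visible text names a different domain than the one they actually point to, and flags targets that are digit-for-letter lookalikes of a protected brand (paypa1.com for paypal.com). The sample email, the protected-domain list and the substitution table are constructed for the example; a production checker would also consult the Public Suffix List and handle Unicode homoglyphs, which this one does not.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands whose domains we want to protect from lookalikes. Constructed for this example.
PROTECTED_DOMAINS = {"paypal.com", "fnha.ca"}

# Digit-for-letter substitutions commonly used in lookalike domains (paypa1 -> paypal).
LOOKALIKE_MAP = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

# A domain name appearing in link text, with or without a scheme.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (www.paypal.com -> paypal.com).
    Simplification: a production check would consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def check_link(href: str, text: str) -> list:
    findings = []
    target = registrable_domain(host_of(href))
    # Tip 1: the hyperlinked URL differs from the one shown in the link text.
    m = DOMAIN_IN_TEXT.search(text.lower())
    if m and registrable_domain(m.group(1)) != target:
        findings.append(f"link text shows {m.group(1)} but points to {host_of(href)}")
    # Tip 2: the target is a digit-for-letter lookalike of a protected brand.
    normalized = target.translate(LOOKALIKE_MAP)
    if target not in PROTECTED_DOMAINS and normalized in PROTECTED_DOMAINS:
        findings.append(f"{target} looks like {normalized} (digit-for-letter substitution)")
    return findings


def scan_html_email(html: str) -> list:
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        findings.extend(check_link(href, text))
    return findings


# Constructed sample message for the example, not a real phishing email.
SAMPLE_EMAIL = """
<p>Your account has been limited. Verify your details immediately:</p>
<a href="http://www.paypa1.com/verify">www.paypal.com/verify</a>
<p>Questions? <a href="https://www.fnha.ca/">Contact the privacy office</a></p>
"""

if __name__ == "__main__":
    for finding in scan_html_email(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

On the sample message the first link trips both checks (the text says paypal.com, the href goes to paypa1.com, and paypa1.com normalizes to a protected brand) while the second link is clean. The checks are heuristics: a clean result means nothing was caught, not that the message is safe.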
28. Walking and Talking – We All Do It!
When we talk about work, it often involves patients/staff.
Be aware of your surroundings.
Respect the privacy of patients & co-workers – avoid names.
Wait for the right opportunity.
Find a private location or lower your voice.
29. How to Protect Privacy in Daily Work?
“Mind your own business.”
“Need to know”: only access the
records and information that are
necessary for you to perform
your job duties.
Do not share your account
information with others or
use someone else’s account.
30. Storing & Disposing of Paper
File all clinical information in patients charts.
Lock up paper records when unattended.
Shred unwanted paper or place in shredding bin.
Do not recycle or trash paper with Personal Information.
If unsure, contact privacy office.
Do not remove papers with Personal Information from your worksite unless it is approved and necessary.
Report any loss or theft of paper or electronic devices immediately to your manager and privacy office.
31. Voice Mail and Faxing
Don’t leave messages containing any personal information on voice mail.
Don’t leave incoming and outgoing mail in unattended receptacles.
When faxing, follow procedures:
Use a cover sheet.
Confirm the fax number before keying it in (check it three times).
Arrange and confirm prompt fax pick-up.
32. Email and Text Messaging
Email = postcard: anyone handling it along the way can read it.
Sending and receiving Personal Information by email vs. fax:
How sensitive? How much? How often?
Safer alternatives: a password-protected attachment (send the password by a separate channel, e.g. by phone, never in the same email); a shared drive; SFTP; VPN.
Do not send or forward Personal Information to any unauthorized email address (e.g. personal Gmail, Shaw or Telus accounts).
If a patient requests to communicate by email or text messaging:
Be smart.
Minimize – or remove – personal information.
NEVER text Personal Information!
33. Final Takeaway: Privacy Do’s and Don‘ts
Don’t….
use email to send confidential patient or employee information
access health records unless it’s necessary for your job duty
share confidential information with those who do not have a “need to know”
discuss patient information in an unsecure area
collect more personal information than is necessary
Do….
pre-program numbers in fax machines to avoid dialing errors
safeguard confidential patient or employee information at all times
report privacy incidents to your manager or Privacy Office immediately
34. Need help for privacy?
Privacy Office privacy@fnha.ca
604-693-6844
Toll Free 1-844-364-7748
Kevin Kim, Privacy Manager
604-693-6784
Kevin.Kim@fnha.ca
Margaret Lee, Privacy Analyst
604-693-6710
Margaret.Lee@fnha.ca