Approved by: Board of Directors
Application: Board, Staff, Volunteers, Students, Clients
Contact: Chair of the Board
Date of Approval: 2005
Date of Last Review: June 2008, January 2011, March 2015, February 2016
“Personal information” includes any information that can be used to distinguish or identify a specific individual. This information, recorded or not, includes an individual’s name, age, contact information, identification numbers/certificates, medical or financial records, race, ethnic origin, religious affiliation and education. Business contact information and certain publicly available information, such as name, title/position, company address, email and fax, are not considered to be personal information.
“Health information” includes any identifiable personal information, recorded or not, that relates to the physical or mental health of an individual including medical history, family medical history and health card number.
“Clients” refers to individuals who access PPT through its many programming areas and services.
“Members” refers to individuals who meet membership eligibility requirements and have paid annual membership fees in full.
“Donors” refers to individuals, organizations and/or corporations that have contributed a monetary or in-kind gift to PPT.
“General Public” refers to individuals, groups or institutions that may provide PPT with some form of personal information but do not fall into the category of a client, member or donor.
Planned Parenthood Toronto (PPT) is committed to protecting the privacy of our clients, members, donors and the general public and to meeting the requirements of the Personal Health Information Privacy Act (PHIPA) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
PPT and its programming areas and services may collect some or all of the following personal and/or health information from clients, members and donors.
Donors and Members
PPT does not trace phone calls or use Call Display services.
PPT uses the personal and health information of clients, members and donors for the following purposes:
PPT discloses personal and health information in the following circumstances:
In addition to the categories mentioned above, information may be disclosed to some third-party contractors for PPT business purposes only. This includes financial audits, insurance and administrative purposes as necessary and appropriate. In these cases, PPT collects the privacy statements of the third-party contractors and makes these available to clients, members and donors upon request.
PPT may otherwise disclose personal and health information as necessary to meet legal, regulatory and security requirements as permitted or required by law. This includes the following situations:
PPT operates and manages a number of websites. PPT does not track Internet provider addresses and does not disclose, sell, trade or share any personal information about visitors to our sites.
PPT does not collect identifiable personal or health information through our web sites. Our web-based financial transactions are filtered through third-party secured sites or by downloadable documents that can be mailed, faxed or emailed to PPT. PPT includes hypertext links to the privacy policies of the third-party secured sites. However, PPT may from time to time or in the future collect personal information in the following ways and for the following purposes:
The collection and use of personal information for these purposes is covered under the “Use of Personal Information” section in this statement.
Other non-identifiable and statistical information is collected by our web sites through a log file generated by our site hosts and may be shared with funders and other health care custodians as required.
PPT uses sessional ID cookies. A cookie is a piece of data stored on the user’s computer tied to information about the user. Usage of a cookie is not linked to any identifying personal information and once users close the browser, the cookie terminates.
Online Chat, Email and Social Media
Some information, such as an email address, is collected and used by PPT staff when responding to service and information requests through PPT’s Email a Question, MSN Chat services and other social media like Facebook and Twitter. In these cases, personal information is collected and used for the purposes outlined in this statement.
Emails, Facebook posts, chat logs, Twitter posts, etc. are saved for liability and statistical purposes. PPT does not disclose personal information collected online unless it is required to do so by law. Only authorized staff have access to the information.
Consent to the collection, use and disclosure of personal information may be given in various ways. Consent can be expressed or implied. Consent may also be given by an authorized representative such as a legal guardian or power of attorney. For clients of PPT programs and services, an expressed consent form is used. For donors and members, PPT will assume that, by providing personal information with their donation and/or completed membership form, they consent to our collection, use and disclosure of such information for the purposes identified in this policy. However, PPT will also provide opportunities for donors and members to opt in or out of such information collection, use and disclosure. As well, for purposes of donor recognition (i.e. annual report, PPT web site) PPT will seek explicit consent via telephone, mail or Internet.
Clients, members, and donors may withdraw their consent to our collection, use and disclosure of personal information at any time by doing so in writing; however, PPT may no longer be able to provide certain clinical services if a client chooses to do so.
 Includes any oral, electronic or signed confirmation that allows PPT to collect, use and disclose personal information for purposes outlined in this statement.
 Includes when a client provides information necessary for a service they have requested or where a client has not withdrawn their consent for an identified purpose, such as by using an “opt out” clause provided.
PPT uses the following security measures to protect personal and health information against loss, theft, unauthorized access and disclosure without consent:
Client medical records are stored and disposed of according to the protocols set by the College of Physicians and Surgeons of Ontario.
Donors and Members
Only authorized employees of PPT who require access to personal information in order to fulfill their job requirements will have access to the personal information. As well, all employees and volunteers of PPT sign a confidentiality agreement.
PPT may establish and maintain a file of personal and/or health information for the purposes described in this statement. If a client, member or donor wishes to request access to or make a correction of their personal information in our custody or control, they may submit their request in writing to the following:
The Privacy Officer is appointed by the Executive Director (ED) from among the members of the Management Team. While reviewed by the ED annually, the Privacy Officer remains in the position until a new appointee is named.
PPT’s Privacy Officer is:
Director of Finance and Administration
Planned Parenthood Toronto
36B Prince Arthur Ave.,
Toronto, ON M5R 1A9
Tel: 416.961.0113 ext. 143
If someone believes that their privacy rights are not being respected, suspects their personal information has been improperly collected, used or disclosed, runs into any difficulties obtaining access to their personal information or generally believes that PPT is not following the provisions of PIPEDA or the Ontario Health Information Privacy Act, they are entitled to file a complaint. The Office of the Privacy Commissioner of Canada recommends that they first try to settle the matter directly with the organization they are filing a complaint against. PPT does have a privacy complaints procedure. A client, donor or member can find out about the procedure and file a complaint by contacting the Privacy Officer of PPT at the address provided above. If a client, donor or member is not satisfied with PPT’s response to their complaint they may contact the Office of the Information and Privacy Commissioner/Ontario or the Office of the Privacy Commissioner of Canada at the following addresses:
The Office of the Information and Privacy Commissioner/Ontario
2 Bloor Street East, Suite 1400
Toronto, ON M4W 1A8
The Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, ON K1A 1H3
This privacy statement may be revised from time to time. If PPT intends to use or disclose personal information for purposes not outlined in this statement, we will make reasonable efforts to notify affected individuals in advance if necessary.
This privacy statement is available upon request and is also available at www.ppt.on.ca/privacy-policy.
Staff, volunteers, students and external agents must keep in strict confidence any information received, observed or otherwise acquired about a client of any of PPT’s programs. Client-related information may be disclosed, discussed or made public only if authorized by the client, or as required by an overriding professional, legal or ethical obligation. Staff, volunteers and students must also guard against client-related information being acquired by any unauthorized individual(s).
This policy applies to staff, students, volunteers and external agents and they are required to sign a Privacy and Confidentiality Contract upon commencement of their work or association with PPT.
In accordance with the Ontario Health Information Privacy Act and PIPEDA, the duties of privacy and client confidentiality continue beyond the termination of employment or association with PPT.
When registering as a client, new clients are asked for instructions regarding methods of contacting clients in the future including the use of code names to protect privacy.
Clients’ last names are not used in the course of service delivery except where necessary, and never where they may be overheard. When calling clients from the waiting room, only first names are used.
Volunteers do not have access to the client’s medical record.
Clients wishing to limit access to elements of their personal health information may choose to utilize a “lock box”. Clients can discuss this with the clinical provider.
Confidential matters are discussed with clients in private rooms or where the discussion cannot be overheard, and not at the front desk or in the waiting room.
Clients are not discussed professionally, even without a name, where another client or individual may overhear the discussion.
Charts are located in secured cabinets that are in a separate room from the client waiting area. Charts may also be archived offsite with a certified third-party storage facility. A list of documents stored offsite will be kept at PPT. A process for retrieving the documents in a timely manner will also be available at PPT.
Charts, encounter forms and other documentation containing client information are placed in a manner so that other individuals cannot see the information (i.e. face-down on desks whenever not being worked on, computer screen off or viewing access limited), and are locked up or shredded at the end of each workday.
Electronic information kept on-site is stored on a server that has the most recent privacy protection software and hardware. All workstations that connect to the network are password protected. The agency has a wireless network but this is also password protected to restrict access to the network to those individuals with network rights. All mobile storage devices used in the agency are password protected (i.e. laptops, USB storage devices).
Whenever possible, confidential or sensitive information will not be stored on agency laptops. Client data is never transported or stored on mobile devices or taken out of the agency. When it is necessary to store confidential information on a laptop, it will be downloaded onto the file server as soon as possible and then deleted from the laptop. When it is necessary to store confidential information on an External Storage Device (USBs), the device will be stored in a locked drawer on-site and the information will be downloaded to the file server as soon as possible and deleted from the laptop.
Staff, students and volunteers do not provide service to clients previously known to them outside of their role with PPT, unless the client agrees in a private discussion with a different staff member.
Clients seen in places other than PPT or program facilities are not acknowledged unless the client makes the first move.
Specific case histories are not used, even without a name, to illustrate one’s experiences in non-professional situations outside of the agency.
PPT monitors all activities in the electronic health record (NOD). All health care providers, employees, volunteers, and third parties are subject to the auditing of all of their activities in NOD. NOD has the ability to audit all users of the system. If a user is unsure of what constitutes authorized or unauthorized use or access in NOD, they should speak with their Manager. Audit reports regarding client records are also made available to clients upon request.
Purpose of Auditing
Monitoring and Reporting
The Privacy Officer or designate is authorized to run regular audit reports at least quarterly or more frequently if it is deemed necessary. A list of potential trigger events is included in this procedure; the Executive Director or any Manager can request an audit related to a trigger event at any time.
When access is deemed inappropriate or a privacy breach has been substantiated, the Privacy Officer or delegate will notify the ED and it will be determined if the breach was willful or unintentional. Users who unintentionally access PHI inappropriately will be subject progressively to all or any of the following:
Audits will be held during the second month of each quarter. The Privacy Officer will submit to the DMC a Request of Audit Form (Appendix B). However, when there is sufficient reason to believe that a more frequent audit is warranted, the Privacy Officer or designate can initiate a trigger audit.
The date range for all user audits will be a one-month period, unless otherwise requested/required, ending on the date of the audit request or by the audit schedule date. Client audits will include the entire chart.
During each audit the DMC will randomly select one chart of a client who has visited PPT in the preceding quarter and one user. The DMC will also pull an audit report that identifies specific high-risk charts; these high-risk charts will also be audited. This includes:
Audit Trigger Events
Trigger audits will be performed on an as-needed basis and can be requested by the Privacy Officer, designate or any Manager when there are enough grounds to believe that it is necessary. Trigger events may include (but are not limited to):
Audit log reports are examined in conjunction with other available information to identify and investigate unexplained or potentially inappropriate access to PHI. An NOD user may have had a good reason for an out-of-the-ordinary access, even though the initial review indicates otherwise. The audit reports are therefore inquiry-based and a quality improvement tool.
A client may request an audit of their chart that is either general or within a time that they specify. The client should complete a Request for Audit Form. The results should be provided to the client in a timely manner.
A Director or ED can request an audit when a trigger event is identified. They should complete a Request for Audit Form.
Things to look out for in an audit
Examples include but are not limited to:
Clients are entitled to access all information respecting their health status and their contact with PPT, and are entitled to share this information as they may see fit. Clients are entitled to review their clinical records in the presence of a staff member, and are entitled to copies of all documentation in their clinical records. Without detracting from clients’ right to their records, it is recommended to clients that records be reviewed with the assistance of a staff member to ensure full understanding of the contents. Client requests to review their clinical records will be responded to as soon as possible within 30 days.
Telephone calls from clients regarding any client-related matter (appointment scheduling, test results, information from clinical record, and authorizing disclosure to another person) will proceed only if the staff, volunteer, or student confirms the client’s name and birth date.
Telephone calls and mailings to clients follow the client’s selected method of contact on the Intake Form (which may include a code name, contact through an address or phone number other than home, handwritten letters without a return address, etc). Where there is a serious threat to a client’s health and the client’s selected method of contact has failed after three charted attempts, the client will be contacted at her or his home as follows: 3 telephone calls to the home number utilizing “call block” and without leaving a message, followed by 1 mailing of a handwritten letter sent without a return address (all charted/copied).
Staff, students and volunteers have a professional obligation to discuss client-related matters with professional colleagues and/or supervisors as necessary to ensure the highest quality of service provision to clients. While details of the client’s situation may be revealed, the client’s name and identifying information may not be disclosed unless absolutely necessary.
In addition, the organization has an obligation to maintain records and statistics respecting services to clients. Consequently, for these purposes, administrative personnel may access clinical records.
In certain circumstances, staff, students and volunteers are required or entitled to report client-related information despite the general relationship of confidentiality. In these situations, the breach of confidentiality must be strictly limited to that required or allowed, and confidentiality must be maintained with respect to all other client information.
Every breach of confidentiality occurring with justification as outlined in this policy must be detailed in the client’s medical chart. If the duty to report is a non-clinical situation and does not apply to a Health Services client, then an Incident Report must be completed and submitted to the Executive Director.
Staff, students and volunteers seeing clients must ensure that clients are aware in advance of these limitations on confidentiality (as may be applicable to their circumstances), so that clients have the opportunity to omit information or refuse testing if so desired. Such discussions must be charted. For example, prior to discussing abuse issues, clients under 16 must be informed of the circumstances in which a report must be made; prior to testing for reportable diseases, clients must be informed that positive results must be reported; prior to beginning counselling, clients must be informed that risk of self-harm or harm to others may result in action being taken to protect the client or others.
Details of the most commonly encountered legal obligations to disclose otherwise-confidential information follow. In addition, physicians have duties under the Highway Traffic Act and the Aeronautics Act to report individuals who are unfit to operate a vehicle or airplane, in certain circumstances.
Staff, students and volunteers may be required to disclose client-related information pursuant to a court Summons, Subpoena or Order. In appropriate circumstances, PPT will oppose such court-imposed breach of confidentiality to the extent possible. Police requests for information will be immediately reported to the Executive Director and will not be granted unless a valid subpoena or client consent can be produced. PPT will seek legal advice when necessary.
Ontario’s Child and Family Services Act imposes a duty on all persons to report to a Children’s Aid Society a belief, based on “reasonable grounds”, that a child (anyone under 16) is in need of protection, and to report the information upon which the belief is based. “In need of protection” refers to a range of circumstances respecting actual or risk of physical, sexual, emotional, developmental harm, or abandonment, by a parent or person in charge of the child, or by another person where the parent fails to protect the child. Staff members who engage in front-line service have an additional, more onerous duty to report based upon a reasonable suspicion of past or current abuse.
The Child and Family Services Act must be referred to, to assess the duty to report in any particular circumstance; the situation at hand must come within a relevant section of the Act (ss. 72 and 37(2)) in order for a report to be made. Students and volunteers must discuss any situation giving rise to a possible duty to report with their supervisor immediately; staff must discuss the situation with at least one other member of the Team before reporting. In circumstances of uncertainty, an anonymous call may be made to a children’s aid society for an opinion on the need to report and the section relied upon; however, this opinion is not binding, and staff may engage in discussion with other Team members, the Manager, the Executive Director, and/or counsel, as appropriate and practicable. Refer to: Part 24 Recognizing and dealing with Child Abuse.
Ontario’s Regulated Health Professions Act imposes a duty on all regulated health professionals (at PPT, this may include nurses, nurse practitioners, physicians and psychologists) to report a named regulated health professional to their College where there are reasonable grounds, obtained in the course of professional practice, to believe that that health professional has sexually abused a client. In addition, the Board and/or the Executive Director must file a report if there are reasonable grounds to believe that a regulated health professional practising at PPT has sexually abused a client. However, in either case, the report cannot include the client’s name without her or his written consent; consequently confidentiality is overridden only with respect to the details of the alleged sexual abuse and the name of the abuser. Reference should be had to Schedule 1 of the RHPA for a complete list of applicable professions and to sections 1, 85.1-85.6 of Schedule 2 for further details of the duties imposed. Similarly, as an internal policy all staff, students and volunteers are required to report in writing to the Executive Director a belief that any other individual associated with PPT has sexually abused a client. The report cannot include the client’s name without her or his written consent; confidentiality is overridden only with respect to the details of the alleged sexual abuse and the name of the abuser. Refer to the Act in the Health Services Manual.
Ontario’s Health Protection and Promotion Act imposes a duty on regulated health professionals to report all “reportable diseases”, including most sexually transmitted infections, to the Department of Public Health, Communicable Diseases Unit. All regulated health professionals at PPT must fulfill their statutory duty to report a professional opinion that a client has a reportable disease.
Ontario’s Mental Health Act allows physicians to facilitate an involuntary detention of a person in a psychiatric facility for up to 72 hours, for the purpose of a psychiatric assessment. Where a physician has examined a person and determines that the person has threatened or engaged in self-harmful or violent behaviour, and is suffering from a mental disorder likely to result in self-harm or harm to others, the physician may complete a “Form 1” application for psychiatric assessment, overriding client confidentiality to the extent necessary to provide the particulars and have the client taken (usually by police) to an appropriate facility. Refer to section 9 of the Act.
While only physicians may act pursuant to this legislation, other front-line staff, students and volunteers who suspect that the criteria may be met must consult with a physician, who may then examine the client. However, clients refusing examination by a physician effectively avoid an involuntary psychiatric assessment, since physicians are precluded from acting without having personally examined the client.
Whether or not a Form 1 is completed, staff, students and volunteers may have additional ethical and/or legal obligations to breach client confidentiality in circumstances of self-harm or harm to others:
PPT accepts the judicially asserted health professional’s “duty to inform” as a circumstance overriding client confidentiality. Consequently, where a client expresses an intention to do serious harm to another individual and there is a likely risk of serious harm, staff, students and volunteers must take all reasonable steps to warn the individual(s) against whom the threat has been made. These steps will generally include contacting the police, contacting the individual(s) directly where possible, and any other appropriate action. The breach of client confidentiality will be limited to the information necessary for the police and/or threatened individual to reasonably understand the risk to her or him. Action in this regard will always be implemented by a staff member, discussed with at least one other Team member, and thoroughly documented.
The “duty to inform” is expected to be incorporated into a standard of the College of Physicians and Surgeons, at which time the above policy may be adjusted to ensure consistency.
Where a client makes a serious suicidal threat and a Form 1 is not applicable, staff, students and volunteers must take action to ensure the safety of the client where such action is ethically prescribed, overriding client confidentiality only to the extent absolutely necessary. Action in this regard will always be implemented by a staff member, discussed with at least one other Team member, and thoroughly documented.
In clinical matters, PPT’s Incident Report will only be completed if any of the situations detailed above present any legality, risk or liability to PPT. In this case only information pertinent to the liability is reported to ensure understanding of the legal concerns. The Incident Report is submitted directly to the Executive Director in this situation.
Staff and students are obligated to report the following:
A youth aged 14 or 15 who is involved sexually with their partner who is 5 or more years older than the 14- or 15-year-old. A youth aged 12 or 13 who is involved sexually with their partner who is 2 or more years older than the 12- or 13-year-old.
In the case of unauthorized access, use, theft, loss, or disclosure of client information, the Executive Director will be notified immediately and an incident report will be completed. PPT’s response to this type of situation will be determined by the Executive Director and may involve an investigation and/or legal action. In all instances the client(s) will be notified immediately.
This protocol outlines procedures to follow in the event of a visit by enforcement authorities to PPT offices or a phone call from an enforcement authority regarding a client. Enforcement authorities include Toronto Police, RCMP, Office of the Chief Coroner, and Children’s Aid Society workers.
PPT will make every reasonable effort to cooperate with enforcement authorities so long as a warrant, court order or subpoena is presented. If a warrant, court order or subpoena is not presented, PPT has no legal obligation to disclose information about or provide access to anyone who is on our property including clients, staff and volunteers.
PPT is committed to protecting the information of our clients, volunteers and staff in accordance with PPT’s Confidentiality Agreement and federal and provincial rights and privacy laws.
In dealing with visits from law enforcement authorities, PPT will make every effort to minimize the impact that such a visit may have on clients and services.
A warrant, court order or subpoena can be provided in person, by email or fax. If the enforcement authority presents a warrant, court order or subpoena:
If the enforcement authority does not present a warrant, court order or subpoena:
The PPT office is private property and law enforcement authorities should present a warrant, court order or subpoena to enter the building and request information. PPT, however, does not have jurisdiction, rights or liabilities regarding public areas around our building. If the enforcement authority chooses to wait outside PPT property, they are legally entitled to do so. Managers, volunteers and staff should not become involved in enforcement activity by warning individuals that authorities may be waiting for them.
Staff, students, volunteers and external agents at PPT may have access to personal information concerning others, contained in personnel or volunteer files. Such information may be disclosed only (a) to those within PPT who require the information to perform their job duties, (b) to relevant regulatory, judicial, or government bodies, or (c) to others with authorization of the individual.
Staff, students, volunteers and external agents may also have access to confidential organizational information. Internal documents and decisions in draft form or otherwise still in process, and any document or situation stated to be confidential, must not be disclosed or discussed outside of PPT.
The duties of organizational confidentiality continue beyond the termination of employment or association with PPT.
A conflict of interest is a situation in which a staff, student or volunteer’s private or professional interest may affect their judgement (in a real or perceived way). Staff, students and volunteers must operate free from real or perceived conflict of interest.
The following procedures should be applied to avoid this situation: