POLICY

The Phoenix Centre for Children and Families is committed to protecting the privacy of its employees, clients/customers and confidential business information.

Employees are obligated to ensure that personal information to which they may have access remains confidential, is only used for the purposes for which it was collected, is not disclosed without authorization or used for personal gain.

Employees are required to follow all procedures regarding collection, use, and disclosure of personal information as set out in this policy.

Employees who disclose personal information, contrary to this policy will be subject to disciplinary measure, up to and including discharge for cause.

The Manager, Administrative Services is the Agency’s Privacy Officer and is accountable for the implementation of this policy. Any issues or questions regarding this policy should be directed to the Privacy Officer.

PURPOSE

 All employees at one time or another may receive personal, privileged and/or confidential information which may concern other employees, company operations or clients/customers. The purpose of this policy is to preserve the privacy of employees, clients and The Phoenix Centre for Children and Families, by outlining employee obligations and procedures for dealing with personal, privileged and/or confidential information.

SCOPE

 This policy applies to all employees, contractors, subcontractors of the Phoenix Centre for Children and Families or anyone else who is granted access to personal privileged and/or confidential information.

RESPONSIBILITY

Employees are responsible for:

  • keeping their own employee files current regarding name, address, phone number, dependents, etc.
  • being familiar with and following policies and procedures regarding personal information;
  • obtaining the proper consents and authorizations prior to disclosure of personal, privileged and/or confidential information.
  • immediately reporting any breaches of confidentiality to their Supervisor;
  • keeping private passwords and access to personal, privileged and/or confidential data;
  • explaining this policy to clients and referring them to the Manager, Administrative Services if necessary;
  • relinquishing any personal, privileged, confidential or client information in their possession before or immediately upon termination of employment.

Supervisors are responsible for:

  • obtaining consent to the collections and use of personal information from employees;
  • ensuring policies and procedures regarding collection, use and disclosure of information or personal information are consistently adhered to;
  • responding to requests for disclosure after the proper release is obtained;
  • cooperating with the Manager, Administrative Services to investigate complaints or breaches of policy;
  • obtaining from terminating employees prior to their termination any personal, privileged, confidential or client information in their possession;
  • ensuring that disclosure of personal information or personal health information to a Third Party is done with the approval of the Manager, Administrative Services in order to minimize the risk of non-compliance with applicable legislative or regulatory regimes.

Human Resources and/or Payroll personnel are responsible for:

  • ensuring that appropriate consents have been obtained from employees with respect to the collection and use of personal information;
  • maintaining systems and procedures to ensure employee records are kept private;
  • obtaining the proper consents and authorizations prior to disclosure of information contained in employee records;
  • responding to employees’ requests for access to their files;
  • ensuring proper disposal of unnecessary files/information;
  • maintaining separate files to ensure that personal health information is protected;
  • ensuring that disclosure of personal information or personal health information to a Third Party is done with the approval of the Privacy Officer in order to minimize risk of non-compliance with applicable legislative or regulatory regimes.

The Privacy Officer (Manager, Administrative Services) is responsible for:

  • internal compliance with applicable policies or legislation;
  • cooperating with supervisors, human resources and/or payroll personnel in developing internal policies for the collection, use and disclosure of personal information and personal health information of employees and clients;
  • monitoring and responding to Third Party requests for personal information or personal health information;
  • ensuring appropriate consents are obtained for the collection, use and disclosure of personal information and personal health information;
  • where collection, sue or disclosure is permitted without prior consent, notifying individuals of the collection, use and disclosure of personal information and/or personal health information after such occurrence.

ACKNOWLEDGEMENT OF CONFIDENTIALITY

The Agency will make all staff aware of the importance of maintaining the confidentiality of personal and personal health information and other confidential business information. As a condition of employment or affiliation, all new staff must read the Privacy and Confidentiality Policy as part of their orientation process and it is documented on the Staff Orientation Checklist. In addition, personal and/or personal health information obtained in the course of one’s employment or other affiliation with the Agency must remain in the strictest of confidence including when the employment or affiliation with the Agency ceases.

DEFINITIONS

“Personal information” is any information about an identifiable individual and includes race, ethnic origin, colour, sex, sexual orientation, age, marital status, family status, religion, education, medical history, criminal record, employment history, financial status, address, telephone number, and any numerical identification, such as Social Insurance Number. Personal information also includes information that may relate to the work performance of the individual, any allegations, investigations or findings or wrongdoing, misconduct or discipline. Personal information does not include job title, business contact information or job description. Included under personal information are anyone else’s opinions about the individual or the individual’s personal views or opinions, except if they are about someone else.

“Personal health information” is information about an identifiable individual that relates to the physical or mental health of the individual, the provision of health care to the individual, the individual’s entitlement to payment for health care, the individual’s health card number, the identity of the providers of health care to the individual or the identity of substitute decision-makers on behalf of the individual.

“Third parties” are individuals or organizations other than the subject of the records or representatives of the authoriPhoenix Centre for Children and Families. Note that in certain circumstances, the company may be entitled to provide personal information to an external party acting as an agent of the Phoenix Centre for Children and Families.

PROCEDURE

Employee Records

  • An employee’s supervisor, higher level managers, human resources and payroll personnel shall have access to employee records containing personal information. An employee’s supervisor, higher level managers, human resources and payroll personnel will have access to an employee’s personal health information if the Privacy Officer determines that such access is permissible and necessary. Personal information and personal health information will not be disclosed outside of the organization without the knowledge and/or approval of the employee. Notwithstanding the foregoing, the Phoenix Centre for Children and Families will cooperate with law enforcement agencies and will comply with any court order or law requiring disclosure of personal information without the employee’s consent.
  • Employees may request access to review their own file by making arrangements with the Manager, Administrative Services. Employees shall provide at least twenty-four (24) hours notice. Employees may obtain a copy of any document in their file which they have signed previously. No material contained in an employee file may be removed from the file. A Manager will be present during viewing of the file.
  • An employee may provide a written notice of correction related to any data contained in the employee’s file. The notice of correction shall be provided to the Manager, Administrative Services.
  • Employee requests for disclosure of their own personal information to Third Parties must be accompanied by a completed, signed and dated Authorization to Release Information form. Attachment A to this policy is used for this purpose. This form should also be used in dealings with insurance companies with respect to employee benefits and to provide confirmation of earnings to financial institutions for lending purposes.
  • Unless retention of personal information is specified by law for certain time periods, personal information that is no longer required to fulfil the identified purpose shall be destroyed, erased or made anonymous within twelve (12) months after its use.

Client Information

  • Personal, privileged and/or confidential information about customers and clients may only be collected, used, disclosed and retained for the purposes identified by The Phoenix Centre for Children and Families as necessary.
  • Employees must ensure that no personal, privileged and/or confidential client information is disclosed without the client’s consent and then only if security procedures are satisfied. Client information is only to be accessed by employees with appropriate authorization.
  • Unless retention of personal information is specified by law for certain time periods, personal information that is no longer required to fulfil the identified purpose shall be destroyed, erased or made anonymous within twelve (12) months after its use.

Notwithstanding Employee Records (e) and Client Information (d), personal information that is the subject of a request by an individual or a Privacy Commission shall be retained as long as necessary to allow individuals to exhaust any recourse they may have under the Personal Information Protection and Electronic Documents Act (PIPEDA).

Concerns or complaints related to privacy issues must be made, in writing, to the Manager, Administrative Services setting out the details of the concern or complaint. The Manager, Administrative Services shall investigate the matter forthwith and make a determination related to the resolution of the concern(s) or complaint(s).

No employee shall be disadvantaged or denied any benefit of employment by reason that the Phoenix Centre for Children and Families believes that an employee will do anything referred to paragraphs (a), (b), or (c) below or by reason that an employee, acting in good faith and on the basis of reasonable belief,

  • has disclosed to the Privacy Commissioner of Canada that the Phoenix Centre for Children and Families or any other person has contravened or intends to contravene a provision of PIPEDA related to the protection of personal information.
  • has refused or stated the intention of refusing to do anything that it is in contravention of a provision of PIPEDA related to the protection of personal information.
  • has done or stated an intention of doing anything that is required to be done in order that a provision of PIPEDA related to the protection of personal information not be contravened.

An employee who is found to be in breach of this policy will be subject to discipline up to and including discharge for cause.

COMPLIANCE, MONITORING, AUDITING & CONSEQUENCES

Access, use, disclosure and sharing of Personal and/or Personal Health Information will be monitored and all suspected breaches of this Policy will be investigated by the Privacy Officer. Actions to be taken will be determined by the Management Team in consultation with the Privacy Officer, Legal Counsel, and/or other Agency stakeholders according to the nature of the breach and parties involved.

Agency operational areas and programs conduct appropriate reviews and audits of their systems and processes to ensure compliance with Agency policies and standards. 

BREACH OF POLICY

Staff will report any real or suspected breaches of this Policy in connection with any Agency program or activity immediately upon becoming aware. All reports must be made to the Privacy Officer. Staff may report real or suspected breaches without any fear of reprisal.

All incidents involving theft or loss of Personal and/or Personal Health Information will be promptly addressed for containment, investigation, reporting, and remedial actions.

If an Agency staff identifies, or has reason to believe, that Personal and/or Personal Health Information has been lost or stolen or has been accessed by unauthorized person(s), that staff member will notify the Privacy Officer immediately either verbally or by e-mail. The notification will be followed by a written submission that includes all pertinent details leading to this assertion. The Privacy Officer will conduct an investigation and, in consultation with the Executive Director/Delegate, will notify the affected client(s) or staff member(s), appropriate Ministry, and, as required, the police.

COMPLAINTS

Clients or other members of the public who complain about a breach of their personal privacy or who express concern about the collection or use of their Personal and/or Personal Health Information should be directed to the Privacy Officer. Such complaints from members of the public will be accepted either with the member of the public being identified or in an anonymous format. Complaints regarding another Social Service Provider should be referred to that agency. At any time, a client or staff member has the option to access the office of the Information and Privacy Commissioner at:

2 Bloor Street East, Suite 1400, Toronto, ON M4W 1A8
1-800-387-0073
Fax: (416) 325-9195
Email the Information and Privacy Commissioner