Overview:
Privacy of personal information is governed by Ontario’s information and privacy commissioner which is similar to those of the federal privacy commissioner. All RNR Patient Transfer Services Inc. personnel must adhere to the rights and privacy of everyone they come in contact with.
Policy:
RNR Patient Transfer Service Inc. (the organization) is committed to respecting the privacy of individuals and recognizes the need of people with whom we do business (clients, patients, etc.) and employees for the appropriate management and protection of any Personal Information that you agree to provide to us.
Our Privacy Management Plan includes guidelines on the collection, storage, use and retention of Personal Information as follows:
Collection: The organization collects personal information about individuals (clients, suppliers, employees, etc.) in order to better manage its business. The organization will make all reasonable efforts to fully inform such individuals about the planned use/disclosure. The organization will limit the collection and use of personal information to that required for valid business purposes or to comply with legislation.
Accuracy: The organization will make every reasonable effort to ensure that the personal information it collects and uses is accurate and complete. Individuals providing personal information will have the opportunity to review and correct their personal information, and on written request by an individual to whom the information relates, the organization will modify the information as required.
Storage: The organization will store personal information using hard copy and/or electronic means in such a way as to prevent unauthorized collection, access, use, disclosure or disposal of the personal information.
Retention: The organization will establish a retention period for all personal information collected. This period may be related to legislation other than PIPEDA (i.e. Employment Standards or contractual obligations).
Disclosure: The organization will not disclose personal information unnecessarily to employees or any third party, unless the effected individual consents.
Access: The organization promotes individual’s right of access to personal information about themselves. The employer will provide access to information upon request, within a reasonable time. Access will be provided according to established procedures.
No client or team member information can be discussed or released without proper consent of the individual in which the matter pertains to. The Personal Information Protection and Electronic Documentation Act (PIPEDA) requires all persons under a company’s employment not to release documents via electronic means (i.e. e-mail, fax) with a client’s or team member name or private information, without proper consent and notation.
A copy of the PIPEDA regulations is on file at all Company locations of work for review. This information is also available online for personal research. Team members may also acquire clarification from RNR management for interpretation or clarification of the PIPEDA rules and regulation, at any time.
Privacy Breach Guidelines
Step 1: Contain the Breach
Take immediate steps to contain the breach. These steps include:
• Stop the unauthorized practice
• Immediately contact the RNR Privacy Officer (listed below)
• Recover the records
• Shut down the system that was breached
• Revoke access or correct weaknesses in physical security
• Management to contact the police if the breach involves theft or other criminal activity
• Contact affected individuals if they may need to take further steps to mitigate or avoid further harm
Step 2: Investigate the Breach
Once the breach has been contained, RNR management is to conduct an internal investigation. This investigation should be conducted by the Privacy Officer. It may be conducted on an informal or formal basis depending on the nature of the breach. A breach investigation should address the incident on a systemic basis.
An internal investigation must include the following elements:
• Individuals with information about the breach should document details of the privacy breach and provide them to the Privacy Officer as quickly as possible
• Evaluate the immediate and ongoing risks
• Inventory and review safeguards in place prior to incident
• Findings and recommendations
• Write Incident Report.
The following are questions that are to be addressed when conducting an internal investigation:
A. What were the circumstances that lead to the breach?
B. Could the incident have been avoided?
C. Was the breach accidental or intentional?
D. Is there a risk of a repeat incident?
E. What measures need to be put in place to avoid a future similar incident?
Step 3: Assess and Analyze the Breach
A. Is PI/PHI involved?
• What data elements have been breached? Generally, the more sensitive the information, the higher the risk. PHI, Social Insurance Numbers, and/or financial information that could be used for identity theft are examples of sensitive information.
• What possible use is there for the information? Can the information be used for fraudulent or otherwise harmful purposes?
B. What is the cause and extent of the breach?
• What is the root cause of the breach?
• Is there a risk of ongoing or further exposure of the information?
• What short-term and long-term steps have been taken to minimize the harm?
• What was the extent of the unauthorized collection, use or disclosure, including the number of likely recipients and the risk of further access, use or disclosure, including in mass media or online?
• Is the information encrypted or otherwise not readily accessible?
• Is the information de-identified, statistical or aggregate only?
C. How many are affected by the Breach?
• How many individuals are affected by the breach?
• Who was affected by the breach: employees, public, contractors, clients, service providers, other organizations?
D. What is the foreseeable harm resulting from the Breach?
• Is there any relationship between the unauthorized recipients and the data subject?
• What harm to the individuals will result from the breach? Harm may include:
– Security risk (e.g. physical safety)
– Identity theft or fraud
– Loss of business or employment opportunities
– Hurt, humiliation, damage to reputation or relationships
• What harm could result to RNR as a result of the breach? For example:
– Loss of trust in the organization
– Loss of assets
– Financial exposure
• What harm could result to the public as a result of the breach? For example:
– Risk to public health
– Risk to public safety
Step 4: Notification: Who, When and How to Notify
The key consideration in deciding whether to notify affected individuals should be whether notification is necessary in order to avoid, mitigate or address harm to an individual whose PI/PHI has been inappropriately collected, used or disclosed. Review the risk assessment to determine whether or not notification is required; document any analysis and decisions.
RNR collects PI/PHI which means the Company is responsible for notifying affected individuals when a privacy breach occurs.
If the breach occurs at a third party entity that has been contracted to maintain or process PI/PHI, the breach should be reported to the originating Organization, which has primary responsibility for notification.
When: Notification of individuals affected by the breach should occur as soon as possible. However, if law enforcement authorities have been contacted, those authorities should be consulted to determine whether notification should be delayed in order not to impede a criminal investigation. Ensure all such discussions are documented.
How: The preferred method of notification is direct (by telephone, letter or in person) to affected individuals. This method is preferred where:
• The identities of individuals are known
• Current contact information for the affected individuals is available
• Affected individuals require detailed information in order to properly protect themselves from the harm arising from the Breach, and/or affected individuals may have difficulty understanding an indirect notification due to mental capacity, age, language, or other factor
Indirect notification – website information, posted notices, media – should generally only occur where direct notification could cause further harm, is prohibitive in cost, contact information is lacking, or where a very large number of individuals are affected by the Breach such that direct notification could be impractical. Using multiple methods of notification in certain cases may be the most effective approach.
What: Notifications should include the following information:
• Recognize the impacts of the breach on affected individuals and consider offering an apology
• Date of the breach
• Description of the breach (a general description of what happened)
• Description of the breached PI/PHI (e.g. name, credit card numbers, SINs, medical records, financial information, etc.)
• The steps taken to mitigate the harm to date
• Next steps planned and any long term plans to prevent future breaches
• Steps the individual can take to further mitigate the risk of harm. Provide information about how individuals can protect themselves e.g. how to contact credit reporting agencies (to set up a credit watch), how to change a health services number or driver’s license number
• Contact information of RNR’s Privacy Officer, who can answer questions and provide further information
Others to Contact:
Management should consider if any other organizations or government bodies require contact including, but not limited to:
• Police: If theft or other crime is suspected
• Insurers or others: If required by contractual obligations
• Credit card companies and/or credit reporting agencies: It may be necessary to work with these companies to notify individuals and mitigate the effects of fraud
Step 5: Prevention
Once the immediate steps are taken to mitigate the risks associated with the breach, take the time to thoroughly investigate the cause of the breach. This should ultimately result in a plan to avoid future breaches. This may require an audit of physical, administrative and technical safeguards. RNR’s plan should also include a requirement for an audit at the end of the process to ensure that the prevention plan has been fully implemented.
As a result of such evaluations, RNR should develop, or improve as necessary, adequate long term safeguards against further breaches. Policies should be reviewed and updated to reflect and implement the recommendations gleaned from the investigation. Policy review and updates should occur regularly thereafter.
For further information contact:
Chief Privacy Officer (CPO)- Rob Rivait
Phone: (705) 327-0070
Address:
25 Front Street S.
Upper Level
Orillia, Ontario
L3v 4s1.