Baycrest’s Privacy Code was developed to guide Baycrest in its collection, use and disclosure of personal information, including personal health information. It applies to the personal information of:
- Baycrest clients
- Anyone who has provided personal information to Baycrest through a commercial transaction (e.g., when signing up for an education course offered by Baycrest, or purchasing a service or product from Baycrest)
The Baycrest Privacy Code is based on fair information practices, as reflected in both the provincial legislation, the Personal Health Information Protection Act, 2004 (PHIPA), and the federal legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Baycrest is responsible for the information in its custody or control, and its president and chief executive officer is ultimately accountable for compliance with its Privacy Code. The president and chief executive officer has designated members of Baycrest’s senior management team to act on his behalf on matters relating to privacy. Other individuals within Baycrest are responsible for the day-to-day collection and processing of personal information.Baycrest has given effect to its Privacy Code by:
- Using security safeguards to protect personal information
- Implementing procedures to receive and respond to complaints and inquiries on privacy related matters
- Educating Baycrest employees, appointed medical staff, clinical and research fellows, scientists, students and volunteers about its privacy policies and practices
- Developing publicly available materials that explain Baycrest’s policies and procedures
- Using contractual or other means to protect personal information it discloses to third parties
At or before the time the information is collected, Baycrest identifies to the individual from whom it collects personal information (and explain as necessary) the purposes for the collection. This allows Baycrest to determine the information it needs to collect to fulfill these purposes.
Baycrest collects personal information for purposes related to client care, administration and management of the health care system, administration and management of Baycrest’s programs and services, research, teaching, statistics, fundraising, and in order to comply with legal and regulatory requirements.
When personal information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified. Unless the new purpose is permitted or required by law, consent is required before the information can be used for that purpose.
The consent of the individual or his or her legally authorized representative (for example, a substitute decision-maker such as an attorney for personal care or family member) is required for the collection, use, or disclosure of personal information, except where the law permits or requires otherwise. Baycrest will obtain the individual’s express consent, or rely on implied consent, in accordance with the law and Baycrest policy.
Individuals can give consent in many ways. For example, it may be given in a particular manner (orally or in writing), or at a particular time (such as when the individual receives a service or treatment). An individual may withdraw consent at any time, but the withdrawal cannot be retroactive. The withdrawal may also be subject to legal or contractual restrictions and reasonable notice.
Baycrest limits the amount and type of personal information it collects to that which is necessary to fulfill the purposes identified. It is collected in a manner that does not mislead or deceive about the purpose for the collection.
Personal information is used, disclosed and retained only as long as is necessary to fulfill the purposes for which the information was collected, except with the consent of the individual or as permitted or required by law.
Baycrest has developed guidelines and has implemented procedures with respect to the retention and destruction of personal information, as permitted or required by law.
To the extent reasonably possible, personal information will be as accurate, complete, and up to date as is necessary for the purposes for which it is to be used. Personal information that is used on an ongoing basis, including information that is disclosed to third parties, is generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
Baycrest does not routinely update personal information, unless this is necessary to fulfill the purposes for which the information was collected.
Baycrest has implemented security safeguards for the personal information it holds, including:
- Physical measures (such as locked filing cabinets and restricted access to offices where personal information is held)
- Organizational measures (such as permitting access on a “need-to-know” basis only)
- Technological measures (such as the use of passwords, encryption, and audits)
Baycrest has taken steps to ensure that the personal information in its custody and control is protected against theft, loss and unauthorized use or disclosure, and from unauthorized copying, modification, and disposal.
Baycrest makes its employees, appointed medical staff, researchers, clinical and research fellows, scientists, students and volunteers aware of the importance of maintaining the confidentiality of personal information, and has incorporated privacy into its orientation and core curriculum training.
Baycrest will make readily available specific information about its policies and practices relating to the management of personal information, in a form that is generally understandable, including:
- The name or title, and the address, of the person(s) accountable for Baycrest’s privacy policies and practices, and to whom complaints or inquiries can be forwarded
- the means of gaining access to personal information held by Baycrest
- a description of the type of personal information held by Baycrest, including a general account of its use and disclosures
- a copy of brochures or other information that explains Baycrest’s privacy policies, standards, or codes
- what personal information is made available to related organizations (e.g. Baycrest Foundation)
Upon request, Baycrest will inform an individual of the existence, use and disclosure of his or her personal information and he or she will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it corrected as appropriate.
The reasons for denying or restricting access will be provided to the individual.
An individual may be required to provide sufficient information to permit Baycrest to provide an account of the existence, use, and disclosure of his or her personal information. The information provided will only be used for this purpose.
Baycrest responds to access requests within the timeframes set by law, and at a reasonable cost. The requested information is made available in a form that is generally understandable. Baycrest may also choose to make health information available through a health care professional.
When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, Baycrest will correct the information as required. Otherwise, the individual may require that a statement of disagreement be attached to the record of personal information.
Upon request of the individual, the corrected information or statement will be transmitted to third parties to whom the information in question has recently been disclosed.
Please contact the Interim Chief Privacy Officer at 416-785-2500 ext. 3126, or by e mail at: firstname.lastname@example.org if you have questions or concerns about Baycrest’s compliance with these principles. You may also make a complaint to the Information and Privacy Commissioner/Ontario, by calling 416-326-3333 or toll-free at 1-800-387-0073, or visit her website at: http://www.ipc.on.ca/.