Manual: Governance, Finance and Human Resources/Systems
Effective date: January 2014
Policy or Procedure No. HRS28
YouthLink recognizes the importance of maintaining the privacy, security and accuracy
of personal information, including personal health information, in accordance with
applicable privacy legislation including the Ontario Personal Health Information Protection Act,
2004 (“PHIPA”). YouthLink is committed to protecting the privacy of all clients,
employees, board members, volunteers and student placements.
The purpose of the policy is to outline YouthLink’s policy for the collection, use,
disclosure and protection of personal and personal health information of our clients,
employees, board members, volunteers and student placements.
This policy sets out the principles and procedures that YouthLink follows in meeting
our privacy commitments to our clients, employees, board members, volunteers and
student placements and complying with applicable privacy legislation including the
Ontario Personal Health Information Protection Act, 2004 (PHIPA).
The Senior Manager, Human Resources is the designated Privacy Officer for YouthLink
areas. All clinical staff are designated agents of the Health Information Custodian (i.e.
and personal health information, which they may obtain through the course of their
duties and responsibilities at YouthLink.
All employees, volunteers and student placements are required to sign a
Confidentiality Agreement, on their initial orientation, binding them to maintaining the
confidentiality of all personal or personal health information to which they have access.
(See YouthLink HR Policy on Confidentiality).
Clinical staff will explain to clients their rights and responsibilities from the beginning
of their contact and throughout the course of their service from YouthLink. All clients
will be provided with a written statement that describes the agency’s privacy practices
and the contact information of the Privacy Officer.
“Personal information” is defined as information about an identifiable individual or as
information that allows an individual to be identified. It includes but is not limited to
- race, national or ethnic origin, colour, religion, age, gender, sexual orientation, or
marital or family status of the individual;
- information relating to employment or educational history;
- information relating to medical, psychiatric, psychological history, prognosis, condition, treatment or evaluation;
- any identifying number (e.g. S.I.N.), symbol or other particular assigned to the individual;
- telephone numbers and / or home address;
- personal opinions of, or about, an individual;
- the individual’s name where it appears with or reveals other personal information;
- correspondence sent to YouthLink by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence;
- employee information including curriculum vitae, salary and benefits, disciplinary action and bank account information;
- identifiable images of individuals.
Information about individuals acting in their business or professional capacity such as
name and title, work address (including office location), work telephone number,
YouthLink’s email address, etc. is not personal information.
“Personal Health Information” includes any information about an individual’s health
or health care history. It includes but is not limited to the following:
- physical or mental health of the individual, including family health history;
- health care provided including the identification of health care provider(s);
- payments or eligibility for health care;
- an individual’s health number;
- the individual’s substitute decision-maker.
A “Health Information Custodian” as provided under the Ontario Personal Health
Information Protection Act, 2004 (PHIPA) includes health care practitioners, institutions
and agencies that hold custody or control of personal health information. As an agency
providing community mental health services, YouthLink is a Health Information
Custodian under PHIPA.
“Express Consent” means permission that must be specifically obtained from the client.
“Implied Consent” means that staff or the agency may conclude from the surrounding
circumstances that the client would agree to the collection, use or disclosure of his / her
personal health information.
YouthLink will inform clients, employees, board members, volunteers and student
placements about the agency’s privacy policies and procedures on their first
involvement / employment at YouthLink.
YouthLink will collect, use and disclose personal or personal health information with
the informed consent of individuals, unless such information is required or authorized
by law (e.g. specific sections of the Labour Relations Act, Occupational Health & Safety Act
An individual’s express, written consent will be obtained before or at the time of
collecting personal or personal health information as outlined in Section 6 (Client
Record) of the Client Service Manual. The purposes for the collection, use or disclosure
of the information will be provided to the individual at the time of seeking his or her
consent. Once consent is obtained from the individual to use his / her information for
those purposes, YouthLink has the implied consent of the individual to collect or
receive any supplementary personal information that is necessary to fulfil the same
purpose. Express consent from the individual will be obtained if, or when, a new use is
An individual may limit the information that YouthLink is able to share or limit
those with whom YouthLink can share the information. Such limitations, however,
may restrict the services and / or programs YouthLink is able to provide. If the client
chooses not to provide YouthLink with essential information, it is possible that
YouthLink may not be able to provide the client with service or program opportunities.
YouthLink will always do its best to resolve any concerns that the client may have so
that YouthLink can provide him/her with programs and services in the best way
An individual may also withdraw his / her consent, whether express or implied, at any
time by providing written notice to YouthLink, but the withdrawal of the consent shall
not have retroactive effect.
3. Collection, Use & Disclosure
YouthLink is committed to providing our clients with the best possible services to meet
their needs. In order to achieve the above, YouthLink may collect, use or disclose
personal health information, when applicable, for the following purposes:
- To provide clients with quality counselling / treatment programs and services;
- To provide clients with personal and community health programs and services;
- To allow YouthLink to contact and maintain communication with its clients;
- For professional supervision related to the work of the agency with our clients;
- To communicate with and make referrals to other providers, including
specialists and other health, mental health and social service agencies;
- To comply with any legal or regulatory requirements including Children’s
Mental Health Ontario’s Accreditation site review;
- To allow chart audits to be conducted by qualified professionals to ensure that
YouthLink is doing a good job;
- For quality assurance purposes that include accreditation of the agency; and
- For such other reasons related to the purposes listed above.
YouthLink will only use or disclose personal or personal health information for the
purpose specified unless the law requires that information be disclosed.
Appropriate consent from clients will be obtained if YouthLink wishes to collect, use or
disclose personal health information for any purpose other than our main activities.
Personal or personal health information will be retained for as long as necessary to
fulfill the identified purposes or as required by law.
YouthLink will take precautionary steps that are reasonable in the circumstances to
ensure the security of personal and personal health information of clients, employees,
board members, volunteers and student placements in order to protect it from theft,
loss and unauthorized use, disclosure, copying, modification or disposal or similar
To protect the privacy and confidentiality of personal and personal health information,
YouthLink will ensure that the following security measures are followed:
- All paper files are stored in locked cabinets or behind a locked door when not in
use. Access to work areas where active files may be in use is restricted to
YouthLink employees only.
- All paper files containing confidential information will be destroyed by placing
them in one of the locked shredding boxes and shredded by a professional
- All electronic files are kept in a secured database and are password protected;
the system tracks all users. YouthLink’s internet router or server has firewall
protection sufficient to protect the security of all personal information. When no
longer required, electronic files are securely deleted so that the record is not
recoverable by any known means.
- Employee access to personal or personal health information of individuals will
be restricted only to those who need to know the information for the purposes of
- Original records will be kept at YouthLink and will not be shared.
- Personal information will not be transferred by email or other electronic form.
- Copies of released records are placed in sealed envelopes marked “confidential”
and sent by courier.
- Released records should not be faxed except under conditions such as:
  - Individuals have given written authorization to release the information
    through fax or by phone. A copy of the authorization should be
    documented in the individual’s file.
  - Where it is questionable that the receiving party has a confidential fax
    machine, YouthLink will call ahead to the receiving party to ensure
    someone is available to collect the information being transmitted;
  - YouthLink fax referral sheet must be used identifying that the information
    is “confidential” and the name of the recipient of the information.
- No information will be released over the phone unless the identity of the
person making the telephone request is verified and confirmed.
- Client files will be kept at YouthLink for three years. Thereafter, all inactive files
will be stored offsite with a professional records management and storage
company for at least 20 years for residential clients and 10 years for all other
clients. Any hard copy files to be destroyed will be sent back to YouthLink Head
Office and securely shredded onsite by a professional shredding company.
Matching electronic files will be destroyed at the same time.
- An individual whose personal information is stolen, lost or accessed by
unauthorized persons shall be notified at the first reasonable opportunity.
- We will continually review and update our security policies and controls as technology changes to ensure ongoing personal information security.
6. Right of Access
An individual may request to access his / her personal or personal health information
by submitting a written request to YouthLink’s Privacy Officer. The request must
contain sufficient detail to enable YouthLink to identify and locate the personal
information being sought with reasonable efforts.
YouthLink will strive to make the requested information available within 30 days, or
provide written notice for an extension of not more than 30 days where additional time
is required to fulfill the request.
If a request is refused in full or in part, YouthLink will notify the requesting individual
in writing, providing the reasons for refusal and the recourse available.
7. Accuracy and Right to Request for Correction
YouthLink will make reasonable efforts to ensure that all personal information,
including personal health information, is as accurate, complete and up-to-date as is
necessary to fulfill the purposes for which the information has been collected, used,
retained and disclosed. Individuals are requested to notify YouthLink of any change in
An individual may submit a written request to YouthLink to correct any inaccurate or
incomplete record of his / her personal or personal health information that is in
YouthLink’s custody. The request should be submitted to the Privacy Officer at
YouthLink and must provide sufficient detail to identify the personal information and
the correction being sought. The Privacy Officer will respond in writing within 30 days
as to whether the request is granted or refused or provide written notice for an
extension of not more than 30 days where additional time is required. The record will
either be amended or the individual will be notified of any reasons why such an
amendment cannot be made.
8. Enquiries or Complaints
Any questions, comments or complaints on privacy issues are to be directed, in writing,
to YouthLink’s Privacy Officer as follows:
Senior Manager, Human Resources
747 Warden Avenue
Tel: 416-967-1773, ext. 227
Upon verification of the individual’s identity, the Privacy Officer will make every effort to address concerns and respond in a timely manner.
An individual who is not satisfied with the findings or response from the Privacy Officer may contact the Information and Privacy Commission in writing as follows:
Information and Privacy Commission
2 Bloor Street East, Suite 1400
7.0 No exceptions: No exceptions to the policy without the approval of the Executive
Director and the Board of Directors.