Governance, Finance and Human Resources/Systems
Policy or Procedure No. HRS28
YouthLink recognizes the importance of maintaining the privacy, security and accuracy of personal information, including personal health information, in accordance with applicable privacy legislation including the Ontario Personal Health Information Protection Act, 2004 (“PHIPA”). YouthLink is committed to protecting the privacy of all clients, employees, board members, volunteers and student placements.
The purpose of the policy is to outline YouthLink’s policy for the collection, use, disclosure and protection of the personal and personal health information of our clients, employees, board members, volunteers and student placements.
This policy sets out the principles and procedures that YouthLink follows in meeting our privacy commitments to our clients, employees, board members, volunteers and student placements and complying with applicable privacy legislation including the Ontario Personal Health Information Protection Act, 2004 (PHIPA).
All employees, volunteers and student placements are required to sign a Confidentiality Agreement, on their initial orientation, binding them to maintaining the confidentiality of all personal or personal health information to which they have access. (See YouthLink HR Policy on Confidentiality).
Clinical staff will explain to clients their rights and responsibilities from the beginning of their contact and throughout the course of their service from YouthLink. All clients will be provided with a written statement that describes the agency’s privacy practices and the contact information of the Privacy Officer.
“Personal information” is defined as information about an identifiable individual or as information that allows an individual to be identified. It includes but is not limited to the following:
- race, national or ethnic origin, colour, religion, age, gender, sexual orientation, or marital or family status of the individual;
- information relating to employment or educational history;
- information relating to medical, psychiatric, psychological history, prognosis, condition, treatment or evaluation;
- any identifying number (e.g. S.I.N.), symbol or other particular assigned to the individual;
- telephone numbers and / or home address;
- personal opinions of, or about, an individual;
- the individual’s name where it appears with or reveals other personal information;
- correspondence sent to YouthLink by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence;
- employee information including curriculum vitae, salary and benefits, disciplinary action and bank account information;
- identifiable images of individuals.
Information about individuals acting in their business or professional capacity such as name and title, work address (including office location), work telephone number, YouthLink’s email address, etc. is not personal information.
“Personal Health Information” includes any information about an individual’s health or health care history. It includes but is not limited to the following:
- physical or mental health of the individual, including family health history;
- health care provided including the identification of health care provider(s);
- payments or eligibility for health care;
- an individual’s health number;
- the individual’s substitute decision-maker.
A “Health Information Custodian” as provided under the Ontario Personal Health Information Protection Act, 2004 (PHIPA) includes health care practitioners, institutions and agencies that hold custody or control of personal health information. As an agency providing community mental health services, YouthLink is a Health Information Custodian under PHIPA.
“Express Consent” means permission that must be specifically obtained from the client. “Implied Consent” means that staff or the agency may conclude from the surrounding circumstances that the client would agree to the collection, use or disclosure of his / her personal health information.
YouthLink will inform clients, employees, board members, volunteers and student placements about the agency’s privacy policies and procedures on their first involvement / employment at YouthLink.
YouthLink will collect, use and disclose personal or personal health information with the informed consent of individuals, unless such information is required or authorized by law (e.g. specific sections of the Labour Relations Act, Occupational Health & Safety Act etc.).
An individual’s express, written consent will be obtained before or at the time of collecting personal or personal health information as outlined in Section 6 (Client Record) of the Client Service Manual. The purposes for the collection, use or disclosure of the information will be provided to the individual at the time of seeking his or her consent. Once consent is obtained from the individual to use his / her information for those purposes, YouthLink has the implied consent of the individual to collect or receive any supplementary personal information that is necessary to fulfil the same purpose. Express consent from the individual will be obtained if, or when, a new use is identified.
An individual may limit the information that YouthLink is able to share or limit those with whom YouthLink can share the information. Such limitations, however, may restrict the services and / or programs YouthLink is able to provide. If the client chooses not to provide YouthLink with essential information, it is possible that YouthLink may not be able to provide the client with service or program opportunities.
YouthLink will always do its best to resolve any concerns that the client may have so that YouthLink can provide him/her with programs and services in the best way possible.
An individual may also withdraw his / her consent, whether express or implied, at any time by providing written notice to YouthLink, but the withdrawal of the consent shall not have retroactive effect.
3. Collection, Use & Disclosure
YouthLink is committed to providing our clients with the best possible services to meet their needs. In order to achieve this, YouthLink may collect, use or disclose personal health information, when applicable, for the following purposes:
- To provide clients with quality counselling / treatment programs and services;
- To provide clients with personal and community health programs and services;
- To allow YouthLink to contact and maintain communication with its clients;
- For professional supervision related to the work of the agency with our clients;
- To communicate with and make referrals to other providers, including specialists and other health, mental health and social service agencies;
- To comply with any legal or regulatory requirements including Children’s Mental Health Ontario’s Accreditation site review;
- To allow chart audits to be conducted by qualified professionals to ensure that YouthLink is doing a good job;
- For quality assurance purposes that include accreditation of the agency; and
- For such other reasons related to the purposes listed above.
YouthLink will only use or disclose personal or personal health information for the purpose specified unless the law requires that information be disclosed. Appropriate consent from clients will be obtained if YouthLink wishes to collect, use or disclose personal health information for any purpose other than our main activities.
On our website and online properties, YouthLink follows a standard procedure of using log files. These files log visitors when they visit websites. All hosting companies do this as part of hosting services’ analytics. The information collected by log files includes internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), date and time stamp, referring/exit pages, and possibly the number of clicks. These are not linked to any information that is personally identifiable. The purpose of the information is for analyzing trends, administering the site, tracking users’ movement on the website, and gathering demographic information.
Like many other websites, YouthLink uses “cookies”. These cookies are used to store information including visitors’ preferences (e.g. accessibility preferences), and the pages on the website that the visitor accessed or visited. The information is used to optimize the users’ experience by customizing our web page content based on visitors’ browser type and/or other information. Users can disable cookies by looking up the options and settings in their specific web browser.
Personal or personal health information will be retained for as long as necessary to fulfill the identified purposes or as required by law.
YouthLink will take precautionary steps that are reasonable in the circumstances to ensure the security of the personal and personal health information of clients, employees, board members, volunteers and student placements in order to protect it from theft, loss and unauthorized use, disclosure, copying, modification or disposal or similar risks.
To protect the privacy and confidentiality of personal and personal health information, YouthLink will ensure that the following security measures are followed:
- All paper files are stored in locked cabinets or behind a locked door when not in use. Access to work areas where active files may be in use is restricted to YouthLink employees only.
- All paper files containing confidential information will be destroyed by placing them in one of the locked shredding boxes and shredded by a professional shredding company.
- All electronic files are kept in a secured database and are password protected; the system tracks all users. YouthLink’s internet router or server has firewall protection sufficient to protect the security of all personal information. When no longer required, electronic files are securely deleted so that the record is not recoverable by any known means.
- Employee access to personal or personal health information of individuals will be restricted only to those who need to know the information for the purposes of their work.
- Original records will be kept at YouthLink and will not be shared.
- Personal information will not be transferred by email or other electronic form.
- Copies of released records are placed in sealed envelopes marked “confidential” and sent by courier.
- Released records should not be faxed except under conditions such as:
  - Individuals have given written authorization to release the information through fax or by phone. A copy of the authorization should be documented in the individual’s file.
  - Where it is questionable that the receiving party has a confidential fax machine, YouthLink will call ahead to the receiving party to ensure someone is available to collect the information being transmitted;
  - YouthLink fax referral sheet must be used identifying that the information is “confidential” and the name of the recipient of the information.
- No information will be released over the phone unless the identity of the person making the telephone request is verified and confirmed.
- Client files will be kept at YouthLink for three years. Thereafter, all inactive files will be stored offsite with a professional records management and storage company for at least 20 years for residential clients and 10 years for all other clients. Any hard copy files to be destroyed will be sent back to YouthLink Head Office and securely shredded onsite by a professional shredding company. Matching electronic files will be destroyed at the same time.
- An individual whose personal information is stolen, lost or accessed by unauthorized persons shall be notified at the first reasonable opportunity.
- We will continually review and update our security policies and controls as technology changes to ensure ongoing personal information security.
6. Right of Access
An individual may request to access his / her personal or personal health information by submitting a written request to YouthLink’s Privacy Officer. The request must contain sufficient detail to enable YouthLink to identify and locate the personal information being sought with reasonable efforts.
YouthLink will strive to make the requested information available within 30 days, or provide written notice for an extension of not more than 30 days where additional time is required to fulfill the request.
If a request is refused in full or in part, YouthLink will notify the requesting individual in writing, providing the reasons for refusal and the recourse available.
7. Accuracy and Right to Request for Correction
YouthLink will make reasonable efforts to ensure that all personal information, including personal health information, is as accurate, complete and up-to-date as is necessary to fulfill the purposes for which the information has been collected, used, retained and disclosed. Individuals are requested to notify YouthLink of any change in personal information.
An individual may submit a written request to YouthLink to correct any inaccurate or incomplete record of his / her personal or personal health information that is in YouthLink’s custody. The request should be submitted to the Privacy Officer at YouthLink and must provide sufficient detail to identify the personal information and the correction being sought. The Privacy Officer will respond in writing within 30 days as to whether the request is granted or refused or provide written notice for an extension of not more than 30 days where additional time is required. The record will either be amended or the individual will be notified of any reasons why such an amendment cannot be made.
8. Enquiries or Complaints
Any questions, comments or complaints on privacy issues are to be directed, in writing, to YouthLink’s Privacy Officer as follows:
Senior Director, Human Resources
636 Kennedy Road
Tel: 416-967-1773, ext. 227
Upon verification of the individual’s identity, the Privacy Officer will make every effort to address concerns and respond in a timely manner.
An individual who is not satisfied with the findings or response from the Privacy Officer may contact the Information and Privacy Commission in writing as follows:
Information and Privacy Commission
2 Bloor Street East, Suite 1400
7.0 NON-COMPLIANCE: Failure to comply with this policy may result in disciplinary action up to and including termination of employment or cessation of service contract.
8.0 No exceptions: No exceptions to the policy without the approval of the CEO and the Board of Directors.