|Statement of Fair Information Practices: Introduction
Public Health Ontario (PHO) is an arm's-length government agency dedicated to protecting and promoting the health of all Ontarians and reducing inequities in health. As a hub organization, PHO links public health practitioners, front-line health workers and researchers to the best scientific intelligence and knowledge from around the world.
PHO provides expert scientific and technical support relating to infection prevention and control; surveillance and epidemiology; health promotion, chronic disease and injury prevention; environmental and occupational health; health emergency preparedness; and public health laboratory services to support health providers, the public health system and partner ministries in making informed decisions and taking informed action to improve the health and security of Ontarians.
PHO’s general policies and procedures with respect to information practices and privacy principles are available for public viewing in printed and electronic forms. In addition, specific purposes for collection of information are identified prior to the collection of information in research and other data sharing arrangements permitted by law and necessary for PHO’s objectives.
In order to carry out its legislated tasks of research and support, PHO will need to collect personal health information from health care providers and organizations as well as public health and government agencies. This may include identifying information as well as health histories, records of hospital visits, and follow-up medical care.
The framework for PHO’s privacy standards is founded on internationally recognized Fair Information Practices; including the CSA Model Code for the Protection of Personal Information (CAN/CSA-Q830-96). This Model Code is the basis of Canadian and provincial privacy legislation.
PHO is governed by the requirements of the Personal Health Information Protection Act and the Freedom of Information and Protection of Privacy Act. PHO is required to comply with the requirements of the legislation and does so by incorporating the principles of the Model Code, widely agreed upon privacy principles, standards and other relevant guidance.
The Model Code’s 10 principles are:
- Identifying purposes
- Limiting collection
- Limiting use, disclosure, and retention
- Individual access
- Challenging compliance
PHO’s Statement of Fair Information Practices discusses each principle individually as it applies to the operation of the agency.
1. Accountability for personal health information
PHO is responsible for personal health information within its custody or control. This applies to information used by PHO and its employees, contractors, consultants, agents, researchers or by a research partner in the course of working for or with PHO.
PHO’s president and chief executive officer and its privacy officer are responsible for PHO’s compliance with policies, practices and procedures to safeguard privacy, confidentiality and security.
2. Identifying purposes for personal health information
PHO will use personal health information and may disclose the information to researchers or other agencies and organizations working with PHO, in accordance with this policy, relevant legislation, and the mandate of PHO. For instance, PHO may use your information to:
- conduct research or compile statistics
- to track, monitor or analyze health and disease trends
- to inform and address infectious emergencies
- to provide laboratory services
- to educate the public and health care professionals
- to develop new health care treatments and tools
3. Consent for collection, use, and disclosure of personal health information
PHO acknowledges the principle of consent in respect of the collection, use and disclosure of personal health information. PHO has established procedures for obtaining consent for the direct collection of personal health information from an individual, as required by law, as well as the use and disclosure that follows this manner of collection. PHO will rely on primary information collectors to ensure the appropriate consent is obtained from the individual in all other cases of collection.
4. Limiting collection of personal health information
PHO collects personal health information from health information custodians, government and public agencies, and prescribed registries and entities in accordance with relevant law in order to fulfil its legislative mandate. PHO only collects as much information as is necessary for these purposes.
5. Limiting use, disclosure and retention of personal health information
PHO only uses information for the purposes for which it was collected and information will be retained and/or disclosed only as necessary and in accordance with the law and these policies.
6. Accuracy of personal health information
PHO will ensure that all personal health information within its custody or control will be as accurate, complete, and up-to-date as is required and will comply with legislative provisions respecting accuracy when disclosing information. PHO will ensure that all personal health information disclosed to another party is as accurate, complete, and up-to-date as is required and possible in the circumstances.
7. Safeguards for personal health information
PHO has developed, implemented and will enforce physical, administrative, and technical safeguards to ensure the security and confidentiality of all personal health information within its custody or control. Regular audits are conducted to monitor compliance with privacy requirements and full investigations will be completed to address any real or potential security vulnerabilities.
8. Openness about information practices
Information about PHO’s policies and procedures with respect to privacy and information practices are available in printed and electronic form. Further requests for information or answers to questions or concerns may be obtained from the privacy officer.
9. Access to and correction of personal health information
PHO will assist individuals to access their personal health information to the best of its ability wherever it is required to do so, in accordance with its legislative responsibilities.
In respect of information indirectly collected by PHO from primary or secondary information collectors, the individual will be referred to the original record holder for access to the complete record of personal health information and to request corrections.
10. Challenging compliance
|Who can I contact for further information?
Questions or comments regarding PHO’s practices or the administration of the Personal Health Information Protection Act and the Freedom of Information and Protection of Privacy Act may be directed to the Office of the Privacy Officer, by e-mailing email@example.com.
|How to make an access request
A request can be made by writing to the privacy officer, identifying in as much detail as possible the information you are requesting and any other information that will help us locate the records.
A $5.00 application fee per request is required and is payable to Public Health Ontario.
Please submit your request, in writing, to:
Public Health Ontario
Suite 300, 480 University Avenue
Toronto, ON M5G 1V2
We respond promptly to your request
We will deal quickly with your request and respond to you within 30 days. If we need to extend the time, or we have to refuse your request, we will tell you why, subject to any legal restrictions. We will notify you of the new deadline, the reasons for the extension, and your rights under applicable legislation respecting the extension.
We protect other people's privacy when we make information available to you
Some files may include the personal information of an individual or have information confidential to PHO. As we must protect everyone's confidentiality and legal rights we cannot make these files available to you. However, we will make available to you any factual information contained in such files.
I'm not satisfied with how my personal information is being handled
If you feel that PHO has improperly managed your personal information, you should discuss your concerns with PHO’s privacy officer by e-mail at firstname.lastname@example.org. Or you can write to:
Public Health Ontario
Suite 300, 480 University Avenue
Toronto, ON M5G 1V2
You have a choice
Internet communications that contain personal information are neither secure nor verifiable. It is recommended that unencrypted personal information should never be circulated over the Internet or by e-mail. If you choose not to use the Internet to provide personal information to PHO, you can contact us by mail.
If your complaint is not resolved to your satisfaction, you have the right to complain to the Information and Privacy Commissioner of Ontario. The Commissioner can be reached at:
The Information and Privacy Commissioner of Ontario
T: 416-326-3333 or 1-800-387-0073