Privacy legislation is based on 10 principles.
Accountability - An organization is responsible for information under its control, including information transferred to a third party.
Identifying purposes - Patients have the right to know what information is collected and how it is used, shared, retained, and disposed of. The purpose must be identified at or before the time of collection. The patient has the right to, and must be given the opportunity to, accept or reject the uses.
Consent - Knowledgeable consent is required from the patient to collect, use, share and retain information. Implied consent is used for most core activities of the hospital, with other forms of consent.
Similar to Consent to Treatment, Consent to Collect, Use and Share Information is based on the person's capacity to understand and there is no age of consent.
Limiting collection - Collect only the information that is necessary to accomplish the intended, informed purpose.
Limiting use, disclosure and retention - Information must not be used or disclosed for purposes other than those for which it was collected (except by consent/by law) and must be retained only as long as required for the intended purpose.
Accuracy - Patients have the right to request corrections or amendments to their records if they feel the records are inaccurate.
Safeguards - Organizations must implement appropriate safeguards to protect personal information against loss, theft, unauthorized access, use, disclosure, or copying. Strategies include physical measures (e.g. locked doors and filing cabinets), technology measures (e.g. passwords to network systems) and organizational measures (e.g. "need to know").
Openness - To be open and honest with patients and the community regarding our information management practices. (See Privacy web site, including FAQ)
Individual access - Patients have the right to access their information, including viewing or requesting a copy of their health record. (See Health Records web site for more information)
Provide recourse - Patients have the right to express their concerns regarding our information practices, including their right to take their concerns directly to the Privacy Commissioner of Ontario.