This guideline was reviewed by the CAP Executive, November 26, 2004 and published in the 2005 CAP Winter Newsletter. This guideline was reviewed and approved by the CAP Executive, June 18, 2005.
Society has values and expectations about the appropriate handling of personal health information. These are expressed (in increasing specificity and concreteness) as:
- Ethical frameworks (codes, guidelines)
- Laws and Regulations
- Policies and Procedures
The document we will strive to craft falls under the category of “ethical framework”.
In 1979, recognizing that trust regarding personal data privacy is essential for a healthy international marketplace, the Organization for Economic Cooperation and Development (OECD) released a set of fair information principles known as the Guidelines for the Protection of Privacy and Transborder Flows of Personal Data. These were meant to harmonize national privacy legislation in OECD member countries.
The OECD Guidelines encompass eight principles:
1. Collection limitation
2. Data quality
3. Purpose specification
4. Use limitation
5. Security safeguards
7. Individual participation
In Canada, the OECD Guidelines are the basis of specific laws and policies such as:
- Canadian Privacy Act, Government of Canada (1983)
- Model Code for the Protection of Personal Information, Canadian Standards Association (1996)
- Policy Statement: Ethical Conduct for Research Involving Humans, Tri-Council MRC/NSERC/SSHRC (1998)
- Health Information Privacy Code, Canadian Medical Association (1998)
- Principles and Policies for the Protection of Personal Information, Canadian Institute for Health Information (2002)
The CSA Model Code is endorsed by many Canadian companies as the minimum national standard on privacy protection. It in turn forms the basis of the federal Personal Information Protection and Electronics Document Act (PIPEDA, 2000)
Some provinces have enacted or intend to enact legislation to deal specifically with the collection, use, and disclosure of personal health information, e.g. Ontario’s Personal Health Information Protection Act (PHIPA, 2004). The CSA Model Code forms the basis of most provincial privacy legislation passed since 1996.
In view of this legislative patchwork, health organizations that operate across provincial or national boundaries should consult the CSA Model Code.
Guidelines for the Protection of Health Information, Canada’s Health Informatics Association, 2004
Canadian Standards Association’s Model Code for the Protection of Personal Information
Many Canadian companies have implemented voluntary codes to safeguard their customers' privacy rights. Such codes are based on the premise that clients' personal information should not be misused, and that individuals should have access to their own personal information.
In 1996, the Canadian Standards Association (CSA) developed a voluntary code based on the work of the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, created by the international Organization for Economic Cooperation and Development (OECD). The CSA’s version, its Model Code for the Protection of Personal Information, has been endorsed by many Canadian companies as the national standard on privacy protection.
The ten basic principles of the Code are:
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Personal information shall be as accurate, complete and up-to-date as is necessary for the purpose for which it is used.
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information, and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
An individual shall be able to address a challenge concerning compliance with the above principles to the designate individual or individuals accountable for the organization's compliance.