First Nations and Inuit Health Information System (FNIHIS)

Home and Community Care (HCC)/ Electronic Service and Delivery Template (ESDRT)

The HCC/ESDRT login page is password-protected for authorised users only. This application is intended for the First Nations and Inuit Home and Community Care Program.

Start the application

Electronic Human Resource Tracking Tool (e-HRTT) Privacy Policy & Legacy Info

e-SDRT plus e-HRTT = e-SDRT Version 5.0 available APRIL 1, 2009

On April 1, 2009, e-SDRT/e-HRTT Version 5.0 will be available to all users. This new version incorporates the 3 new worksheets that make up the new Electronic Human Resource Tracking Tool (e-HRTT). e-HRTT is an enhancement to e-SDRT that enables communities to capture information related to human resources. It replaces the current hard copy report.

Please use e-HRTT to submit your 2008 - 2009 Contribution Agreement Human Resource Tracking Report.
Training sessions are being held in every Region. If you have not had, or been scheduled to attend, a training session, please contact your Regional Home and Community Care Program Coordinator.

The e-SDRT system will not be available on March 31, 2009 to allow for the transition to Version 5.0.

On April 1, 2009:

1. Contact your Regional Help Desk to obtain access to e-HRTT. It is up to the community to determine who should have access.
2. Download e-SDRT/e-HRTT Version 5.0:
   1. Go to: Education
   2. Right click on the e-SDRT/e-HRTT Version 5.0 icon
   3. Select: Save Target As
   4. Name and save to desktop (or wherever you save your e-SDRT worksheets)
   5. Select: Open
   6. Select: Enable Macros (see note below)
   7. Enter data
   8. Save

Note: To check to see if you have enabled your macro, click on the Calculator button located in the top middle of the e-HRTT HR Staff Worksheet. The Calculator will not work if you have not enabled the macros.

3. Upload e-HRTT data:

The process for uploading e-HRTT data is the same as for uploading e-SDRT data. You can upload your e-HRTT data on its own or with your 2009 e-SDRT data.

Most common reasons for not being able to upload successfully:

• Community/Tribal Council Name is not entered correctly. Spelling must exactly match the name in the system files. If you are not sure of the spelling, go to Education Links and click on the 'Valid Community Names' icon
• Macros were not enabled (see above)

4. Start a new worksheet:

When you have saved and uploaded your monthly data, save the e-SDRT/e-HRTT worksheet a second time and name the second/new file with the next month's date. Then delete the old e-SDRT Service Delivery data and the Client Demographic data that will not be used in the new month. This process eliminates the need to copy and paste e-HRTT data every month.

Upgrades to e-SDRT

There is only one minor change to the e-SDRT worksheets this year:

• On the Home Care Services worksheet, Number of Home Visits has been changed to Number of Home Visits/Events. This change will more accurately reflect the times spent doing Case Management.
  
  Note: Case Management is a large part of a nurse's workload. Please remember to track your Case Management time in e-SDRT. If you have any questions re: what is included in Case Management, consult the on-line e-SDRT/e-HRTT Manual which can be accessed at Education Links, or contact your Nurse Advisor.

There are a few changes to the e-SDRT Reports:

1. Number of types of reports has been reduced. The quarterly and semi-annual reports have been eliminated. Monthly and Annual reports will continue to be generated. The Annual reports will provide you with year-to-date information. This change has been made because, due the amount of data, the system is no longer able to generate all of the reports in a timely fashion.
2. The Mandatory and Non-Mandatory Reports will be combined into one eSDRT report. This change has been made to reflect the increase in mandatory, and decrease in non-mandatory, fields over the past few years. This change will take effect September 2009.
3. The e-SDRT system will no longer allow you to upload data that is more than 18 months old. This change has also been made due to the amount of data and slow system report generation. There is no time limit for e-HRTT data.
4. The reports content will be expanded to include Number of Active Clients (by month, fiscal year and calendar year). An Active Client is defined as a client who has received home care services within the designated time frame. This change will take effect September 2009.
5. The Community Space Report will only be generated if there is a value greater than 0 in the report. This will eliminate the number of pages of the report. This change will take effect September 2009.

Discharge Client

Please, Please, Please discharge your clients from e-SDR

It may take a few extra minutes each month to discharge the clients but by not discharging them, the data, and hence our reporting ability is being negatively impacted

1. The number of HCC clients being reported by e-SDRT is much higher than the number of clients who have actually received services over the year. In some communities, the number of 'active' clients is almost equal to the population of the entire community!
2. The Average Length of Stay for HCC clients is showing as being over 500 days. While many of the clients are long term, this is not the average!
3. It is not possible to calculate numbers related to the average number of hours of service to the average client. By not discharging clients, the numbers indicate we have an enormous number of clients, each of who receive very few hours of care per year! (number of service delivered hours divided by the number of clients)
4. 'Reason for Discharge' provides the program with important information.

Protecting Personal Information

The Protecting Personal Information (PPI) course is designed to present key concepts related to privacy and confidentiality in preparation for your future use of eHealth software applications.

Please contact your respective regional support to request access code and/or reference material for Protecting Personal Information(PPI) training.

• Privacy Resources Below

Home and Community Care Program

Users of the electronic Service Delivery Reporting Template (e-SDRT) and the electronic Human Resource Tracking Tool (e-HRTT) can get copies of the documents listed below by contacting their regional Help Desk.

• eSDRT/eHRTT - Excel Spreadsheet v5x0
• e-SDRT/HCC User Training Guide v5.0
• e-HRTT User Training Guide v5.0
• eSDRT Excel Spreadsheet v5x0
• eHRTT Excel Spreadsheet v5x0

Help Desk

Alberta Region
Help Desk (877) 495-5334 Toll Free
Fax (780) 495-2687
Health Canada
9700 Jasper Ave., Suite 730
Edmonton AB T5J 4C3

Saskatchewan Region
Help Desk (877) 772-7715 Toll Free
Fax (306) 780-7137
Health Canada
2045 Broad Street, 5th Floor
Regina SK S4P 3T7

Manitoba Region
Help Desk (800) 846-6428 Toll Free
Fax (204) 984-1940
e-Health Solutions Unit
Manitoba Regional Office
First Nations and Inuit Health Branch
300 - 391 York Ave
Winnipeg MB R3C 4W1

Ontario Region
Help Desk (800) 241-2751 Toll Free
Fax (613) 952-0177
Health Canada
1547 Merivale Road, 3rd Floor
Ottawa ON K1A 0L3

Quebec Region
Help Desk (877) 543-5353 Toll Free
Fax (514) 283-6567
Health Canada
200 René-Lévesque Blvd. West
East Tower, 2nd Floor, Room 202-145
Montréal QC H2Z 1X4

Atlantic Region
Help Desk (877) 426-4515 Toll Free
Fax (902) 426-8675
Health Canada
1505 Barrington Street, Suite 1525
Halifax NS B3J 3Y6

National Help Desk
(613) 301-2276
Fax (613) 595-0395
Health Canada
340 Legget Drive, Room E107
AL: 2801C
Ottawa ON K1A 0K9

Resources

There are many resources for professional development related to privacy issues. Please note that while we have included several Internet-based resources, their addressing information may be subject to change.

• Privacy Principles
  • OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
  • CSA Model Code for the Protection of Personal Information
• Canadian Legislation
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Privacy Act
• United States Legislation
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Legislation, Codes and Standards
  • References
  • Canadian Privacy Overview
  • Privacy Impact Assessments
  • Organizations

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

The Organization for Economic Co-operation and Development (OECD) is composed of 30 member countries that share a commitment to democratic government and the market economy. Through its publications and statistics, the organization covers economic and social issues. The OECD produces internationally agreed instruments; decisions and recommendations to promote a common set of "rules" that foster multilateral agreement.

In September 1980, the OECD issued a set of guidelines designed to protect the privacy of personal information without interrupting the free flow of information between borders. These broad guidelines have become the baseline standard for privacy and data protection initiatives and have influenced most current international agreements, national laws, and self-regulatory policies. The guidelines are broken down into the following eight principles:

1. Collection Limitation
   • There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
2. Data Quality
   • Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
3. Purpose Specification
   • The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
4. Use Limitation
   • Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle except with the consent of the data subject or by the authority of law.
5. Security Safeguards
   • Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
6. Openness

There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

7. Individual Participation

An individual should have the right:

• to confirmation of whether the data controller has data relating to the individual;
• to have communicated, data relating to the individual within a reasonable time, at a charge if any that is not excessive, in a reasonable manner, and in a form that is readily intelligible to the individual;
• to be given reasons if a request is denied and to be able to challenge such denial; and
• to challenge data relating to the individual and, if the challenge is successful to have the data erased, rectified, completed or amended.

8. Accountability

A data controller should be accountable for complying with measures, which give effect to the principles stated above.

CSA Model Code for the Protection of Personal Information

In 1996, the Canadian Standards Association (CSA) released its Model Code for the Protection of Personal Information. It was designed to add uniformity to Canada's "patchwork" of data protection policies and practices.

The code was developed in consensus with industry, government and business representatives and it quickly became regarded as a de facto national standard. The code closely follows the principals set forth by the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

The Model Code forms the foundation for the majority of Canadian privacy legislation that has subsequently been developed, including POPIA and PIPEDA. The Code establishes ten principles, or fair information practices, for organizations that collect and use personal information. These ten fair information practices can be found on the following page.

Fair Information Practice

1. Accountability. A public body is responsible for personal information under its control. The chief executive officer of a public body, and his or her designates, are accountable for the public body's compliance with the following principles.
2. Identifying Purposes. The purposes for which personal information is collected shall be identified by the public body at or before the time the information is collected.
3. Consent. The consent of the individual is required for the collection, use, or disclosure of personal information, except where inappropriate.
4. Limiting Collection. The collection of personal information shall be limited to that which is necessary for the purposes identified by the public body. Information shall be collected by fair and lawful means.
5. Limiting Use, Disclosure and Retention. Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required or expressly authorized by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
6. Accuracy. Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
7. Safeguards. Personal information shall be protected by safeguards appropriate to the sensitivity of the information.
8. Openness A public body shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
9. Individual Access. Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information, except where inappropriate. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging Compliance. An individual shall be able to address a challenge concerning compliance with the above principles to the individual or individuals accountable for the public body's compliance.

Personal Information Protection and Electronic Documents Act V (PIPEDA)

• PIPEDA, known as Bill C-6 while in Parliament, became law on April 13, 2000.
• Part One of the bill concerns the privacy of personal information.
• PIPEDA applies to organizations (including associations, a person, trade unions) that collect, use or disclose personal information in the course of commercial activities.
• Personal information is defined as any information that could be used in identifying a particular individual beyond his or her name, title, business address or telephone number as an employee of the organization.
• A commercial activity has a broad definition that includes any transaction or act of a commercial character. This would include the selling or leasing of membership or other fundraising lists.
• This privacy legislation will be implemented in three separate stages.
• On January 1, 2001 the law applied to personal information (except personal health information) collected and used by "federal works", these are federally regulated organizations, such as airlines, banks, and telecommunications companies.
• Certain organizations, such as insurance companies and credit unions, are subject to some federal regulations but are considered to be within provincial jurisdiction under the Constitution and are not "federal works" for purposes of this Act.
• At this stage, the act also applies to disclosures of personal information for consideration across provincial or national border. The information itself must be the subject of the transaction and the consideration is for the Information. An example could be organizations that lease, sel1 or exchange mailing lists or other personal information.
• Beginning January 1, 2002 the Act extends to personal health information for the organizations and activities that have been covered in the first stage.
• Personal health information is defined as information about an individual's mental or physical health, including information concerning health services such as tests and examinations.
• On January 1, 2004 the law extends to any organization that collects, uses or discloses personal information in the course of any commercial activity within a province.
• In provinces with substantially similar privacy legislation, the organizations or activities covered by the provincial law will be exempted from PIPEDA privacy regulations within that province.
• PIPEDA builds on previous privacy best practices. Much of PIPEDA is devoted to codifying the ten privacy principles already set forth in the 1996 Canadian Standards Association (CSA) Model Code for the Protection of Personal Information.
• These ten principles relate to (1) accountability, (2) identifying purposes, (3) consent, (4) limiting collection, (5) limiting use, disclosure and retention, (6) accuracy, (7) safeguards, (8) openness, (9) individual access, and (10) challenging compliance.
• All organizations are required to designate an official(s) to deal with privacy issues and will need to have policies and procedures in place relating to the collection, use and dissemination of information. These policies and practices must be made available to the public.
• One of the most important principles, especially in the health care field, relates to consent. The knowledge and consent of the individual are required for the collection, use or disclosure of personal information.
• Organizations must identify the purpose for the information they are collecting and how it may be used and disclosed. Only the minimum amount of information necessary to fulfill the purpose required should be collected.
• Employees who are collecting personal information should be able to explain to individuals the purpose for which the information is being collected.
• If the information will be used for another purpose than originally identified, consent must be obtained again.
• An authorized representative such as a legal guardian or a person that has power of attorney can give consent.
• What a person has consented to must be clearly defined and can be in any form, such as an application form, check-off box or given orally.
• There are exceptions, but generally consent can be withdrawn at any time.
• Consent is not needed when an organization uses personal information solely for journalistic, artistic, literary or personal purposes, such as Christmas card lists.
• Consent would not be needed to use or disclose personal information in certain security or criminal matters, such as warrants and subpoenas.
• When determining if consent is needed, staff should consider the interest of the individual. Therefore, consent would not be needed if the information was already publicly available or if consent could not be obtained in a timely way.
• Explicit consent is not required when the individual would reasonably expect their information to be collected, used or disclosed. For example, pharmacists can assume implicit consent when disclosing patient information to the prescribing physician for the purpose of delivering the service requested. However, they would have to obtain the explicit consent of patients to sell personal information to drug manufacturers for marketing purposes.
• Service cannot be denied as a result of the person's failure to provide their consent for the use of their personal information.
• Any previously collected information must be used in accordance with the new privacy laws (there is no grandfather clause).
• Organizations must take reasonable measures to safeguard personal information. The measures taken must reflect the sensitivity of the information. Security measures could include locked cabinets, computer passwords, and ensuring only staff who need personal information have access to it.
• Under PIPEDA, organizations must use contractual or other means to ensure that third parties with whom they share personal information provide a comparable level of protection.
• Personal information can only be retained as long as it is needed to fulfill the purposes for which it was collected. After this time it must be made anonymous or destroyed.
• With a written request an individual has the right to be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information.
• Organizations must help individuals who request assistance in preparing a written request for access to their information.
• Individuals can challenge the accuracy and completeness of the information and have it amended as appropriate.
• In some circumstances, requests to information can be denied. Examples would include information that contains references to other individuals, for legal or security reasons or if granting access to the information would be prohibitively costly.
• Individuals who believe their personal information has been misused are required to contact the organization's designated privacy official.
• If not satisfied with an organization's response, individuals can complain to the federal Privacy Commissioner. The Commissioner has the authority to audit an organization's privacy practices and is granted much power in summoning witnesses and to compel evidence in cases where voluntary cooperation is not forthcoming. In the event an organization has obstructed the Commissioner or his delegate, then fines between $10,000 and $100,000 may be applied.
• If an organization does not comply with the Commissioner's recommendations, the Federal Court may order an organization to correct their privacy practices. The Court can award damages to a complainant, including damages for humiliation. There is no ceiling on monetary damages that the Court may award.

The Privacy Act

• The Privacy Act took effect on July 1, 1983 and applies to over 150 federal government departments and agencies.
• Federal government records such as employment insurance files, tax records and military records are covered by the Act.
• The Act places limits on the collection, use and disclosure of personal information. For example, the Act limits the collection of personal information to the minimum details needed to operate programs or activities; requires that individuals are informed why their information is being collected and how it will be used; and restricts the use of information to only those purposes specified, unless otherwise allowed by law.
• Personal information is any factual or subjective information about an identifiable individual. This would include an individual's age, name, medical records, and evaluations (e.g. job performance evaluation).
• Personal information is protected regardless of the form it is in, such as video and audiotape of information held "electronically".
• Personal information does not include information that could be found through publicly available resources such as the telephone book.
• The Act allows individuals the right to access and correct personal information about them held by the covered federal government departments and agencies.
• The Privacy Commissioner of Canada is responsible for ensuring that the covered agencies and departments comply with the Privacy Act and individuals may make complaints to the Commissioner's office.
• In his role as an ombudsman, the commissioner attempts to resolve complaints through negotiation and mediation. However, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence.

Health Insurance Portability and Accountability

• HIPAA was passed in 1996, motivated by a desire to make health insurance more affordable and accessible.
• Title II of HIPAA includes a section called Administrative Simplification. This section includes provisions designed to save money for health care businesses by encouraging electronic transactions and at the same time requires new safeguards to protect the security and confidentiality of that information. Administrative Simplification specifically calls for the following standards:
  • Electronic transaction standards
  • Health information privacy (the "Privacy Rule")
  • Security requirements
  • Unique identifiers for employers, providers, health plans and individuals
  • Enforcement procedures
• HIPAA gave congress until August 21, 1999 to pass these Administrative Simplification provisions; when this did not happen the law required the Department of Health and Human Services (DHHS) to craft these standards by regulations.
• HIPAA covers all healthcare providers (e.g. doctors, hospitals and pharmacists) who electronically transmit health claims, health plans (e.g. traditional insurers and HMO's) and "clearinghouses" (those that process health claims information for providers and insurers). Those that contract with other "business associates" to perform some of their essential functions must also comply.
• Those that must comply with HIPAA are called "covered entities".
• For each set of standards, HHS first adopts proposed requirements for public comment; based on this feedback the requirements are revised and final regulations are issued.
• Final regulations have been issued for electronic transaction standards and health information privacy (the "Privacy Rule").
• DHHS issued final electronic transaction standards in August 17, 2000. Covered entities have until October 16, 2003 to comply with these standards.
• All health care providers will be able to use the electronic format to bill for their services and all health plans will be required to accept these standard electronic claims, referral authorizations and other transactions.
• The Privacy Rule was published on December 28, 2000 and compliance is required for the Privacy Rule on April 14, 2003 (small plans have until April 14, 2000).
• HIPAA's Privacy Rule limits the use and release of personal health information and gives patients the right to access and amend their medical records.
• The Privacy Rule provides the first comprehensive federal protection for the privacy of health information and establishes a federal floor of protection or safeguards. State laws that provide stronger protections will continue to apply over and above the new federal privacy standards.
• The Privacy Rule is intended to do the following:
  • Limit the non-consensual use and release of private health information
  • Give patients the right to access their medical records and to know who else has access to them
  • Restrict most disclosures of health information to the minimum needed for the intended purpose
  • Establish new criminal and civil sanctions for improper use or disclosure
• The Privacy Rule protects all medical records and other individually identifiable health information (health information that could be linked to a person) that is transmitted or maintained by a covered entity in any form, whether electronically, on paper, or orally. This information is called "protected health information" (PHI).
• A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI).
• Policies and procedures with respect to PHI must be designed to comply with the standards outline in the Privacy Rule. These policies and procedures must be reasonably designed based on the size and type of activities the covered entity is engaged in.
• These policies and procedures need to be available to the organization's patients in the form of a "notice".
• A covered entity must obtain patient consent before using or disclosing their health care information. Patients must be given the covered entity's notice before consent is obtained.
• Disclosures of health information must be restricted to the minimum needed for the intended purpose.
• Patients must be able to see and get copies of their records, request amendments and see reports of what non-routine disclosures have been made. Generally, a non-routine disclosure is one that is for something other than treatment, payment or health care operations (TPO).
• Covered entities must designate a Privacy Official, train their staff for HIPAA compliance and establish a complaints process.
• The steps taken to comply with the Privacy Rules requirements need to be documented, such as who the privacy officer is and the training that has been developed and implemented.
• The Department of Health and Human Services (DHHS) Office of Civil Rights (OCR) will enforce HIPAA standards, including the Privacy Rule, and access rights for consumers under the rule.
• Improper use or disclosure of PHI is subject to both criminal and civil sanctions. There is civil liability of $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated.
• Criminal penalties for knowingly violating patient privacy are as follows:
  • Up to a $50,000 fine and one (1) year in prison for obtaining or disclosing PHI
  • Up to a $100,000 fine and five (5) years in prison for obtaining PHI under false pretenses
  • Up to a $250,000 fine and ten (10) years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

Legislation, Codes and Standards

American Society for Testing and Materials (ASTM)
American Society for Testing and Materials (ASTM)

COACH Guidelines for the Protection of Health Information
COACH Canadian Organization for Advancement of Computers in Health

CSA Model Code for the Protection of Personal Information
Canadian Standards Association (CSA)
Text of the Code

European Union (EU) Directive on Data Protection
The European Union Online
Text of the Directive
U.S. Department of Commerce

Gramm-Leach-Bliley Act
The U.S. Federal Trade Commission website will provide you with an extensive list of information and resources on the Gramm-Leach Bliley Act.
Full text of the Act

Health Insurance Portability and Accountability Act (HIPAA)
US Department of Health and Human Services (HHS)
HHS Office of Civil Rights (OCR)
Full Text of the Privacy Rule

ISO 17799:2000 Code of Practice for Information Security Management
Standards Council of Canada
International Organization for Standardization

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
Organization for Economic Co-operation and Development (OECD)

Personal Information Protection and Electronic Documents Act (PIPEDA)
Parliament of Canada
Office of the Privacy Commissioner of Canada

Privacy Act (Australia)
The Office of the Privacy Commissioner

Privacy Act (Canada)
Parliament of Canada
Office of the Privacy Commissioner of Canada
Text of the Privacy Act

Privacy Act (U.S.)
U.S. Department of Justice
Full text of the Act

Privacy of Personal Information Act (Ontario)
(consultation draft released on February 27, 2002)
"What's New" section of the Information and Privacy Commissioner of Ontario website

References

Barrados, Angie, Making Privacy Policies Work. Public Interest Advocacy Centre, Public Interest Advocacy Centre (PIAC), 2001

• Public Interest Advocacy Centre

Brandeis, Louis and Samuel Warren, "The Right to Privacy", 4 Harvard Law Review 193 (1890).

• Text of the article

Cavoukian, Ann, and Don Tapscott, Who Knows: Safeguarding Your Privacy in a Networked World, Toronto: Random House, 1995.

• This book explores how technology growth and the networked world have facilitated the collection and storage of personal information. The authors' detail how societal and personal privacy has been compromised and measures that can be taken to reverse this trend.

Federal Privacy Commissioner ruling on disclosure of physician information.

Freedom of Information in the Digital Age. The American Society of Newspaper Editors and the First Amendment Center, April 200l.

• American Society of Newspaper Editor
• The Freedom Forum

McInerney vs. MacDonald ruling - patient access

• Montreal University

Privacy Impact Assessment Guidelines -Information and Privacy Office of Ontario

• Information, Privacy and Archives Division

Surveying the Digital Future, UCLA Center for Communication Policy, 2000

• UCLA Center for Communication Policy
• Text of the report

Surviving the Privacy Revolution, Forrester Research, 2001.

• Forrester

Canadian Privacy Overview

Privacy Commissioner of Canada

• The Privacy Commissioner of Canada, George Radwanski, is an Officer of Parliament who reports directly to the House of Commons and the Senate. The Commissioner is an advocate for the privacy rights of Canadians. This website has numerous privacy resources including information on privacy legislation, fact sheets and a "What's New" section.
• Office of the Privacy Commissioner of Canada

Alberta

• Freedom of Information and Protection of Privacy Act
• Health Information Act

Information and Privacy Commissioner of Alberta
Phone: (780) 422-6860
Fax: (780) 422-5682
Email: ipcab@.planet.eon.net
Website: Office of the Information and Privacy Commissioner Alberta

British Columbia

• Freedom of Information and Protection of Privacy Act

Information and Privacy Commissioner of British Columbia
Phone: (250) 387-5629
Toll-free: 1 (800) 663- 7867 (free within B.C.)
Fax: (250) 387-1696
Email: info@oipcbc.org
Website: Office of the Information and Privacy Commissioner

Manitoba

• Freedom of Information and Protection of Privacy Act
• Personal Health Information Act

Office of the Ombudsman
Phone: (204) 982-9.130
Toll-free: 1 (800) 665-0531
Fax: (204) 942-7803
Email: ombusman@ombudsman.mb.ca
Website: Manitoba Ombudsman

New Brunswick

• Protection of Personal Information Act

Ombudsman, Province of New Brunswick
Phone: (506) 453-2789
Toll-free: 1 (800) 561-4021 (free within N.B.)
Fax: (506) 457- 7896
Email: nbombud@gov.nb.ca

Newfoundland

• Freedom of Information Act Privacy Act

Department of Justice of Newfoundland
Phone: (709) 729-2893
Fax: (709) 729-2129
Email: chrisc@.mail.gov.nf.ca
Website: Department of Justice of Newfoundland

Northwest Territories

• Access to Information and Protection of Privacy Act

Information and Privacy Commissioner of the Northwest Territories
5018, 47th Street
Yellowknife, Northwest Territories XIA 2N2
Phone: (867) 669-0976
Fax: (867) 920-2511
Email: atippcomm@theedge.ca

Nova Scotia

• Freedom of Information and Protection of Privacy Act

Freedom of Information and Privacy Review Office
Phone: (902) 424-4684
Fax: (902) 424-8303
Email: uarb.dfardv@gov.ns.ca
Website: Freedom of Information and Protection of Privacy Review Office

Nunavut

• Access to Information and Protection of Privacy Act

Information and Privacy Commissioner of Nunavut
Phone: (867) 669-0976
Fax: (867) 920-2511
Email: atippcomm@theedge.ca

Ontario

• Freedom of Information and Protection of Privacy Act
• Municipal Freedom of Information and Protection of Privacy Act
• Privacy of Personal Information Act (Consultation Draft released Feb. 27, 2002)

Information and Privacy Commissioner of Ontario
Phone: (416) 326-3333
Toll-free: 1 (800) 387-0073 (free within Ontario)
Fax: (416) 325-9195
Email: info@ipc.on.ca
Website: Information and Privacy Commissioner of Ontario

Prince Edward Island

• Freedom of Information and Protection of Privacy Act (Effective November 2002)
• Freedom of Information/Protection of Privacy Implementation

Phone: (902) 569-0567
Fax: (902) 569-7632
Email: slwood@gov.pe.ca
Website: reedom of Information and Protection of Privacy Act

Québec

• Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information
• Act Respecting the Protection of Personal Information in the Private Sector

La Commission d'accès à l'information du Québec
Phone: (418) 528-7741
Fax: (418) 529-3102
Toll-free: 1 (888) 528-7741 (free within Québec)
Email: Cai.Communications@cai.gouv.qc.ca
Website: Accès à l'information du Québec

Saskatchewan

• Freedom of Information and Protection of Privacy Act
• Local Freedom of Information and Protection of Privacy Act
• Health Information Protection Act (delayed to allow time for trustees to prepare for compliance)

Information, Privacy and Conflict of Interest
Commissioner of Saskatchewan
Phone: (306) 522-3030
Fax: (306) 522-3555
Email: grj@gerrandrj.com
Website: Legislative Assembly

Yukon

• Access to Information and Protection of Privacy Act

Ombudsman and Information and Privacy Commissioner of the Yukon
Phone: (867) 667-8468
Fax: (867) 667-8469
Email: email.ombudsman@ombudsman.vk.ca
Website: Yukon Ombudsman and Information and Privacy Commissioner

Privacy Impact Assessments

Treasury Board of Canada Secretariat

• Website: Treasury Board of Canada Secretariat
• PIA Policy and Guidelines

Information and Privacy Commissioner for Alberta

• Website: Office of the Information and Privacy Commissioner Alberta
• PIA Guidelines

Information and Privacy Commissioner of British Columbia

• Website: Office of the Information and Privacy Commissioner
• PIA Guidelines

Information and Privacy Commissioner of Ontario
(MBS Guidelines)

• Website: Information and Privacy Commissioner of Ontario
• PIA Guidelines (scroll to bottom of page)

Organizations

Canadian Consumer Information

• A Canadian government sponsored website with extensive information for consumers, including issues regarding privacy and security.
• Consumer Information

Canadian Institute for Health Information (CIHI)

• A federally chartered, national, not-for-profit organization responsible for developing and maintaining the country's comprehensive health information system.
• Canadian Institute for Health Information

Canadian Organization for Advancement of Computers in Health (COACH)

• Canada's Health Informatics Association promotes understanding and effective utilization of information technologies in the Canadian Healthcare environment.
• Canada's Health Informatics Association

Center for Democracy & Technology

• This organization works to promote democratic values and constitutional liberties in the digital age. The site has a resource library, privacy guide and overviews of privacy legislation.
• Center for Democracy & Technology

Electronic Privacy Information Center

• A public interest research center in Washington, D.C established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values
• Electronic Privacy Information Center

Office of Health and the Information Highway (OHIH)

• The Office was created by Health Canada to serve a key role in matters related to the use of information and communications technologies (ICTs) in the health sector. In this capacity OHIH coordinates, facilitates and manages health infostructure-related activities.

Online Privacy Alliance

• The Online Privacy Alliance is a cross-industry coalition of companies and associations committed to promoting the privacy of individuals online and the respect for consumer privacy. The website contains information with regards to consumer privacy.
• Online Privacy Alliance

Privacy.Org

• Privacy.Org contains daily news, information, and initiatives on privacy. This web page is a joint project of the Electronic Privacy Information Center (EPIC) and Privacy International.
• Privacy.Org

Privacy Exchange

• A global information resource focusing on data protection as it relates to consumers and commerce. Extensive information on privacy across the world can be found here.
• Privacy Exchange

Privacy International (PI)

• PI is a human rights group formed in 1990 as a watchdog on surveillance by governments and corporations. PI is based in London, England, and has an office in Washington, D.C. PI has conducted campaigns throughout the world on privacy issues and its website contains numerous resources, including privacy reports.
• Privacy International

Privacy Law

• A website with extensive resources on all major privacy laws. The website has a US focus but also has international resources.
• Privacy Law

Privacy Rights Clearinghouse

• A non-profit consumer education, research, and advocacy program whose website resources are aimed at educating the public on privacy protection.
• Privacy Rights Clearinghouse

Alberta

Atlantic

British Columbia

Manitoba

New Brunswick

Newfoundland

Northwest Territories

Nova Scotia

Ontario

Pacific

Prince Edward Island

Quebec

Saskatchewan

Yukon