How to Build and Implement Your Own Privacy Management Plan
Part III – Develop Policies and Procedures for Implementation
In Part I – The Ten Guiding Principles and Part II – Risk Analysis Self-Assessment, you learned the ten guiding principles of privacy, you identified which information is PII, and you identified which policies and procedures you already have in place, or should have.
In Part III, using the answers from your risk analysis self-assessment, you can now define and document each of your policies and procedures for implementation, using the following fourteen principles:
1. Specify the purposes for collection of PII
   a. You must clearly identify why the information is being collected and how it will be used. This must be done at or before the time the information is collected.
   b. Inform the client why the information is needed and keep a record that they were informed. In your Intake, Health History, and consent and waiver forms, be sure to include a Statement of Purpose.
   c. If the information is to be used for a different purpose, you must document the new purpose and obtain valid consent before using it for that purpose.
   Tip: In your risk assessment and ongoing information collection, review all information in your care to ensure that a specific purpose has been identified and documented for each use. This is particularly important for returning clients who have a new purpose for their visit.
2. Obtain and document valid consent
   a. Full knowledge and valid consent of a person is required for the collection, use, or disclosure of personal information, except where inappropriate. PIPEDA states: “Consent is considered valid only if it is reasonable to expect that individuals to whom an organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure, to which they are consenting.”
   Tip: Make sure that all staff and service providers have a ready answer to explain to clients, in simple terms, why personal information is being collected.
3. Restrict collection, use and disclosure to the specified purpose
   a. The collection of personal information must be limited to what is necessary for the purposes identified by the organization or sole practitioner. Information must be collected using fair and lawful methods.
   b. Personal information must not be used or disclosed for any purpose other than that for which it was collected; the only exceptions are when the individual gives valid consent or there is a requirement by law. Personal information must be retained only for as long as is necessary to fulfil those purposes.
   Tip: Be familiar with the statement of purpose for collection of information so that you restrict collection to only what is required. Never collect information because you “might need it in the future”.
4. Verify PII to be correct, complete and current
   a. Personal information must be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. It is your responsibility to minimize the chance of inaccurate information being used as the basis for decisions made about an individual, whether by you or by a third party to whom that information was disclosed.
5. Ensure that security measures are appropriate to the sensitivity of the information and its risk of exposure
   a. Design and implement security policies as part of your Privacy Management Program.
   b. Use security protection measures that are appropriate to the sensitivity of the information. For example:
      - Physical: locking filing cabinets, locked file rooms, electronic surveillance and/or alarms.
      - Electronic media: passwords/two-factor authentication, encryption, firewalls, access control levels, password-protected screen savers for display monitors, and restrictions against storing PII on portable storage devices.
      - Business organization measures: security clearance, need-to-know access only, staff non-disclosure agreements and security training.
6. Establish and maintain a current timetable for retention and destruction of PII
   a. Annually, check the regulatory colleges of all practitioner modalities for any changes in the “Required Retention Period for PII”. Make it a requirement for practitioners to inform the clinic owner and official Privacy Officer of regulatory changes and when they are to take effect. Keep a dated record of any changes made.
   b. Using step #10 in the Mini Guide Part II – “Risk Analysis Self-Assessment”, require practitioners to keep track of and record Retention Period expiry dates for each client in their Client Notes section, together with a note that a “New Purpose for Visit” Intake Form is required for the client’s next appointment.
   c. It is good practice to hold a monthly staff meeting (for example, the first Tuesday of each month) at which practitioners confirm that they are keeping such notes and that the notes are up to date. The clinic owner/Privacy Officer should keep minutes of each monthly meeting.
   d. Where regulated Retention Periods are much longer (up to sixteen years), “c.” above ensures that only current, relevant information is collected for the purpose for which it is required.
7. Define policies and procedures, and train staff, for processing client inquiries, requests for access, and complaints
   a. See “Staff Training Tips” below.
   b. Clients have a right to view and verify that the PII they have provided is accurate and correct. Clients do not have an unconditional right of access to unvetted clinical notes and other documents created by practitioners and third-party specialists, because these may contain PII belonging to other private individuals. Practitioners must therefore review all documentation requested and redact all PII belonging to such other individuals before releasing it to the client or the client’s lawyer.
8. Define protocols and procedures that staff must follow in the event of an incident or breach
   a. Step 1. On request by a complainant, staff and practitioners must provide the name and contact information of the official Privacy Officer and schedule an appointment to discuss the complaint in private.
   b. Step 2. Explain to the complainant, in point form, the policies and procedures that are in place to protect PII as required by the Privacy Acts (i.e. staff training, monthly and quarterly meetings, record keeping and front desk procedures). Keep in mind that personal contact information such as full name, email and phone number, if not directly connected to PII, is NOT protected information under the Privacy Acts. This will be for the Privacy Officer to explain.
   c. Keep a hard copy “cheat sheet” at the front desk for staff to refer to.
   d. On discovery of a breach of PII, your official Privacy Officer is required by law to prepare and submit a data breach report that details the circumstances of the breach, the duration of the breach, the number and identities of clients who may have been affected, and what corrective and preventive measures have been taken to remedy the breach and prevent a further breach. The report must also include auditable proof of compliance with all of The Ten Guiding Principles.
   e. Organizations and individuals who collect PII for commercial activity are obligated to report a data breach to the Privacy Commissioner of Canada. This requirement is mandatory; without such a report, compliance cannot be proved.
   f. All clients who may have been affected during the period of the breach must also be notified.
9. Conduct ongoing risk assessments at each stage of information handling and whenever any handling procedure is changed
   a. Keep a log book of any procedure and policy changes in the handling of PII. For each change, record the date, the name of the procedure and what changed, and the details of the new policy; test the new procedure for vulnerabilities; and circulate a hard copy of the new policy to all staff and practitioners. Use this log book to update staff and practitioners at each monthly staff meeting.
10. Establish appropriate management procedures for third-party service providers, ensuring, for example, that you obtain and document answers to these seven questions from Part II of this Mini Guide, “Risk Analysis Self-Assessment”:
      - What is PII used for?
      - Where is PII kept?
      - What security measures are there to protect PII?
      - Who has access?
      - Who uses PII?
      - Who is PII shared with?
      - How long does PII need to be kept?
11. Establish and implement an appropriate staff training program
   a. New staff and practitioners must become familiar with the requirements of the clinic’s Privacy Management Plan and Program before they begin working at the clinic and with clients.
   b. This Mini Guide (Parts I, II and III), or other training materials that are substantially the same and based directly on the Privacy Acts of their Province and the overarching federal Privacy Act, PIPEDA, are essential reading and greatly speed up and simplify the training process.
   c. Ask new staff and practitioners to seek out and identify any weaknesses in the clinic’s privacy policies and procedures and to present them at their first monthly staff meeting.
12. Frequently evaluate your privacy management program, making revisions where necessary
   a. Encourage staff and practitioners to be vigilant for any unforeseen vulnerabilities in the handling and processing of PII and to bring them immediately to the attention of the official Privacy Officer.
   b. At monthly staff and practitioner meetings, invite feedback and suggestions from staff and implement them where required.
   c. On a quarterly basis, review the monthly staff meeting minutes to ensure that all recommended management program revisions have been implemented.
13. Be ready to demonstrate your privacy management program and its active implementation
   a. Because PII may accidentally be revealed in an actual demonstration, it is better to simply go through the ten questions listed in the Mini Guide Part II – Risk Analysis Self-Assessment and explain that, in developing your Privacy Management Plan and Program, these are the minimum standards that you maintain.
14. Create an electronic or hard copy outline explaining your privacy management program, and make it accessible to your clients
   a. This need only be a single laminated Letter-size page with bullet points taken from the headings of the above fourteen principles, displayed at the reception desk.
   b. If you use an online clinic and practice management platform that automatically tracks your digital compliance activities and enables you to produce an auditable digital compliance report, then you may also include the key data points that are tracked.
   c. Include, at the end, the name and contact details of your official Privacy Officer.
Staff Training Tips
Make sure that you and your staff can respond to the following questions:
- What do I say to a client when they ask what our privacy policies are?
- What is valid consent and how do we obtain it?
- How do I acknowledge and process a request for access to personal information?
- When receiving a complaint about a privacy matter, who should I refer the complaint to? (Make sure that all staff and practitioners know who your official Privacy Officer is.)
- How do we actively protect personal information and do we have any new initiatives in this respect?
In Conclusion – Accountability is the foundation upon which to carry out a privacy and security audit of your sole practice or organization’s information handling, processing, disclosure and storage policies and procedures.
The first step to becoming compliant with the various Privacy Acts is to review all of your daily practice activities and assess each activity for possible vulnerabilities.
Complying with the Privacy Acts is the last thing on your mind until you receive a complaint! Knowing how to respond rapidly is not only professional; it is also the first essential step in proving compliance and demonstrating accountability to your client.
Whether you are a clinic owner, sole practitioner or practitioner within a group, it is your responsibility to build and implement an effective privacy management plan.
Quality electronic scheduling, practice and clinic management software service providers are custodians of your and your clients’ PII and must comply with the Privacy Acts for data protection, including data in transmission to and from the service. However, this applies only to data within their control. It does NOT apply to the physical policies and procedures required of practitioners and clinic staff, which in reality comprise approximately 85% of the risk of PII data exposure!
Here are the key principles of building and implementing your plan:
- Perform a risk analysis self-assessment;
- Create an action plan and privacy management protocols based on that assessment;
- Implement the plan protocols on a daily basis;
- Review and revise the plan regularly; and
- Train staff to follow the plan protocols
Simply put, develop a culture of privacy and security awareness within your team and actively engage your team on a daily basis. Peace of mind is being able to give a spontaneous response to any complainant if or whenever you are challenged on a privacy matter. Hesitation or an inadequate response can quickly lead to having to retain the services of a lawyer. Let’s not go there!
Remember, you should always assume that PII data can be compromised. As long as you can prove that you have taken every reasonable step to protect the PII in your care, in compliance with the Privacy Acts Guidelines, then you are above legal reproach.
†For reasons of accepted international compliance, including EU Data Protection Law, the privacy act chosen to exemplify these principles and procedures is the federal Personal Information Protection and Electronic Documents Act of Canada (PIPEDA). Although the federal government may exempt from PIPEDA certain organizations and activities in Provinces that have enacted their own “substantially similar” privacy legislation covering personal and health information in the private sector, PIPEDA continues to apply to all interprovincial and international transactions by all organizations subject to the Act. This article includes reference to current revisions to the Act: the Digital Privacy Act (formerly known as Bill S-4) received Royal Assent in June 2015, resulting in a number of significant amendments to Canada’s federal private sector privacy law, and further amendments that came into effect on November 1, 2018 made reporting and documentation of compliance activities mandatory.
Disclaimer: This is not an in-depth guide to the specific details of each privacy act’s guidelines but an interpretation and brief overview of the essential principles and protocols of those guidelines. As always, you must rely on the official guidelines of the privacy acts and of any regulatory body specific to your industry and your jurisdiction. It is hoped that this Mini Guide will help to minimize your learning curve, help you to quickly navigate the official guidelines of your jurisdiction, help you understand your responsibilities, and prepare you to take immediate steps to minimize risk. The material in this Mini Guide is copyright protected and authored by Geoffrey Spooner, Chief Privacy Officer of Click4Time Software Inc. This Mini Guide on How to Develop and Implement a Privacy Management Plan is applicable for compliance regardless of whether you manage your practice and/or clinic using pen and paper or any online practice management software service.