The Freedom of Information and Protection of Privacy Act...

Privacy Training for Researchers The Freedom of Information and Protection of Privacy Act (FIPPA) The Personal Health Information Act (PHIA)


Page 1: The Freedom of Information and Protection of Privacy Act ...umanitoba.ca/admin/vp_admin/ofp/fippa/secure/media/... · These Acts provide the public with the right of access to records

Privacy Training for Researchers

The Freedom of Information and Protection of Privacy Act (FIPPA)

The Personal Health Information Act (PHIA)


Access and Privacy Office

The University of Manitoba is committed to the principles of access to information and the protection of privacy as they are outlined within the Province’s access and privacy legislation, The Freedom of Information and Protection of Privacy Act (FIPPA) and The Personal Health Information Act (PHIA).

These Acts provide the public with the right of access to records in the custody or under the control of the University of Manitoba, while safeguarding the privacy of individuals.


Access and Privacy Office

The Access and Privacy Office is responsible for the implementation and central administration of FIPPA and PHIA at the University of Manitoba.

The Office responds to all access to information requests for the University, investigates breaches of personal information or personal health information, and provides privacy training to University staff, students, faculty and researchers. The Office also provides advisory and administrative support services for the management of University records.


Access and Privacy Office

The Access and Privacy Office is a part of the Office of Fair Practices and Legal Affairs, and is located on the second floor of the Elizabeth Dafoe Library, Fort Garry Campus:

Access and Privacy Office
233 Elizabeth Dafoe Library
University of Manitoba
Winnipeg, MB, R3T 2N2
Fax: (204) 474-9308
Email: [email protected]


Privacy Training Overview

The PHIA training program consists of:

a) Reviewing the Access and Privacy Policy and Procedures

The University has Access and Privacy Policies and Procedures that provide specific rules about access to and protection of Personal Information held by the institution.

b) Reviewing the PHIA training presentation

c) Signing the PHIA Pledge of Confidentiality


Privacy Training Overview

• Legislation and Key Definitions
• Collection, Use, and Disclosure of Information
• Security and Storage of Information
• Research at the University
• Ethical Duties of Confidentiality
• Breaches of Confidentiality
• Privacy Quiz
• Your Privacy Obligations
• Pledge of Confidentiality


The Freedom of Information and Protection of Privacy Act

The Freedom of Information and Protection of Privacy Act (FIPPA) provides the legislative framework for managing the information practices of Personal Information (PI) in Manitoba.

Researchers associated with the University of Manitoba must be compliant with FIPPA when their research includes the collection and use of Personal Information.


The Freedom of Information and Protection of Privacy Act

The purposes of FIPPA are:

• to provide the right to examine or receive a copy of your own PI, or general information held by the public body;

• to provide the right to request corrections to your own PI;

• to establish rules for collection, use and disclosure of PI; and

• to provide for an independent review of the actions of a public body under the Act.


The Personal Health Information Act

The Personal Health Information Act (PHIA) provides the legislative framework for managing the information practices of Personal Health Information (PHI) in Manitoba.

Researchers associated with the University of Manitoba must be compliant with PHIA when their research includes the collection and use of Personal Health Information.


The Personal Health Information Act

The purposes of PHIA are:

• to provide the right to examine or receive a copy of your own PHI;

• to provide the right to request corrections to your own PHI;

• to establish rules for collection, use and disclosure of PHI;

• to control the collection, use and disclosure of the Personal Health Identification Number (PHIN); and

• to provide for an independent review of the actions of a trustee under the Act.


Key Definitions

• What is Personal Information?
• What is Personal Health Information?
• What is a Record?
• What is Privacy?
• What is Confidentiality?


Key Definitions

What is Personal Information?


Personal Information is…

Recorded information about an identifiable individual including:

• name, home contact information

• age, sex, sexual orientation, marital or family status

• ancestry, race, colour, nationality, national or ethnic origin

• religion, creed, religious belief, association or activity

• personal health information

• blood type, fingerprints, hereditary characteristics

• political belief, association or activity

• education, employment or occupation, history of these three

• source of income, financial circumstances, activities or history


Personal Information is… Continued…

• own personal views, except if about another person

• views or opinions about the individual expressed by another person*

• identifying number, symbol or other particular assigned to the individual (i.e. student number or employee number)

• criminal history including regulatory offences

* It is important to note that the views or opinions that you have regarding another individual belong to that individual. When a view or opinion about an individual is recorded, that information becomes that individual’s Personal Information.


Key Definitions

What is Personal Health Information?


Personal Health Information is…

Recorded information about an identifiable individual that relates to:

• the individual’s health, or health care history, including genetic information about the individual;

• the provision of health care to the individual, including a doctor’s note;

• payment for health care provided to the individual, and includes bills, receipts, etc.;

• the PHIN and any identifying number, symbol or particular assigned to an individual; and

• any identifying information about an individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care.


Key Definitions

What is a Record?


What is a Record?

A Record or Recorded Information

Means a record of information…

In any form: written, photographed, recorded or stored in any manner, on any storage medium; or

By any means: electronic, graphic, or mechanical means. Examples include X-ray, voicemail, fax or email.


What is a Record?

Examples of Records

• Files
• Emails
• Databases
• Documents
• Photographs
• Rough notes and drafts
• Text messages and instant messaging


Key Definitions

What is Privacy?


What is Privacy?

Privacy means an individual’s right to be free from intrusion or interference from others.

An important aspect of privacy is the individual’s right to control access to their Personal Information and Personal Health Information.


Key Definitions

What is Confidentiality?


What is Confidentiality?

The obligation of a public body or trustee to protect the Personal Information and Personal Health Information entrusted to it, to maintain the secrecy of the information and not misuse or wrongfully disclose it.

All persons associated with the University of Manitoba are responsible for protecting all Personal Information and Personal Health Information.


What is Confidentiality?

Accessing, using and disclosing Personal Information and/or Personal Health Information is acceptable only when required to do your job.

Discussions about identifiable individuals should not take place in public places or in the presence of people who do not need to know the information.


What is Confidentiality?

Individuals have an expectation that the University of Manitoba will protect the privacy, confidentiality and security of the Personal Information and Personal Health Information in its custody.

As a person associated with the University of Manitoba, it is your responsibility to hold all Personal Information and Personal Health Information in the highest of confidence.


Collection of Information


Individuals are to be notified about the purpose for which their Personal Information and/or Personal Health Information (collectively “information”) is being collected.

Notification, including details regarding the purpose of the research and how the information collected will be used, takes place within the Informed Consent Form.

Remember to only collect as much information as is necessary to accomplish the purpose of your research.

See our Research Informed Consent – Notification Statement website for more information.


Use and Disclosure of Information


You can only use and disclose the Personal Information and/or Personal Health Information that was collected as part of the research project for the purpose(s) outlined in the Informed Consent Form.

If you want to use the information collected for secondary purposes (not outlined in the original REB submission and Informed Consent Form), you must obtain consent from all of the participants to use their information for the secondary purposes, as well as submit an amendment to your protocol.


You cannot use or disclose Personal Information and/or Personal Health Information:

• In the presence of those that are NOT entitled to the information; or

• In public places, such as elevators, lobbies, cafeterias, off premises, etc.

Be aware of your surroundings. Personal Information and/or Personal Health Information is best discussed in a closed setting.


Security and Storage of Information


All Personal Information and Personal Health Information must be properly secured and maintained in order to protect its privacy, confidentiality, accuracy, and integrity.

Additionally, all Personal Information and Personal Health Information must be protected from accidental destruction, deterioration or loss for the entirety of the records’ lifetime.


Protecting the integrity of the information means the preservation of its content. This would provide confidence that the information has not been tampered with or modified other than as authorized.

Preservation of content is maintained by protecting and securing the information throughout collection, access/retrieval, use, disclosure/transfer, and storage.


The University of Manitoba is obligated under FIPPA and PHIA to protect Personal Information and Personal Health Information by adopting reasonable administrative, technical, physical and electronic safeguards that ensure the confidentiality, security, accuracy and integrity of the information.


Administrative Safeguards:

• Policies and Procedures; Guidelines and Resources

• Privacy training and signing of the Pledge of Confidentiality

• Proper management of swipe cards or key access

• Secure print codes at printers/fax machines


Technical Safeguards:

• Role-based profiles on new or existing information management systems

• Base profiles on the individual’s role, which determines the level of access required

• Multiple levels of authentication for highly sensitive information


Physical Safeguards:

• Arrange office furniture to limit the ability of others to access your files

• Locks on doors and filing cabinets

• Clean off your desk at the end of the day (implement a Clean Desk Policy as an Administrative Safeguard)


Electronic Safeguards:

• Encryption of files for transmission or transport

• Passwords on all devices

• Up-to-date anti-virus software

• Firewalls


Portable Devices

Personal Information and Personal Health Information should not be stored or carried on electronic portable devices unless for an authorized purpose. If the use of portable devices is absolutely necessary, and authorized, appropriate safeguards, such as encryption and passwords, must be put in place to ensure that the information is protected.

Refer to the University’s “Travelling with Records Guidelines.”


Research at the University


Both FIPPA and PHIA allow approved research to take place, but they require that the appropriate provisions be in place to ensure the privacy of the individuals participating in the research.

When conducting research, the highest standard of rules must be applied to the use of Personal Information and Personal Health Information.


If the research is conducted in connection with the University of Manitoba, review and approval must come from one of the five Research Ethics Boards:

• Biomedical Research Ethics Board (BREB)

• Health Research Ethics Board (HREB)

• Psychology/Sociology REB

• Education/Nursing REB

• Joint-Faculty REB


At the Bannatyne Campus, most research is reviewed and approved by the BREB or the HREB.

The BREB reviews all research ethics protocols involving clinical trials and other biomedical research interventions.

The HREB reviews research involving the behavioral sciences, surveys, examinations of medical records and protocols of generally lesser risk.


At the Fort Garry Campus, three boards review and approve research:

Education/Nursing REB: Faculties of Education, Kinesiology and Recreation Management, Extended Education, Engineering, and the College of Nursing

Psychology/Sociology REB: Faculty of Social Work, Departments of Sociology, Psychology, and Counseling Services

Joint-Faculty REB: Remaining Faculties and Departments


Researchers using information/data held by Manitoba Centre for Health Policy (MCHP) must fulfill several reviews and approvals:

• HIPC (Health Information Privacy Committee);

• HREB approval from the UM. An HREB from another institution will be considered if it is accompanied by a letter indicating that the review is accepted by that institution;

• MCHP internal review.


Depending on the data source, other approvals may be required. A full explanation is found on the U of M website:

Manitoba Centre for Health Policy (MCHP) Applying for Access


Researchers collect, access, use, and share information about research participants during the course of research.

The Tri-Council Policy Statement defines five classes of information to be aware of:

a) Identifying
b) Identifiable
c) De-identified/coded
d) Anonymized
e) Anonymous


a) Identifying information: The information identifies an individual through direct identifiers (e.g., name, address, social insurance number, or personal health identification number).

b) Identifiable information: The information could be used to re-identify an individual through a combination of indirect identifiers (e.g., date of birth, place of residence, or unique personal characteristic) using reasonably foreseeable means.


c) De-identified/coded information: Identifiers are removed and replaced with a code. Depending on access to the code, it may be possible to re-identify specific individuals (e.g., individuals are assigned a code name and the principal investigator retains a list that links the code name with the individual’s actual name so data can be re-linked if necessary). Researchers who have access to the code and the data have identifiable information.


d) Anonymized information: Information is irrevocably stripped of identifiers, and a code is not kept to allow future re-linkage.

e) Anonymous information: Information never had identifiers associated with it (e.g., anonymous surveys).


Ethical Duties of Confidentiality


Researchers have an ethical duty to ensure the confidentiality of the records throughout their lifespan and ensure that they protect information from unauthorized:

• Collection

• Access

• Use/Disclosure

• Loss/Theft

• Modification


Researchers have ethical duties of confidentiality, which mirror the rules in privacy legislation:

• Must safeguard information

• Must not misuse information

• Must not wrongfully disclose information

This applies to information obtained directly from participants or via third parties (other researchers or organizations).


REBs are looking for these ethical duties of confidentiality in their processes for approvals:

• A researcher must be able to explain confidentiality provisions to REBs and to participants

• A researcher must understand and explain any disclosure requirements to participants, such as legal requirements for disclosure (example: Child and Family Services Act)


• The retention of all research data is very important, regardless of whether it involves Personal Information or Personal Health Information.

• Researchers must include a data management plan that outlines the processes and procedures to destroy or remove identifying information as soon as possible.

• Researchers must identify intended retention periods in the REB submission for all data, and they may be asked to justify the rationale for a certain period of retention in the application.


• Researchers must ensure that the information they collect is not used for secondary purposes.

• If the information is going to be used for another reason, such as another research project, they must obtain consent from the participants.

• If data-linking between datasets and research projects is going to take place, the REB would need to approve the data-linking.


Retention of Research Data


• Researchers must outline policies and procedures to destroy or remove identifying information as soon as possible.

• Researchers must identify intended retention periods in the REB submission for all data.

• Researchers may be asked to justify the rationale for a certain period of retention in the application.


Breach of Privacy


A Breach of Privacy occurs when Personal Information and/or Personal Health Information is collected, accessed, used, disclosed, transported, transmitted, transferred or destroyed other than as authorized, or when the accuracy, confidentiality or integrity of the information is compromised.


A Breach of Privacy occurs when Personal Information and/or Personal Health Information is:

• Accessed by someone not entitled to that information, including “snooping”;
• Shared (used or disclosed) with those not entitled to that information;
• Removed from the University without authorization;
• Lost or stolen devices;
• Not appropriately safeguarded;

Or, when:

• The integrity of a record is compromised; and/or

• You collect more Personal Information and Personal Health Information than is required to do your research.

If you know or suspect a Breach of Privacy has occurred, immediately notify:

• Your Research Ethics Board Coordinator, who will then notify the Access and Privacy Office; and

• Submit an appropriate Adverse Event report to your REB.

The Access and Privacy Office, in consultation with others, will decide whether an investigation is necessary;

If the decision is “yes,” the Access and Privacy Office will:

• inquire into the incident/allegation

• consult with appropriate persons to determine whether a breach has occurred

• document findings

• recommend disciplinary action, if applicable

Privacy Quiz

Which of the following statements are true about consent?

• An individual may give consent subject to conditions, such as limiting which information can be used or disclosed, or setting a time frame in which the consent applies.

• An individual who has given consent to the use or disclosure of personal health information may withdraw their consent by notifying the trustee.

• A withdrawal of consent does not have to be retroactive.

• Express consent does not need to be in writing.

• All of the above.

What type of disciplinary action may be taken if it is confirmed that you used or disclosed Personal Health Information in violation of PHIA?

• A verbal or written warning

• Suspension

• Termination of employment, contract, association or appointment with the University of Manitoba

• A report to the appropriate professional regulatory body

• Any of the above

You use a laptop as part of your research data collection and analysis. You keep the laptop on premises at the University, and lock it up at the end of the day in a filing cabinet that is located within a locked office. The research data includes information of identifiable individuals. Are there any other safeguards that you should put in place to protect the confidentiality of the information?

• No, it’s kept in a locked cabinet in a locked office, that is sufficient.

• Add a password to the laptop.

• Encrypt the data.

• Add a password to the laptop AND encrypt the data.

You use a laptop as part of your research data collection and analysis. You keep the laptop on premises at the University, and lock it up at the end of the day in a filing cabinet that is located within a locked office. The research data includes information of identifiable individuals. Are there any other safeguards that you should put in place to protect the confidentiality of the information?

• No, it’s kept in a locked cabinet in a locked office, that is sufficient.

• Add a password to the laptop.

• Encrypt the data.

• Add a password to the laptop AND encrypt the data. Laptops are often targets of break and enters. If your office is broken into, or your laptop is removed from the premises for any other reason, the data would not be properly safeguarded without a password and encryption.

You are leaving work after a long day. Just as you get to the parking lot you notice a USB drive lying on the ground. What should you do?

• Do nothing and leave it there.

• Pick it up and take it home for your own personal use.

• Take it to the Access and Privacy Office.

• Take it to the nearest lost and found.

You meet an individual through your involvement in a research project. You feel that there is a connection and would like to contact them about meeting up for coffee. You were too shy to ask them in person, so you look up their contact information in the electronic system you are using for research and copy down their email address. When you are at home, you send them an email using your Yahoo account (not your work account) to see if they are interested in meeting. Is this a violation of that individual’s privacy?

• Yes

• No

You meet an individual through your involvement in a research project. You feel that there is a connection and would like to contact them about meeting up for coffee. You were too shy to ask them in person, so you look up their contact information in the electronic system you are using for research and copy down their email address. When you are at home, you send them an email using your Yahoo account (not your work account) to see if they are interested in meeting. Is this a violation of that individual’s privacy?

• Yes – You have access to that information only for the purpose in which it was collected, for research, not for any other use.

• No

Your Privacy Obligations

1. All University employees and persons associated with the University are responsible for protecting the security and confidentiality of all Personal Information and Personal Health Information that is obtained, handled, viewed, heard, or learned, in the course of their work or association with the University.

2. Personal Information and Personal Health Information shall be protected during its collection, access, use, retention, storage and destruction.

3. You may only use or disclose Personal Information and/or Personal Health Information in the discharge of your responsibilities and duties (including reporting duties imposed by legislation) on a need to know basis.

4. Discussion regarding Personal Information and/or Personal Health Information shall not take place in the presence of persons not entitled to such information, or in public places (elevators, lobbies, cafeterias, off premises, etc.).

5. Unauthorized use or disclosure of confidential information shall result in a disciplinary response up to and including termination of employment, contract, association, or appointment with the University of Manitoba.

6. A confirmed breach of confidentiality may result in disciplinary action and be reported to the individual’s professional body.

7. All individuals who become aware of a possible breach of the security or confidentiality of Personal Information and/or Personal Health Information shall follow the procedures outlined under “Breach of Privacy.”

Pledge of Confidentiality

At the University, a Personal Health Information Pledge of Confidentiality is required of individuals as a condition of their employment, appointment, contract, or association with designated faculties, programs and offices, and as a condition of research involving humans.

Please note: There is no “FIPPA Pledge of Confidentiality”. The PHIA Pledge of Confidentiality is the only pledge that you are required to complete.

To obtain your University of Manitoba Personal Health Information Pledge of Confidentiality declaration form, click here.

Submit your completed form by saving it to your computer and sending it as an attachment to [email protected].

Thank you!

If you have questions about the training presentation, please contact the Access and Privacy Office at:

E-mail: [email protected]

All images are used with permission from Microsoft unless otherwise noted.

Issued: February 14, 2020
