The Government of Canada has implemented
new privacy legislation as of January 1, 2004 - The Personal Information
and Electronic Documents
Act. It includes provisions that control the handling of information for
all business entities that collect any information from individuals for
any purpose. The basic principle of the legislation is that "an organization
may collect, use or disclose personal information only for purposes that
a reasonable person would consider are appropriate in the circumstances" The
Act also requires that the organization take active steps to protect its
controlled information, and establish a set of procedures to accomplish
this. The purpose and procedure of our information collection is as follows:
1. We are collecting information for the purpose of treating our patients. To
accomplish that purpose, we must collect personal demographic information, and
medical histories, to allow us to make the judgments we need to make. This includes
a wide variety
of lifestyle and life event information relevant to the subject's physical and
mental health. To prejudge the relevance of specific information would limit
the ambit of judgment of our staff, and therefore we are reluctant to limit the
scope of information gathering. One can only say in advance that information
that would have no ramifications for medical analysis would be irrelevant, and
the Limiting Collection Principle would apply to such information.
2. No collected information shall be used for any purpose other than the treatment
for which we were retained, except under the terms of the Act, or in pursuance
to other duties imposed on us by other statutes and regulations. An example of
such statutory release of information would be our obligation to report to our
regulator, the College of Physiotherapists of Ontario.
3. Consent will be solicited and obtained from each client in writing before
any treatment is commenced after the patient has been advised of the purpose
for collecting information. Information will be retained for the period of our
statutory responsibility, 10 years. Thereafter, demographic information and basic
medical information shall be retained in our database. Personal information contained
in files shall be destroyed after 10 years.
4. Patients shall be apprised of the scope of the information retained for
them, and be given the opportunity to correct inaccurate information in writing
addressed to the Information Manager. Such corrections shall be added to the
subject's file, and any electronic information adjusted accordingly.
5. The physical security of the information shall be maintained by securing
it in locked premises, and actively restricting access to it. Electronic information
shall be protected by limiting access to approved users with passwords and similar
electronic protection methods.
6. Patients will be afforded access to their information upon provision of
requested releases in accordance with the Act.