The Privacy Charter is our commitment to you. It is our organization-wide policy on how all employees, agents, and contractors of ABJHI protect your information.
ABJHI Privacy Charter
This Privacy Charter explains the type of personal, confidential, and health information we collect, how it is used, and the steps we take to ensure the information is handled appropriately.
What is Personal Information?
Personal information is information about an identifiable individual. Personal information includes such things as names, provincial health numbers, postal and email addresses, dates of birth, financial information, treatment information, encounters with the health system, health outcomes as well as opinions, preferences, and feedback.
ABJHI is responsible for protecting the privacy and security of personal information under its control, including any personal information that is acquired through agreements with care providers, Alberta Health Services, or other third parties. This includes information that is stored electronically or physically, and information that is archived awaiting destruction. Our agents, employees, and contractors must abide by our privacy policies and procedures and receive robust training in how to secure personal information.
We have developed and implemented this Privacy Charter to achieve and communicate our accountabilities.
ABJHI identifies the purpose for which we collect personal information. This applies to information that is directly collected by ABJHI or acquired under the terms of an affiliation, data sharing, research, or other services agreement.
We collect, use, and disclose personal information to:
- conduct provincial quality assurance surveillance;
- inform on clinical quality improvement activities;
- perform resource planning, service demand modeling, and other health system management functions on behalf of the AHS Bone and Joint Health Strategic Clinical Network;
- provide feedback to clinicians and health administrators on the quality of health services and outcomes;
- evaluate clinical programs and projects;
- identify opportunities to improve health outcomes and operational efficiencies;
- participate in research projects (with the approval of appropriate research ethics boards);
- evaluate new health technologies and procedures;
- detect trends in health outcomes and predict future system needs;
- administer fundraising campaigns and donor management activities;
- keep interested stakeholders up-to-date on developments in bone and joint health service delivery; and
- perform other purposes as may, from time to time, be permitted by law.
ABJHI collects personal information only for the purposes we have identified or as otherwise permitted by law. We only collect as much information as is essential to carry out the purpose for which we are collecting it.
Personal information will be collected directly from individuals and indirectly via care providers, routinely recorded information in health data systems, or through indirect interactions with electronic systems (e.g. web site log files, transaction records).
Use and Disclosure
Our data and reporting systems are designed to limit access to personal information by our staff to the minimum level required to perform our duties. This means that our analysts do not have routine access to personally identifying information such as names, addresses, and provincial health numbers.
Even within our walls, only the people responsible for doing the analysis and reporting have direct access to individual non-identifying records. All other users must access aggregated and/or de-identified results.
When needed (e.g. to help a doctor perform a chart review or investigate patient outcomes), ABJHI staff must request access to personal information on an exception basis from the Director of Technical Operations. The Director reviews all requests to ensure that they comply with the law and all confidentiality and data sharing agreements.
We follow the principle that restricting access to data is the easiest way to prevent an unauthorized disclosure.
The rules for disclosures of personal health information to third parties are explicitly defined in our agreements with care providers and Alberta Health Services and are compliant with the Health Information Act. ABJHI can only disclose grouped results with a minimum of 6 individuals per group. Any request for more granular groupings of data or individual records requires express written approval from the data custodian or, where applicable, is specifically communicated to the individual during the consent process.
ABJHI does not sell or share any personal information with marketers, newsletters, contact lists, vendors, or other commercial third parties.
ABJHI has access to routinely collected health information under legal agreements with many care providers and Alberta Health Services for the purposes of ongoing quality assurance monitoring and quality improvement planning. These agreements define the specific uses and disclosures of information that ABJHI is allowed to perform.
These services are called a “secondary use of routinely collected health information” and are allowed under the Health Information Act without informed consent. We perform these services under contract with the care providers and Alberta Health Services, and we have submitted a Privacy Impact Assessment to the Office of the Information and Privacy Commissioner to ensure that the privacy and security of this information are protected.
All other information, including individual contact information, participant and subscriber data, billing information, and data collected for research or other purposes is collected with informed consent. The method of obtaining consent depends on the circumstances and the sensitivity of the information. Consent may be oral or written, express or implied.
Express consent (verbal, written or electronic) is obtained to collect, use, or disclose sensitive personal information and research information. Implied consent is obtained where a) a customer, partner, or other collaborative relationship already exists, b) express consent has been previously given, or c) the purpose of collecting the information is obviously apparent to the person (e.g., payment processing information for a donor).
Consent preferences can be changed at any time by contacting ABJHI.
Individuals may decide to opt out of receiving information circulars, newsletters, fundraising, or promotional materials at any time. Individuals may withdraw or refuse consent by contacting us (email or phone). The request will be promptly processed but may not be in time to prevent communications already in progress.
Individuals have a right to access the personal information in our custody and may request a copy of this personal information. As an affiliate of health data custodians, ABJHI will re-direct all requests for health records to the appropriate data custodian.
ABJHI retains the right to charge reasonable fees to cover the administrative costs associated with fulfilling data access requests as permitted by law.
ABJHI has assessed the privacy risks to personal information and implemented administrative, technical, and physical safeguards to minimize the risk. Examples of these safeguards include office policies and procedures that ensure confidential information cannot be seen by unauthorized people, having employees sign confidentiality and non-disclosure agreements, and electronic security measures like firewalls, password protection, and encryption to protect sensitive information.
We make efforts to ensure that personal information in our custody is accurate and complete before using or disclosing it. However, much of our data comes from other data systems over which we have no control. We correct inaccurate or incomplete information in our systems wherever possible, but we may be unable to influence the accuracy or completeness of the data in its originating data source. It is the responsibility of those custodians and repository owners to make corrections in their systems as appropriate.
Retention and Destruction of Records
ABJHI follows all legal and/or institutional requirements for records retention. We securely destroy all data following the prescribed retention period.
For research data, this typically means we securely destroy data after 10 years from the end of the research study. Routinely captured health data is retained forever. Billing data for donations is destroyed immediately after processing and donor contact information is retained for 5 years from the final transaction.
Monitoring and Enforcement
We regularly assess our health information safeguards and ensure our employees, contractors, and agents are aware of and follow all safeguards. We have monitoring systems in place to detect possible security breaches, and investigate all privacy complaints, breaches, and suspected breaches.
We have sanctions in place for anyone who deliberately or inadvertently breaches, or attempts to breach, our safeguards. We will take appropriate measures to remedy any issues, including amending our policies, revising procedures, disciplining and/or terminating staff, etc.