Guidance on information sharing in multi-sectoral risk intervention models

This guidance document was developed by the Ministry of the Solicitor General (formerly the Ministry of Community Safety and Correctional Services) (ministry), in consultation with its inter-ministerial, policing and community partners and the Office of the Information and Privacy Commissioner of Ontario (IPC). It was developed for agencies and organizations and their staff (professionals) who participate in multi-sectoral risk intervention models, such as Situation Tables.

While different types of multi-sectoral risk intervention models are in use across Ontario and Canada, this document generally will refer to them as Situation Tables for ease of understanding.

Situation Table participants represent a variety of sectors, such as justice, health, and child, youth and family services, as well as other sectors involved in the prevention, reduction, or elimination of serious harm (including those working to address intimate partner violence).
Note: For additional guidance for professionals working to prevent intimate partner violence, see the IPC’s Sharing Information in Situations Involving Intimate Partner Violence: Guidance for Professionals.

Not all aspects of the information sharing principles and Four Filter Approach outlined in this document are prescribed in legislation, and some may not be mandatory for your specific agency/organization. Together, these principles and this approach form a framework intended to guide professionals (for example, police officers, educators from the school boards, mental health service providers, child, youth and family services providers, etc.) who are engaged in Situation Tables that involve sharing information, particularly personal information or personal health information (personal information). In this context, personal information should be understood to mean any information in oral or recorded form that could be used, on its own or in combination with other available information, to identify an individual.

The sharing of personal information requires compliance with provincial privacy legislation, including the Freedom of Information and Protection of Privacy Act (FIPPA), Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), the Personal Health Information Protection Act (PHIPA), and Part X of the Child, Youth and Family Services Act (CYFSA), as well as other pieces of legislation by which professionals are bound.* For example, information about individuals dealt with under the Youth Criminal Justice Act (YCJA) is subject to additional restrictions, including restrictions that prohibit police and other justice sector service providers from accessing, using or disclosing this information except in prescribed circumstances and within prescribed timelines. In addition, it is an offence for anyone to access or disclose YCJA information without authorization. As such, professionals must carefully consider YCJA related restrictions before engaging in any YCJA related information sharing activities.   
Note: This guidance uses the term “sharing” to refer to disclosure and focuses on the disclosure of personal information when there is an objective risk of serious harm to the health or safety of one or more individuals. It does not focus on permissible collection(s) and use(s) of personal information. Agencies/organizations, and their staff, must ensure they are permitted to collect and use the personal information provided to them and otherwise comply with provincial privacy legislation.

Before engaging in a multi-sectoral risk intervention model, all professionals should familiarize themselves with the applicable legislation, confidentiality and information sharing agreements and professional codes of conduct or policies that apply to their respective agency/organization.

Consideration should also be given to conducting a Privacy Impact Assessment (PIA) and entering into a confidentiality and information sharing agreement. Both steps are recommended to ensure that adequate standards for the protection of personal information are followed. These steps become all the more important when the multi-sectoral group includes agencies/organizations that are not covered by provincial privacy legislation.

For information on PIAs, refer to the IPC’s “Planning for Success: Privacy Impact Assessment Guide” and “Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act” which are available online.

Once the decision has been made to participate in a multi-sectoral risk intervention model, such as a Situation Table, agencies/organizations should also ensure transparency by making information about their participation publicly available, including the contact information of an individual who can provide further information or receive a complaint about the agency/organization’s involvement.

Information contained in this document should not be construed as legal advice.

Information sharing principles

Information sharing is critical to the success of Situation Tables and partnerships that aim to mitigate risk and enhance the safety and well-being of Ontario communities. Professionals from a wide range of sectors, agencies and organizations are involved in the delivery of services that address risks faced by vulnerable individuals and groups. These professionals are well-placed to notice when an individual(s) is at an “acutely elevated risk” of harm. Collaboration among these professionals is vital to harm reduction.

Recognizing that a holistic, client-centered approach to service delivery is likely to have the most effective and sustainable impact on improving and saving lives, professionals involved in this approach, who are from different sectors and governed by different privacy legislation and policy, should consider the following common set of principles. It is important to note that rules governing the collection, retention, use and disclosure of personal information are set out in legislation. The approach and principles discussed in this guidance document have been developed to support professionals to use their judgment and make information sharing decisions in compliance with relevant legislation and policy for the greatest benefit of individual(s) at risk.

Consent

Whenever possible, the ideal way to share personal information about an individual is by first obtaining that individual’s consent (for example, consistent with the requirements in section 42(1)(b) of FIPPA, section 32(b) of MFIPPA, sections 18, 29 and 30 of PHIPA, and sections 286 and 287 of the CYFSA). While this consent may be conveyed by the individual verbally or in writing, professionals should document the consent, including with respect to the date of the consent and the scope of the consent (for example, what information will be shared, with which organizations, for what purpose(s), and whether the consent comes with any restrictions or exceptions or has been updated or withdrawn by the affected individual).

When a professional is engaged with an individual(s) that they believe is at an acutely elevated risk of harm and would benefit from the services of other agencies/organizations, they may have the opportunity to ask the individual(s) for consent to share their personal information. However, in some serious, time-sensitive situations, there may not be an opportunity to obtain consent. In these instances, professionals should refer to pieces of legislation, including privacy legislation, which may allow for the sharing of personal information absent consent.

With or without consent, professionals may only collect, retain, use or disclose personal information in a manner that is consistent with legislation (that is, FIPPA, MFIPPA, PHIPA, CYFSA and/or other applicable legislation to which the agency/organization is bound), and they must always respect applicable legal requirements, including the data minimization requirements in section 30 of PHIPA and section 287 of the CYFSA.

Professional codes of conduct

It is the responsibility of all professionals to consider and adhere to their relevant professional codes of conduct and standards of practice.  As in all aspects of professional work, any decision to share information must be executed under appropriate professional discipline. This presumes the highest standards of care, ethics and professional practice (for example, adherence to the policies and procedures upheld by the profession) will be applied if and when information is shared. Decisions about disclosing information must also consider the professional, ethical and moral integrity of the individuals and agencies/organizations that will receive the information. The decision to share information must only be made if the professional is first satisfied that the recipient of the information will also protect and act upon that information in accordance with established professional and community standards and legal requirements. As this relates to collaborative community safety and well-being practices, this principle reinforces the need to establish solid planning frameworks and carefully structured processes and agreements.

Do no harm

First and foremost, this principle requires that professionals operate to the best of their ability in ways that will more positively than negatively impact those who may be at an acutely elevated risk of harm. Decisions to share information in support of an intervention must always be made by weighing out the benefits that can be achieved for the well-being of the individual(s) in question against any reasonably foreseeable negative impact associated with the disclosure of personal information. This principle ensures that the interests of the individual(s) will always remain a priority consideration for all those involved.

Duty of care

Public officials across the spectrum of human services assume within their roles a high degree of professional responsibility — a duty of care — to protect individuals, families and communities from harm. For example, the first principle behind legislated child protection provisions across Canada is the duty to report, collaborate and share information as necessary to ensure the protection of children. Professionals who assume a duty of care are encouraged to be mindful of this responsibility when considering whether or not to share information.

Due diligence and evolving responsible practice

Professionals are encouraged to document, evaluate and exchange information about their information sharing-related decisions, in a de-identified manner. These activities are encouraged to help agencies and organizations build a stronger and broader base of privacy compliant practices, as well as evidence of the impact and effectiveness of information sharing.

When it comes to questions about information sharing and privacy compliance, professionals are encouraged to first seek any clarifications they may require from within their respective organizations. The IPC is available to provide general information and guidance to assist institutions, health information custodians and services providers in understanding their obligations under FIPPA, MFIPPA, PHIPA and Part X of the CYFSA. For those seeking feedback or guidance on new programs, projects, technologies, or processes, please see the IPC’s policy consultations webpage. The IPC may also be contacted by email at info@ipc.on.ca, or by telephone (Toronto area: 416-326-3333; long distance within Ontario, toll-free: 1-800-387-0073; TTY: 416-325-7539).

Note that FIPPA, MFIPPA, PHIPA and Part X of the CYFSA provide civil immunity for any decision to disclose or not to disclose made reasonably in the circumstances and in good faith.

Acutely elevated risk

For the purposes of the following Four Filter Approach, “acutely elevated risk” refers to a situation negatively affecting the health or safety of an individual, family, or specific group of people, where professionals are permitted to share personal information under provincial privacy legislation to eliminate or reduce an objective risk of serious harm to one or more individuals. For a disclosure to be considered permissible, it must comply with the applicable disclosure provision.

In particular, section 42(1)(h) of FIPPA, section 32(h) of MFIPPA, section 40(1) of PHIPA and section 292(1)(g) of the CYFSA provide for harm reduction related disclosures.

Section 42(1)(h) of FIPPA and section 32(h) of MFIPPA read:

An institution shall not disclose personal information in its custody or under its control except in compelling circumstances affecting the health or safety of an individual if upon disclosure notification is mailed to the last known address of the individual to whom the information relates.

Section 40(1) of PHIPA reads:

A health information custodian may disclose personal health information about an individual if the custodian believes on reasonable grounds that the disclosure is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons.

“Significant risk of serious bodily harm” includes a significant risk of serious physical or serious psychological harm. Like other provisions of PHIPA, section 40(1) is subject to the mandatory data minimization requirements set out in section 30 of PHIPA.

Section 292(1)(g) of the CYFSA reads:

A service provider may, without the consent of the individual, disclose personal information about an individual that has been collected for the purpose of providing a service, if the service provider believes on reasonable grounds that the disclosure is necessary to assess, reduce or eliminate a risk of serious harm to a person or group of persons.

Like other provisions of Part X of the CYFSA, section 292(1)(g) is subject to the mandatory data minimization requirements set out in section 287.

Note: This guidance uses the phrases “acutely elevated risk” and “objective risk of serious harm” to describe or refer to the harm related disclosure rules in FIPPA, MFIPPA, PHIPA and the CYFSA. However, the harm related disclosure rules in PHIPA and the CYFSA address the harm threshold in somewhat more detailed and stringent terms. It is critical that all agencies/organizations ensure they are familiar with the disclosure rules that apply to them prior to making any related disclosure decisions.

Four Filter Approach to information sharing

In Situation Tables, professionals meet to discuss whether to launch an intervention. Such discussions may require the sharing of personal information about an individual(s). For that reason, the ministry encourages professionals to obtain express consent of the individual(s) before the collection, retention, use and disclosure of personal information. If express consent is obtained to disclose personal information to specific agencies/organizations involved in a multi-sectoral risk intervention model for the purpose of harm reduction, the disclosing professional may rely on consent to disclose personal information and collaborate with the specific agencies/organizations for that purpose.

If it is not possible to obtain express consent and it is still believed that disclosure is required, professionals at Situation Tables are encouraged to comply with the Four Filter Approach outlined below.

Under the Four Filter Approach, the disclosing agency/organization must have the authority to disclose, and each recipient agency/organization must have the authority to collect and use the personal information. The question of whether an agency/organization “needs-to-know” depends on the circumstances of each individual situation or discussion.

Agencies/organizations involved in Situation Tables should be reviewed on a regular basis. Agencies/organizations that are rarely involved in interventions should be removed from the table and contacted only when it is determined that their services are required.

Filter one: Initial agency/organization screening

The first filter is the screening process by the professional that is considering engaging partners in a multi-sectoral intervention. Professionals must only bring forward situations where they believe that the discussion subject(s) is at an acutely elevated risk of harm as defined above. The professional must be unable to eliminate or reduce the risk without bringing the situation forward to the group. This means that each situation must involve risk factors beyond the agency/organization’s own scope or usual practice – including through its usual approach to making bilateral referrals for service – and thus represents a situation that could only be effectively addressed in a multi-sectoral manner. Professionals must therefore examine each situation carefully and determine whether the risks posed require the involvement of multi-sectoral partners. Criteria that should be considered at this stage include:

  • The intensity of the presenting risk factors, as in: Is the presenting risk of such concern that the intrusion on an individual’s privacy occasioned by bringing the situation forward for multi-sectoral discussion can be justified?
  • Is there an objective risk of serious harm if nothing further is done?
  • Would that harm constitute substantial interference with the health or well-being of a person and not mere inconvenience to the individual or agency/organization?
  • Did the agency/organization do all it reasonably could to mitigate the risks before bringing the situation forward?
  • Do the risks presented in this situation apply to the mandates of multiple agencies/organizations?
  • Do multiple agencies/organizations have the mandate to intervene or assist in this situation?
  • Is it reasonable to believe that disclosure to multi-sectoral partners will help eliminate or reduce the anticipated harm?

Before bringing a discussion forward, professionals should identify in advance the relevant agencies/organizations that are reasonably likely to have a role to play in the development and implementation of the harm reduction strategy.

Filter two: De-identified discussion with partner agencies/organizations

At this stage, it must be reasonable for the professional to believe that disclosing information to other agencies/organizations will eliminate or reduce the risk posed to, or by, the individual(s). The professional then presents the situation to the group in a de-identified format, disclosing only descriptive information that is reasonably necessary.  Caution should be exercised even when disclosing de-identified information about the risks facing an individual(s), to ensure that later identification of the individual(s) will not inadvertently result in disclosure beyond that which is necessary at filter four. This disclosure should focus on the information necessary to determine whether the situation as presented meets both the threshold of acutely elevated risk, outlined above, and the need for, or benefit from, a multi-agency intervention, before any identifying information is disclosed.

The wide range of sectors included in the discussion is the ideal setting for making a decision as to whether acutely elevated risk factors across a range of professionals are indeed present. Focus the discussion on relevant risk factors and, even then, avoid discussing an individual’s circumstances in precise terms where it is not necessary to do so (for example, refer to an age range rather than a precise age, avoid referring to a precise diagnosis, address, or location, etc.). If the circumstances do not meet the threshold of acutely elevated risk, no personal information may be disclosed, and no further discussion of the situation should occur. However, if at this point the presenting agency/organization decides that disclosing personal information (for example, the individual’s name and address) to some agencies or organizations is necessary to help eliminate or reduce an acutely elevated risk of harm to an individual(s), the presenting agency/organization may agree to disclose necessary information to those agencies/organizations identified at filter three as those specific agencies/organizations reasonably necessary to engage in planning and implementing the intervention.

Filter three: Identifying the intervening agencies/organizations

If it is decided that the threshold of acutely elevated risk has been met, the next step is for the group to determine which agencies/organizations are reasonably necessary to plan and implement the intervention. Additionally, the presenting agency should inform the table of whether the individual has consented to the disclosure of his or her personal information to any specific agencies/organizations. All those agencies/organizations that have not been identified as reasonably necessary to planning and implementing the intervention must then leave the discussion until dialogue about the situation is complete. The only agencies/organizations that should remain are those to whom the individual has expressly consented to the disclosure of his or her personal information, as well as those that the presenting agency reasonably believes require the information in order to eliminate or reduce the acutely elevated risk(s) of harm at issue.

Filter four: Full discussion among intervening agencies/organizations only

At this final filter, identifying information may then be shared with those agencies/organizations that were identified at filter three as being reasonably necessary to involve in planning and implementing the intervention. Adherence to this “need-to-know” approach should be supported in advance by way of an information sharing agreement that binds all the involved agencies/organizations.

At this final filter, only agencies/organizations that have been identified as having a direct role to play in an intervention meet to discuss the personal information required in order to inform planning for the intervention. This meeting must be held separately from the larger group. Disclosure of personal information in such discussions must remain limited to the personal information that is deemed necessary to assess the situation and to determine appropriate actions. Sharing of information at this level should only happen to enhance care.

After this sub-group is assembled, if it becomes clear that a further agency/organization should be involved, then professionals could involve that party, bearing in mind the necessary authorities for the collection, use and disclosure of the relevant personal information.

If at any point in the above sequence it becomes evident that resources are already being provided as required in the circumstances, and the professionals involved are confident that elevated risk is already being mitigated, there shall be no further discussion by the professionals other than among those already engaged in mitigating the risk.

The intervention

Following the completion of filter four, an intervention may take place to address the needs of the individual, family or specific group of people, and to eliminate or mitigate their risk of harm. At many Situation Tables, the intervention may involve a “door knock” where the individual is informed about, or directly connected to, a service(s) in their community. In all cases, if consent was not already provided prior to the discussion being brought forward (for example, at a multi-sectoral risk intervention model such as a Situation Table), obtaining consent to permit any further sharing of personal information in support of providing services must be a priority of the combined agencies/organizations responding to the situation.

Individuals should be free to accept an offer of services and refuse to consent to further information sharing at the Situation Table. If upon mounting the intervention, the individual(s) being offered the services declines, no further action will be taken, including any further information sharing at the Situation Table.

Notice and transparency

Institutions such as school boards, municipalities, hospitals and police services are required to provide written notice to individuals following the disclosure of their personal information under section 42(1)(h) of FIPPA and section 32(h) of MFIPPA.

The written notification required under these sections may be made through methods other than being “mailed to the last known address.” Regardless of the method by which the required notice is provided, the individual should be provided with a card, document or record that:

  • lists the names and contact information of the agencies/organizations to whom their personal information was disclosed (for example, at filter four)
  • contains a brief description of the purpose and scope of the information disclosed

Even where this practice is not required, it is recommended that all individuals be provided with written notice of the disclosure of their personal information. This should generally be done when the intervention is being conducted or shortly thereafter, unless providing the notice itself could reasonably be expected to cause serious harm, in which case the notice may be delayed until that risk has abated.

In addition, section 16 of PHIPA requires health information custodians, and section 311 of the CYFSA requires service providers, to make a written statement available to the public containing a general description of the relevant information practices related to a multi-sectoral risk intervention model such as a Situation Table. If a health information custodian or service provider discloses personal information outside of the scope of the description of their information practices, they must comply with the applicable notification requirements in section 16(2) of PHIPA and section 311(2) of the CYFSA.

All agencies and organizations participating in Situation Tables are encouraged to be transparent about their information sharing policies, procedures and practices; for example, proactively disclosing governance documentation on their websites, such as their current information sharing agreements and a general description of how they use and disclose individuals’ personal information and how individuals can learn more.

Report back

Following an intervention (for example, at a subsequent Situation Table meeting), participating agencies or organizations may want to provide an update regarding the intervention to the multi-sectoral group, including those agencies/organizations that did not participate in the intervention. The character and scope of such a “report back” phase is dependent on professionals receiving express consent from the individual(s).

Unless express consent to being identified to the entire group is given by the individual(s), the report back must be limited to the date of closure and an indication that the discussion can be considered closed, or whether the intervening agencies/organizations need to discuss further action. If the discussion is being closed, limited information may also be shared regarding the reason for closure (for example, services mobilized). Either way, without express consent, report backs must be conducted in a de-identified manner, with a focus on pertinent information about the risk factors, protective factors and agency/organization roles that transpired through the intervention.

Data minimization and record retention

It is critical that agencies/organizations comply with applicable legal requirements under provincial privacy legislation with respect to personal information they collect, use, retain and disclose, including requirements related to accuracy, security, preservation, retention and disposal. Agencies/organizations should also develop and implement effective records and information management practices* and comply with information handling rules and safeguards specified in their organization’s policies and procedures. 
Note: For guidance on record-keeping and records information management practices, see the IPC’s guidance on FIPPA and MFIPPA: Bill 8 — The Recordkeeping Amendments, Improving Access and Privacy with Records and Information Management, and Webinar on Records Information Management.

To support compliance, this section discusses data minimization, the use of pseudonyms, and the retention and disposal of personal information.

Data minimization

Data minimization refers to the practice of reducing the amount of personal information that is collected, used, retained and disclosed to that which is necessary to achieve a legitimate (that is, authorized) purpose. Data minimization is a fundamental privacy principle that, when applied throughout the information life cycle, will protect privacy and enhance security. Data minimization is also a legal requirement under section 30 of PHIPA and section 287 of the CYFSA. In the context of Situation Tables, agencies/organizations implement data minimization by:

  • Not collecting, using, retaining or disclosing personal information if other information will serve the harm reduction purpose.
  • Not collecting, using, retaining or disclosing more personal information than is reasonably necessary to meet the harm reduction purpose.
  • Not collecting, using or retaining personal information from, or disclosing personal information to, more agencies/organizations than is necessary to meet the harm reduction purpose.

Data minimization practices include creating and using a pseudonym, maintaining records or databases that are easily redacted or severable and limiting the subject line and contents of electronic messages.

Use of pseudonyms versus personal information

Only newly assigned unique “pseudonymous” (that is, randomized) alpha-numeric characters should be used to keep track of individual discussions at a Situation Table, rather than identifying or quasi-identifying information such as an individual’s initials, address or telephone number. Careful management of this tracking responsibility is vital, including to ensure that such tracking is done in a de-identified manner.

The only exceptions to this pseudonymous approach to record keeping at a Situation Table relate to the need to document information sharing and intervention related decisions and activities. In this regard, the agency/organization that brings an individual discussion forward, as well as the planning and intervening agencies/organizations, should record some information about each such use of personal information. Other professionals involved at filters two or three should not keep any notes, particularly those that contain personal information. If any such notes are kept, they should be securely destroyed unless their retention is legally required.

Retention and disposal of personal information

Agencies and organizations are required to retain and dispose of personal information in their custody or control in a secure manner. Personal information should only be retained for as long as necessary to serve the intended purpose, or as legally required. This includes retaining personal information for at least one year after use or as long as necessary to facilitate an individual’s right to seek access to their own personal information.

These requirements apply to personal information contained in emails or other forms of electronic communications. In addition, note that agencies/organizations should ensure that all copies of emails containing personal information on portable devices are double-deleted (for example, from both your email inbox and trash folder) once their retention is no longer required and they have already been documented in the individual’s record.

Participating agencies and organizations should also consider developing or updating relevant records retention schedules, in accordance with their policies and procedures, as well as applicable legal requirements, to outline the length of time records must be kept and what will happen to those records after that time has elapsed (for example, will they be securely destroyed or transferred to the Archives of Ontario). Generally, records retention schedules should contain a description of the records (including volume and format), the length of time that the records are to be retained by the agency/organization, the length of time records may need to be retained in offsite storage and a decision as to whether they will be transferred to an archive or destroyed at the end of the retention period.

Virtual and digital communication

Virtual and digital delivery of Situation Tables has become an integral part of enhancing the safety and well-being of Ontario communities. Virtual and digital collaboration involves sharing information via audio, video, email and text-based communication channels. These forms of digital communications offer significant convenience for agencies/organizations, but also introduce or amplify privacy and security concerns. Risks include unauthorized collection, access, use, retention and disclosure of personal information about individuals, related non-compliance with privacy laws and other legal requirements and damage to agency/organization trust and reputation.

To support compliance with privacy and security requirements and best practices, this section highlights examples of some important privacy and security considerations related to the use of virtual and digital communication systems at Situation Tables. Remember, however, that personal information should not be shared through such communication channels - including through email - unless consent to such sharing has been obtained, or such sharing complies with an applicable disclosure provision (for example, as discussed above in the section on acutely elevated risk).

Audio and video conferencing

As Ontario has adapted to new working environments, many Situation Tables turned to audio and videoconferencing services to help connect with colleagues and host meetings.

Remote conferencing presents challenges for protecting privacy. Consider that such platforms or services could collect and retain personal information contained in video, audio and chats; broadcast video streams to multiple parties over insecure networks; and disclose information to unauthorized parties.

Agencies/organizations should review best practices when conducting virtual multi-sectoral risk intervention discussions. Recommended best practices include:

  • controlling access to the conferencing platform and services, including by ensuring properly updated and configured software
  • ensuring there are no unauthorized persons in attendance or within hearing or viewing distance of a virtual meeting, including by requiring the use of passwords to log in, and requiring attendees to participate from a private space and wear headphones
  • disabling participants’ ability to record calls or meetings
  • holding breakout sessions at Filter 4 to avoid disclosing personal information to any partners that are not required at Filter 4.

Electronic messaging

Email is one of the dominant forms of communication today. Agencies/organizations have come to rely on email’s convenience, speed and economy. While email offers many benefits, it also poses risks to the privacy of individuals and to the security of personal information. It is important for agencies/organizations to understand these risks and take steps to mitigate them before using email in their communications.

Agencies/organizations must implement technical, physical and administrative or policy safeguards to protect personal information in transit and at rest. This requirement applies to any email communications involving this type of information.

Technical safeguards include encryption, which scrambles the contents of an email so that only those with access to a secret key or password can unscramble and read it. Encryption minimizes the risk of unauthorized collection, use or disclosure of information. It is expected that encryption be used in the context of email communication among agencies/organizations, except in exceptional circumstances. Similarly, agencies/organizations sending email communications to an individual(s) involved in a situation should, where feasible, use encryption. Prior to using unencrypted email, agencies/organizations must notify relevant individuals about their written email policy and obtain their consent. Agencies/organizations should also ensure that all electronic devices are password protected.

Physical safeguards seek to prevent unauthorized use of computing devices with access to stored messages or message attachments. This would include not lending technology, such as cell phones or laptops, to anyone without authorization, and ensuring print copies of messages or documents are securely stored under lock and key. All personal information, including technology that contains personal information, should be stored in an appropriate, secure area to prevent unauthorized access.

Administrative or policy safeguards include:

  • limiting the exposure of unencrypted personal information in the message subject line, in the body of the email and in any attachments
  • providing a notice in an email that the information received is confidential
  • communicating from professional rather than personal accounts
  • confirming and ensuring that contact information is kept up to date
  • restricting access to email systems and emails on a need-to-know basis

Access to information requests and privacy complaints

Individuals have the right to request access to and correction of their own records of personal information, and to file privacy complaints under applicable provincial privacy legislation (for example, FIPPA, MFIPPA, PHIPA and Part X of the CYFSA). Individuals also have the right to request access to any general records held by institutions subject to FIPPA or MFIPPA. In addition, individuals have a right to appeal or make a complaint to the IPC if they are not satisfied with the response provided by an institution, health information custodian or service provider to their access or correction request or privacy complaint.

All agencies/organizations participating in a Situation Table should help to ensure that potential requestors and complainants have access to relevant and up-to-date contact information for any agency/organization that may be responsible for addressing a requestor or complainant's concerns (for example, institutions, health information custodians or CYFSA service providers). Participating agencies/organizations should also be prepared to help direct requestors/complainants to the applicable institution, health information custodian or CYFSA service provider, and provide contact information as needed.

Agencies/organizations subject to provincial privacy legislation (for example, institutions, health information custodians or CYFSA service providers) have additional responsibilities when it comes to assisting requestors and complainants. Additional information about their responsibilities with respect to responding to privacy complaints and access and correction requests can be found on the IPC’s website.

Agencies and organizations also have responsibilities to provide services to individuals consistent with the Ontario Human Rights Code, including in relation to a mental health related disability, and while informal processes may be employed to augment or improve requestor and complaint-related rights, they must not be used to frustrate or deny rights or avoid any duties provided for under provincial privacy legislation.