This is an official version. Copyright © 2007: Queen's Printer
Newfoundland and Labrador Centre for Health Information Regulations

(Filed

Under the authority of section 16 of the Centre for Health Information Act, the Lieutenant-Governor in Council makes the following regulations.

Dated at

Robert C. Thompson

REGULATIONS

Analysis

1. Short title
2. Code adopted
3. Policies and procedures
4. Safeguards
5. Persons bound
6. Notice
7. Privacy impact statement
8. Terms and conditions
9. Disclosure of identifiable personal information
10. Other release of personal information
11. Review

Short title

1. These regulations may be cited as the Centre for Health Information Regulations.

Code adopted

2. The centre shall adopt the Canadian Standards Model Code for the Protection of Personal Information (CAN/CSA Z830-96), including all revisions and amendments to that Code.

Policies and procedures

3. (1) In addition to the requirements of the Code adopted under section 2, the centre shall establish and implement policies and procedures to facilitate the implementation of and ensure compliance with the Centre for Health Information Act, these regulations and the Code, which shall include policies and procedures to

     (a) restrict access to personal information by the centre's employees to personal information that the employee needs to know to carry out the purpose for which the personal information was collected or authorized;

     (b) protect the confidentiality of personal information that is to be disclosed by the centre to a person in a jurisdiction outside the province, which shall include a written agreement respecting the disclosure of that information;

     (c) provide for the proper disposal of records to minimize the risk of unauthorized access to personal information; and

     (d) deal with the particular issues associated with the storage of personal information according to the form in which it is kept.

(2) The centre shall, in establishing policies and procedures under this section, consider the degree of sensitivity of the personal information to be protected.

Safeguards

4. (1) The
centre shall provide those reasonable administrative, technical and physical safeguards
which it considers necessary to protect the privacy, confidentiality and
security of personal information which is collected, used, disclosed, stored or
disposed of by the centre.

(2) Safeguards referred to in this section shall include

     (a) technological systems reasonably considered appropriate to protect the privacy, confidentiality and security of personal information;

     (b) reasonable security arrangements to protect personal information against such risks as unauthorized access, collection, use, disclosure or disposal;

     (c) the designation of a person in the centre who shall be responsible for

          (i) overseeing the privacy, security, and confidentiality of personal information, and

          (ii) responding to inquiries and receiving complaints from the public;

     (d) publishing on the centre's website the internal privacy procedures of the centre, which shall also be available to the public at the centre at reasonable times; and

     (e) appropriate safeguards for the disposal of personal information, including shredding of physical documentation and the permanent deletion of electronic files.

Persons bound

5. (1) The centre shall ensure that all employees, agents, persons under contract to perform services for the centre and persons using personal information at the centre are aware of the duties imposed under the Centre for Health Information Act, these regulations and the Code adopted under section 2, and the policies and procedures established by the centre.

(2) The centre's employees, agents, persons under contract to perform services for the centre and persons using personal information at the centre shall comply with

     (a) the Centre for Health Information Act, these regulations and the Code adopted under section 2; and

     (b) the policies and procedures established by the centre.

Notice

6. The centre shall give notice of the collection, use or disclosure of personal information by publishing on its website and in its annual report an exhaustive list of all the databases used in its operations.

Privacy impact statement

7. (1) A privacy impact assessment shall be prepared on all health information systems where the disclosure and storage of personal information is involved, and a privacy impact statement shall be prepared further to the completion of the privacy impact assessment on a case by case basis.

(2) A privacy impact statement prepared under
subsection (1) shall be available to the public upon request at reasonable
times.

Terms and conditions

8. The terms and conditions for release of personal information under the Acts referred to in paragraph 16(d) of the Centre for Health Information Act shall be specified under agreements concerning the release of the personal information between the centre and the appropriate body acting under that particular Act.

Disclosure of identifiable personal information

9. The centre may disclose identifiable personal information for a research purpose, including statistical research, only where

     (a) the research has been approved by a local not-for-profit research ethics board;

     (b) the research purpose cannot reasonably be accomplished unless that personal information is provided in individually identifiable form;

     (c) any record linkage is not harmful to the individuals that personal information is about and the benefits to be derived from the record linkage are clearly in the public interest;

     (d) the centre and the person to whom the information is being disclosed have signed a written agreement with specific conditions relating to the following:

          (i) security and confidentiality of personal information,

          (ii) the removal or destruction of individual identifiers at the earliest reasonable time,

          (iii) the prohibition of any subsequent use or disclosure of that personal information in individually identifiable form without the express written authorization of the centre, and

          (iv) an agreement to comply with the approved conditions, the Centre for Health Information Act, these regulations and the centre's policies and procedures.

Other release of personal information

10. The centre may disclose personal information to a health information network established by the government of the province or another body in which personal information is recorded for the purpose of facilitating

     (a) the delivery, evaluation or monitoring of a program that relates to the provision of health care or payment for health care, or

     (b) review and planning that relates to the provision of health care or payment for health care.

Review

11. The
minister shall, within 3 years of the coming into force of these regulations,
review them to assess whether there is a continued need for the regulations, in
whole or in part.

©Earl G. Tucker, Queen's Printer