CLIENT RECORDS COLLECTION & DISCLOSURE POLICY
SECTION 1 - INTRODUCTION
This Client Records Collection & Disclosure Policy (the “CRCD Policy”, or the “Policy”) describes the personal information that Clayman Pharmacy collects from or about its clients, the channels through which it collects this information, how it uses this information, and to whom it discloses that information.
The policy applies to all Clayman Pharmacy employees (whether full-time or part-time), employee contractors, independent contractors, vendors, partners, suppliers, occasional help, volunteers, students, co-ops, officers, directors, shareholders (so long as it remains a Canadian Controlled Private Corporation), and anyone working at or acting on behalf of Clayman Pharmacy, and who are privy to personal information.
|Authorized Representative||A person who has confirmed permission to act and make decisions on behalf of someone else. This authorization may exist for a specific purpose or duration, or it may in place indefinitely.|
|Chief Privacy Officer||A member of the Clayman Pharmacy executive management team who is appointed with the responsibility for managing the risks and business impacts of privacy laws and policies.|
|Disclosure||Personal information about an individual being provided to someone other than the individual or an Authorized Representative.|
|Explicit Consent||An individual, or an Authorized Representative, clearly presented with the option to agree or disagree with the collection, use, or disclosure of personal information prior to receiving any services.|
|Implicit or Implied Consent|
|Informed Consent||This means an individual or Authorized Representative providing consent after they are informed about the expected benefits, potential risks, alternative courses of action, and the likely consequences of receiving or not receiving services, and having the opportunity to ask questions.|
|Manager||A member of the Pharmacy personnel who is responsible for a department or is a people manager.|
|Non-Records||Any material that is not related to clients. This may include, but is not limited to: administrative data, communications, transient memoranda, notes and memoranda having limited or short-term value or usefulness. Non-Records can be generated and/or destroyed at any time without having the need to consult this policy. Purging of non-records is encouraged so as to avoid keeping unnecessary and cumbersome files. Examples of non-records include draft client reports, draft budgets, copy of a staff letter.|
|Opt-out Consent||This means that an individual is given the option to decline consent. If the individual does not clearly decline consent, consent is granted. Optout Consent is usually done in writing.|
|Personal Health Information||
Recorded information about an identifiable individual that relates
Includes any factual or subjective information, recorded or not,
about an identifiable individual. This includes information in any
form, such as:
|Personal Identifiable Information|
A piece of Personal Information (including Personal Health Information) that when used alone, or in conjunction with other pieces of Personal information (including Personal Health Information) can be used to identify a specific individual.
For example, a name is Personal Identifiable Information. An address is Personal Information, but not Personally Identifiable. A birthday is Personal Information, but not Personally Identifiable. However, a birthday with an address together may be Personally Identifiable Information.
|Pharmacy Personnel||A member of the Service Team who is an employee, employed contractor, volunteer, occasional worker, officer, or director of the Pharmacy.|
|Premises||A physical location of the Pharmacy as set out in any of its licenses.|
|Service Team||Refers to those who are involved in providing pharmacy services to a particular client. This includes employees (whether full-time or part-time), employee contractors, independent contractors, vendors, partners, suppliers, occasional help, volunteers, students, co-ops, officers, directors, shareholders (so long as it remains a Canadian Controlled Private Corporation), and anyone working at or acting on behalf of Clayman Pharmacy. Once initial informed consent is obtained from the client, members of their service team are assumed to be included in that consent and can collect, use and disclose the client’s personal information for the provision of services to the client, unless they know that the client has expressly withheld or withdrawn consent.|
|Substitute Decision Maker||See “Authorized Representative”|
1.4 Related Internal Documents
- Employee Confidentiality Agreement
- Records Retention and Destruction Policy
1.5 Legislative Context
The Pharmaceutical Act (Manitoba) -
- Pharmaceutical (General Matters) Regulation 194/2013 - https://web2.gov.mb.ca/laws/regs/current/_pdf-regs.php?reg=194/2013
- Pharmaceutical Regulation 185/2013 - https://web2.gov.mb.ca/laws/regs/current/_pdf-regs.php?reg=185/2013
The Personal Health Information Act (Manitoba) -
- Personal Health Information Act Regulation 245/97 - https://web2.gov.mb.ca/laws/regs/current/_pdf-regs.php?reg=245/97
- Personal Information Protection and Electronic Documents Act (“PIPEDA”) (Federal) - https://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html
SECTION 2 - POLICY
2.1 PolicyClient records are to be collected and disclosed in a manner consistent with this Policy and applicable legislations to safeguard the privacy of clients in relation to the following criteria.
- The collection and disclosure as prescribed by various municipal, provincial and federal statutes that govern the Pharmacy
- The collection and disclosure prescribed by professional standards for the Pharmacy as communicated by the Manitoba College of Pharmacists
- Other criteria as established by the Pharmacy
SECTION 3 - RESPONSIBILITY & PROCEDURE
3.1 Maintaining a Privacy Culture
The need to secure and maintain the privacy of collected information is not assumed to be done, nor is it to be taken for granted, but is to be actively practiced by the Pharmacy. Paper records are to be kept in file drawers and never left unattended in any place where the public has right of access. Verbal exchanges should be undertaken with full awareness of the privacy level of surroundings for any collection or exchange of personal information. Digital information is to only be accessed in private environments, whether inside or outside of the Premises.
The Pharmacy Manager and any other Manager, shall be responsible for the training, education, and monitoring of the pharmacy personnel for maintaining this culture. Any personnel not maintaining this culture shall be identified and will need to undergo proper education and testing prior to being given access to Personal Information.
3.2 Collection of Client Information & Program Registration
In order to support clients of the Pharmacy with the services they request it is vital to collect Personal Information from individual clients. The following procedures need to be followed not only to comply with privacy legislation, but to honour the trust clients place in the Pharmacy by disclosing 4 their personal information whether it be at the time of inquiry, registration, requesting services, or requesting support for those services throughout the time they remain a client of the Pharmacy.
Therefore, all personnel are responsible to collect information from clients in a manner consistent with Privacy Principles. Personal information may be documented in either a hard copy or digital format, depending on the nature and purpose of the information that is collected, and the channel through which the client chooses to interact with the Pharmacy.Consistent with Privacy Principles, the Pharmacy will:
- Identify the purposes for which personal information is collected prior to collection.
- Obtain the informed consent of the individual for the collection, use, or disclosure of the collected information.
- Limit collection of information to what is necessary for the purposes of providing Pharmacy services
- Use fair and lawful means to collect information.
- Limit use and disclosure of personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
- Retain only as long as necessary the personal information collected for the fulfillment of those purposes as outlined in Records Retention and Destruction Policy.
- Ensure accuracy, completeness and up-to-date status of personal information as is necessary for the purpose for which it is used.
3.3 Obtaining Informed Consent
- Consent must be related to the requested service
- Client must be adequately informed prior to consenting
- Client must have the opportunity to ask questions and all questions must be answered.
- If a person declines to provide consent, no pressure or influence will be placed upon the person to provide consent
3.4 Disclosure of Client Records
- As required to provide the requested services
- As instructed by the client
- As instructed by an Authorized Representative
- As required by law
Pharmacy personnel will clearly identify the purposes for which Personal Information will be or is being Disclosed.
- Evaluate the request on the basis of the type, purpose and requesting party and whether other information can serve the purpose for which disclosure of personal information is sought
- Obtain and document consent from the individual about whom personal information is requested (a digital or hard copy of the signed consent form should be retained)
- the date of consent and date of disclosure should be noted in the file.
- Seek assistance from an appropriate internal resource (e.g. manager, Chief Privacy Officer), if a request is unusual or if there is uncertainty about whether disclosure should be made.
3.5 Withdrawal of Consent
Should the client at anytime decide to withdraw their previously granted consent for the disclosure of information, Pharmacy personnel must ensure that this is properly documented on hard copies and digital files to ensure consistency between the two.
3.6 Client Access to Personal Records
Except under special circumstances, clients have the right to access their service records. In creating digital experiences, the Pharmacy will always endeavour to allow Clients self-serve access to Personal Information they have entered, and Personal Information created to provide them with the Pharmacy Services requested. In situations where digital Personal Information is not available, or where non-digital Personal Information is requested, Pharmacy personnel should require Clients to request access in writing, although a verbal request may be acceptable based on the nature of the request. Pharmacy personnel will aim to provide access to personal records within 3 business days. At the very least, Pharmacy personnel are to contact the client within 3 business days to explain why the request will take longer than expected. In no circumstances will the Pharmacy personnel take longer than 5 business days to provide a client access to personal records without the approval of an Officer of the Pharmacy.
Any decision to deny a client access to Personal Information will require the approval of an Officer of the Pharmacy and must be accompanied by an explanation to the client as to why the request was denied.
If it is necessary to deny a client access to only a portion of their Personal Information, than access to any portion that can be provided should be provided and should be accompanied by an explanation to the client as to why the balance of the request was denied.
3.7 Client Request to Correct/Update Their Personal Record
A client may request that Personal Information be corrected. All requests for correction that cannot be made by the client themselves must be made in writing by the client, or their substitute decision maker. Any request to correct information must be reviewed by a Manager.
Any request to update/correct a Client’s Personal Information must be completed in 2 business days unless exception status is approved by a Manager.
3.8 Appeal to Chief Privacy Officer
At any time a client, prospective client, or Authorized Individual can make a request to the Pharmacy’s Chief Privacy Officer for a clarification, explanation, or review of a decision of the Pharmacy personnel.
The Chief Privacy Officer will review any such request and respond to the requestor within 30 business days.
SECTION 4 - GOVERNANCE
4.1 Policy Owner
This policy is the responsibility of the Chief Privacy Officer to maintain