- Implied consent to collect, use, and disclose your information
- Express consent to disclose your information
- Exceptions to consent requirements
- UWaterloo privacy contact persons
- UWaterloo privacy officer
- The Information and Privacy Commissioner of Ontario
- Materials from the Information and Privacy Commissioner Ontario
- UWaterloo guidelines and policies
- Other relevant materials
This privacy document applies to the Campus Wellness services at University of Waterloo.
At UWaterloo, information is collected, used, and disclosed in a manner consistent with provincial legislation, such as the Freedom of Information and Protection of Privacy Act (FIPPA), R.S.O. 1990 and the Personal Health Information Protection Act (PHIPA), 2004.
In keeping with Ontario legislation, UWaterloo has a consistent approach to protecting personal information, including health information. Ontario legislation requires anyone that provides you with health care¹ to protect your personal health information. Personal health information means identifying information about an individual in oral or recorded form such as:
- the physical or mental health of the individual (including information that consists of the health history of the individual’s family),
- the providing of health care to the individual (including the identification of a person as a provider of health care to the individual),
- payments or eligibility for health care or coverage for health care in respect of the individual,
- an individual’s health number, or
- any other information about an individual that is included in a record containing personal health information that is maintained for the purpose of providing care or health services.
Individuals who work in Campus Wellness must let you know what we do with your personal health information. In certain situations, we must ask your permission before we collect, use, or disclose it. We are not allowed to collect personal health information where it is not necessary or to collect, use, or disclose more information than is necessary. Privacy legislation also gives you the right, with some exceptions, to see your personal health information and to ask for it to be changed or corrected if you think it is inaccurate or incomplete.
As part of our privacy program, we have this Privacy Statement and have designated a Privacy Contact Person for each of the UWaterloo services covered by this document. This Privacy Statement describes our privacy practices and tells you how you can exercise your rights.
When you seek services from Campus Wellness, we assume that we have your permission to collect, use, and disclose your personal health information among individuals who provide or assist in providing health care to you. The ability to share information about you provides professionals involved in your care with a framework to access and use your personal health information as necessary in order to deliver coordinated and timely care, as well as to ensure the effective and efficient operation of the services provided.
For the purpose of providing care to you or assisting in providing care, your personal health information is stored securely by UWaterloo in an Electronic Health Record. Personal health information in your UWaterloo Electronic Health Record is accessed on a need-to-know basis when accessing specific information is reasonably necessary to provide care to you at UWaterloo. Those accessing personal health information about you abide by the applicable provisions of Ontario privacy legislation; UWaterloo privacy, confidentiality and security of information policies; as well as relevant professional Colleges, Associations, and other regulatory bodies.
Personal health information in your UWaterloo Health Record is accessible within and between Campus Wellness by individuals who provide direct care to you or who may be consulted as necessary in the provision of your care. As well, personal health information in your UWaterloo Electronic Health Record is accessible to support staff in order to perform authorized services such as scheduling appointments, facilitating referrals, and managing information security.
Ontario privacy legislation (i.e., PHIPA) allows for your personal health information to be disclosed to your other health care providers outside of Campus Wellness so they can provide you with ongoing care and follow-up. When such a decision is made, legislative requirements within PHIPA are followed.
You should let us know if you do not want us to use, share, or give out some or all of your personal health information. This can be done when you sign the Personal Health Information and Privacy Consent Form at Campus Wellness. You are free to withdraw consent at any time for the collection, use, or disclosure of your personal health information by providing notice to us. If you do not consent for your personal health information to be accessible through your Electronic Health Record between Campus Wellness, a notation of this will be made within the system. In addition, if you choose to limit how we give out some or all of your personal health information, you should be aware that when we give out your personal health information to others, we are required to tell other services you access when the information is incomplete and the missing information is reasonably necessary for the provision of your health care or assisting in the provision of your health care. For example, we would be obliged to inform others that some personal health information is inaccessible as a result of it having been “locked” by the individual when that locked information is considered reasonably necessary for the provision of health care. Please note that any restrictions that you place on your personal health information do not apply to uses or disclosures required by law, professional or institutional practice, or when disclosure of that personal health information is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to an individual or group of persons.
Except as outlined above or as required by law, your personal health information in your UWaterloo Electronic Health Record will not be disclosed by Campus Wellness to people who do not provide you with health care, like:
- your insurance company or your employer;
- a health care professional for reasons other than providing you with health care;
- your academic advisors, professors, university administration, family or friends.
In cases where you would like us to disclose personal health information about you to others, your express consent is required. This may be obtained verbally, in writing, or by electronic means.
There are certain situations where personal health information can be disclosed without consent. Campus Wellness may decide or is legally required to use and/or disclose some of your personal health information without consent in a number of situations including the following:
- In order to eliminate or reduce a significant risk of serious bodily harm to a person or group of persons or in compelling circumstances affecting the health or safety of an individual;
- When there are reasonable grounds to suspect that a child (under age 16) or a resident of a long-term care home is or may be in need of protection;
- We may also report when there are reasonable grounds to suspect that a person age 16 or 17 years old is or may be in need of protection;
- For the purpose of a legal proceeding or complying with a court order, or for the purpose of administration and enforcement of various Acts by professional Colleges, Associations, and other regulatory bodies;
- Reported sexual abuse by a regulated health professional/regulated professional;
- To process payments through government programs, like the Ontario Health Insurance Plan (OHIP);
- To report certain information, such as a health condition that makes you unfit to drive or to report certain diseases to public health authorities;
- To identify a person who has died;
- To give the spouse or child of the person who has died personal health information to assist them in making decisions about their own care;
- To give information to certain registries or planning bodies that use personal health information to improve health care services or health system management, as long as strict privacy protections are in place;
- To assist health researchers for research, as long as strict privacy requirements are met;
- To improve or maintain the quality of care or the quality of any related program or service offered by UWaterloo Campus Wellness;
- For risk management and legal purposes;
- To allocate resources to our programs and services;
- To assess a person’s ability to make health care and other important decisions.
Disclosure of personal health information when your consent is not required is referenced in Your Health Information and Your Privacy in Our Office (PDF) and occurs in accordance with the following guidelines: Practice Tool for Exercising Discretion: Emergency Disclosure of Personal Information by Universities, Colleges and other Education Institutions (PDF) and Fact Sheet: Disclosure of Information Permitted in Emergency or other Urgent Circumstances (PDF).
A final limit to personal health information and privacy is as follows: in order to provide health care to the UWaterloo campus community, we use a computerized schedule which is accessible to authorized individuals from Campus Wellness. This system is password protected and is located on a password-protected network. When you access service at Campus Wellness your name is entered into this computerized schedule.
The law protects you by making sure your personal health information is never shared for marketing purposes unless you expressly consent.
Campus Wellness may collect, use, or disclose personal health information for fundraising if you expressly consent. However, if the information provided consists only of your name and mailing address, your implied consent can be inferred provided that:
- Fundraising is for charitable or philanthropic purposes related to Campus Wellness;
- Campus Wellness has provided, or has made available, notice to you (at the time of receiving health care) of the intention to use or disclose the personal health information for fundraising purposes, along with information on how you can easily opt out;
- You had not opted out within 60 days from the time the notice had been provided to you;
- Solicitations contain an easy opt-out from any further solicitations; and
- No solicitations contain information about your health care or state of health.
From time to time, Campus Wellness may be involved in research projects designed to improve our service, and may invite you to consider participating in one of these. In such instances, it is our practice to follow guidelines adopted by the professional organizations to which researchers belong. These guidelines could include the Canadian Code of Ethics for Psychologists (PDF) (Canadian Psychological Association, 2000), the Code of Ethics and Standards of Practice Handbook (PDF) (2008) for the Ontario College of Social Workers and Social Service Workers, and Ethics in Research with Human Participants (American Psychological Association, 2000).
In addition, we abide by the guidelines for research involving human participants established by the Office of Research Ethics (ORE) at UWaterloo. Any human research must first be reviewed and receive ethics clearance by either the ORE or the UWaterloo Human Research Ethics Committee. Their review involves a number of things such as evaluating the goals and benefits of the research in relation to risks associated with the procedures; ensuring safeguards are in place to mitigate the risks; determining how the consent process is to occur (which includes considering whether obtaining consent directly is impracticable); confirming that the informed consent document (as applicable) is complete and understandable; and determining whether adequate safeguards are in place to protect the privacy of individuals and the confidentiality of their personal health information.
In certain instances (for example, when research involves collection of information through interviews, focus groups, questionnaires, and surveys) your consent is required. In other instances (for example, when research involves analysis of previously collected data or file information where identifiable information has been removed) your consent may not be required. In cases where your consent may not be required, additional requirements as outlined in PHIPA are followed. For example, researchers shall use your personal health information only for the purpose set out in the research plan, not publish information in a form that could identify you, and not contact you unless you have said they can. If you are invited to participate in research, you should keep in mind that it is voluntary. Your decision to take part or not take part in research will have no impact on the services you receive from us.
Campus Wellness is continually seeking to improve the quality of services offered to students, staff, and faculty at UWaterloo. In order to help us improve, we invite feedback, both orally and/or in writing, from those who access our services. Any information gathered, including ratings and/or written comments, is used only for administrative, statistical, or report-writing purposes. At no time will identifying personal health information be used, shared, or given out.
We have taken the following steps to ensure that your records (paper or electronic) are secure and protected against theft, loss, unauthorized use or disclosure and unauthorized copying, modification or disposal:
- Paper records containing personal health information are either under supervision or secured in a locked or restricted area.
- Electronic records containing personal health information are located on a password-protected network and are accessed on hardware (e.g., computer, laptop, cell phone, USB flash drive) that is password protected and is under supervision or is always secured in a locked or restricted area. In addition, electronic records containing personal health information on any mobile device (e.g., laptop, cell phone, USB flash drive) are encrypted.
- If paper or electronic records containing personal health information are removed from the office, they are transported via secure means and are under the constant control of the clinician or are always secured in a locked or restricted area.
- Each staff member and Independent Contractor in Campus Wellness is trained to collect, use and disclose personal health information only as necessary to fulfil their duties and in accordance with privacy legislation.
- Each staff member and Independent Contractor must sign the Campus Wellness Confidentiality Agreement prior to being given access to any personal health information.
- In the event of any unauthorized use or disclosure of personal health information: individuals will be informed at the first reasonable opportunity, a note will be made in the individual’s record of personal health information, and the note will be kept as part of the records or in a form that is linked to the records.
- To ensure staff compliance with these privacy guidelines, Campus Wellness conducts audits of our Electronic Health Record and reports any breaches to the Privacy Commissioner (IPC).
- Personal health information is protected in accordance with:
  - Campus Wellness guidelines, for example: Personal Information and Privacy: Guidelines for Working Outside the Office (PDF).
  - UWaterloo policies and guidelines, for example: Policy 46 - Information Management and data encryption.
  - Information and Privacy Commissioner Ontario guidelines and requirements, for example: Guidelines for Protecting the Privacy and Confidentiality of Personal Information When Working Outside the Office (PDF), Fact Sheet: Encrypting Personal Health Information on Mobile Devices (PDF), and Fact Sheet: Health-Care Requirement for Strong Encryption (PDF).
Campus Wellness needs to retain personal health information for some time to ensure that we can answer any questions you might have about the services provided and for our own accountability to external regulatory bodies. However, in order to protect your privacy, we do not want to keep personal health information for too long.
In order to decide how long to keep your personal health information, each Service follows the guidelines established by the various professional organizations to which clinicians belong, as well as according to UWaterloo guidelines: Policy 46 – Information Management and UWaterloo Information and Privacy. Unless otherwise required by law, Campus Wellness keeps records in accordance with the longest applicable retention requirements.
We destroy confidential paper files and electronic information securely according to UWaterloo guidelines (confidential shredding and media disposal) as well as according to guidelines set out by the Information and Privacy Commissioner Ontario (Fact Sheet: Secure Destruction of Personal Information (PDF) and Get rid of it Securely to keep it Private: Best Practices for the Secure Destruction of Personal Health Information (PDF)).
You have the right to see and to get a copy of the personal health information that Campus Wellness holds about you. Often, all you have to do is ask (orally or in writing) and confirm your identity. Campus Wellness will follow requirements for access as outlined within PHIPA and in accordance with UWaterloo guidelines and policies. We will identify what records we might have about you and try to help you understand any information you do not understand (short forms, technical language, etc.). We may need to charge a nominal fee to cover the costs of retrieving the documentation and copying.
There may be situations where we are unable to provide you with access to some or all of your record. For example, when the personal health information relates to another individual, law enforcement, legal proceedings, or is subject to legal privilege you may not get to see or obtain a copy of the record. Similarly, when the personal health information could reasonably be expected to result in a risk of serious harm to the treatment or recovery of yourself or a risk of serious bodily harm to yourself or another person, you may not be able to have access to or to obtain a copy of some or all of the information in the record.
We will respond to your request for access to your record as soon as possible. If we are not able to respond within 30 days, we will contact you and let you know in writing the reason for the delay. If we cannot give you access for reasons such as those outlined above, we will notify you within 30 days, if at all possible. A written notice will explain why we cannot give you access to some or all of your record.
If you believe that your record of personal health information is inaccurate or incomplete, you have the right to ask for it to be corrected. Depending on the corrections you are requesting, a written request showing how our files are inaccurate or incomplete is often required. We will respond to your request as soon as possible. If we are not able to respond within 30 days, we will contact you and let you know in writing the reason for the delay.
Requests for corrections apply to factual information and not to any professional opinions or observations made in good faith. We are obligated to correct personal health information where it is demonstrated, to our satisfaction, that the record is in fact inaccurate or incomplete and where the necessary information to correct the record is provided. Any changes will be done carefully so the original record remains visible or by ensuring that the corrected version is readily available.
In some situations (e.g., in matters of professional opinion and observation, or with respect to information created by others), we may not be able to make a correction and will let you know the reason. If you choose, you can attach a statement of disagreement to your record indicating any correction you requested that was not made. You can also ask to have this statement made available to those who see the record.
If you have any questions or concerns, or if you would like to see or correct any of your personal health information, then please speak directly to the staff person who has been involved in the provision of your care. We want to resolve concerns directly with you.
If you are not satisfied with the response to your request, you may contact either of the Privacy Contact Persons designated for Campus Wellness. These individuals are available to assist you with any concerns or decisions regarding privacy.
Sometimes we may be unable to resolve all your concerns about how your personal health information has been handled, even after you have worked to resolve your concern with the staff involved in the provision of your care and the designated privacy contact person for the service with which you’re involved. In that case, you may choose to contact the UWaterloo privacy officer.
Alternatively, or in the event you are dissatisfied with how UWaterloo has responded, you can contact the Information and Privacy Commissioner of Ontario. The Commissioner is the person who has general responsibility for ensuring requirements of the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, and PHIPA are followed.
You can contact the Commissioner about any decision, action or inaction that you believe is not in compliance with the Act, including:
- if you are unable to resolve with us a concern about how your personal health information has been handled;
- if you are unable to see all of your personal health information, or have concerns about a delay in responding to your request;
- if you feel your personal health information in your record is incorrect and you have been unable to persuade us to correct the information; or
- if you disagree with the fee that we charged to see or get a copy of your personal health information.
You must express your concerns in writing within specific time frames designated by the Commissioner, who will try to resolve the matter through mediation. If your concerns cannot be resolved in this way, the Commissioner has the power to investigate and to make an order that sets out what must happen.
UWaterloo privacy contact persons
- Melissa Craig, CHIM, Health Information Specialist, Campus Wellness
519-888-4096 ext. 40880
UWaterloo Privacy Officer
- Kathy Winter
firstname.lastname@example.org 519-888-4096 ext. 36101
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Toll-free: 1-800-387-0073 (within Ontario)
Text Tel. (TTY)/Tel. Device for the Deaf (TDD): 416-325-7539
This document provides general information only and is not legal advice as to all rights and obligations under Ontario legislation.
- Freedom of Information and Protection of Privacy Act (R.S.O. 1990)
- Municipal Freedom of Information and Protection of Privacy Act (R.S.O. 1990)
- Personal Health Information Protection Act (2004)
- Personal Information Protection and Electronic Documents Act (PIPEDA, 2004)
- Information and Privacy
Information and Privacy Commissioner Ontario (2005). Your Health Information and Your Privacy in Our Office (PDF)
Information and Privacy Commissioner Ontario (2005). Frequently Asked Questions: Personal Health Information Protection Act (PDF)
- Working Outside the Office
Information and Privacy Commissioner Ontario (1998). Privacy and Confidentiality When Working Outside the Office
Information and Privacy Commissioner Ontario (2001). Guidelines for Protecting the Privacy and Confidentiality of Personal Information When Working Outside the Office (PDF)
- Security of Personal Health Information
Information and Privacy Commissioner Ontario (2007). Fact Sheet: Encrypting Personal Health Information on Mobile Devices (PDF)
Information and Privacy Commissioner Ontario (2010). Fact Sheet: Health-Care Requirement for Strong Encryption (PDF)
Information and Privacy Commissioner Ontario (2012). Fact Sheet: The Secure Transfer of Personal Health Information (PDF)
- Disclosure of Personal Health Information
Information and Privacy Commissioner Ontario (2006). What to do When Faced with a Privacy Breach: Guidelines for the Health Sector (PDF)
Information and Privacy Commissioner Ontario (2008). Practice Tool for Exercising Discretion: Emergency Disclosure of Personal Information by Universities, Colleges, and other Educational Institutions (PDF)
Information and Privacy Commissioner Ontario (2005). Fact Sheet: Disclosure of Information Permitted in Emergency or Other Urgent Circumstance (PDF)
- Destruction of Personal Health Information
Information and Privacy Commissioner Ontario (2009). Fact Sheet: Get Rid of it Securely: Keep it Private: Best Practices for the Secure Destruction of Personal Health Information (PDF)
Information and Privacy Commissioner Ontario (2005). Fact Sheet: Secure Destruction of Personal Information (PDF)
- General Information and Privacy
- Security of personal health information: Policy 46 - Information Management
- Data encryption/electronic security
- Record retention and destruction of personal health information: Policy 46 - Information Management
- Confidential shredding procedures
- American Psychological Association (2000). Ethics in Research with Human Participants.
- Canadian Psychological Association (2000). Canadian Code of Ethics for Psychologists.
- Canadian Psychological Association (2001). Practice Guidelines for Providers of Psychological Services.
- College of Nurses of Ontario
- College of Physicians and Surgeons of Ontario
- College of Psychologists of Ontario (2005). Standards of Professional Conduct.
- Ontario College of Social Workers and Social Service Workers (2008). Code of Ethics and Standards of Practice Handbook.
¹ Health care means any observation, examination, assessment, care service or procedure provided for a health-related purpose (e.g., in order to diagnose, treat, or maintain an individual’s physical or mental condition; for prevention of disease or injury, for health promotion).