Information Security and Privacy Policy IM-002 May 2018

1. Purpose: Patient Ombudsman will be collecting Sensitive Information that includes personal information (PI) and personal health information (PHI) in order to carry out its business functions described in the Excellent Care for All Act, 2010, S.O. 2010, c. 14 (ECFAA). This document sets out Patient Ombudsman’s policies regarding the management of information security and privacy protection.

Information security refers to methodologies that protect information from unauthorized access, use, disclosure, disruption or destruction regardless of how the information is formatted or whether it is being processed or stored. This document also covers the protection of privacy, the management of security-related risks and the limiting of potential breaches of privacy.

The security of information and the protection of privacy are critical to the success of Patient Ombudsman in providing effective customer service and maintaining public trust. Patient Ombudsman shall act as a responsible conservator of information assets entrusted to its care and shall promote a culture of information security and privacy. Loss of confidentiality, integrity, or availability of information and possible breach could adversely affect the achievement of Patient Ombudsman’s mandate and ability to store Sensitive Information.

2. Scope: This policy applies to all Employees of Patient Ombudsman.

3. Definitions:

Business Owner: means any program director or equivalent having authority and accountability under legislation or policy for particular business activities and related business records.

Employee: means a person employed by, or on contract with the Health Quality Council to work exclusively for Patient Ombudsman, and a person employed by or on contract to the Quality Council, operating as Health Quality Ontario, and assigned to provide Information Technology support to Patient Ombudsman. This includes the person appointed to be the Patient Ombudsman by the Lieutenant Governor in Council.

Information Security & Privacy Classification (ISPC): means a system used to define sensitivity levels of information. The ISPC assigns classifications and communicates the need for safeguards and security measures according to the sensitivity level.

ONE Mail: means an encrypted email system supplied by eHealth Ontario to health care organizations.

Personal Health Information (PHI): means personal health information as defined in the Personal Health Information Protection Act, 2004 (PHIPA).

Personal Information (PI): means personal information as defined in the Freedom of Information and Protection of Privacy Act (FIPPA). In this Policy, PI includes PHI such that every reference to PI is also a reference to PHI.

Personal Information Bank (PIB): means a personal information bank as defined in FIPPA.

Privacy Breach: means an unauthorized internal or external access to, or collection, use or disclosure of personal information or personal health information.

Privacy Impact Assessment (PIA): means a risk management tool used to identify effects that a proposed or existing information system or process may have on an individual’s privacy.

Sensitive Information: includes personal information, personal health information and other information deemed confidential by Patient Ombudsman.

Threat/Risk Assessment (TRA): means a method used to assess threats and vulnerabilities, document security measures and make recommendations for additional safeguards.

4. Roles & Responsibilities: In this section the Patient Ombudsman, as head of Patient Ombudsman, assigns the following roles and responsibilities to establish Employee accountabilities. The Patient Ombudsman may exercise any of the assigned responsibilities, and responsibilities assigned to the Patient Ombudsman can only be exercised by the Patient Ombudsman. In this section a Manager is a person within Patient Ombudsman with whom another Employee has a direct reporting relationship.

4.1 The Patient Ombudsman

a) Review and approve the Information Security and Privacy Policy.
b) Provide business direction and demonstrate priorities.
c) Exercise the delegated authorities as the head under FIPPA for records in the custody or under the control of Patient Ombudsman; for example, making decisions about access requests, and authorizing the destruction of PI.
d) Approve the record retention schedule that would permit the disposition of records at the end of the retention period.
e) Investigate any alleged breach of privacy and/or security by an Employee who reports directly to the Patient Ombudsman and take the necessary actions to avoid similar incidents in the future. When appropriate, determine the appropriate disciplinary action for breach of the Policy.

4.2 Executive Director

a) Provide direction and oversight for management of security-related risks.
b) As the Business Owner, manage the retention and disposition of information.
c) Ensure all business operations and the use, collection and disclosure of information are in accordance with this Policy.
d) Ensure adequate procedures and training are in place for this Policy and promote a culture of privacy.
e) Review PIAs and TRAs and ensure the development and maintenance of a risk assessment program including developing responses and action plans to recommendations, for information security and privacy protection.
f) Review privacy incidents, including complaints regarding this office’s privacy practices and privacy breaches.
g) In the event of potential or actual privacy breaches relating to services provided to Patient Ombudsman by Health Quality Ontario and under Health Quality Ontario’s control, advise Health Quality Ontario’s Chief Privacy Officer.
h) Monitor and track information security and privacy issues and identifiable risks.
i) Investigate any alleged breach of privacy and/or security by direct reports and take the necessary actions to avoid similar incidents in the future. When appropriate, determine the appropriate disciplinary action for breach of the Policy.

4.3 Records Management & Privacy Specialist

a) Provide recommendations and advice with regard to information security and privacy.
b) Review, update and recommend amendments to this Policy based on changes to business functions, development of new procedures and improving trends in information security and privacy.
c) Respond to access and privacy inquiries and complaints regarding this office’s privacy practices and safeguards.
d) Liaise with the Office of the Information and Privacy Commissioner in regard to appeals from decisions arising from freedom of information (FOI) requests, and in regard to privacy breaches.
e) Maintain the PIB index.
f) Provide to Employees information security and privacy awareness and procedures with regard to the use, collection and disclosure of information.
g) Report to the Executive Director on matters regarding information security and privacy.

4.4 Employees

a) Employees must comply with the provisions of this policy and all procedures established to carry out this policy, both of which may be amended from time to time.

4.5 Executive Assistant

a) Maintain a record of the current and historical versions of this Policy.

5. Principles

It is Patient Ombudsman’s policy to manage its functions using the following principles:

5.1 Safeguard and Protect Information

Patient Ombudsman shall have physical and electronic safeguards in place to protect information including, but not limited to, PI within its custody and under its control against loss, theft, unauthorized access, disclosure, copying and use. The nature of the safeguards and method of storage will correspond to the sensitivity of the information collected.

5.2 Collection, Use, and Disclosure of Information

The Patient Ombudsman’s collection, use and disclosure of personal information is governed in accordance with ECFAA and FIPPA. Employees managing PI will protect privacy based on the provisions set out in FIPPA.

5.3 Security in a Holistic Manner

Patient Ombudsman will analyze the security of information and related business services in a holistic manner, with attention to people, process, and technology aspects throughout the information lifecycle and associated services. Resources will be allocated using normal business management practices to ensure alignment of security capabilities and services with the business needs of this office.

5.4 Privacy by Design (PbD)

Patient Ombudsman will take an approach to protecting privacy by embedding it into the design specifications of technologies, business practices, and physical infrastructures as prescribed by the IPC’s Privacy by Design. Patient Ombudsman will take a proactive approach to prevent the invasion of privacy. Privacy protection will be built up front and taken into consideration before processes are implemented.

6. Mandatory Requirements

Patient Ombudsman will ensure that the following requirements are met:

6.1 Access Controls

a) Patient Ombudsman will establish defined responsibilities and delegations of authority that will assign process controls and segregate duties.
b) Access to PI shall be restricted to those who require it to perform their duties and where access is necessary for the administration of this office.
c) Paper-based complaint records, which are not electronically scanned, are to be stored in locked cabinets that protect the records from fire and water damage. Only authorized Employees will be granted access.
d) Electronic records related to complaint cases will be stored on Patient Ombudsman’s case management system behind the Patient Ombudsman’s firewall. Access to the case management system shall require authorization and password.

6.2 Notice of Collection

a) Patient Ombudsman shall notify individuals of the purpose for the intended use of their PI (Notice of Collection).
b) Notice of Collection must include the ECFAA’s provisions that authorize collection, the principal purpose for which the PI is intended to be used, and the title, address and phone number of the Records Management and Privacy Specialist who will answer questions about the collection. The Notice of Collection must be included on forms (physical or electronic) that intend to collect PI.

6.3 Collection, Use and Disclosure of Information

a) Employees shall only collect, use and disclose PI in accordance with the provisions of ECFAA and FIPPA.
b) Employees shall limit their collection, use and disclosure of PI to what is reasonably necessary for the purpose of the collection, use or disclosure and such purpose will be to fulfill the Patient Ombudsman’s mandate as set out in ECFAA and satisfy the related business need.
c) Employees are prohibited from collecting, using or disclosing PI where other information will serve the purpose.

6.4 Consent

a) Patient Ombudsman must obtain informed consent in order to share PI with Health Sector Organizations (HSOs) and/or the Ministry of Health and Long-Term Care (MOHLTC) unless otherwise permitted or required by FIPPA, ECFAA, or other applicable legislation. Disclosure of information in aggregated or de-identified form does not require consent.
b) Subject to the following exception, an Employee will only use an audio recording or captured image of a person where the Employee has obtained that individual’s written consent to do so. If the individual’s consent was not required to audio record or take the image, consent to use the recordings or images is not required.
c) With respect to recording audio or capturing images of individuals, Employees shall refer to IT-002 Acceptable Use of IT Resources Policy, section 5.5.
d) Patient Ombudsman will require written consent to publish names of third-party vendors.
e) An Employee obtaining an individual’s consent must document the consent and that documentation shall be retained with and managed in accordance with the related records’ retention series.

6.5 Retention and Disposition of Information

a) Patient Ombudsman shall retain information regarding Patient Ombudsman’s own initiative investigations, and complaints process, including complaint investigations according to its records retention schedule approved by the Archivist of Ontario. Disposition of this information, whether by means of destruction or transfer to Archives is also determined by the records retention schedule.
b) Administrative related information shall be retained in accordance with the adopted Function-Based Common Record Series. Disposition of this information, whether by means of destruction or transfer to Archives is also determined by this records retention series.
c) In accordance with FIPPA, Patient Ombudsman shall retain information containing the PI of individuals for a minimum of one year following last use of the record, unless the individual consents to its earlier destruction. Telecommunications stored digitally that contain PI shall be retained for at least forty-five (45) days after use, except if the individual to whom it relates consents to earlier destruction.
d) Any destruction of information related to the business of the Patient Ombudsman must be listed in a Notice of Disposition and approved by the Business Owner. Secure destruction of paper-based information must be processed through Iron Mountain.

6.6 Information Sharing

a) Information sharing between Patient Ombudsman and external organizations with regard to PI must be authorized under FIPPA, ECFAA, other relevant legislation, or by the authority of a court of competent jurisdiction. Employees shall not forward Sensitive Information to external organizations via email unless the email system and/or transmission is encrypted. When applicable, ONE Mail will be used to email Sensitive Information.
b) Employees may not, during the term of their employment or contract or any time thereafter, directly or indirectly disclose Sensitive Information collected pursuant to the statutory mandate of the Patient Ombudsman under ECFAA to anyone outside of Patient Ombudsman, including to the Board of the Ontario Health Quality Council or to the Ontario Health Quality Council operating as Health Quality Ontario, unless the disclosure is permitted by law and by Patient Ombudsman.
c) An information sharing agreement must be approved by the Patient Ombudsman and the receiving organization and must specify the following:
   i. purpose and scope of the information sharing exercise;
   ii. legal authority for information sharing;
   iii. the PI to be shared and how it will be used;
   iv. how notice of collection of PI will be addressed by Patient Ombudsman and external organization;
   v. how the external organization will ensure accuracy and security of PI;
   vi. duration of the information sharing agreement and disposition of PI during and on termination of agreement.
   Employees must comply with all information sharing agreements to which Patient Ombudsman is a party.
d) A contractual agreement with third party vendors that may handle PI under the custody or control of Patient Ombudsman must outline security commitments to protect information and privacy along with a confidentiality agreement.

6.7 Personal Information Bank (PIB)

a) Patient Ombudsman will maintain one or more Personal Information Banks containing PI under the control of Patient Ombudsman. The PI in PIBs must be organized or intended to be retrieved by the individual’s name or by an identifying number, symbol or other particular assigned to the individual.
b) Patient Ombudsman must maintain an index of PIBs to identify by type and location the records that contain PI under its custody and control. The index must include the following information for each PIB:
   i. name and location,
   ii. legal authority for collection,
   iii. types of PI maintained,
   iv. how PI is used on a regular basis,
   v. to whom PI is disclosed on a regular basis,
   vi. categories of individuals about whom PI is maintained, and
   vii. policies and practices applicable to the retention and disposal of PI.

6.8 Privacy Impact Assessment (PIA) and Threat/Risk Assessment (TRA)

a) Patient Ombudsman will conduct a PIA when a new project or system is implemented. The PIA shall be conducted early in the project or system development and, if PI is deemed to be involved, privacy must be considered throughout the developmental lifecycle.
b) Patient Ombudsman shall use the PIA to identify risks to individuals and institutions. Risk includes identity theft, adverse impact to employment or business opportunities, distress and privacy breaches.
c) Patient Ombudsman will conduct a TRA when a new technology system or service is introduced or during a system or infrastructure refresh. The TRA will assess both information technology and physical security risks that include, but are not limited to, loss of information, unauthorized access, and malware or virus threat.

6.9 Information Security and Privacy Classification (ISPC)

a) Patient Ombudsman will assign the classification levels of high, medium, low and unclassified to information under its custody and control. These classifications will be based on the recommendations and results of a PIA and/or TRA. Safeguards for each level of classification will be developed based on the TRA process.
b) Information shall be inventoried, classified and marked according to its sensitivity.

6.10 Privacy Breach Protocols

a) Employees shall report a privacy breach immediately to their manager and shall gather all PI that has been disclosed. All appropriate staff are to be notified and necessary steps must be taken to contain the breach.
b) Patient Ombudsman must notify those individuals whose privacy was breached immediately and provide details of the extent of the breach and the specific PI that has been disclosed.
c) Patient Ombudsman will inform the Office of the Information and Privacy Commissioner (IPC) of a privacy breach when required.

6.11 Audit Planning

a) Patient Ombudsman shall develop an audit plan in response to privacy breaches or complaints against Patient Ombudsman’s privacy practices. The audit will include reviewing access logs and the PI or PHI disclosed, and interviewing subject matter experts.
b) Patient Ombudsman will plan periodic record audits with a focus on documents containing PI and/or PHI. Record audits will include examination of access to the file room, the case management system and other computer systems that hold PI and PHI.
c) Audits will be recorded in a log and irregularities must be documented and reported to the Executive Director.

7. Effective Date: May 30, 2018

8. Review Date: May 30, 2020

9. Release: Unrestricted
