2011-Pe-Ices-Rpt.Pdf

REPORT PREPARED FOR THE OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER OF ONTARIO IN RESPECT OF PHIPA REQUIREMENTS FOR REVIEW AND APPROVAL OF PRESCRIBED PERSONS AND PRESCRIBED ENTITIES

INSTITUTE FOR CLINICAL EVALUATIVE SCIENCES (ICES)
www.accessprivacy.com
SUBMISSION 31 AUGUST 2011

Table of Contents

Introduction
Background

Part 1 - Privacy Documentation
1. Privacy Policy in Respect of ICES’ Status as Prescribed Entity
2. Policy and Procedures for Ongoing Review of Privacy Policies, Procedures and Practices
3. Policy on the Transparency of Privacy Policies, Procedures and Practices
4. Policy and Procedures for the Collection of PHI
5. List of Data Holdings Containing PHI
6. Policy and Procedures for Statements of Purpose for Data Holdings Containing PHI
7. Statements of Purpose for Data Holdings Containing PHI
8. Policy and Procedures for Limiting Agent Access To and Use of PHI
9. Log of Agents Granted Approval to Access and Use PHI
10. Policy and Procedures for the Use of PHI for Research
11. Log of Approved Uses of PHI for Research
12. Policy and Procedures for Disclosure of PHI for Purposes other than Research
13. Policy and Procedures for Disclosure of PHI for Research Purposes and the Execution of Research Agreements
14. Template Research Agreement
15. Log of Research Agreements
16. Policy and Procedures for the Execution of DSAs
17. Template Data Sharing Agreement
18. Log of Data Sharing Agreements
19. Policy and Procedures for Executing Agreements with Third Party Service Providers in Respect of PHI
20. Template Agreement for All Third Party Service Providers
21. Log of Agreements with Third Party Service Providers
22. Policy and Procedures for the Linkage of Records of PHI
23. Log of Approved Linkages of Records of PHI
24. Policy and Procedures with Respect to De-identification and Aggregation
25. Privacy Impact Assessment Policy and Procedures
26. Log of Privacy Impact Assessments
27. Policy and Procedures in Respect of Privacy Audits
28. Log of Privacy Audits
29. Policy and Procedures for Information (Privacy/Security/Policy) Breach Management
30. Log of Privacy Breaches
31. Policy and Procedures for Privacy Complaints and Privacy Inquiries
32. Log of Privacy Complaints & Privacy Inquiries
33. Policy and Procedures for Privacy Inquiries

Part 2 - Security Documentation
1. Information Security Policy
2. Policy and Procedures for Ongoing Review of Security Policies, Procedures and Practices
3. Policy and Procedures for Ensuring Physical Security of PHI
4. Log of Agents with Access to ICES Premises
5. Policy and Procedures for Secure Retention of Records of PHI and De-identified Information
6. Policy and Procedures for Secure Retention of Records of PHI on Mobile Devices
7. Policy and Procedures for Secure Transfer of Records of PHI
8. Policy and Procedures for Secure Disposal of Records of PHI
9. Policy and Procedures Relating to Passwords
10. Policy and Procedures for Maintaining and Reviewing System Control and Audit Logs
11. Policy and Procedures for Patch Management
12. Policy and Procedures Related to Change Management
13. Policy and Procedures for Back-Up and Recovery of Records of De-identified Information and PHI
14. Policy and Procedures on the Acceptable Use of Technology
15. Policy and Procedures in Respect of Security Audits
16. Log of Security Audits
17. Policy and Procedures for Information Security Breach Management
18. Log of Information Security Breaches

Part 3 - Human Resources Documentation
1. Policy and Procedures for Privacy/Security Training and Awareness
2. Log of Attendance at Initial Privacy/Security Orientation and Ongoing Privacy/Security Training
3. Policy and Procedures for the Execution of Confidentiality Agreements by Agents
4. Template Confidentiality Agreement with Agents
5. Logs of Executed Confidentiality Agreements with Agents
6. Job Description for the CPO
7. Job Description for the CISO
8. Policy and Procedures for Termination or Cessation of the Employment or Contractual Relationship

Part 4 - Organizational and Other Documentation
1. Privacy and Security Governance and Accountability Frameworks
2. Security Governance and Accountability Framework
3. Terms of Reference for Committees with Roles with Respect to the Privacy Program and/or Security

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 202
