This policy describes POPLAR's (“POPLAR”, “we”, “us”, “our”) general privacy and information practices with respect to the personal information and personal health information that we may collect, how we use personal information and personal health information, and the manner in which personal information or personal health information may be disclosed or shared by us (“Privacy Policy”).
- Personal information means information about an identifiable individual.
- Personal health information is information about an individual which relates to: the physical or mental health of the individual, including family health history; the provision of health care to the individual, including the identification of a person as a provider of health care to the individual; and invoicing for health care in respect of the individual. Personal health information includes other identifying information that is contained in a record that contains personal health information.
Permissions
Following permission from a physician, nurse practitioner or group holding data (Health Information Custodian), we will securely collect and manage Electronic Medical Record data. Our approach to data collection, de-identification, cleaning, standardization, coding and forwarding to approved, authorized recipients follows Ontario’s Personal Health Information Protection Act (PHIPA) and the principles outlined in the Tri-Council Policy Statement 2 (TCPS2) (2022), Chapter 5, Section D “Consent and Secondary Use of Information for Research Purposes”:
Researchers who have not obtained consent from participants for secondary use of identifiable information shall only use such information for these purposes if they have satisfied the REB that:
- identifiable information is essential to the research;
- the use of identifiable information without the participants' consent is unlikely to adversely affect the welfare of individuals to whom the information relates;
- the researchers will take appropriate measures to protect the privacy of individuals and to safeguard the identifiable information;
- the researchers will comply with any known preferences previously expressed by individuals about any use of their information;
- it is impossible or impracticable to seek consent from individuals to whom the information relates; and
- the researchers have obtained any other necessary permission for secondary use of information for research purposes.
Collection and Use of Personal Information and Personal Health Information
The information that we will collect may include your name, date of birth, address, personal and family health history, health card information, invoicing, health insurance information, records of your visits, and the care that you received. Personal Identifiers will be securely partitioned away from clinical data and will not be accessible to unauthorized staff or researchers.
We may use your personal information and personal health information for research following Research Ethics Board approval, to compile statistics, to provide data for health system use and for quality improvement, to meet legal requirements, and to fulfill other purposes permitted or required by law. Your personal health information may be disclosed back to physicians, health care professionals, and staff directly involved in your health care for quality improvement purposes, or for your primary care provider to review and notify you of research projects that may be of interest to you.
We may use personal information and personal health information to generate de-identified and/or aggregated information so that it does not contain any information that either alone or with other information could identify an individual. We may use such de-identified and/or aggregated information for research purposes following Research Ethics Board approval, for activities to improve the quality of care, or to evaluate health care services. POPLAR will also enter into agreements to provide de-identified data sets to non-commercial recipients (ICES, the Canadian Primary Care Sentinel Surveillance Network, Diabetes Action Canada) to generate insights into treating and preventing illness and monitoring our health care system. We do not sell data under any circumstances.
Sharing of Personal Information and Personal Health Information
Under certain circumstances, POPLAR will disclose your personal information or personal health information:
- When you have expressly consented to the disclosure;
- When we are authorized to do so without your consent.
All recipients of data are contractually obligated by us to provide an equivalent level of protection for your personal information to the level of protection that we provide.
Security Safeguards
We have instituted appropriate safeguards in our efforts to ensure that the personal information and personal health information that we collect is protected. Our Internal Privacy Policy governs the manner in which all staff and researchers access and manage patient information. All staff and researchers accessing data are required to sign a confidentiality and acceptable use agreement and are required to have privacy training.
Physical safeguards, such as facility access controls, are in place to protect personal information and personal health information.
Our information system uses passwords and firewalls to protect the system from inappropriate access and from Internet users. The security capabilities of the patient information system are also upgraded on an ongoing basis.
If your personal health information is stolen, lost, or accessed by unauthorized persons, we will notify you at the first reasonable opportunity.
We caution that no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security.
Retention of Personal Information and Personal Health Information
POPLAR will retain your personal information and personal health information only for so long as is necessary to fulfill the purpose for which it was collected and to meet our legal and contractual obligations. Where personal information is no longer needed, it will be securely destroyed or permanently anonymized or de-identified.
All personal information and personal health information is stored and retained within Canada at a highly secure data centre, currently the Centre for Advanced Computing in Kingston, Ontario.
Opting out of data collection
You have the right to opt out of data collection. Please approach your primary care provider or a member of their staff. They will notify their Network’s Research Officer, or the designated contact at POPLAR. Alternatively, please email us at info@poplarnetwork.ca.
No data relating to patients who decline to participate will be extracted once we receive a removal request from a patient. We note that it may be impossible to withdraw data that has been processed and shared with other data partners. Studies using aggregated data may have already been published. In cases where total withdrawal is impossible, patients’ identities will continue to be protected.
We will delete any personal information we have about you, unless we are required to keep it by law or deleting it is impossible.
Questions and Concerns
If you have any questions or concerns regarding our information and privacy protection practices, please contact us at info@poplarnetwork.ca.
If you are unsatisfied with the response provided by POPLAR, you may also submit a written complaint to the Information and Privacy Commissioner of Ontario at the following address:
Information and Privacy Commissioner/Ontario
2 Bloor Street East, Suite 1400
Toronto, ON M4W 1A8
www.ipc.on.ca
1-416-326-3333
1 (800) 387-0073 (within Ontario)
Modification to Privacy Policy
We reserve the right to change our Privacy Policy. A revised Privacy Policy will apply only to data collected subsequent to its effective date. Any revisions will be posted at least 10 days prior to their effective date.