Information Sharing Resource for Service Providers

Regulations, professional codes, legislation, and accreditation guidelines all inform how information is collected, used, and disclosed in the Alberta nonprofit sector. Within Edmonton and area’s mental health sector, service providers have identified that clarification on the many available guidelines is needed to ensure they are making informed, thoughtful, and defensible decisions when sharing client-level information.

The Community Mental Health Action Plan (CMHAP) and PolicyWise for Children & Families have partnered to develop this resource to support a clearer understanding of information sharing guidelines for leaders and staff in the mental health sector.

All research undertaken for this resource was conducted by PolicyWise for Children & Families. PolicyWise developed the content for this resource on behalf of the Community Mental Health Action Plan, and in collaboration with the Information Sharing Task Group.”

Before You Begin

Know Your Legislation

Four pieces of legislation guide information sharing in Alberta’s mental health sector. Here is a quick overview:

  • The Health Information Act (HIA) applies to health information. HIA applies only to health custodians and affiliates of the HIA. Nonprofits should know when they employ or contract with a custodian or affiliate. It is up to custodians to inform affiliates of their obligations.
  • The Freedom of Information and Protection of Privacy Act (FOIP) applies to cases when personal informa- tion is at issue, but not health information, and a public body is involved. FOIP could apply for example, to the contracts, funding agreements, and proposals created when a nonprofit enters formal agreements with the government.
  • The Personal Information Protection Act (PIPA) applies to cases when personal information is at issue,
    but not health information, and a private-sector organization is involved. PIPA only applies to the nonprofit organizations to the extents that the organization collects, uses or discloses personal information in connection with commercial activities (see section 56 (1)(a)(b)(2)3)). Examples of commercial activities could include charging registration fees, or the selling of donor lists. Consider that anytime money is chang- ing hands, PIPA may apply.
  • The Children First Act applies when information regarding the health, security, education, safety, and well-being of children and youth is at issue. Service providers and custodians may disclose personal information about a child to other service providers and custodians if it is deemed in the best interests of the child (Manhas, 2017).Nonprofits are required to know which legislation applies to them. It is possible that you do not fall under any of these Acts, but the information here may provide useful insight to help guide you in your decision making.

Client consent to collect, use, and disclose information is the first consideration for service providers when asked to disclose client information. Here are some quick tips about consent:

  • Consent to collect, use, and disclose information is different than consent for services.
  • Organizations must inform individuals of the purpose for collecting information, the proposed and potential uses of that information, the cases in which disclosures will be made without consent, and the storage and disposal of that information.
  • Consent can be verbal, in writing, or gained electronically (written is always preferable and encouraged, and is mandatory under accreditation standards).
  • Clients should always be informed about circumstances in when consent is not needed to disclose information:
    • If the client is a child and it is determined to be in their best interest to share that information
    • When a child is in need of protection
    • When disclosure is required to prevent clear and imminent danger to the client or others and
    • When legal requirements demand that confidential material be revealed.
  • Consent forms that list a number of organizations, services, or people the service provider may want to share information with, and require the client to check off who they can share with (aka “boilerplate consent forms”), are not recommended and in some cases are unacceptable. Instead, a time-bound Release of Information form should be created as needed.
  • Clients have the right to withdraw consent at any time.
  • Document each time you share information in the client’s file.

A helpful resource on consent was jointly issued by the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioner of Alberta and British Columbia.

Questions to Consider – Consent
  • Do I have consent to share information?

  • Am I able to obtain client consent?

  • Does the client know and understand how this information will be used?

Understand Reasonableness

When it comes to collecting, using, and disclosing information, PIPA asks that we consider reasonableness. PIPA defines reasonableness to be “what a reasonable person would consider appropriate in the circumstances”. The concept of reasonableness applies in all situations where you might be asked to share a client’s information.

Questions to Consider – Reflect on Reasonableness
  • What would another service provider in the same situation do?

  • Does the person requesting
    information have a reason to ask for this information?
  • Would my client consider this ask to be a reasonable request?
  • Is it reasonable to decline sharing any information until client consent can be obtained?

In The Moment

Share The Least Amount Necessary

Sharing the right amount of information can be tricky. Here are some tips to help you make a situation-specific decision:

After Collecting, Using or Disclosing Information

Document

Document each circumstance you share information in the client’s file. This can be a simple notation on the appropriate release of information, or in the form of a case note.

Safeguard Personal Information

Organizations and programs should have administrative, technical, and physical safeguards in place to protect information. You can find resources in the Protecting Personal Information: A Workbook for Non-profit Organizations (Government of Alberta, 2010). This workbook includes some common-sense security practices:

  • Password-protect devices with sensitive information on them.
  • Store client information in a locked filing cabinet or desk drawer.
  • Keep firewalls and anti-virus software up to date.
  • Board members, employees, and volunteers receive information about their obligation to protect personal information (p. 14-16).

Nonprofits governed by PIPA, HIA, or FOIP are required to report privacy breaches. The Office of the Privacy Commissioner of Alberta defines privacy breaches as “a loss of, unauthorized access to, or unauthorized disclosure of personal information or individually identifying health information.” OIPC resources to assist reporting a privacy breach can be found here.

Protect The Client’s Right To Access Their Own Information

Both PIPA and the HIA acknowledge that individuals have a right to access their own health or personal infor- mation. Acknowledge and uphold an individual’s right to access information about themselves and to request corrections of it. The Alberta OIPC can provide more information on making an access request here.

Scenarios

The following three scenarios can clarify how PIPA and the Children First Act legislation inform information-sharing in the nonprofit sector.

Commercial Activities and PIPA

Manhas (2017) provides the following overview of two cases adjudicated by the Office of the Information and Privacy Commissioner (OIPC), which offer guidance on PIPA and commercial activities:

In this case, the Applicant requested access to his personal information held by the Legal Aid Society of Alberta (LASA) and considered their response incomplete [27]. The Applicant then complained to OIPC.

The Adjudicator first considered whether PIPA applied to LASA. First, the Adjudicator recognized that the determination of whether a commercial activity occurred will be on a case-by-case basis. Second, the mere exchange of a service for a fee does not in itself indicate a commercial activity, rather PIPA intends to include trade or business-like activity. The Adjudicator noted that “… PIPA is meant to apply to non-profit organizations that are carrying out activities as though they are a business.” LASA could not be distinguished “from an operational or service standpoint” from a private law practice when LASA assessed individuals for legal aid coverage, arranged for legal services to be provided, and provided legal services. As such, LASA’s collection of personal information for these purposes was subject to PIPA.

Fairways Villas (2011)

In the Fairways Villas South Homeowners’ Association case, an appropriately incorporated nonprofit managed and maintained the Fairways Villas lands for a monthly fee. It also sent emails to the Complainant regarding lawn care and sprinkler testing. Because the maintenance services were provided in exchange for a monthly fee, the Homeowners’ Association was subject to PIPA for email disclosures as this was in direct connection to a commercial activity.

Children First Act

A community-based nonprofit was working with a 14 year old. A number of supports were being provided, including mental health outreach. An outreach worker had to call 911 when the youth became violently ill during a meeting and an overdose was suspected.

The first responders who arrived on scene requested the client’s name and medical history. If information regarding the health, security, education, safety, and well-being of children and youth is at issue, the Children First Act applies. The outreach worker also considered Reasonableness and Consent.

Although the client could not provide consent to disclose information, the outreach worker considered that the request for the name to be reasonable. Additionally, the outreach worker determined that sharing the client name and relevant medical information with the first responders was acting in the best interest of the child as it is defined under the Children First Act.