Regulations, professional codes, legislation, and accreditation guidelines all inform how information is collected, used, and disclosed in the Alberta nonprofit sector. Within Edmonton and area’s mental health sector, service providers have identified that clarification on the many available guidelines is needed to ensure they are making informed, thoughtful, and defensible decisions when sharing client-level information.

The Community Mental Health Action Plan (CMHAP) and PolicyWise for Children & Families have partnered to develop this resource to support a clearer understanding of information sharing guidelines for leaders and staff in the mental health sector.

All research undertaken for this resource was conducted by PolicyWise for Children & Families. PolicyWise developed the content for this resource on behalf of the Community Mental Health Action Plan, and in collaboration with the Information Sharing Task Group.”

Know Your Legislation

Four pieces of legislation guide information sharing in Alberta’s mental health sector. Here is a quick overview:

• The Health Information Act (HIA) applies to health information. HIA applies only to health custodians and affiliates of the HIA. Nonprofits should know when they employ or contract with a custodian or affiliate. It is up to custodians to inform affiliates of their obligations.
• The Freedom of Information and Protection of Privacy Act (FOIP) applies to cases when personal informa- tion is at issue, but not health information, and a public body is involved. FOIP could apply for example, to the contracts, funding agreements, and proposals created when a nonprofit enters formal agreements with the government.
• The Personal Information Protection Act (PIPA) applies to cases when personal information is at issue,
  but not health information, and a private-sector organization is involved. PIPA only applies to the nonprofit organizations to the extents that the organization collects, uses or discloses personal information in connection with commercial activities (see section 56 (1)(a)(b)(2)3)). Examples of commercial activities could include charging registration fees, or the selling of donor lists. Consider that anytime money is chang- ing hands, PIPA may apply.
• The Children First Act applies when information regarding the health, security, education, safety, and well-being of children and youth is at issue. Service providers and custodians may disclose personal information about a child to other service providers and custodians if it is deemed in the best interests of the child (Manhas, 2017).Nonprofits are required to know which legislation applies to them. It is possible that you do not fall under any of these Acts, but the information here may provide useful insight to help guide you in your decision making.

Understand Consent

Share The Least Amount Necessary

Sharing the right amount of information can be tricky. Here are some tips to help you make a situation-specific decision:

After Collecting, Using or Disclosing Information

Document

Document each circumstance you share information in the client’s file. This can be a simple notation on the appropriate release of information, or in the form of a case note.

Safeguard Personal Information

Organizations and programs should have administrative, technical, and physical safeguards in place to protect information. You can find resources in the Protecting Personal Information: A Workbook for Non-profit Organizations (Government of Alberta, 2010). This workbook includes some common-sense security practices:

• Password-protect devices with sensitive information on them.
• Store client information in a locked filing cabinet or desk drawer.
• Keep firewalls and anti-virus software up to date.
• Board members, employees, and volunteers receive information about their obligation to protect personal information (p. 14-16).

Nonprofits governed by PIPA, HIA, or FOIP are required to report privacy breaches. The Office of the Privacy Commissioner of Alberta defines privacy breaches as “a loss of, unauthorized access to, or unauthorized disclosure of personal information or individually identifying health information.” OIPC resources to assist reporting a privacy breach can be found here.

Protect The Client’s Right To Access Their Own Information

Both PIPA and the HIA acknowledge that individuals have a right to access their own health or personal infor- mation. Acknowledge and uphold an individual’s right to access information about themselves and to request corrections of it. The Alberta OIPC can provide more information on making an access request here.

Scenarios

The following three scenarios can clarify how PIPA and the Children First Act legislation inform information-sharing in the nonprofit sector.

Commercial Activities and PIPA

Manhas (2017) provides the following overview of two cases adjudicated by the Office of the Information and Privacy Commissioner (OIPC), which offer guidance on PIPA and commercial activities:

Legal Aid Society of Alberta Case (2013)

In this case, the Applicant requested access to his personal information held by the Legal Aid Society of Alberta (LASA) and considered their response incomplete [27]. The Applicant then complained to OIPC.

The Adjudicator first considered whether PIPA applied to LASA. First, the Adjudicator recognized that the determination of whether a commercial activity occurred will be on a case-by-case basis. Second, the mere exchange of a service for a fee does not in itself indicate a commercial activity, rather PIPA intends to include trade or business-like activity. The Adjudicator noted that “… PIPA is meant to apply to non-profit organizations that are carrying out activities as though they are a business.” LASA could not be distinguished “from an operational or service standpoint” from a private law practice when LASA assessed individuals for legal aid coverage, arranged for legal services to be provided, and provided legal services. As such, LASA’s collection of personal information for these purposes was subject to PIPA.

Fairways Villas (2011)

In the Fairways Villas South Homeowners’ Association case, an appropriately incorporated nonprofit managed and maintained the Fairways Villas lands for a monthly fee. It also sent emails to the Complainant regarding lawn care and sprinkler testing. Because the maintenance services were provided in exchange for a monthly fee, the Homeowners’ Association was subject to PIPA for email disclosures as this was in direct connection to a commercial activity.

Children First Act

A community-based nonprofit was working with a 14 year old. A number of supports were being provided, including mental health outreach. An outreach worker had to call 911 when the youth became violently ill during a meeting and an overdose was suspected.

The first responders who arrived on scene requested the client’s name and medical history. If information regarding the health, security, education, safety, and well-being of children and youth is at issue, the Children First Act applies. The outreach worker also considered Reasonableness and Consent.

Although the client could not provide consent to disclose information, the outreach worker considered that the request for the name to be reasonable. Additionally, the outreach worker determined that sharing the client name and relevant medical information with the first responders was acting in the best interest of the child as it is defined under the Children First Act.