Below are frequently asked questions about privacy and protecting personal health information at POGO.
Authority
Q: How is POGO authorized to use health information collected in Ontario?
A: POGO is named as a prescribed entity for the purposes of section 45 of Ontario’s Personal Health Information Protection Act, 2004. Under this designation, POGO can receive, use and disclose personal health information without consent, for analyzing and compiling statistical information that helps manage, evaluate, monitor, allocate resources and plan for our health care system. In addition, POGO and other researchers may also conduct research using personal health information. POGO and researchers must comply with section 44 of the same act (PHIPA, 2004), which outlines strict legal requirements that researchers must follow in order to use and disclose personal health information within POGO’s database, POGONIS (Pediatric Oncology Group of Ontario Networked Information System).
POGO receives personal health information from many sources, including persons or organizations in the health sector defined as “health information custodians” under the Ontario’s Personal Health Information Protection Act, 2004, such as the Ministry of Health, physicians, hospitals, laboratories, pharmacies and long-term care homes.
In order to maintain this privilege, POGO must have in place policies, practices and procedures to protect the privacy of individuals whose personal health information POGO receives, and to maintain the confidentiality of that information. These policies, practices and procedures are reviewed and approved by the Information and Privacy Commissioner of Ontario every three years.
Q: Why does POGO need health information?
A: POGO uses personal health information to improve the circumstances of Ontario’s children with cancer, their families, survivors and caregivers, through the development, implementation and continual refinement of an accessible, well-integrated provincial childhood cancer system.
This personal health information helps POGO assess how well the childhood cancer health system is performing, identify areas of strength, recommend areas that need improvement and then plan and coordinate programs and services to meet the ongoing needs of children with cancer, caregivers and healthcare professionals.
The scope of POGO’s activities includes:
- Identifying and analyzing trends, patterns and outcomes of children with cancer
- Identifying gaps in the delivery of cancer care services
- Developing, implementing and evaluating new programs of care, and identifying the optimal location of such programs
- Evaluating the financial and economic implications of childhood cancer control programs
- Assessing the status of survivors and their related quality of life
- Providing information to policy makers and the government to help shape decision-making to reflect the needs of children in Ontario with cancer
In addition, POGO may collect and use personal health information to conduct research related to childhood cancer treatment. Prior to collecting and using personal health information for research purposes, POGO complies with all the requirements of the Personal Health Information Protection Act, 2004.
Q: How is the health information reported?
A: POGO reports health information only through the interpretation of aggregate data, not individual data. That is to say, no individual can be identified from the reports. Most information is published in medical journals or in special reports for a variety of stakeholders, including the Ministry of Health.
Q: Can I see these reports?
A: Yes, anyone can access these reports. Requests for these reports can be made by contacting POGO’s Privacy Officer.
Information Collection
Q: What types of health information does POGO collect?
A: POGO receives personal health information abstracted from medical records of hospitals in the province of Ontario who treat childhood cancer patients or childhood cancer survivors. POGO also receives personal health information from other administrative databases, registries and surveys, such as those from patients and their families and Vital Statistics Canada. In addition, POGO receives personal health information from other entities and persons who maintain registries of personal health information that are prescribed in the Ontario’s Personal Health Information Protection Act, 2004, such as Ontario Health (Cancer Care Ontario).
Q: What other types of information does POGO collect?
A: POGO collects information related to the financial assistance received by families from POGO; information from community nursing services provided by the POGO Interlink Nursing Program; and information related to hospital staffing, which is used to help understand how many professionals are needed and where. Publicly available information, such as population estimates and Statistics Canada census area profiles, are also collected.
Q: How do you know the health information is correct?
A: POGO conducts regular audits with the persons or organizations that supply personal health information to POGO.
Q: Am I identified by name in the database held by POGO?
A: The POGO database (POGONIS) contains personal identifiers. However, only a limited number of employees who require access to these identifiers in carrying out their responsibilities have access to these identifiers in a secured data centre.
Information Sharing and Access
Q: Do you give other people information that could identify me?
A: POGO only discloses your personal information or personal health information with your consent or as permitted or required by law, including the Ontario’s Personal Health Information Protection Act, 2004 and its regulation.
Q: Can I see the information that POGO has about me?
A: POGO does not provide individuals with access to their personal health information, but rather, refers the individuals or their substitute decision-makers to the responsible healthcare provider.
Information Security
Q: How do you protect my health information?
A: Rigorous privacy and security policies, practices and procedures for the protection of personal health information have been implemented and are based on Ontario’s Personal Health Information Protection Act, 2004 and on the ten guiding principles found in the Canadian Standards Association Model Code, which is part of the federal Personal Information Protection and Electronic Documents Act.
All POGO staff undergo mandatory privacy training and annually sign a confidentiality agreement.
POGO’s comprehensive security audits and controls address the organization’s operational, technological and physical space. For example, there are strict policies that limit access to personal information in POGO’s custody. POGO’s facility has continuously tracked card key access and video surveillance. Personal information, including personal health information, is stored in a secure area within the POGO office, which can only be accessed by a few designated employees. The database server has no external connection to guarantee the security of the information. Computer passwords are frequently changed, firewalls and computer software are in place for tracking activity and data encryption techniques are always employed.
Finally, the expertise of external security personnel is used to test the integrity of POGO’s security and to ensure it is up to date with technology.
Q: How long do you keep the health information and how is the health information destroyed?
A: POGO’s mandate requires that it hold personal health information on an ongoing basis in order to satisfy long-term follow-up of pediatric oncology treatment and outcomes. For specific research purposes, POGO retains personal health information as long as is necessary to fulfill the purpose of the research projects for which the personal health information was collected.
Electronic files are securely deleted (magnetized or erased), paper is shredded by bonded professional shredding companies, CDs are perforated and broken and tapes are securely destroyed with a magnetizing device.
Research Ethics
Q: How do you ensure that research studies done at POGO are conducted ethically?
A: All research studies conducted by POGO are conducted in compliance with the requirements of the Ontario’s Personal Health Information Protection Act, 2004, which includes the preparation of a written research plan and obtaining Research Ethics Board approval of the research plan prior to using personal health information. In addition, all research studies undergo review by POGO scientists to ensure that the research plan investigates important health questions and that the study methodology is appropriate.
Q: Do you have a commercial interest in the research? Who supports research at POGO?
A: No. As a non-profit charitable organization, POGO’s research is not supported by commercial interests.
Funding is received from a variety of sources, including the Ontario Ministry of Health, the POGO Development Office (fundraising), the POGO Chair in Childhood Cancer Control and other granting foundations.
Q: Do you sell the information you have about me?
A: No.
Accountability
Q: Who makes sure that POGO is conducting its work appropriately?
A: POGO is accountable to the Ontario Ministry of Health.
POGO’s Privacy Officer ensures that all collections, uses and disclosures of personal information, including personal health information, comply with all applicable laws including the Ontario’s Personal Health Information Protection Act, 2004. As an example, POGO’s Privacy Officer ensures that prior to the use of personal health information for research purposes and prior to the disclosure of personal health information for research purposes without consent, a research plan must be prepared in accordance with the requirements of the Ontario’s Personal Health Information Protection Act, 2004 and the plan must receive Research Ethics Board approval.
POGO also undergoes electronic security audits by external security experts to protect the confidentiality and security of personal information and personal health information.
Additionally, policies, practices and procedures implemented by POGO to protect privacy and confidentiality are reviewed and approved by the Information and Privacy Commissioner of Ontario every three years.
Q: Who is responsible for the security of the health information and protecting privacy interests?
A: The CEO of POGO and the POGO Privacy Officer are responsible for ensuring the security and confidentiality of the personal health information.
For more information, please contact our Privacy Officer.