This bulletin follows our previous bulletin, FIPPA and Ontario Hospitals: Delegation of Authority, in which we discussed best practices in delegating the powers and duties of the Board Chair under the Freedom of Information and Protection of Privacy Act ("FIPPA"). This bulletin is intended to provide a general overview of the purpose of conducting an inventory of records with some additional comments about how to do so and the potential involvement of shared service entities.
Inventory of Records
Have you completed your inventory of records? Conducting an inventory of hospital records is a critical step in implementing FIPPA's requirements. Because the inventory will likely be labour intensive (depending on the hospital's current record-keeping/tracking processes), hospitals are strongly encouraged to complete an inventory of records as soon as possible (if not already completed).
The preparation of an inventory of records serves two main purposes:
- It can compile the information that hospitals are required to submit to the Minister of Government Services (the "MGS") to support the province-wide Directory of Records; and
- It can improve a hospital's responsiveness to freedom of information requests made under FIPPA ("FOI requests"), by ensuring that key hospital personnel are aware of what types of records are in the hospital's custody or control and where those records are located.
Each of these purposes is discussed in greater detail below.
1. Ontario's Directory of Records
FIPPA requires that the Ontario government publish an indexed compilation of certain information about records held by institutions – referred to as the Directory of Records. This Directory sets out a description of each institution that is subject to FIPPA, as well as the types of records maintained by each institution and the contact information for each institution's FIPPA Coordinator. Beginning January 1, 2012, Ontario hospitals will be required to participate in the Directory of Records. As a result, hospitals will need to submit certain information describing their record-holdings to the MGS. In addition to providing the initial information for the Directory, hospitals will be expected to update their information on an annual basis (at a minimum).
The Directory of Records classifies records into categories, the two primary ones being:
- Personal Information Bank ("PIB") - a collection of personal information that is organized and can be retrieved by an individual's name or some other personal identifier—examples include employment contracts, payroll, and volunteer scheduling. (Note: although a PIB could take the form of a database or cabinet of paper files, the information in a PIB could also be dispersed across several physical and/or electronic locations)
- General Record - any record that is not considered to be a PIB—examples include collective agreements, internal communications, external communications, and operational budgets. (Note: record types can be quite specific, for example record types common to hospitals would include the following (as separate record types): fire prevention inspection reports, fire safety plans, fire safety tests, safety training, and emergency and evacuation plans)
Although information about both categories is published by MGS in the Directory of Records, the information about PIBs is more detailed than the information about general records. Therefore, hospitals will need to ensure they compile additional information about PIBS (as discussed below).
The Directory of Records is intended to help requesters make FOI requests to the correct institution and frame their requests in terms that reflect that institution's record-holdings. Requesters can refer to (or be directed to) the Directory of Records and can rely on it to help focus and narrow their FOI requests. This is to the advantage of both hospitals and requesters, as focused and narrow requests generally result in faster search and response times, thereby reducing the amount of hospital resources required to respond to such requests and lowering fees charged to the requester.
2. Internal Roadmap
The act of conducting an inventory of records better familiarizes hospital personnel with the hospital's record-holdings. This increased familiarity will better equip hospital personnel to assist requesters in narrowing their requests, and will likely improve the efficiency of record searches in response to FOI requests.
The information collected as part of the records inventory need not be limited to the information required to be submitted to the MGS for the Directory of Records. While preparing the inventory, hospitals should consider capturing additional details that may assist in future record searches. For example, a hospital could note whether the record type includes drafts or final copies, and the extent to which the record type is normally circulated within and/or outside of the hospital. If this record type is the subject of an FOI request, this additional information can assist the hospital in determining whether any consultations or notifications to affected parties will be needed. Having this additional information at the outset enhances the FIPPA Coordinator's ability to estimate the time needed to respond to the request, which may, in turn, lead to more accurate and efficient communications with the requester about the scope of request, the timing of the hospital's response to the request, and possible fees associated with the request.
Conducting a Records Inventory
- The records inventory should be coordinated by personnel in the FIPPA compliance office or by personnel who will work closely with the FIPPA compliance office.
- Each department should be made aware of the importance of the inventory. Support at the executive level is essential (i.e. hospital executives should be emphasizing the importance of the inventory of records and the need to keep it accurate and up-to-date).
- Standard forms should be developed and used by personnel to gather information as part of the records inventory; the use of standard forms ensures that consistent information is recorded in a consistent manner during the inventory.
- Each department should appoint a lead who can complete or coordinate the inventory in that department. Drawing on the support of each department is essential as personnel in a given department will likely have the best understanding of the records in that department.
- Completed inventory forms should be vetted by the applicable department, and then consolidated into a hospital-wide inventory. The FIPPA compliance office will then prepare the hospital's submission to the MGS in respect of the Directory of Records, and circulate the inventory for use by departments in responding to FOI requests.
What Information to Compile
Hospitals should collect the following information about each type of record (whether general records or records that are part of a PIB):
- the type of record (e.g. contract) and very brief description of the type of record;
- where that type of record is retained;
- the format of that type of record (e.g., paper, electronic);
- the retention period for that type of record (or at least a reference to the hospital's record retention policy); and
- a description of the hospital personnel who are authorized to access that type of record.
In addition to the information noted above, the hospital should also collect the following details with respect to PIBs:
- the legal authority for the PIB (e.g., often this will be the Public Hospitals Act or the Private Hospitals Act, but it may be other relevant statutes or regulations);
- the types of personal information maintained in that PIB;
- the categories of individuals about whom the personal information is maintained in that PIB;
- how the personal information in that PIB is used on a regular basis; and
- any disclosures of the information/records from that PIB to persons outside of the hospital.
Shared Services Entities
If a hospital is a member of a shared services entity and/or a group purchasing organization (in either case, an "SSE"), that SSE likely holds certain records on behalf of its member hospitals. Subject to other FIPPA-related considerations, these records are likely within the control of one or more member hospitals. As a result, hospitals must ensure that any records held by SSEs on the hospital's behalf are included in the hospital's records inventory (and in the Directory of Records). Hospitals must also ensure that SSEs are involved in keeping the hospital's inventory of records up-to-date. It is advisable that all hospitals meet with their SSEs (and the other SSE member hospitals) to coordinate their respective roles in ensuring that each hospital complies with its obligations under FIPPA.
The creation of an inventory of records is a necessary step in a hospital's FIPPA implementation plan. As mentioned previously, creating this inventory is likely to be a significant task given that the inventory of records will reference all records in the control and custody of the hospital. If a hospital has not yet completed this inventory, it should do so on an expedited basis.
This bulletin is part of a series of bulletins on the topic of FIPPA implementation. The next bulletin will address issues relating to shared services entities and the importance of ongoing communication and defined roles in terms of FIPPA compliance.