These 10 principles form the basis of the Grand River Hospital's data protection strategy:

Principle 1 - accountability for personal health information

Grand River Hospital is responsible for all personal health information under its custody or control and has designated a chief privacy officer (CPO) who is accountable for the organization's compliance with the following principles. The name of the chief privacy officer designated by Grand River Hospital to oversee its compliance with these principles is a matter of public record. Other individuals within the hospital are also responsible for the day-to-day collection, processing and protection of personal health information, and for complying with this policy.

Principle 2 - identifying purposes for personal health information

Grand River Hospital will identify the purposes for which personal health information is collected at or before the time of collection. The primary purposes are:

  • to provide clinical care to patients of Grand River Hospital;
  • to monitor and evaluate the quality of care and the outcomes resulting from that care;
  • to assess resource utilization in the delivery of care; 
  • to plan for the development and delivery of care and services across the Waterloo Region and surrounding area;
  • to support and promote research and education;
  • to support and promote fundraising as it related to Grand River Hospital; and
  • to meet legal and regulatory requirements.
Principle 3 - consent for the collection, use, and disclosure of personal health information

The knowledge and consent of the individual (or parent/guardian for minors) are required for the collection, use or disclosure of personal health information, except when inappropriate.

Principle 4 - limiting collection of personal health information

The collection of personal health information will be limited to that which is necessary for the purposes identified by Grand River Hospital. Information will be collected by fair and lawful means.

Principle 5 - limiting use, disclosure, and retention of personal health information

Personal health information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. When personal health information is to be used for new purposes, this policy will be updated to reflect these changes. Information will be retained only as long as necessary for the fulfilment of those purposes or as legislated. Disposal of personal health information will be done in a secure and confidential manner.

Principle 6 - ensuring accuracy of personal health information

Personal health information should be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Principle 7 - ensuring appropriate safeguards for personal health information

Personal health information shall be protected by security safeguards appropriate to the sensitivity of the information, regardless of the format in which it is stored.

Principle 8 - openness concerning policies and practices

Grand River Hospital will make readily available to individuals specific information about its policies and practices relating to the management of personal health information under its custody or control (e.g. hospital website, patient brochures, administration manual and the Intranet).

Principle 9 - individual access to and amendment of personal health information

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal health information and may access, inspect, or copy (upon payment of cost recovery fee) his or her personal health information, subject to legal restrictions. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Principle 10 - challenging compliance with the Grand River Hospital's privacy, confidentiality and security policy

An individual shall be able to address a challenge concerning compliance with the Grand River Hospital's privacy, confidentiality and security to the chief privacy officer. Complaint procedures will be simple and easily accessible. All complaints will be investigated and remedial action taken when appropriate including, if necessary, amending its policies and practices.