Security of and Access to Records Flashcards
14.1 Location of records
Practice records must be maintained or stored at the registrant’s primary place of practice, in another location under the sole control of the registrant, under the control of another appointed registrant, or in a professional storage facility obligated to provide confidential and secure storage.
14.2 Security of records
A registrant must ensure that:
a) the records of all their professional services, including those of their supervisees, are secured, including but not limited to by restricting access to files, locking file cabinets, and providing secure storage for files;
b) the privacy of all client information and data is assured; and
c) if a professional storage facility is used it maintains appropriate security practices.
14.3 Electronic storage
When information that is required to be prepared, kept, or maintained under this Code is prepared, kept, or maintained by electronic or optical techniques, a registrant must ensure that these techniques are designed and operated so that the information is reasonably secure from loss, tampering, interference, or unauthorized use or access. A registrant must also take all reasonable steps to ensure any electronic/optical storage is updated as necessary to ensure the information remains accessible if previous storage strategies become obsolete.
14.4 Handling confidential records
A registrant must maintain the confidentiality of all records under their control in whatever form they are maintained and at all times, including while they are being created, stored, disposed of, accessed, or transferred.
14.5 Copying of documents
Registrants who have determined that they must produce all or any part of their practice record in response to a request or order must, if the circumstances permit, provide a copy of their records rather than the original. Any fees set for copying and releasing records must be set consistently with the requirements of Section 12.0 of this Code. A registrant may contract for off-site professional copying services provided those services are, at a minimum:
Confidential - The employees are bound by a confidentiality agreement;
Secure - Confidential documents are kept secure and separate from the rest of the printing operations; any waste from the copying is retained and shredded; and
Accurate and legible - Services include a 100% quality control page-by-page check of copies against the original sets; services include a legibility check for difficult-to-copy items such as pencil notations; any perceived errors and omissions (e.g., missing pages) are recorded and reported back to the registrant.
14.6 Contingency planning for clients and records
A registrant must:
a) be in compliance with the requirement to name a professional executor; and
b) make plans in advance so that confidentiality of records and data is protected in the event of the registrant’s death, incapacity, or withdrawal from the position or practice. Such plans must include consideration of all practice record locations, including institutions and professional storage facilities, if any.
14.7 Transfer on retirement
A registrant may retire or withdraw from the practice of psychology but elect to remain on the College register. In the event a registrant leaves the College register, they must ensure that:
a) each client record for which they have primary responsibility is transferred to another registrant whose identity is made known to the client, the institution, or the project under whose auspices the psychological services were provided, or
b) each client for whom they have primary responsibility is notified in a timely fashion that the registrant intends to resign and that the client can obtain copies of the client’s own record or have copies provided to such person(s) as the client may direct, subject to Standard 6.12.
14.8 Common filing system
A registrant employed in a multidisciplinary setting where a common filing system is used must:
a) exercise appropriate care when placing information in a common file in order to ensure that their opinions, reports, findings, and recommendations are not misunderstood by members of other disciplines;
b) work with their employer where appropriate to develop written policies and procedures that ensure the maintenance, storage, and access to all practice records and psychology files complies with both privacy legislation and with the registrants’ responsibilities under this Code;
c) educate others in the workplace regarding the privacy and confidentiality obligations of psychologists with regard to psychology practice records under this Code and under privacy legislation, and require some form of confidentiality agreement for others in the workplace who may come in contact with psychology practice records as appropriate;
d) establish written policies and procedures for handling, copying, and destroying psychology practice records, for protecting the confidentiality of psychology practice records, and for ensuring there is a succession plan (as set out in Standard 14.7 of the Code) in the event of the registrant’s death, incapacity, resignation, termination, or withdrawal from employment;
e) prior to seeing clients, clarify if and how record-keeping policies and procedures of the publicly-funded or multidisciplinary setting impact on the confidentiality of clients, and review this information with clients as part of obtaining their informed consent to provide services; and
f) assume responsibility for the appropriate management of any psychological tests being purchased under the name and qualifications of the registrant, including by ensuring written policies and procedures exist for the storage and handling of these materials in accordance with contractual obligations to the test publisher, the Code of Conduct, and privacy legislation, ensuring that these policies and procedures take into account future changes in psychology staffing, and educating others in the workplace about the proper maintenance and storage of test materials and test results.
14.10 Coding of database information
If confidential information concerning clients is to be entered into a database or system of record keeping which is available to persons whose access has not been authorized by the client, a registrant must use coding or other techniques to avoid the inclusion of personal identifiers.
14.11 Research protocol
If a research protocol approved by an institutional review board or similar body requires the inclusion of personal identifiers, a registrant must ensure that those identifiers are deleted before the information is made accessible to persons other than those to whom the client has authorized access.
14.12 Exception to research protocol
If the deletion required in Standard 14.11 is not feasible, a registrant must take steps to determine that appropriate consent of personally identifiable individuals has been obtained before:
a) the data is transferred to others; or
b) they review the data collected by others.
14.13 Ownership of records
Recognizing that ownership of records and data is governed by legal principles, a registrant must take reasonable and lawful steps to ensure that records and data remain available to the extent needed to serve the best interests of clients, research participants, and appropriate others.