MANITOBA GOVERNMENT INVENTORY OF PERSONAL INFORMATION SYSTEMS WORKSHEET

Here are a few important pointers to help you fill out the Worksheet:

- Read the Inventory Instructions.
- Print copies of this Worksheet.
- Manually fill out one Worksheet for each personal information system.
- Use the glossary at the end of this Worksheet to find definitions and examples for underlined words.*
- Enter the answers from each Worksheet into an Online Inventory Form.

*NOTE: Definitions and examples for underlined words in the Online Inventory Form are located in a Help Box attached to each question, rather than in a glossary at the end of the form.

Please enter all of the following information so that we know which Personal Information System this Inventory applies to:

Department:
Branch:
Program Area:
Name of Personal Information System:
Date Inventory Completed:

Note: You only need to fill this in for the online form.
PART A - PERSONAL HEALTH INFORMATION

1. What personal health information is collected? Please check all that apply:

- Health information (e.g. information relating to physical health or disability, mental health or disability, spiritual health or disability, health care history, genetic information)
- Health care information (e.g. information relating to diagnosis, treatment, health maintenance, disease and injury prevention, health promotion, prescription drugs, prescribed medical devices or equipment)
- Payment for provision of health care (e.g. information relating to the amounts physicians bill to Manitoba Health for treatment provided to patients)
- Incidental identifying information obtained in the course of the provision of health care or the payment for health care (e.g. name and address of a patient admitted to a hospital)
- Unique personal health identifiers (e.g. PHIN - personal health identification number)
- None - this system contains NO personal health information [go to Question 11]
- Other personal health information

2. Who is the personal health information about? Please check all the categories that apply:

- Program clients
- Government employees
- Third parties (e.g. service providers, contractors, agents)
- Other categories of individuals

3. How many people (clients, government employees or third parties) have personal health information in this system?

- Fewer than 1,000
- Between 1,000 to 10,000
- More than 10,000

4. Why does your area need this personal health information? Please check all that apply:

- Program requirement (e.g. to carry out an existing function or activity in your department)
- Health care requirement (e.g. to provide health care)
- Health research requirement (e.g. to conduct approved health care research projects)
- Legal requirement (e.g. to enforce or comply with a law; to implement or comply with a treaty, arrangement or agreement; for investigation or enforcement involving health care payments or fraud; for existing or anticipated legal proceedings)
- Financial requirement (e.g. to obtain payments for health care)
- Information management requirement (e.g. for information management and technology services)
- Accountability requirement (e.g. for audit, review or risk management purposes; to deliver, evaluate, monitor, research or plan the provision or payment for health care)
- Health and safety requirement (e.g. to provide health care, to prevent or lessen a serious and immediate threat to someone's health or safety)
- Other reasons

5. What personal health information in this system is disclosed outside of the department? Please check all that apply:

- Health information (e.g. information relating to physical health or disability, mental health or disability, spiritual health or disability, health care history, genetic information)
- Health care information (e.g. information relating to diagnosis, treatment, health maintenance, disease and injury prevention, health promotion, prescription drugs, prescribed medical devices or equipment)
- Payment for provision of health care (e.g. information relating to the amounts physicians bill to Manitoba Health for treatment provided to patients)
- Incidental identifying information obtained in the course of the provision of health care or the payment for health care (e.g. name and address of a patient admitted to a hospital)
- Unique personal health identifiers (e.g. PHIN - personal health identification number)
- None - NO personal health information is disclosed [go to Question 7]
- Other personal health information

6. Who is personal health information in this system disclosed to? Please check all that apply:

- Program clients
- Another Manitoba department, public body or trustee
- Other provincial governments
- Federal government
- Private sector information managers
- Other third parties (e.g. service providers, contractors, agents)
- Other categories of individuals

7. How is personal health information in this system maintained, stored, transported and/or transmitted? Please check all that apply:

- Paper
- Computer program, database or network
- Removable hard disk or magnetic tape
- Diskette, USB flash drive, CD, DVD or other electronic media
- Blackberry, digital voice recorder, PDA or other portable electronic devices
- Other

8. How often is personal health information in this system transported and/or transmitted? Please check all that apply:

- Daily
- Weekly
- Monthly
- Other

9. Is this system covered by a records schedule?

- Yes
- No

10. What would be the impact for individuals if the personal health information in this system was improperly used, released, tampered with or destroyed?

- Extremely serious impact (e.g. loss of life, loss of personal safety, significant financial loss, social hardship)
- Serious impact (e.g. serious loss of personal privacy, loss of confidence in a government program, financial loss, damage to relationships or damage to reputations)
- Little or no impact (e.g. information is readily available to the public)
PART B - PERSONAL INFORMATION

11. What personal information is collected? Please check all that apply:

- Contact information (e.g. name, address, telephone number, facsimile number, e-mail address)
- Demographic information (e.g. age, gender, marital status, family status, sexual orientation, ancestry, race, skin color, nationality, national origin, ethnic origin, citizenship)
- Unique personal identifiers (e.g. SIN - social insurance number, drivers license number, birth certificate number, passport number, treaty number, client number, signature, fingerprint)
- Educational information (e.g. education level, educational history)
- Employment and occupational information (e.g. current employment, employment history, occupational history)
- Financial information (e.g. salary, source of income, credit history, credit card details, bank account details, purchase transactions, financial activities)
- Religious information (e.g. religious beliefs, activities, association)
- Political information (e.g. political beliefs, activities, association)
- Legal information (e.g. record of criminal convictions, sentencing information, probation)
- Opinions (e.g. an individual's views or opinions, except about someone else; anyone else's opinions about the individual)
- None - this system contains NO personal information [go to end to fill out contact information - you do not need to answer any more questions]
- Other personal information

12. Who is the personal information about? Please check all categories that apply:

- Program clients
- Government employees
- Third parties (e.g. service providers, contractors, agents)
- Other categories of individuals

13. How many people (clients, government employees or third parties) have personal information in this system?

- Fewer than 1,000
- Between 1,000 to 10,000
- More than 10,000

14. Why does your area need this personal information? Please check all the categories that apply:

- Program requirement (e.g. to implement an existing program in your department, to carry out an existing activity in your department)
- Legal requirement (e.g. to enforce or comply with a law; to implement or comply with a treaty, arrangement or agreement; to enforce a legal right against any person; for security or crime prevention, for existing or anticipated legal proceedings)
- Financial requirement (e.g. to make payments from your department; to assess and collect fines, debts, taxes or payments owing to your department)
- Administrative requirement (e.g. to manage or administer personnel in your department)
- Information management requirement (e.g. for records management or archival purposes, for information technology services)
- Accountability requirement (e.g. for audit purposes; to monitor, evaluate or audit programs or services sharing costs with the Government of Canada; to verify someone's eligibility for a program, service or benefit; to assess data linking, bulk disclosure or research requests)
- Health and safety requirement (e.g. to protect or assess someone's mental or physical health or safety)
- Other reasons

15. What personal information in this system is disclosed outside of the department? Please check all that apply:

- Contact information (e.g. name, address, telephone number, facsimile number, e-mail address)
- Demographic information (e.g. age, gender, marital status, family status, sexual orientation, ancestry, race, skin color, nationality, national origin, ethnic origin, citizenship)
- Unique personal identifiers (e.g. SIN - social insurance number, drivers license number, birth certificate number, passport number, treaty number, client number, signature, fingerprint)
- Educational information (e.g. education level, educational history)
- Employment and occupational information (e.g. current employment, employment history, occupational history)
- Financial information (e.g. salary, source of income, credit history, credit card details, bank account details, purchase transactions, financial activities)
- Religious information (e.g. religious beliefs, activities, association)
- Political information (e.g. political beliefs, activities, association)
- Legal information (e.g. record of criminal convictions, sentencing information, probation)
- Opinions (e.g. an individual's views or opinions, except about someone else; anyone else's opinions about the individual)
- None - NO personal information is disclosed [go to Question 17]
- Other personal information

16. Who is personal information in this system disclosed to? Please check all the categories that apply:

- Program clients
- Another Manitoba department or public body
- Other provincial governments
- Federal government
- Other third parties (e.g. service providers, contractors, agents)
- Other categories of individuals

17. How is personal information in this system maintained, stored, transported and/or transmitted? Please check all that apply:

- Paper
- Computer program, database or network
- Removable hard disk or magnetic tape
- Diskette, USB flash drive, CD, DVD or other electronic media
- Blackberry, digital voice recorder, PDA or other portable electronic devices
- Other

18. How often is personal information in this system transported and/or transmitted? Please check all that apply:

- Daily
- Weekly
- Monthly
- Other

19. Is this system covered by a records schedule?

- Yes
- No

20. What would be the impact for individuals if the personal information in this system was improperly used, released, tampered with or destroyed?

- Extremely serious impact (e.g. loss of life, loss of personal safety, significant financial loss, social hardship)
- Serious impact (e.g. serious loss of personal privacy, loss of confidence in a government program, financial loss, damage to relationships or damage to reputations)
- Little or no impact (e.g. information is readily available to the public)
GLOSSARY

COLLECT: In this context, collect means to gather, request, require or receive information.

DISCLOSE: In this context, disclose means to share, give or release information to an individual or organization outside of the department.

INFORMATION MANAGER: An individual or organization in the private sector providing information management services (such as processing, storing, destroying personal health information) or information technology services (such as designing, implementing, auditing information systems).

PERSONAL HEALTH INFORMATION: Recorded information about an identifiable individual that relates to his or her health, health care or payment for health care. It includes any contact information, such as name and address, which is collected in the course of providing or paying for health care. Examples: Reports about an individual's illness, medical condition or treatment; drug test results; Personal Health Identification Number (PHIN).

PERSONAL INFORMATION: Information about an identifiable individual that has been recorded in some way. In most cases, it will be hand-written, typed or entered into a database. Examples: Information about an individual's finances, source of income, employment, occupation, education, housing, marital or family status, criminal history, political views and activities, personal opinions, age, gender, race, ethnic origins, blood type, fingerprints, and an identifying number or symbol such as the Social Insurance Number (SIN), driver's license, treaty card number.

PERSONAL INFORMATION SYSTEM: For the Privacy Project, a system for recording, storing or sharing personal information, including personal health information, to support a function or activity of a program. Examples: If they contain personal information or personal health information - client or case files, application forms or reports, databases or other electronic systems, personnel files (official files and convenience copies).

PUBLIC BODY: A government department (including Minister's office), agency, Crown corporation, or the Executive Council Office.

RECORDS SCHEDULE: A formal plan, approved by the Archivist of Manitoba, which identifies government records and establishes how long they must be kept. A records schedule is required as part of the Manitoba Government's process to securely dispose of records. The website for Government Records at http://www.gov.mb.ca/chc/archives/gro/index.html has further information about creating records schedules.

TRANSMIT: In the context of handling information, transmit means to move information electronically from one location to another.

TRANSPORT: In the context of handling information, transport means to move information physically from one location to another.

TRUSTEE: A health professional, health care facility, public body, or health services agency that collects or maintains personal health information.