Guidelines for the Communication of Personal Information and Personal Health Information

Before communicating Personal Information (PI) or Personal Health Information (PHI) by fax, email, phone, mail, or through social media or similar applications, authorized persons subject to the Privacy Policy are responsible for reviewing and taking into account the following guidelines.

General Guidelines
Fax Guidelines
Email Guidelines
Phone Guidelines
Mail/Courier Guidelines
Social Media Guidelines

General Guidelines

1. Verify the necessity

Under Manitoba's Freedom of Information and Protection of Privacy Act (FIPPA) and Personal Health Information Act (PHIA), the University may communicate PI or PHI only for the purpose for which the information was collected or disclosed. Communication may also be authorized if the individual the information is about provides consent or communication is otherwise authorized under FIPPA or PHIA. This includes both internal use and external disclosure. In all situations, the communication must be limited to the least amount of PI or PHI necessary to accomplish the purpose.

Communicating PI or PHI increases the likelihood that the information may be inadvertently received by an unintended recipient, leading to a potential privacy breach by the sender or recipient. For this reason, PI or PHI should be communicated only as necessary.

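2. Consider the sensitivity

All PI and PHI is sensitive, and some is especially sensitive. Before communicating PI or PHI, authorized persons must consider the sensitivity of the information and decide whether to communicate it by phone, mail, fax, email, a third-party hosted system, or through social media. Some information may be considered too sensitive to share.

If communication is deemed appropriate, always choose the most secure method appropriate to the circumstances. Caution should be exercised, particularly with especially sensitive information.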

Especially sensitive information

  • Credit card, banking, and other financial information
  • Driver’s license, passport, social insurance number or similar government-issued identification
  • Date of birth
  • Password information or the means to decrypt a password
  • Personal health information
  • Other important identifiers

3. Consider the volume

Communicating large volumes of PI or PHI increases the potential impact of a privacy breach. Always communicate the minimum amount of information possible. If it is necessary to communicate a larger volume of PI or PHI, choose the most secure method appropriate to the circumstances.

4. Consider the urgency

The fastest method is not always the best choice. Communicating PI or PHI by email or fax, for example, is quick but may be less secure than sending it in the mail or by courier. Always consider how quickly the recipient requires the PI or PHI and choose the most secure method appropriate to the circumstances.

5. Verify the information

Before communicating PI or PHI, ensure that it is the most accurate and up to date information available.

6. Verify the identity of the recipient

If communication is appropriate, take steps to verify the identity of the recipient to ensure they are authorized to receive the information.

If a request is made in person, photo identification (such as a driver’s license or UWinnipeg student card) and another piece of identifying information should be requested. If a request for disclosure is made over the phone or by email or fax, identifying information should be requested and verified against known information.

Identifying information may include:

  • a photocopy or scanned copy of a UWinnipeg student card
  • a copy of a signed request, letter of authority or similar document authorizing the individual to receive the information
  • confirmation of home address, telephone number, date of birth
  • confirmation of student or employee number
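  • confirmation of another unique identifier
  • confirmation of other information that the individual the information is about should know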

Do not communicate PI or PHI unless satisfied with the recipient’s identity and that he or she is authorized to receive the information.

Fax Guidelines

1. Faxes should be sent and received in secure areas segregated from the public. Do not leave faxed documents unattended.

2. The amount of PI or PHI being faxed must be limited to the minimum required to fulfill the intended purpose.

3. PI or PHI may be severed or redacted, or replaced with unique identifiers or codes, if it does not negatively affect the remaining record.

4. Fax cover sheets marked confidential or similar shall be used and must indicate the:

  • sender's name, title, department, fax and phone number
  • recipient’s name, title, department, fax and phone number (if available)
  • total number of pages faxed

5. When appropriate to the circumstances, senders should telephone or email in advance to advise the recipient that a confidential fax is to be expected and to confirm the fax number.

6. Before sending a fax, the entered number should be double-checked to ensure accuracy with the recipient’s number.

7. The sender should verify using the fax confirmation report that the message was sent successfully, and make sure that no documents are left behind at the fax machine.

8. Fax cover sheets and confirmation sheets should be retained along with the original faxed records in accordance with all applicable legislation, regulation, and University policy.

9. Pre-programmed fax numbers should be routinely verified to ensure accuracy.

Email Guidelines

1. PI or PHI may be emailed only when no other more secure communication method is appropriate to the circumstances.

2. Encryption/password protection should be used whenever practicable.

3. Emails should be sent only from @uwinnipeg.ca email addresses.

4. Only the minimum amount of PI or PHI necessary shall be emailed.

5. PI or PHI may be severed or redacted, or replaced with unique identifiers or codes, if it does not negatively affect the remaining record.

6. Consider using an email disclaimer.

7. When appropriate to the circumstances, senders should telephone or email ahead to advise the recipient that a confidential email is to be expected and to confirm the email address.

8. Before sending an email, the address and the content of the message should be double-checked. The sender should also verify that the list of intended recipients is accurate and appropriate.

9. The sender should verify the email was sent successfully by requesting both a delivery receipt and a read receipt.

10. Sent emails should be retained in accordance with all applicable legislation, regulation, and University policy.

11. Email addresses should be routinely verified for accuracy.

Phone Guidelines

1. Verify the other party’s identity before discussing PI or PHI (see General Guidelines, item 6).

2. Do not discuss PI or PHI in the presence of those who are not authorized to know the information or in public, unsecured, or open places.

3. Communicate only the minimum amount of PI or PHI necessary.

4. Exercise caution if leaving a voice message and disclose as little, if any, PI or PHI as possible. Voice messages should not contain especially sensitive information (see General Guidelines, item 2).

5. Phone numbers should be routinely verified for accuracy.

Mail/Courier Guidelines

1. Only the minimum amount of PI or PHI necessary shall be mailed.

2. PI or PHI may be severed or redacted, or replaced with unique identifiers or codes, if doing so does not negatively affect the remaining record.

3. When appropriate to the circumstances, senders should telephone or email ahead to advise the recipient that a confidential letter is to be expected and to confirm the mailing address.

4. Secure, opaque envelopes marked confidential or similar shall be used. Envelopes shall only reveal the minimum amount of information that is necessary for identification and use.

5. Before sending a letter, the address and content should be double-checked to ensure accuracy.

6. Couriers should be used and tracking numbers obtained whenever appropriate to the circumstances for the communication of especially sensitive information.

Social Media Guidelines

1. The University’s Privacy Policy applies to the use and disclosure of PI and PHI on social media and information distribution sites such as Dropbox.

2. Exercise caution when using social media platforms as terms and conditions may conflict with the University’s Privacy Policy as well as applicable legislation including FIPPA and PHIA. Contact the Information and Privacy Officer for advice.

3. Do not use social media to communicate especially sensitive information.

4. Do not use social media to communicate PI without the consent of the individual the PI is about. Some exceptions may apply, e.g. posting of crowd shots from University events.

5. Avoid associating the PI with other identifiable information about the individual (e.g. by linking to the individual’s social media account) without the individual’s explicit consent.

6. Ensure privacy settings are activated to limit public access where appropriate.

For more information, contact the Information and Privacy Officer.
