Personal tools

CAISI Approach

Author: Natalie Comeau


CAISI aims to balance the following elements:

  • Increased access and privacy
  • Increased access and client control over access
  • Increased access and client autonomy

CAISI aims to facilitate adherence to legislated requirements and best practises by (a) subjecting our policies, practices and features to as many assessments as possible, (b) incorporating as many requirements as possible as IT features in the CAISI system, and (c) providing supports for agencies in upholding their non-technical responsibilities.


Privacy and Security Definitions

Privacy: the interest of individuals in controlling their information; the requirement for others to control information flow (by balancing privacy with openness)

Security: prevention of or protection against danger, i.e. unauthorized access to information, through specific measures

Privacy requires more work than simply making sure an IT system has technical safeguards; security is only one of many aspects of privacy.

Without security measures, privacy cannot be fully protected.


Key Components of the CAISI Privacy & Security Approach

1. Balance

CAISI uses a balanced approach to privacy and security. It is necessary to keep balance between increasing access and ensuring that clients control this access to their information. Sharing information can increase the efficiency and effectiveness of service. CAISI wants personal information to work for people who are homeless - by making information more available, CAISI hopes homeless clients will get better care. However, clients must trust that their information will be kept private. CAISI also wants people who are homeless to have control over the use of their information.

Support for a balanced approach to privacy and security can be found in government and the laws enacted therein:

“While information must be kept private and secure, it must also be available quickly for the purposes of health care. Enabling the effective and efficient sharing of personal health information for the provision of health care while, at the same time, ensuring that patients can trust that their information will be kept private is key to creating a workable framework for health information privacy.?" (Perun, Orr & Dimitriadis. Guide to the Ontario Personal Health Information Protection Act. Irwin Law Inc. 2005, p.2)

The 2002 Romanow report states that people should have access to, and control over, their own information. The report also states that, the sharing of personal health information is needed for better health care. While there are concerns about privacy and security, a number of mechanisms for the safe sharing of information can be implemented.


2. Distributed Governance & Clear Expectations

Agencies wanting to work together (disclose and receive information) can form a cluster. Clusters are centered on the needs of their clients; a cluster can be bound by geography or can transcend it. The development team will provide guidance and support to agencies/clusters that use CAISI. The development team may provide third party services (hosting, customization, etc.) upon written agreement with an agency or cluster.

CAISI clearly outlines the expectations and responsiblilities of all parties involved (including clients, agencies, development team, etc.) in its policies and recommendations. Agencies are responsible for the management of their client data, and for monitoring use and addressing concerns that arise through a Privacy and Security Officer. Clusters are responsible for ensuring that agencies implement privacy and security measures and engage and inform clients about the system. The development team is not responsible for client data or any action that may influence it, other than services stated in written agreements.


3. Special Considerations

CAISI includes specific features to help staff care for people who are homeless. For example, providers can search for clients by name, date of birth or gender, and can verify client identity with pictures. Health care providers can also search by health card number. This scheme ensures that non-health care providers can search for clients, prevents clients from stealing identities, and maintains accuracy of file identification. As another example, the consent form includes a short comprehension assessment to increase confidence that consent is informed.

In addition to technical features in the CAISI system, the CAISI Project supports agencies in creating a comprehensive privacy approach that combats the barriers faced by people who are homeless, rather than exacerbating them. In the area of privacy, complaints and appeals mechanisms may be hard for them utilize, for example. Careful attention should be paid to policies and procedures, such as properly training staff about non-technical disclosures of information (ex. talking to a coworker in the hall).

It is necessary to keep balance between increasing access to information by service providers and ensuring that clients retain control over access to their information. CAISI wants personal information to work for people who are homeless - by making information more available, CAISI hopes homeless clients will get better care. However, clients must trust that their information will be kept private.


Key Issue: Capacity and Consent

Because of the population involved, determining competence is important in the CAISI Project. Determining competence will occur when deciding if a client is capable of giving consent.

Competence (or the capacity for consent) involves two parts:

  1. The ability to understand the situation (e.x. how personal information will be used)
  2. The ability to appreciate the consequences of decisions (e.x. giving or withholding consent to use personal information)

PHIPA is very clear that mental illness, being unable to communicate, and disagreeing with care providers are not grounds for deeming a client to be incompetent.

Three main questions can be asked by (1) care providers, to determine competence, and (2) clients, to assess the situation and decide whether to give or withhold consent. These three questions are:

  • What is the purpose of (the program, procedure, use of information, etc.)?
  • What are the risks?
  • What are the benefits?


Key Issue: Evidence-Based Advocacy

Population-level advocacy is a key piece of the CAISI Project. Many agencies currently collect information on their clients, and many more are seeking fast, easy ways to get current statistics on their clients.

Current laws actually encourage the use of personal health information for research and other forms of data gathering that will ultimately lead to better care:

“It is clear that the collection, use, and disclosure of personal health information is crucially important for the provision of health care… The First Ministers recognized the need to collect meaningful health information to assess progress made in achieving improvements in the health care system… This recognition built on comments included in the report of the Commission on the Future of Health Care in Canada, which highlighted the importance of better information sharing systems to government and provider accountability to Canadians. The Information and Privacy Commissioner has also acknowledged that activities like health research are vital to the development of new treatments and cures for diseases. PHIPA includes special rules concerning the use and disclosure of personal health information for research purposes. These special rules reflect the importance of health research in the steady improvement in health care capabilities, which benefit us all. The research rules in the Ant reflect an effort to harmonize as much has possible the protect ion of the privacy of personal health information with the public interest served by health research.��? (Perun, Orr & Dimitriadis. Guide to the Ontario Personal Health Information Protection Act. Irwin Law Inc. 2005, p.442-443)

De-identified information will be used in all research and population-level reports. Research involving identifiable information will be subject to an ethical review.


Privacy Framework

The following documents detail the CAISI approach to privacy & security:

  • CAISI Development Team Privacy and Security Policy
  • CAISI Security Safeguards (including technical, administrative & physical features)
  • CAISI Privacy Features
  • Privacy & Security Benefits of Switching from Paper to CAISI
  • Completed and ongoing assessments of legislative requirements & best practices
  • Privacy Impact Assessments (PIAs)

The following documents are provided to support agencies using CAISI:

  • Model contracts
    • Model Staff Confidentiality Agreement
    • Model Administrator Confidentiality Agreement
    • Model Hosting Agreement & Server Hosting Selection Criteria
    • Sample Data Sharing Agreement, criteria for data sharing agreements


  • Protocols & procedures for building trust between agencies
    • Multiple user guides
    • Agency Staff Roles & Responsibilities
    • Privacy Officer Duties
    • Software Specifications & Technical Requirements
    • Mobile & External Prococols
    • Account Creation Procotol


  • Sample notification materials for informed consent by clients
    • Model statement of information practices (long poster)
    • Sample notification of data sharing (short poster to supplement existing statements)
    • Sample brochure including statement of information practices
    • FAQ sheet: Why pictures


  • Privacy training materials for use with staff
    • Presentation
    • Fact sheet
    • Manual

Document Actions

« July 2020 »