B.C. ABORIGINAL NETWORK ON DISABILITY SOCIETY (BCANDS)
The B.C. Aboriginal Network on Disability Society is entrusted and responsible to ensure the protection and privacy of personal information in relation to its employees, clients and their families / support systems under the British Columbia Personal Information Protection Act (PIPA) which governs non-BCANDS employee personal information, and the federal Personal Information Protection and Electronic Documents Act (PIPEDA) governing employee information.
As an Indigenous service agency, BCANDS not only works to ensure compliance with PIPA and PIPEDA, but also the privacy principles of Indigenous Ownership, Access and Possession (OCAP). BCANDS therefore is accountable for the privacy and security of both individual personal information and the First Nation / Indigenous community information it collects, uses, accesses, discloses and retains.
Personal Information: Relates to information about an individual in an identifiable form, including but not limited to, name, age, gender, home address, telephone number, social insurance number, personal health number, status number, religion, marital status, First Nation / Indigenous ancestry and membership, income, personal health information, education and employment.
* Personal Information does not include Contact Information (please see below) or Work Product Information (please see below)
Contact Information: Relates to information that would enable a person to be contacted at a place of employment or business and includes name, position name and / or title, business telephone, business address, business email, or business fax number.
Work Product Information: Relates to information prepared or collected by an individual or a group as part of their responsibility or activities relating to the individual or group’s employment or business. The collection of this information does not include personal information about any individual who was not involved in the preparation or collection of the personal information.
Personal Information Protection and Electronic Documents Act – (PIPEDA): PIPEDA is a federal legislation that governs employee personal information collected, used, disclosed, accessed and retained by BCANDS (i.e. employment information).
Indigenous Ownership, Control, Access and Possession – (OCAP): OCAP is a set of principles regarding privacy that supports the Indigenous community / group to own, control, access and possess information about their people / membership and is directly tied to self-determination. OCAP allows a community or group to make decisions regarding the why, how, and by whom as it pertains to community or group information, its collection, uses and sharing.
Privacy Officer: The person or persons responsible to ensure the adherence, implementation and compliance with all relevant privacy legislation by all BCANDS employees, the Board of Directors and / or our agents.
3. BCANDS ACCOUNTABILITY:
A) BCANDS is responsible to manage and safeguard all personal information of employees, the Board of Directors, clients and all others that it has under its custody and control.
B) BCANDS recognizes and respects the rights of privacy for all persons with respect to their personal information.
C) BCANDS will only collect, use and disclose personal information in the promotion of the Society’s mandate and in adherence to the obligations of this policy.
D) BCANDS is accountable for the protection, privacy and safeguard of all personal information under the control of the Society.
4. Privacy Officer:
BCANDS will appoint and maintain a Privacy Officer(s) to oversee and implement this policy and to ensure compliance with all applicable legislation (PIPA, PIPEDA) pertaining to personal information by the Society.
The BCANDS Privacy Officer will also ensure the integration and adoption of the principles defined by Indigenous OCAP. Delegation of certain Privacy Officer responsibilities to other BCANDS employees with be at the Privacy Officers discretion in consultation with senior management.
The BCANDS Privacy Officer shall be responsible for the following:
- Provide oversight for the collection, use, access, disclosure, retention and disposal of personal information in the possession and control of the Society;
- Develop, implement, review and maintain up-to-date and relevant privacy, security and confidentiality policies and procedures;
- Monitor and evaluate, with recommendations made to leadership as per the Society’s compliance with privacy policies and procedures
- Collaborate, as necessary, with legal entities to review contractual terms and conditions to ensure compliance to privacy requirements per legislation and “best practise” models;
- Receive and respond to privacy questions, queries and complaints;
- Ensure any corrections to individual personal information, upon request;
- Coordinate individual information access request;
- Assist / support any investigation of alleged privacy breeches; and
- Assist, support and cooperate with the British Columbia Information and Privacy Commissioner on investigations, complaints, or formal inquiries.
5. Third Parties:
BCANDS is responsible for all Personal Information in its possession or custody, including information that has been transferred to a third party for processing or use. BCANDS will ensue the use of contractual or other mechanisms to provide a comparable level of protection while the Personal Information is being processed or accessed by a third party.
6. Compliance to Policy by Employees and / or Contractors
1. BCANDS employees and / or contractors are responsible to ensure the appropriate and secure handling of all Personal Information collected, used, disclosed, retained and disposed, relating to all aspects of the operations, administration and management of BCANDS programs and services.
2. All BCANDS employees and / or contractors are required to comply with this policy for the collection, retention, use or disclosure of personal information.
3. All BCANDS employees and / or contractors must fully understand the importance of maintaining the confidentiality of personal information and must affirm their understanding through signing a confidentiality agreement or clause respecting confidentiality within their employment contract or agreement.
7. BCANDS Privacy Procedures:
To ensure knowledge and compliance, BCANDS shall, on an ongoing basis, implement procedures and strategies to ensure full implementation of this policy, including but not limited to:
1. Develop, review and implement procedures to protect personal information
2. Develop, review and implement procedures to receive and respond to privacy complaints and inquiries
3. Develop and implement staff training regarding BCANDS policies and procedures, purpose and explanation
8. BCANDS Identifying Purpose:
1. BCANDS shall clearly identify and convey the purpose for which personal information is collected.
2. BCANDS will convey the purpose(s) for which personal information is collected, either orally or in writing before or at the time of collection.
3. BCANDS will document the purposes for which personal information is being collected and will only collect information necessary for that identified purpose.
4. BCANDS employees should be able to adequately explain the purposes for which the information is being collected.
5. Should personal information that has been collected be used for a purpose not previously stated, the new purpose shall be identified by BCANDS and disclosed to the individual prior to use. Consent from the individual is required before information can be used for that purpose, unless legislation requires the new purpose.
9. BCANDS Collection of Personal Information:
BCANDS collects, uses, discloses, and retains personal information for the following purposes:
- To enrol clients in BCANDS programs and services;
- To provide health and disability services;
- To understand the service needs of the client;
- To meet regulatory requirements;
- For the administration and management of employees;
- For the administration of and management of health , disability and educational programs and services;
- Conducting program and service reviews / evaluations aimed at improving BCANDS programs and services;
* The collection of personal information will be restricted to that which is necessary for the purpose which is identified by BCANDS.
- BCANDS will obtain knowledgeable, informed consent of clients, directors and employees, to collect use or disclose personal information except where BCANDS is authorized to do so without consent.
- BCANDS will seek an individual’s consent to collect, use and / or distribute personal information. In some situations consent to use and / or disclose personal information may be sought after the information has been collected but before use (i.e. BCANDS want to use information for a purpose not previously identified to the individual)
- BCANDS will not require an individual to consent to the collection of information, use and / or disclosure of personal information beyond that required to fulfill the specified and legitimate purposes.
Consent can be provided in writing or it can be implied where the purpose for collecting, using and / or disclosing the personal information would be considered obvious and the individual voluntarily provides personal information for that purpose.
On providing reasonable notice to BCANDS any individual may withdraw consent to the collection, use and / or disclosure of personal information about the individual at any time, subject to any BCANDS legal obligations or requirements.
11. Collection Limitations:
The collection of personal information shall be limited to that which is necessary for the purposes identified by BCANDS. All information shall be collected by fair, transparent and lawful means.
- BCANDS will only collect information necessary to fulfill the identified stated purposes.
- BCANDS will specify the type of information collected as part of its information handling policies and practices.
12. Restricting Information Use, Disclosure and Retention:
- BCANDS will not use or disclose personal information for purposes other than those for which it was collected except with the consent of the individual or as required by law. BCANDS will retain personal information as long as necessary for the fulfillment of those purposes.
- BCANDS will only use and / or disclose personal information where necessary to fulfill the purposes identified by BCANDS at the time of collection.
- BCANDS will not use and / or disclose personal information for any additional purposes unless the Society obtains consent to do so.
- BCANDS will retain personal information only as long as necessary to fulfill identified purposes and as required by law and contractual obligations, unless the individual was not an employee or enrolled in a BCANDS program or service. Should BCANDS use personal information to make decisions that directly affects the individual; BCANDS will retain that personal information for a minimum of ten years for liability reasons. Personal information pertaining to minors are maintained for 10 years after the age of majority.
- Personal information that is no longer required to fulfill the identified purpose(s) will be securely destroyed, erased or made anonymous. BCANDS will develop and implement procedures to govern the appropriate and secure destruction of personal information with reference to any minimum retention periods required by law or regulations.
- BCANDS will not sell any personal information to any parties.
13. Accuracy of Information:
BCANDS will ensure that all personal information is accurate, complete and up-to-date for the purposes for which it is to be used.
- BCANDS will make reasonable efforts to ensure that personal information is accurate and complete where it may be used to make a decision about an individual or disclosed to another organization.
- Individuals may request corrections to their person information in order to ensure its accuracy and completeness. All requests to correct personal information must be made in writing to the BCANDS Privacy Officer and provide sufficient detail to identify the individual and the personal information to be corrected.
- BCANDS will amend the personal information, as appropriate, and send the corrected information to any organization to which BCANDS has disclosed the personal information to in the previous year. Should the correction not be made, BCANDS will record that the requested correction has been received but not made and advise the individual.
BCANDS will ensure that personal information is protected at all times by security safeguards appropriate to the sensitivity and the format of the information.
BCANDS will ensure the security of personal information and protect personal information from unauthorized access, use, collection, disclosure, copying, modifications and disposal.
The following security measures will be used by BCANDS to ensure that personal information is adequately and appropriately protected;
- Locked filing cabinets
- Locked offices where personal information is stored
- Implementation of restricted and confidential usernames, passwords, firewalls, etc.
- Restricted access of BCANDS employees and Board as appropriate
- Requiring all service providers to meet the privacy and security requirements of the Society, as defined by the Society through contract terms
BCANDS will use appropriate security methods to destroy personal information, e.g. shredding documents, deleting computer stored information.
15. Individual Access to Information:
Upon request, BCANDS will inform individuals of the existence, use and disclosure of personal information about the individual and will provide the individual with access to that information upon request.
Individuals have the right to access their personal information subject to limited exceptions as follows;
- Information is protected by solicitor – client privilege
- Disclosure of information could reasonably be expected to threaten the safety or physical or mental health / welfare of an individual other than the individual who made the request
- Disclosure of information can reasonably be expected to cause immediate or grave harm to the safety or the physical or mental health of the individual who made the request
- Disclosure of information would reveal personal information about another individual
- Disclosure of information would reveal the identity of an individual who has provided personal information about another individual and the individual providing the personal information does not consent to disclosure of his / her identify; or
- Any other reasons as set out under the PIPA and PIPEDA legislation
Requests to access personal information must be made in writing to the BCANDS Privacy Officer and provide sufficient detail to identify the individual and the information being requested. A request to access personal information must be made to the BCANDS Privacy Officer.
BCANDS will, upon request, inform individuals of the source of their personal information, how BCANDS uses their personal information, and whom their personal information has been disclosed, as applicable.
BCANDS will make the personal information available within 30 days or provide written notice of an extension where additional time is required to fulfill a request.
A nominal fee may be charged to an individual who makes a request for personal information who is not an employee of BCANDS.
Should an individual be required by BCANDS to pay a fee for services provided, BCANDS will;
1. Provide the applicant a written estimate of the fee (costs) before providing the service, and
2. May require the applicant to pay a deposit for all or part of the fee
Upon request of an individual who has provided personal information, BCANDS shall disclose the name, job title and the contact information of the employee of BCANDS who is able to answer the individual’s questions about the collection of their personal information. The identity of the individual(s) designated by BCANDS as Privacy Officer shall be known upon request.
BCANDS will make available to individuals specific information about its policies, procedures and practices relating to its handling of personal information.
17. Challenging Compliance:
An individual may challenge BCANDS compliance with this policy and applicable legislation. Individual may submit this challenge directly to the BCANDS Privacy Officer or to the BC Office of the Information and Privacy Commissioner.
BCANDS will respond to complaints about its policies and practices of the handling of personal information.
BCANDS will acknowledge, document, investigate and address any complaint it receives.