In an effort to maintain standards of care in managing Personal Information (PI) that is in accordance with the Office of the Privacy Commissioner of Canada (OPC), Patients Canada commits to the following 10 principles
- Develops and, on a regular basis, reviews Patients Canada policies and practices to ensure consistent implementation and compliance;
- Ensures all staff and volunteers are trained on the appropriate collection, use and disclosure of personal information and can answer public and donor inquires;
- Handles all inquires and complaints relating to privacy;
- And ensures all third parties to whom Patients Canada provides access to personal information adhere to appropriate standards of care in managing that information.
Prior to a request to collect information, Patients Canada identifies the purposes for which it collects PI, and only collects information necessary for the identified purposes.
PI includes but is not limited to contact information, date of birth, information required for event registration and donations such as credit card or other financial information, volunteer information such as availability and areas of interest, history of involvement with Patients Canada, and information required to maintain an employment relationship with Patients Canada.
PI is required to run Patients Canada events, process donations, issue tax receipts, and is needed for service planning and delivery, health promotion, marketing and fundraising campaigns, documenting stories and general administration of Patients Canada business.
Patients Canada obtains consent at the time of collecting PI. Patients Canada only discloses PI to outside agencies or organizations or individuals if consent has been obtained or the disclosure is permitted or required by law.
Consent must be informed. This means that Patients Canada provides information that a reasonable person would require instantly in the circumstances to make a decision about the collection, use or disclosure of his or her PI. This could include, but is not limited to: the identity of the person who is collecting, using or disclosing the information; the purpose of the collection, use or disclosure; how much information is to be collected, used or disclosed; and the reasonably foreseeable consequences of giving or withholding consent.
Consent can be obtained in person, by phone, by mail, or via the Internet. Consent is only implied if it is obviously based on the actions or inactions of an individual that their consent can be assumed, and their PI is non-sensitive in nature or context.
Consent may be time limited and may be revoked by the individual who gave it.
Patients Canada limits the collection of PI to that which is required for the identified purposes. Such information will be collected directly from the individual donor. However, PI may be collected from other sources with the consent of the donor.
PI is only used and disclosed for the purposes for which it was originally collected unless a specific consent from the individual has been obtained or where the law specifically provides otherwise, such as a search warrant or otherwise permitted under this policy. PI is only retained as long as it is necessary for the fulfillment of the identified purposes and as required by law.
Patients Canada makes reasonable efforts to keep PI as accurate, complete and up-to-date as is necessary to fulfill the purposes for which the information is to be used. We rely on our donors, volunteers, participants and employees to provide us with accurate information and to notify us if their information needs to be updated.
In addition, Patients Canada has checks in place to ensure information received is accurately entered into our systems.
Patients Canada takes reasonable measures to ensure that PI is kept safe from loss or theft, unauthorized access, use, copying, disclosure or modification. Safeguards include physical, organizational and technical measures, including but not limited to
- Security card access to premises;
- Restriction of employee access to files on a ‘need to know’ basis;
- Confidentiality undertakings by all employees;
- Locking up PI and never leaving it unattended and in plain view;
- Firewalls, anti-virus, strong passwords and software solutions for technical security; and
- Regular reviews of privacy compliance initiatives.
Patients Canada trains all staff on privacy best practices and ensures that employees are aware of the importance of safeguarding any PI that they are privy to.
Patients Canada takes steps to ensure that all staff and volunteers can answer inquiries about the organization’s information-handling practices and can appropriately refer unanswered questions or complaints regarding compliance.
An individual may direct a request for access to their PI to the Privacy Officer. Upon request, Patients Canada will
- Inform individuals of PI held by the organization or its partners about them;
- Explain how this information has been used;
- Provide a list of any organizations to which their PI has been disclosed; and
- Give individuals access to their information.
An individual may challenge the accuracy and completeness of the information and have it amended as appropriate.
In order to safeguard PI, an individual may be required to provide sufficient identification information in order for Patients Canada to authenticate the individual as an event participant, donor, or volunteer and to authorize access to the individual’s file.
Patients Canada shall promptly correct or complete any PI found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file. Where appropriate, Patients Canada shall transmit to third parties having access to the PI in question, any amended information or information regarding the existence of any unresolved differences.
Individuals will be provided with any help needed to access their PI, including clarifying exactly what they are looking for. Requested information will be provided in a form that is generally understandable – any acronyms, abbreviations or codes in the record will be explained.
Patients Canada will make every effort to satisfy a request for access to PI within 90 days after receipt of the request, however time periods may vary. Depending on the amount of information requested, there may be a nominal fee charged to cover the cost of photocopying and other administrative fees.
Where permitted or required by law, Patients Canada may decline to provide an individual with access to their PI. Under such circumstances Patients Canada will explain the reasons for the refusal.
The organization has procedures in place to receive respond to and track concerns or complaints about its management of PI. The expectation is that by following these procedures, a remedy or corrective action will be undertaken to resolve the issue, including if necessary amending the organization’s policies and procedures.