Epilepsy Ontario :: Epilepsy Ontario and PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA)

What is PIPEDA?

PIPEDA was implemented in January of 2004, to help protect people's privacy, and personal information. It is an Act which was passed by the Federal Government of Canada and is overseen by the Privacy Commissioner of Canada. It was created in response to the many concerns about safety and privacy in this technological age. It is easy for businesses to obtain information about an individual without their knowledge, and so this Act is supposed to help prevent such unauthorized gathering of personal information, and the collection of an excessive amount of information, when it is unnecessary. This act has been slowly integrating into the business world since January 2001. Over the years, it has branched out to apply to more organizations and types of information collected (in January 2001 it was only applicable to personal information dealt with in the course of commercial activities by federal works, undertakings and business. As of 2004, all Canadian businesses are required to comply with the privacy principles.). It is trying to harmonize the needs of organizations which have to collect information, and the rights of the individual to privacy.

How does it affect the individual?

PIPEDA provides the individual with an opportunity to view and (if necessary) correct the information that an organization possesses pertaining to that individual. It also requires that an organization get your consent before using or disclosing any information about you. It ensures that any information gathered about a person will be protected, and not provided to anyone else without that person's knowledge of this occurring. Personal information must be used for the limited purposes for which it was collected, stored securely and accessible for correction and inspection. If there are any issues that you have with an organization that could fall under PIPEDA (i.e. any of the sections have been contravened) then you have the right to contact the Privacy Commissioner of Canada, and all matters discussed will be held in confidence. Essentially, this law is trying to help the individual maintain a certain amount of control over their personal information and its exposure to others.

What is Personal Information?

What falls under personal information is any "information about an identifiable individual that includes any factual or subjective information, recorded or not in any form. The legislation also covers sensitive personal information, which may include health or medical history, racial or ethnic origin, political opinions, religious beliefs, trade union membership, financial information and sexual preferences." However, personal information does not include the office telephone number, business address, name and job title of an employee (i.e. any information on a business card), as this is not as subjective, or private.

How does this apply to Epilepsy Ontario?

Although Epilepsy Ontario is not involved in commercial activities, it still must adhere to PIPEDA's guidelines regarding the collection and management of personal information. Under this new Act a few alterations must be made to the present state of affairs. Here are the new requirements:
A Privacy Officer must be appointed - He or she must be responsible for implanting policies and procedures, as well as insuring that Epilepsy Ontario is in accordance with all privacy laws.
A Privacy Audit must be done - This is an overview of how information is dealt with, including where it is kept, what happens to it when it is no longer applicable, etc.
Ensure that the website is properly dealing with information and addressing concerns of how data is managed.
Ensure that all staff members are aware of PIPEDA and its implications.

Filing a Complaint

If an employee feels that his/her privacy is being infringed upon, or that a company has contravened any parts of PIPEDA (including recommendations set forth in Schedule 1), he/she can contact the Privacy Commissioner. All information and details exchanged will be kept confidential. A person is able to contact the Commissioner before any wrong acts are committed, if they feel that the acts will most certainly be committed in the near future. The telephone number of the Privacy Commissioner of Canada is 1 800 282 1376.

When does it not apply?

PEPIDA does not concern an individual's collection of personal information, such as a greeting card list. Also exempt is an organization's transactions concerning any collection of information for journalistic, artistic or literary purposes.

Note on the Privacy Policy of Epilepsy Ontario

In order to protect the privacy of the employees, volunteers and clients of Epilepsy Ontario we have adopted ten privacy principles contained within the Canadian Standards Association Model Code for the Protection of Personal Information, which is the national standard of Canada. Epilepsy Ontario has also taken steps to become compliant with applicable laws in Canada that protect personal information.

The Ten Commandments of PIPEDA

1. Accountability - A Privacy Officer must be appointed (and carry out all the necessary tasks, including developing and implementing personal information policies). Privacy Officers for Epilepsy Ontario are: David Harper for staff and volunteers and Lawton Osler for the Board of Directors.

2. Identifying Purposes - Before collecting or disclosing any information the purposes must be clearly and distinctly stated.

3. Consent - Before using a person's information their consent must be given. The person must be aware of the reasons for their data being used, including when a new use is identified.

4. Limiting Collection - If information is not necessary then it need not be collected. As well, the reasons for information collection must always be true and clear- no deceptions.

5. Limiting use, disclosure, and retention- Information obtained from an individual will not be used for any purposes other than those which were clearly stated from the start, unless the individual consents. Any information that is no longer of use to the organization will be destroyed.

6. Accuracy - The information that is kept at Epilepsy Ontario must be valid, and up-to-date. When making decisions about individuals or disclosing information it will first be verified that the information is, in fact, accurate.

7. Safeguards - All personal information obtained by Epilepsy Ontario will be stored securely, and protected against unauthorized access, disclosure, copying, use or modification.

8. Openness - Epilepsy Ontario's Privacy Policies must be easily understood, and available for anyone to read.

9. Individual access - Any individual has the right to know what personal information Epilepsy Ontario has about them, and for what purposes it is being used. This individual can amend any personal information if they see fit, and should be provided with a copy if they so wish.

10. Provide recourse - Simple complaint procedures must be in place, and complainants must be informed (if they ask) about methods to solve their issues, such as contacting the Privacy Commissioner. All complaints must be investigated, and if the complaint is valid then new policies must be created to ensure that all privacy is upheld.

For more information refer to: http://www.privcom.gc.ca/

October 15, 2004