Privacy and Confidentiality Policy
Approved
by the National Board of Directors, May 4, 2002
The Multiple
Sclerosis Society of Canada has always been aware of its responsibilities
in safeguarding the privacy of people with MS, members, clients and
donors. Since June 1989, the Multiple Sclerosis Society of Canada Confidentiality
Policy has protected the privacy and confidentiality of people with
multiple sclerosis. This Privacy and Confidentiality Policy supersedes
the 1989 Confidentiality Policy since it both includes and extends those
requirements.
PIPEDA
and the Multiple Sclerosis Society of Canada
This policy
is based on the 10 principles of the federal Personal Information Protection
and Electronics Documents Act (PIPEDA) that guide how organizations
collect and use personal information. These principles are:
- Identifying
Purposes
- Accuracy
- Accountability
- Safeguards
- Consent
- Openness
- Limiting
Collection
- Individual
Access
- Limiting
Use, Disclosure & Retention
- Challenging
Compliance
In addition,
the Multiple Sclerosis Society of Canada has developed its own policies
and regulations about the collection, use and disclosure of information
which in most instances are more restrictive than those of PIPEDA and/or
provincial/territorial legislation. The Opal Information System Data
Sharing Principles (approved by the National Board of Directors, June
9, 2001) secure Multiple Sclerosis Society of Canada information to
authorized users only and further restrict access to individual health
information only to authorized Individual and Family Services staff
and volunteers or their designates. The Opal IS Data Sharing Principles
also stipulate that Multiple Sclerosis Society of Canada members will
not be solicited (approached for donations and/or participation in other
fund raising activities) on the basis of their memberships without their
express prior consent. (See Appendix I for
the full text of the Opal IS Data Sharing Principles.)
Phase I of the federal Personal Information Protection and Electronics
Documents Act (PIPEDA) came into force January 1, 2001. This phase covers
the exchange of personal information as a commercial activity by federal
works, undertakings or businesses and the disclosure of personal information
as a commercial activity across provincial or national borders. Phase
II came into effect January 1, 2002 and adds the exchange of personal
health information as a commercial activity to PIPEDA. Phase III comes
into effect January 1, 2004 and will extend the act to all commercial
activities within all provinces and territories unless there is substantially
similar provincial or territorial privacy legislation in force.
An activity
that is included in the definition of “commercial activities” in
PIPEDA is
“the selling, bartering or leasing of donor, membership or other
fund raising lists”. The act does not regulate non-commercial activities
even in the area of health information. However, since those activities
are currently or probably will be regulated by various provincial or territorial
legislation in the future, the Multiple Sclerosis Society of Canada considers
PIPEDA the standard by which personal and health information should be
protected. In provinces and/or territories with more stringent privacy
policies, Multiple Sclerosis Society of Canada activities within those
jurisdictions should meet the requirements of both the provincial/territorial
legislation and PIPEDA.
Definitions:
Multiple
Sclerosis Society of Canada – The Society is defined as including
all levels of the organization, its national office, divisions, chapters
and units and volunteers acting in a staff capacity.
Personal information – Under PIPEDA,
personal information is defined as information about an
identifiable individual, but does not include the name,
title or business address or telephone number of an employee
of an organization. The history of an individual’s
donations to the Multiple Sclerosis Society of Canada is
personal information.
Personal
health information – Under PIPEDA, personal health
information is defined to mean, with respect to an individual, whether
living or deceased:
| a) |
Information
concerning the physical or mental health of the individual; |
| b) |
Information
concerning any health service provided to the individual; |
| c) |
Information
concerning the donation by the individual of any body part
or any bodily substance of the individual or information
derived from the testing or examination of a body part
or bodily substance of an individual; |
| d) |
Information
that is collected in the course or providing health services
to the individual; or |
| e) |
Information
that is collected incidentally to the provision of health
services to the individual. |
The Multiple
Sclerosis Society of Canada considers information about whether a person
has multiple sclerosis to be personal health information.
Usage in
this Policy – As used in this Privacy and Confidentiality Policy, the term personal
information is inclusive of personal health information unless
the latter term is used exclusively. In that case, it applies only to
personal health information.
Multiple
Sclerosis Society of Canada Property
Any and all
records referred to in the document as being personal information or
personal health information are and will remain the property of the
Multiple Sclerosis Society of Canada. Volunteers and staff are required
to maintain the privacy and confidentiality of all records in any and
all formats both while acting as an active volunteer or staff member
and after they leave the Multiple Sclerosis Society of Canada.
Privacy
and Confidentiality Principles
Principle
1 -- Accountability
The Multiple Sclerosis Society of Canada is responsible for personal
information under its control and will designate an individual or individuals
to ensure the Society is in compliance with the Privacy and Confidentiality
Policy and PIPEDA principles. The individual designated within the Multiple
Sclerosis Society of Canada is the Vice-President, Communications. In
addition, within each division, the chief staff person (president or executive
director) will be accountable for compliance within his/her respective
division in consultation with the Vice-President, Communications. Chapters/units
will designate an individual to be accountable for compliance in consultation
with their division chief staff person. Divisions have an obligation to
oversee how chapters/units carry out the Privacy and Confidentiality Policy.
| 1.1 |
|
The
Multiple Sclerosis Society of Canada will implement practices
and procedures to carry out the policy, including: |
| |
a) |
Implementing
procedures to protect personal information; |
| |
b) |
Establishing
procedures to receive and respond to complaints and inquiries
from individuals regarding their personal information; |
| |
c) |
Training
volunteers and staff and communicating to volunteers and
staff information about the Multiple Sclerosis Society
of Canada's Privacy and Confidentiality Policy and practices;
and |
| |
d) |
Developing
information to explain the Multiple Sclerosis Society of
Canada's Privacy and Confidentiality and practices. |
Principle
2 –
Identifying Purposes
The Multiple Sclerosis Society of Canada, at or before the time
information is collected, will identify the purposes for which personal
information is collected. The identified purposes will be specified at
or before the time of collection to the individual from whom the personal
information is collected. When personal information that has been collected
is to be used for a purpose not previously identified, the Multiple Sclerosis
Society of Canada is obligated to communicate the new purpose to each
individual and obtain his/her consent to use the information.
Principle
3 –
Consent
The knowledge and consent of the individual are required for
the collection, use, or disclosure of personal information, except where
inappropriate. It is anticipated that instances in which knowledge and
consent of the individual would not be required would be extremely rare
and would include legal, medical or security reasons which would have
to be fully documented.
| 3.1. |
Typically,
the Multiple Sclerosis Society of Canada will seek consent
for the use or disclosure of the information at the time
of collection. The form of the consent sought by the Multiple
Sclerosis Society of Canada may be either express or implied,
depending upon the circumstances and the sensitive nature
of the personal information. |
| 3.2. |
Express consent
is required from an individual before the Multiple Sclerosis
Society of Canada will disclose personal health information
about that individual to an external organization or individual. |
| 3.3. |
Implied consent
is considered to be sufficient for fund raising purposes
to allow the trade of limited personal information (name
and home address only) about a donor to another charitable
organization if the individual has been informed that his/her
personal information might be used in this manner and he/she
has been given an opportunity in a clear and meaningful
way to opt out. |
Principle
4 – Limiting Collection
The collection of personal information will be limited to that
which is necessary for the purposes identified by the Multiple Sclerosis
Society of Canada. Information will be collected by fair and lawful means.
Principle
5 – Limiting Use, Disclosure and Retention
Personal information will not be used or disclosed for purposes
other than those for which it was collected, except with the consent of
the individual or as required by law. Personal information will be retained
only as long as necessary for the fulfillment of those purposes.
Principle
6 – Accuracy
Personal information will be as accurate, complete, and up-to-date
as is necessary for the purposes for which it is to be used. Personal
information that is used on an ongoing basis, including information that
is disclosed to third parties, will generally be accurate and up-to-date,
unless limits to the requirement for accuracy are clearly set out. Individuals
will always have the opportunity to contact the Multiple Sclerosis Society
of Canada to update their personal information.
Principle
7 – Safeguards
Security safeguards appropriate to the sensitivity of the information
will protect personal information. The security safeguards will protect
personal information against loss or theft, as well as unauthorized access,
disclosure, copying, use, or modification. The Multiple Sclerosis Society
of Canada will protect personal information regardless of the format in
which it is held.
Principle
8 – Openness
The Multiple Sclerosis Society of Canada will make readily available
to individuals specific information about its policies and practices relating
to the management of personal information.
| 8.1 |
|
The
information made available will include: |
| |
a) |
The
name or title, and the address, of the person who is accountable
for the Multiple Sclerosis Society of Canada's policies
and practices and to whom complaints or inquiries can be
forwarded; |
| |
b) |
The
means of gaining access to personal information held by
the Multiple Sclerosis Society of Canada; |
| |
c) |
A
description of the type of personal information held by
the Multiple Sclerosis Society of Canada, including a general
account of its use; and |
| |
d) |
A
copy of any brochures or other information that explain
the Multiple Sclerosis Society of Canada's policies, standards,
or codes. |
Principle
9 – Individual Access
If an individual requests, the Multiple Sclerosis Society of
Canada will inform him/her of the existence, use, and disclosure of his
or her personal information. The individual will be given access to that
information and be able to challenge the accuracy and completeness of
the information and have it amended as appropriate.
In certain
situations, the Multiple Sclerosis Society of Canada may not be able
to provide access to all the personal information it holds about an
individual. Exceptions to the access requirement will be limited and
specific. The reasons for denying access will be provided to the individual
upon request. Exceptions may include information that is prohibitively
costly to provide, information that contains references to other individuals,
information that cannot be disclosed for legal, security, or commercial
proprietary reasons, and information that is subject to solicitor-client
or litigation privilege.
Principle
10 – Challenging Compliance
An individual will be able to address a challenge concerning
the Multiple Sclerosis Society of Canada’s compliance with its own
Privacy and Confidentiality Policy and the 10 PIPEDA privacy principles
to the designated individual or individuals accountable for the Multiple
Sclerosis Society of Canada's compliance.
Implementation
The Multiple Sclerosis Society of Canada will develop detailed
guidelines to assist volunteers and staff in carrying out the Privacy
and Confidentiality Policy.
| Appendix
I |
Approved
by the National Board
of Directors, June 9, 2001 |
Opal
Information System Data Sharing Principles
Opal
Project Objective
To provide
an integrated customer relationship management system throughout the
Multiple Sclerosis Society of Canada to enable a high degree of collaboration
amongst volunteers and staff and thereby increase our capacity to find
a cure for MS and to enable people affected by MS to enhance their quality
of life.
Opal
Data Sharing Principles
-
Opal
will adhere to all legislated privacy regulations and will
respect the rights of individuals to be removed from the
database upon their request.
-
In
addition to limiting access to information to authorized
users only, Opal will provide further security over individual
health information and restrict access to this data to authorized
IFS users.
-
Members
of the Multiple Sclerosis Society of Canada within the Opal
system will not be solicited solely on the basis of their
membership without their expressed prior consent.
-
Within
Opal, individuals will be able to self-determine their desired
level of interaction with the Multiple Sclerosis Society
of Canada.
-
Opal
will provide equal access to local and organization-wide
statistical data on an aggregate basis.
Back to top
|
