PERSONAL INFORMATION POLICY
We wish to update you on Canada's new Privacy Act and to assure you that CDCS Health Claims Inc. is complying with the Personal Information and Electronic Documents Act taking effect on January 1, 2001 and January 1, 2004 as it relates to Personal Health Information.
Chief Privacy Officer - 'Loretta Clipperton' -1-800-265-2327 ext. 209
Click to access The Canadian Goverment Privacy Commission SiteCDCS Health Claims Inc. collects personal information and personal health information relating to the employees of our clients only for the following purposes:
Personal information will not be used for any other purpose without individual consent.
As CDCS Health Claims Inc. has been contracted by the employer to process and pay insurance type health claims, and in doing so requires employees and health care service providers to provide us with personal and personal health information, we therefore become the custodians of this information. As we must comply with the Act, we must also confirm that parties to whom we provide this information also comply with the Act. We are developing an addendum to our contract with our clients that will address this issue.
As the personal information (name, address, dates of birth) has been given to us by our clients, this is public knowledge between us and therefore not at issue. The issue is the personal health information which has been provided to us by the employee or the health care provider. This information is protected under the Act and we cannot give it to a third party, i.e. the employer, without assurance that they have complied with the Act.
Each year, we ensure that our employees sign a code of business conduct that requires the safeguarding and proper use of personal computer information. We also place strict controls on the protection and use of personal information within our systems and web sites and ensure that our employees are trained to respect your privacy and that of your employees at all times.
Attached are some more interesting excerpts from the Act, the full text of which can be found on the internet at FULL TEXT or by calling the Privacy Commissioner of Canada at 1 800 282 1376
BILL C-6: PERSONAL INFORMATION PROTECTION
AND ELECTRONIC DOCUMENTS ACT
Full title
TOPAn Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act
Part One
Definitions
TOP``personal information'' means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.
``personal health information'', with respect to an individual, whether living or deceased, means
(a) information concerning the physical or mental health of the individual;
(b) information concerning any health service provided to the individual;
(c) information concerning the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of the individual;
(d) information that is collected in the course of providing health services to the individual; or
(e) information that is collected incidentally to the provision of health services to the individual.
Division 1 sub 5. (3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
Division 1 sub 9. (1) Despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.
Division 1 sub 9. (2) Subsection (1) does not apply if the third party consents to the access or the individual needs the information because an individual's life, health or security is threatened.
In its Report to the Senate on 6 December 1999, the Standing Senate Committee on Social Affairs, Science and Technology recommended that clause 30 of the bill be amended. A new clause, clause 30(1.1), would provide that Part 1 would not apply to any organization in respect of personal health information that it collected, used or disclosed. Under a second new clause, clause 30(2.1), clause 30(1.1) would cease to have effect one year after the day clause 30 came into force.
These amendments were passed by the Senate and subsequently accepted by the House of Commons. Bill C-6 received Royal Assent on 13 April 2000. Pursuant to an order-in-council dated 26 April 2000, Part 1 of the bill (which includes clause 30) will come into force on 1 January 2001. This means that, under clause 30(2.1), the "exemption" for personal health information will expire on 1 January 2002.
Schedule One Section 5
4.1 Principle 1 - Accountability TOP
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
4.1.1 TOP
Accountability for the organization's compliance with the principles rests with the designated individual(s), even though other individuals within the organization may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the organization may be delegated to act on behalf of the designated individual(s).
4.1.2 TOP
The identity of the individual(s) designated by the organization to oversee the organization's compliance with the principles shall be made known upon request.
4.1.3 TOP
An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
4.1.4 TOP
Organizations shall implement policies and practices to give effect to the principles, including
(a) implementing procedures to protect personal information;
(b) establishing procedures to receive and respond to complaints and inquiries;
(c) training staff and communicating to staff information about the organization's policies and practices; and
(d) developing information to explain the organization's policies and procedures.
4.2 Principle 2 - Identifying Purposes TOP
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
4.2.1 TOP
The organization shall document the purposes for which personal information is collected in order to comply with the Openness principle (Clause 4.8) and the Individual Access principle (Clause 4.9).
4.2.2 TOP
Identifying the purposes for which personal information is collected at or before the time of collection allows organizations to determine the information they need to collect to fulfil these purposes. The Limiting Collection principle (Clause 4.4) requires an organization to collect only that information necessary for the purposes that have been identified.
4.2.3 TOP
The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes.
4.2.4 TOP
When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose. For an elaboration on consent, please refer to the Consent principle (Clause 4.3).
4.2.5 TOP
Persons collecting personal information should be able to explain to individuals the purposes for which the information is being collected.
4.2.6 TOP
This principle is linked closely to the Limiting Collection principle (Clause 4.4) and the Limiting Use, Disclosure, and Retention principle (Clause 4.5).
4.3 Principle 3 - Consent TOP
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information.
4.3.1 TOP
Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when an organization wants to use information for a purpose not previously identified).
4.3.2 TOP
The principle requires ``knowledge and consent''. Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
4.3.3 TOP
An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
4.3.4 TOP
The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.
4.3.5 TOP
In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual buying a subscription to a magazine should reasonably expect that the organization, in addition to using the individual's name and address for mailing and billing purposes, would also contact the person to solicit the renewal of the subscription. In this case, the organization can assume that the individual's request constitutes consent for specific purposes. On the other hand, an individual would not reasonably expect that personal information given to a health-care professional would be given to a company selling health-care products, unless consent were obtained. Consent shall not be obtained through deception.
4.3.6 TOP
The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
4.3.7 TOP
Individuals can give consent in many ways. For example:
(a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
(b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
(c) consent may be given orally when information is collected over the telephone; or
(d) consent may be given at the time that individuals use a product or service.
4.3.8 TOP
An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.
4.4 Principle 4 - Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
4.4.1 TOP
Organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified. Organizations shall specify the type of information collected as part of their information-handling policies and practices, in accordance with the Openness principle (Clause 4.8).
4.4.2 TOP
The requirement that personal information be collected by fair and lawful means is intended to prevent organizations from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.
4.4.3 TOP
This principle is linked closely to the Identifying Purposes principle (Clause 4.2) and the Consent principle (Clause 4.3).
4.8 Principle 8 - Openness TOP
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
4.8.1 TOP
Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization's policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.
4.8.2 TOP
The information made available shall include
(a) the name or title, and the address, of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded;
(b) the means of gaining access to personal information held by the organization;
(c) a description of the type of personal information held by the organization, including a general account of its use;
(d) a copy of any brochures or other information that explain the organization's policies, standards, or codes; and
(e) what personal information is made available to related organizations (e.g., subsidiaries).
4.8.3 TOP
An organization may make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number.