Privacy and Confidentiality Policy
Approved by the National Board of Directors, May 4, 2002
The Multiple Sclerosis Society of Canada has always been aware of its responsibilities in safeguarding the privacy of people with MS, members, clients and donors. Since June 1989, the Multiple Sclerosis Society of Canada Confidentiality Policy has protected the privacy and confidentiality of people with multiple sclerosis. This Privacy and Confidentiality Policy supersedes the 1989 Confidentiality Policy since it both includes and extends those requirements.
PIPEDA and the Multiple Sclerosis Society of Canada
This policy is based on the 10 principles of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) that guide how organizations collect and use personal information. These principles are:
- Identifying Purposes
- Limiting Collection
- Individual Access
- Limiting Use, Disclosure & Retention
- Challenging Compliance
In addition, the Multiple Sclerosis Society of Canada has developed its own policies and regulations about the collection, use and disclosure of information which in most instances are more restrictive than those of PIPEDA and/or provincial/territorial legislation. The Opal Information System Data Sharing Principles (approved by the National Board of Directors, June 9, 2001) secure Multiple Sclerosis Society of Canada information to authorized users only and further restrict access to individual health information only to authorized Individual and Family Services staff and volunteers or their designates. The Opal IS Data Sharing Principles also stipulate that Multiple Sclerosis Society of Canada members will not be solicited (approached for donations and/or participation in other fund raising activities) on the basis of their memberships without their express prior consent. (See Appendix I for the full text of the Opal IS Data Sharing Principles.)
Phase I of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) came into force January 1, 2001. This phase covers the exchange of personal information as a commercial activity by federal works, undertakings or businesses and the disclosure of personal information as a commercial activity across provincial or national borders. Phase II came into effect January 1, 2002 and adds the exchange of personal health information as a commercial activity to PIPEDA. Phase III came into effect January 1, 2004 and extended the act to all commercial activities within all provinces and territories unless there is substantially similar provincial or territorial privacy legislation in force.
An activity that is included in the definition of “commercial activities” in PIPEDA is “the selling, bartering or leasing of donor, membership or other fund raising lists”. The act does not regulate non-commercial activities even in the area of health information. However, since those activities are currently or probably will be regulated by various provincial or territorial legislation in the future, the Multiple Sclerosis Society of Canada considers PIPEDA the standard by which personal and health information should be protected. In provinces and/or territories with more stringent privacy policies, Multiple Sclerosis Society of Canada activities within those jurisdictions should meet the requirements of both the provincial/territorial legislation and PIPEDA.
Multiple Sclerosis Society of Canada – The Society is defined as including all levels of the organization, its national office, divisions, chapters and units and volunteers acting in a staff capacity.
Personal information – Under PIPEDA, personal information is defined as information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization. The history of an individual’s donations to the Multiple Sclerosis Society of Canada is personal information.
Personal health information – Under PIPEDA, personal health information is defined to mean, with respect to an individual, whether living or deceased:
- Information concerning the physical or mental health of the individual;
- Information concerning any health service provided to the individual;
- Information concerning the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of an individual;
- Information that is collected in the course of providing health services to the individual; or
- Information that is collected incidentally to the provision of health services to the individual.
The Multiple Sclerosis Society of Canada considers information about whether a person has multiple sclerosis to be personal health information.
Usage in this Policy – As used in this Privacy and Confidentiality Policy, the term personal information is inclusive of personal health information unless the latter term is used exclusively. In that case, it applies only to personal health information.
Multiple Sclerosis Society of Canada Property
Any and all records referred to in the document as being personal information or personal health information are and will remain the property of the Multiple Sclerosis Society of Canada. Volunteers and staff are required to maintain the privacy and confidentiality of all records in any and all formats both while acting as an active volunteer or staff member and after they leave the Multiple Sclerosis Society of Canada.
Privacy and Confidentiality Principles
Principle 1 - Accountability
The Multiple Sclerosis Society of Canada is responsible for personal information under its control and will designate an individual or individuals to ensure the Society is in compliance with the Privacy and Confidentiality Policy and PIPEDA principles. The individual designated within the Multiple Sclerosis Society of Canada is the Vice-President, Communications. In addition, within each division, the chief staff person (president or executive director) will be accountable for compliance within his/her respective division in consultation with the Vice-President, Communications. Chapters/units will designate an individual to be accountable for compliance in consultation with their division chief staff person. Divisions have an obligation to oversee how chapters/units carry out the Privacy and Confidentiality Policy.
1.1 The Multiple Sclerosis Society of Canada will implement practices and procedures to carry out the policy, including:
a) Implementing procedures to protect personal information;
b) Establishing procedures to receive and respond to complaints and inquiries from individuals regarding their personal information;
c) Training volunteers and staff and communicating to volunteers and staff information about the Multiple Sclerosis Society of Canada's Privacy and Confidentiality Policy and practices; and
d) Developing information to explain the Multiple Sclerosis Society of Canada's Privacy and Confidentiality Policy and practices.
Principle 2 – Identifying Purposes
The Multiple Sclerosis Society of Canada, at or before the time information is collected, will identify the purposes for which personal information is collected. The identified purposes will be specified at or before the time of collection to the individual from whom the personal information is collected. When personal information that has been collected is to be used for a purpose not previously identified, the Multiple Sclerosis Society of Canada is obligated to communicate the new purpose to each individual and obtain his/her consent to use the information.
Principle 3 – Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. It is anticipated that instances in which knowledge and consent of the individual would not be required would be extremely rare and would include legal, medical or security reasons which would have to be fully documented.
3.1 Typically, the Multiple Sclerosis Society of Canada will seek consent for the use or disclosure of the information at the time of collection. The form of the consent sought by the Multiple Sclerosis Society of Canada may be either express or implied, depending upon the circumstances and the sensitive nature of the personal information.
3.2 Express consent is required from an individual before the Multiple Sclerosis Society of Canada will disclose personal health information about that individual to an external organization or individual.
3.3 Implied consent is considered to be sufficient for fund raising purposes to allow the trade of limited personal information (name and home address only) about a donor to another charitable organization if the individual has been informed that his/her personal information might be used in this manner and he/she has been given an opportunity in a clear and meaningful way to opt out.
Principle 4 – Limiting Collection
The collection of personal information will be limited to that which is necessary for the purposes identified by the Multiple Sclerosis Society of Canada. Information will be collected by fair and lawful means.
Principle 5 – Limiting Use, Disclosure and Retention
Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.
Principle 6 – Accuracy
Personal information will be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. Personal information that is used on an ongoing basis, including information that is disclosed to third parties, will generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out. Individuals will always have the opportunity to contact the Multiple Sclerosis Society of Canada to update their personal information.
Principle 7 – Safeguards
Security safeguards appropriate to the sensitivity of the information will protect personal information. The security safeguards will protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. The Multiple Sclerosis Society of Canada will protect personal information regardless of the format in which it is held.
Principle 8 – Openness
The Multiple Sclerosis Society of Canada will make readily available to individuals specific information about its policies and practices relating to the management of personal information.
8.1 The information made available will include:
a) The name or title, and the address, of the person who is accountable for the Multiple Sclerosis Society of Canada's policies and practices and to whom complaints or inquiries can be forwarded;
b) The means of gaining access to personal information held by the Multiple Sclerosis Society of Canada;
c) A description of the type of personal information held by the Multiple Sclerosis Society of Canada, including a general account of its use; and
d) A copy of any brochures or other information that explain the Multiple Sclerosis Society of Canada's policies, standards, or codes.
Principle 9 – Individual Access
If an individual requests, the Multiple Sclerosis Society of Canada will inform him/her of the existence, use, and disclosure of his or her personal information. The individual will be given access to that information and be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
In certain situations, the Multiple Sclerosis Society of Canada may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement will be limited and specific. The reasons for denying access will be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
Principle 10 – Challenging Compliance
An individual will be able to address a challenge concerning the Multiple Sclerosis Society of Canada’s compliance with its own Privacy and Confidentiality Policy and the 10 PIPEDA privacy principles to the designated individual or individuals accountable for the Multiple Sclerosis Society of Canada's compliance.
The Multiple Sclerosis Society of Canada will develop detailed guidelines to assist volunteers and staff in carrying out the Privacy and Confidentiality Policy.
Approved by the National Board of Directors, June 9, 2001
Opal Information System Data Sharing Principles
Opal Project Objective
To provide an integrated customer relationship management system throughout the Multiple Sclerosis Society of Canada to enable a high degree of collaboration amongst volunteers and staff and thereby increase our capacity to find a cure for MS and to enable people affected by MS to enhance their quality of life.
Opal Data Sharing Principles
- Opal will adhere to all legislated privacy regulations and will respect the rights of individuals to be removed from the database upon their request.
- In addition to limiting access to information to authorized users only, Opal will provide further security over individual health information and restrict access to this data to authorized IFS users.
- Members of the Multiple Sclerosis Society of Canada within the Opal system will not be solicited solely on the basis of their membership without their expressed prior consent.
- Within Opal, individuals will be able to self-determine their desired level of interaction with the Multiple Sclerosis Society of Canada.
- Opal will provide equal access to local and organization-wide statistical data on an aggregate basis.