Federal Privacy Act
The Government of Canada has implemented new privacy
legislation as of January 1, 2004: the Personal Information Protection
and Electronic Documents Act (PIPEDA). It includes provisions that control
the handling of information for all business entities that collect any
information from individuals for any purpose. The basic principle of the
legislation is that "an organization may collect, use or disclose personal
information only for purposes that a reasonable person would consider are
appropriate in the circumstances." The Act also requires that the
organization take active steps to protect the information it controls, and
establish a set of procedures to accomplish this. Barry Shuken of our office
is Information Manager under the PIPEDA. The purpose and procedure of our
information collection are as follows:
1. We are collecting information for the purpose of conducting medical
assessments. To accomplish that purpose, we must collect personal demographic
information, and medical histories, to allow us to make the judgments
we need to make. This includes a wide variety of lifestyle and life event
information relevant to the subject's physical and mental health. To
prejudge the relevance of specific information would limit the ambit
of judgment of the assessors, and therefore we are reluctant to limit
the scope of information gathering. One can only say in advance that
information that would have no ramifications for medical analysis would
be irrelevant, and the Limiting Collection Principle would apply to such
information.
2. No collected information shall be used for any purpose other than
the medical assessment for which we were retained, except under the terms
of the Act, or pursuant to other duties imposed on us by other statutes
and regulations. An example of such statutory release of information
would be our obligation to report to our regulator, the Financial Services
Commission of Ontario.
3. Consent will be solicited and obtained from each client in writing
before any assessment is commenced, after the client has been advised
of the purpose for collecting information. Information will be retained
for the period of our statutory responsibility, 10 years. Thereafter,
demographic information and basic medical information shall be retained
in our database. Personal information contained in files shall be destroyed
after 10 years.
4. Clients shall be apprised of the scope of the information retained
for them, and be given the opportunity to correct inaccurate information
in writing addressed to the Information Manager. Such corrections shall
be added to the subject's file, and any electronic information adjusted
accordingly.
5. The physical security of the information shall be maintained by
securing it in locked premises, and actively restricting access to it.
Electronic information shall be protected by limiting access to approved
users with passwords and similar electronic protection methods.
6. Clients will be afforded access to their information upon provision
of requested releases in accordance with the Act, and the Guidelines
laid down under the Insurance Act.