Federal Privacy Act

The Government of Canada has implemented new privacy legislation as of January 1, 2004 – The Personal Information Protection and Electronic Documents Act. It includes provisions that control the handling of information for all business entities that collect any information from individuals for any purpose. The basic principle of the legislation is that “an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances” The Act also requires that the organization take active steps to protect its controlled information, and establish a set of procedures to accomplish this. Barry Shuken of our office is Information Manager under the PIPEDA. The purpose and procedure of our information collection is as follows:

1. We are collecting information for the purpose of conducting medical assessments. To accomplish that purpose, we must collect personal demographic information, and medical histories, to allow us to make the judgments we need to make. This includes a wide variety of lifestyle and life event information relevant to the subject’s physical and mental health. To prejudge the relevance of specific information would limit the ambit of judgment of the assessors, and therefore we are reluctant to limit the scope of information gathering. One can only say in advance that information that would have no ramifications for medical analysis would be irrelevant, and the Limiting Collection Principle would apply to such information.

2. No collected information shall be used for any purpose other than the medical assessment for which we were retained, except under the terms of the Act, or in pursuance to other duties imposed on us by other statutes and regulations. An example of such statutory release of information would be our obligation to report to our regulator, the Financial Services Commission of Ontario.

3. Consent will be solicited and obtained from each client in writing before any assessment is commenced after the client has been advised of the purpose for collecting information. Information will be retained for the period of our statutory responsibility, 10 years. Thereafter, demographic information and basic medical information shall be retained in our database. Personal information contained in files shall be destroyed after 10 years.

4. Clients shall be apprised of the scope of the information retained for them, and be given the opportunity to correct inaccurate information in writing addressed to the Information Manager. Such corrections shall be added to the subject’s file, and any electronic information adjusted accordingly.

5. The physical security of the information shall be maintained by securing it in locked premises, and actively restricting access to it. Electronic information shall be protected by limiting access to approved users with passwords and similar electronic protection methods.

6. Clients will be afforded access to their information upon provision of requested releases in accordance with the Act, and the Guidelines laid down under the Insurance Act.