Published by Angela Lang
Privacy Legislation: What Every Funeral Director Needs to Know
Julie Maciura
March 31 and April 1, 2004

Introduction
Disclaimer
– General information only
– Not providing legal advice
– Need to consult with your own lawyer
PIPEDA
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA sets out rules for how the private sector may collect, use or disclose personal information in the course of commercial activities

PIPEDA
PIPEDA balances an individual’s right to privacy of personal information with the need of organizations to collect, use or disclose personal information for legitimate business purposes

PIPEDA
– As of January 1, 2004, PIPEDA covers commercial activities within all provinces
– Provincial legislation in Ontario is on hold
– Legislation in Alberta, B.C. and Quebec exists

Who is Covered by PIPEDA?
PIPEDA covers:
A. Any organization
B. That engages in a commercial activity
C. Involving personal information
Very few exceptions
The Act applies to funeral directors and transfer service operators
A. Any Organization
An organization can be:
– a single individual (e.g., a sole proprietorship)
– a partnership
– a corporation
– an association of individuals, partnerships and/or corporations

B. Commercial Activity
“Commercial Activity” is defined:
– “means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”

Commercial Activity
Intended to capture as broad a range as possible of transactions involving the collection, use or disclosure of information

Commercial Activity
Includes:
– Private practice of a profession
  E.g., lawyer, health practitioner, funeral establishment
– Even if services are paid for by the government
  E.g., legal aid, OHIP, Social Services

Commercial Activity
Does not include
– Employee information (except in the federal sector; constitutional reason for not covering provincial sector employees)

Commercial Activity
Exceptions
– Government activities
  Covered by separate privacy legislation (federal Privacy Act, provincial Freedom of Information and Protection of Privacy Act)
– Household use only
  E.g., personal address book
– Artistic, journalistic or literary activities
  Freedom of expression under the Charter
  E.g., news organizations, fiction
C. Personal Information
“Personal Information” is defined:
– “means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization”

Personal Information
– Extremely broad definition
– Open-ended, no list of examples
– Not limited to recorded information

Personal Information
Likely includes:
– Name, address, telephone number
– Identification numbers (SIN, licence #)
– Human rights characteristics (e.g., age, race)
– Credit records, loan records, income
– Health information
– Criminal or misconduct history
– Information about recently dead people

PIPEDA
Under PIPEDA, personal information must be:
– Collected with consent and for a reasonable purpose,
– Used and disclosed for the limited purpose for which it was collected,
– Accurate,
– Accessible for inspection and correction, and
– Stored securely
Requirements of PIPEDA
– Every organization must have a Privacy Policy that meets the 10 principles of PIPEDA
– The 10 principles form the basic rules for the collection, use and disclosure of personal information

10 Principles
1. Accountability
2. Identifying Purpose
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance

How to Implement the 10 Principles
Step 1 – Appoint Information Officer
Step 2 – Identify Personal Information
Step 3 – Identify Purpose for Collection
Step 4 – Obtain Consents
Step 5 – Limit Use and Disclosure
Step 6 – Safeguards, Retention & Destruction
Step 7 – Access, Corrections, Complaints & Openness
Step 8 – Implement Your Privacy Plan
Step 1 – Information Officer
Must have an “Information Officer” or “Privacy Officer”
Information Officer must:
– Review the funeral home’s or transfer service’s information practices
– Develop and implement the Privacy Plan
– Train staff
– Monitor compliance
– Be the contact person for information/privacy questions

Information Officer
A good Information Officer must:
– Hold a senior position
– Be familiar with how information is collected, stored, used and disclosed in the funeral home
– Be experienced with human resources management
– Be experienced with client relations
– Be comfortable with legal matters

Step 2 – Identify Personal Information
What personal information do you collect?
– May have to review files
  Both paper and electronic
  May have to survey staff
– List needs to be complete

Identify Personal Information
Can use categories
– E.g., vital statistics of the deceased, obituary notice information
Categories of individuals you collect info about
– Clients
– Prospective clients, general public
– Contract staff
  E.g., non-employees, students
Step 3 – Identifying Purpose
PIPEDA states you may collect, use or disclose information only for the purposes that a reasonable person would consider are appropriate in the circumstances (s. 3(5))

Identifying Purpose
Identifying purpose for collecting, using and disclosing information:
1. Need to set out in privacy policy
2. Need to limit as much as possible
3. Need authority to collect, use and disclose
– Most common authority is consent

Identifying Purpose
Types of purposes for collecting, using and disclosing personal information
– Primary purpose
  E.g., serving clients
– Related purpose
  E.g., billing clients, accounting
– Secondary purpose
  E.g., regulatory accountability
Identify all purposes

Identifying Purpose
Example of a primary purpose – funeral establishment
– Purpose: Our primary purpose for collecting personal information about you is to provide funeral services to you
– Description: We collect information, including vital statistics about you, in order to help us advise about funeral service options and then to provide funeral services

Identifying Purpose
Related and secondary purposes
– Invoicing and collection
– Quality control and risk management
– External regulation
– Sale of business

Identifying Purpose
Can collect only the information that is necessary for the purpose
– E.g., no need to collect financial information if no credit is extended
Step 4 – Obtain Consent
– General rule: must obtain consent for collection, use and disclosure
– Means explaining to clients what information you are collecting and why
– What about family members?
  Probably characterized as info about the client, not family members per se

Obtain Consent
Manner of obtaining consent varies with
– Sensitivity of the information (e.g., health information, financial information)
– Reasonable expectations of the individual
– Context (e.g., a written consent is difficult to obtain over the phone)
Can be implied, verbal or written
– Risk of implied consent for related purposes
– Opt-out consent inappropriate in many cases

Obtain Consent
Sample consent form
– I understand that to provide me with supplies and services, [ABC Funeral Establishment] will collect some personal information about me (e.g., [set out some common examples like home telephone number, address])
– I have reviewed the [ABC Funeral Establishment]’s Privacy Policy about the collection, use and disclosure of personal information, steps taken to protect the information and my right to review my personal information. I understand how the Privacy Policy applies to me. I have been given a chance to ask any questions about the Privacy Policy and they have been answered to my satisfaction.
– I understand that only if I check off the following boxes will I receive the following:
  – I would like to receive newsletters and other informational mailings from [ABC Funeral Establishment]
  – I would like to receive informational mailings from [other organizations]
– I understand that, as explained in the Policies and Procedures for Personal Information, there are some rare exceptions to these commitments
– I agree to ABC Funeral Establishment collecting, using and disclosing personal information about me as set out above and in the ABC Funeral Establishment’s Privacy Policy

Obtain Consent
Rare exceptions to the consent principle
– E.g., to investigate a breach of law or agreement
  E.g., collection of unpaid accounts
– E.g., publicly available information specified in regulation under the Act
  Actually a narrow exception (e.g., name, address in a publicly available phone directory)
Step 5 – Limit the Use and Disclosure
Principles of Use and Disclosure
Personal information can only be used or disclosed for the purpose for which it was obtained unless:
– Further consent is obtained, or
– There is legal authority to use or disclose the information without consent
Thus it is important to get a complete consent at the start
– E.g., if you want to sell the business later

Limit the Use and Disclosure
Use of personal information without consent
– An emergency that threatens the life, health or security of an individual
– For the investigation of a breach of law in Canada or elsewhere
– Publicly available information specified in regulation (e.g., telephone directories, professional directories, statutory registries, court records and information provided by the individual to newspapers, magazines and books)
– Specific research situations (obtain legal advice)

Limit the Use and Disclosure
Disclosure of personal info without consent
– To the organization’s lawyer
– For debt collection purposes
– To comply with a subpoena, warrant or court order
– At the request of a government institution for national security, law enforcement or administration
– Where there is an emergency that threatens the life, health or security of an individual
  Must then advise the individual in writing right away
– Publicly available information specified in regulation
– 20 years after the death or 100 years after the record was made (implications for funeral directors)
– Specific research situations (obtain legal advice)
– Where disclosure is required by law
Step 6 – Safeguards, Retention and Destruction
Safeguards must include
– Physical measures
  E.g., restricted access areas, locked cabinets
– Organizational measures
  E.g., need-to-know & other employee policies
  E.g., security clearances
– Technological measures
  E.g., passwords, encryption, firewalls

Safeguards, etc.
Location of Paper Information
– Office areas restricted to staff
– Office areas open to non-staff
  Non-staff supervised at all times, or
  All personal info locked away when staff are absent
– While in transit to another location
– Home office

Safeguards, etc.
Location of Electronic Information
Office areas restricted to staff
– Security badges and sign-in sheets for larger organizations
– Non-staff with access (e.g., cleaners) must sign confidentiality agreements
– Password protection for each terminal
– Password protection for the screen saver on each terminal
– For more sophisticated networks, unique user identifiers, audit trails, and intrusion detection systems
– For wireless networks, consult an expert

Safeguards, etc.
Transfer of Electronic Information
– Through a direct line that is password protected
– Through email or other internet communication where
  – There is consent of the person to whom the info relates
    E.g., the client requests email communication
  – The message is anonymized
  – Encryption is used
– Through a disk, CD or other storage medium
  Treated with the same safeguards as paper info

Safeguards, etc.
Transfer of Paper Information
In a sealed envelope marked private and confidential, sent by Canada Post or a reputable courier, or delivered by staff.

Safeguards, etc.
Faxes
Through fax with a cover sheet identifying the recipient and carrying a privacy clause, and only where
– The fax number has been approved by the recipient and the fax machine is securely located
– Privacy of the recipient can reasonably be inferred
  E.g., to an organization that is expected to keep information private, like a legal office
– The recipient has a Privacy Policy
Your incoming fax machine is securely located

Safeguards, etc.
Staff (including temporary workers) training on:
– Importance of the privacy of personal information
– Access on a need-to-know basis
– The organization’s Privacy Policy
– Remove or mask unnecessary personal information
– Shred info; do not put it in regular garbage or the blue box
– Avoid discussing personal information in public places
– Breach of policies will result in discipline, even dismissal
Safeguards, etc.
Duty to ensure accuracy
– Must take reasonable steps to ensure information is accurate
Implications
– Confirm with client?
– Update with client on subsequent visits?

Safeguards, etc.
Privacy and security agreements with
– Temporary workers
– Cleaners
– Information technology consultant
– Lawyers
– Bookkeepers and accountants
– File storage service
– Credit card companies
– Website manager
– Premises security agency
– Building maintenance
This access is a transfer, not a disclosure

Safeguards, etc.
– Regular and systematic monitoring of compliance with the organization’s policies by the Information Officer
– Regular and systematic auditing of the electronic safeguards by an external company
– Policy to notify individuals where their personal information is misused or misappropriated
– Review physical layout and procedures
  E.g., use rooms, not cubicles, for interviews
  E.g., reception area concerns

Retention, etc.
Retention of Files
– Minimum and maximum retention period
  Working notes and extra copies destroyed earlier
Categories of Files
– Client Files
– General Correspondence
– Contact Directories
– Other

Destruction, etc.
Destruction of Personal Information
– Shredding (paper files)
– Deletion (electronic records where the hard drive or storage vehicle is retained)
– Physical destruction (where the hard drive etc. is discarded)
– Return all or part of the file to the client

Destruction, etc.
No hard and fast rules regarding when to destroy material – you need to justify your decision, and your policy needs to be reasonable and consistently applied
Step 7 – Access & Correction
Individuals generally have the right to access personal information you hold about them

Access & Correction
Some Grounds for Refusing a Request
– The information reveals personal information about a third party, unless
  The third party info can be severed,
  The third party consents, or
  An individual’s life, health or safety is threatened
– Information is solicitor and client privileged
– Information would reveal confidential commercial information, unless it can be severed

Access & Correction
Providing Access
– Must respond within 30 days
– Must confirm the identity of the person seeking access
– Ensure that the person can understand the info
  E.g., explain short forms or codes
  E.g., provide in an alternative format where there is a disability
– Access to how you have used / disclosed the info
  Thus need to keep records

Access & Correction
– Person has the right to correct errors
– If you agree, you must make the correction
– If you disagree, you must file a notice of disagreement
  What about the original entry?
– Must give notice of correction, or notice of disagreement, to third parties

Complaints System
Internal complaints system
– Designated individual to receive and respond
– Accessible and simple complaints procedure
  Acknowledge receipt of the complaint
  Investigate the complaint
  Provide a decision with reasons
– Respond appropriately where justified
– Notify the public of external recourses
  E.g., Information and Privacy Commissioner
Complaints System
Information and Privacy Commissioner
– Investigates complaints about an organization’s personal info handling practices
  E.g., enter premises, interview staff, review records
  E.g., summonsing documents and witnesses
– Mediates and conciliates such complaints
– Audits personal information handling practices
– Makes public reports of abuses
– Seeks remedies for breaches in Federal Court

Complaints System
Federal Court of Canada remedies
– Order for the organization to correct its personal information handling practices
– Order for the organization to publish a notice of corrective action
– Award of damages for any humiliation

Openness
– Must have a written privacy policy
– Must make it available to the public
  E.g., brochure
  E.g., website
  E.g., on request
  To anyone, not just clients
– Staff must know the policies and be able to answer questions

Step 8 – Implement Your Plan
Initial Implementation
– Complete an audit
– Develop your consent forms
– Write out your Privacy Policy
– Train staff
– Contracts with external consultants and outsourcing providers
– Post the Privacy Policy document publicly

Implement Your Plan
Ongoing implementation
– Monitoring compliance with the Privacy Policy
  Prepare a report annually
– External information technology audit (annual)
– Refresher training session for all staff (annual)
– Review and update of the Privacy Policy document (annual)

Other Resources
– Information & Privacy Commissioner of Canada: www.privcom.gc.ca
– Ontario Information & Privacy Commission: www.ipc.on.ca
– Our firm’s website: www.sml-law.com

Julie Maciura
STEINECKE MACIURA LEBLANC