British Columbia’s Personal Information Protection Act (PIPA) sets out the ground rules for how organizations may collect, use, or disclose information about you. At the BC Epilepsy Society (BCES), this information includes persons living with epilepsy, donors, volunteers, and employees. Where a province enacts legislation similar to the federal Act, the provincial statute will apply within the province, in primacy over the federal statute. At this time, all provinces have done so in some way.
Grandfather Clause Within British Columbia
The Act does not apply to the collection of personal information that has been collected on or before the Act comes into force.
Practical effect: Organizations do not have to re-collect personal information they already hold, as long as the use and disclosure are for reasonable purposes and fulfill the original purposes for collection
All other protections will apply (e.g. security, new uses, right of access)
BCES is committed to protecting the privacy and safeguarding the personal information of persons living with epilepsy, donors, volunteers, members, employees, and other stakeholders. BCES endeavours to adhere to all legislative requirements with respect to privacy.
Defining Personal Information
Personal information includes any factual or subjective information, recorded or not, that can be used to distinguish, identify, or contact a specific individual. This includes information in either paper or electronic form, such as:
• age, name, ID numbers, income, or ethnic origin
• opinions, evaluations, comments, social status, or disciplinary actions
• employee files, credit records, loan records, medical records
Personal information does not include the name, title, business address, or business telephone of an employee of an organization. Names, addresses, and telephone numbers as published in publicly available telephone directories are not considered personal information.
Our Ten Privacy Principles
At the heart of the federal law are 10 principles, which guide how organizations collect and use personal information, and that give stakeholders the right to challenge the organization’s compliance with these principles.
Every employee and volunteer at BCES is responsible for maintaining and protecting personal information under his/her control. BCES has appointed the following individual who is accountable for the organization’s compliance with the following principles. The Executive Director or their designate will serve as the BCES Privacy Officer and is directly responsible for employee information.
2. Identifying Purposes
The purposes for which information is collected shall be identified at or before the time the information is collected.
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information.
4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
5. Limited Use, Disclosure, and Retention
Personal information hall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
Security safeguards appropriate to the sensitivity of the information shall protect personal information.
BCES shall make readily available to individuals specific information about its policies and practices to the management of personal information.
9. Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended or removed as appropriate.
10. Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
Types of Information We Collect
All staff and volunteers will be asked to sign an oath of confidentiality at the time of employment or engagement. Some types of information we collect are listed below.
Adopted February 10, 2004
We collect personal information required for the purposes of payroll and benefits administration. We never give personal information (whether a current employee or past employee) e.g. home address and phone number, SIN number, salary, family, or health matters without the prior consent of the employee. Employee information is securely stored and accessible only by the Payroll Administrator and the Executive Director. An employee’s Coach must store and secure the copies of each employee’s information appropriately.
Persons Living with Epilepsy and their Families Information
We collect donor information for the purposes of recording, acknowledging, and tax receipting the donation. From time to time, we mail to donors to provide information about BCES or upcoming events. All information is confidential and is treated with the utmost care. Donors may request to reduce or stop direct marketing by BCES. Access to donor information whether electronically or paper files, is given only to fully-trained staff or volunteers who shall use, update, or manipulate the information only for the purposes of carrying out their responsibilities.
All information whether electronically or paper, is secured as determined appropriate to ensure the privacy of individuals. For examples, locked filing cabinets are used and are accessible only by authorized staff for information of persons living with epilepsy. Appropriate passwords and levels of security have been placed on staff computers. Understanding that email is not always secure, personal information is not transmitted via email e.g. credit card information. Group email, sent to various external constituents, is always sent in a manner, which protects the email addresses such as the use of the bcc field. Email address and computer access of departed employees are always deleted or changed immediately. Appropriate firewalls have been installed.
An individual may complain to the BCES Privacy Officer or to the Privacy Commissioner of Canada (or applicable provincial body) about any alleged breaches of the law. The Commissioner may also initiate a complaint.
We endeavour to regularly review our policies and procedures and train staff and volunteers as appropriate in order to maintain our commitment to all our stakeholders.