Personal Information Protection and Electronic Documents Act

Effective April 10, 2020 Version 1.2

PIPEDA (Personal Information Protection and Electronic Documents Act) Policy

 

The Personal Information Protection and Electronic Documents Act (PIPEDA) establishes rules to govern the collection, use, and disclosure of personal information in a manner that recognizes the right to privacy of individuals with respect to their personal information and the need of organizations to collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. Wellbeats is committed to protecting and respecting the personal information of its customers, employees, business partners, and all other entities it interacts with in accordance with PIPEDA. This policy will provide guidelines to ensure that Wellbeats remains compliant with PIPEDA requirements.

PIPEDA fair information principles

PIPEDA’s 10 fair information principles form the ground rules Wellbeats follows for the collection, use and disclosure of personal information, as well as for providing access to personal information. They give individuals control over how their personal information is handled in the private sector.

In addition to these principles, PIPEDA states that any collection, use or disclosure of personal information must only be for purposes that a reasonable person would consider appropriate in the circumstances.

Principles and Wellbeats Compliance

Principle 1 - Accountability

An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.

Wellbeats has designated the following position responsible for PIPEDA compliance:
Program Manager: Privacy, Security and Compliance
Wellbeats
1660 South, Hwy 100
Suite 590
St. Louis Park, MN 55416
United States of America

Principle 2 - Identifying Purposes

The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.

The types of personal information collected by Wellbeats are described in the corporate Privacy Policy.

Principle 3 - Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information.

Consent is obtained through platform use, which requires agreeing to our End User License Agreement.
Consent may be withdrawn by contacting us using our Data Subject Request Form.

Principle 4 - Limiting Collection

The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.

Wellbeats requires only the information necessary to facilitate login to the platform and to collect usage statistics, as outlined in the corporate Privacy Policy.

Principle 5 - Limiting Use, Disclosure, and Retention

Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.

Wellbeats has documented the limited use of information collected and does not sell personal information as documented within the corporate Privacy Policy. Wellbeats maintains a records retention policy and schedule to comply with the applicable regulations.

Principle 6 - Accuracy

Personal information must be as accurate, complete, and up to date as possible in order to properly satisfy the purposes for which it is to be used.

Wellbeats maintains the records of system use as documented within the corporate Privacy Policy. Profile information is editable by the user and is used to enhance the experience within the Wellbeats system.

Principle 7 - Safeguards

Personal information must be protected by appropriate security relative to the sensitivity of the information.

Wellbeats employs technical safeguards backed by policy and procedure to ensure personal information is protected. Encryption is used while information is in transit and while at rest.

Principle 8 - Openness

An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.

Wellbeats has this document, the corporate Privacy Policy, and Data Subject Request Form available to ensure you are informed of our practices and are able to exercise your rights.

Principle 9 - Individual Access

Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Wellbeats accommodates this principle by making a Data Subject Request Form available to you. Policies and procedures are in place to satisfy any such request. Responses to requests will be provided within 30 days unless additional time is reasonably required, in which case the individual will be notified.

Principle 10 - Challenging Compliance

An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer.

The Data Subject Request Form is the preferred method for submitting a challenge. It will be handled by the individual identified under Principle 1.

 

Breaches of Security Safeguards

Reporting Breaches

If Wellbeats becomes aware of a breach of our security safeguards that compromises the privacy of the personal information retained by the company, the following action shall be taken:

  • The Program Manager: Privacy, Security, and Compliance is responsible for coordinating the response to the breach and ensuring that all reasonable action is taken to address the breach.
  • The Program Manager: Privacy, Security, and Compliance will notify the Privacy Commissioner of the breach in the prescribed form and manner as soon as feasible once Wellbeats has determined that a breach has occurred.
  • Wellbeats will comply to the greatest extent possible and in a timely manner with any requests, orders, or other instructions from the Office of the Privacy Commissioner in order to respond to and address the security breach.
  • Wellbeats shall maintain records of every breach of security safeguards, and will provide the Privacy Commissioner with access to, or a copy of, a record of a breach, at the request of the Commissioner.

Notifying Affected Individuals

Determining Whether a Real Risk of Significant Harm Exists

Wellbeats will assess the following factors when determining whether a security breach constitutes a real risk of significant harm to an individual or individuals:

  • The sensitivity of the personal information involved in the breach;
  • The probability that the personal information has been, is being, or will be misused; and
  • Any other prescribed factor.

Notifications

Wellbeats will designate a representative who is responsible for ensuring that all individuals affected by the breach, for whom the breach creates a real risk of significant harm, are notified at the earliest available opportunity, subject to any legal restrictions. Notifications shall:

  • Contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm from it or to mitigate that harm.
  • Contain any other prescribed information.
  • Be conspicuous and be given directly or indirectly to the individual in the prescribed form and manner, as legislatively required and as the situation dictates.
  • Be given as soon as feasible after the organization determines that the breach has occurred.

In addition to the individual(s) affected by the breach, Wellbeats may notify other parties of the breach or disclose personal information relating to the breach, subject to the following guidelines:

  • Wellbeats shall notify other organizations, government institutions, or part(s) of government institutions if it is believed that doing so can reduce or mitigate the harm from the breach.
  • Wellbeats may disclose personal information without the knowledge or consent of the individual if:
    • The disclosure is made to the other organization, the government institution, or the part of a government institution that was notified of the breach; and
    • The disclosure is made solely for the purpose of reducing the risk of harm to the individual that could result from the breach or mitigating that harm.

Intent

Wellbeats has adopted this Policy to ensure that all Wellbeats employees are aware of our commitment to the privacy and protection of client information.

Protecting the privacy and confidentiality of personal information is an important aspect of the way Wellbeats conducts its business. Collecting, using, and disclosing personal information in an appropriate, responsible, and ethical manner is fundamental to Wellbeats' daily operations.

Wellbeats strives to protect and respect the personal information of its customers, employees, business partners, and so on in accordance with all applicable regional and federal laws. Each staff member of Wellbeats must abide by the organization's procedures and practices when handling personal information.

Requirement of Confidentiality

In accordance with the Privacy Act and PIPEDA (Personal Information Protection and Electronic Documents Act), Wellbeats requires all employees to handle sensitive personal client information in a confidential and appropriate manner. It is understood that employees of Wellbeats will become aware of confidential information regarding our clients through the course of their employment. Employees agree that if confidential information is not effectively protected, the operations of Wellbeats may be threatened, and the well-being and privacy of our clients may suffer irreparably.

Employees of Wellbeats are required to keep all confidential information and relevant medical knowledge regarding both the Company and our clients confidential both during and after their term of employment. These practices have been adopted as they have been deemed essential to the protection of Wellbeats, and the well-being and privacy of our clients.

Wellbeats uses the United States’ HIPAA minimum necessary standard. This standard is applied to uses and disclosures of PHI and PII that are permitted under the HIPAA Privacy Rule.
