PIPEDA (Personal Information Protection and Electronic Documents Act) Policy
The Personal Information Protection and Electronic Documents Act (PIPEDA) establishes rules to govern the collection, use, and disclosure of personal information in a manner that recognizes the right to privacy of individuals with respect to their personal information and the need of organizations to collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. Wellbeats is committed to protecting and respecting the personal information of its customers, employees, business partners, and all other entities it interacts with in accordance with PIPEDA. This policy will provide guidelines to ensure that Wellbeats remains compliant with PIPEDA requirements.
PIPEDA fair information principles
PIPEDA’s 10 fair information principles form the ground rules Wellbeats follows for the collection, use and disclosure of personal information, as well as for providing access to personal information. They give individuals control over how their personal information is handled in the private sector.
In addition to these principles, PIPEDA states that any collection, use or disclosure of personal information must only be for purposes that a reasonable person would consider appropriate in the circumstances.
Principle 1 – Accountability
An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.
Wellbeats has designated the following position responsible for PIPEDA compliance:
Program Manager: Privacy, Security and Compliance
Wellbeats
1660 South, Hwy 100
Suite 590
St. Louis Park, MN 55416
United States of America
Principle 2 – Identifying Purposes
The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.
The types of personal information collected by Wellbeats are described within the corporate Privacy Policy.
Principle 3 – Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information.
Consent is obtained through platform use, which requires agreeing to our End User License Agreement.
Consent may be withdrawn by contacting us using our Data Subject Request Form.
Principle 4 – Limiting Collection
The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.
Wellbeats requires only the information necessary to facilitate login to the platform and to collect usage statistics, as outlined within the corporate Privacy Policy.
Principle 5 – Limiting Use, Disclosure, and Retention
Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.
Wellbeats has documented the limited use of the information it collects and does not sell personal information, as stated within the corporate Privacy Policy. Wellbeats maintains a records retention policy and schedule to comply with the applicable regulations.
Principle 6 – Accuracy
Personal information must be as accurate, complete, and up to date as possible in order to properly satisfy the purposes for which it is to be used.
Wellbeats maintains the records of system use as documented within the corporate Privacy Policy. Profile information is editable by the user and is used to enhance the experience within the Wellbeats system.
Principle 7 – Safeguards
Personal information must be protected by appropriate security relative to the sensitivity of the information.
Wellbeats employs technical safeguards backed by policy and procedure to ensure personal information is protected. Encryption is used while information is in transit and while at rest.
Principle 8 – Openness
An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
Wellbeats makes this document, the corporate Privacy Policy, and the Data Subject Request Form available to ensure you are informed of our practices and are able to exercise your rights.
Principle 9 – Individual Access
Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Wellbeats accommodates this principle by making a Data Subject Request Form available to you. Policies and procedures are in place to satisfy any such request. Responses will be provided within 30 days unless additional time is reasonably required, in which case the individual will be notified.
Principle 10 – Challenging Compliance
An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer.
The Data Subject Request Form is the preferred method of submitting a challenge. It will be handled by the individual identified under Principle 1.
Reporting Breaches
If Wellbeats becomes aware of a breach of our security safeguards that compromises the privacy of the personal information retained by the company, the following action shall be taken:
Notifying Affected Individuals
Determining Whether a Real Risk of Significant Harm Exists
Wellbeats will assess the following factors when determining whether a security breach constitutes a real risk of significant harm to an individual or individuals:
Notifications
Wellbeats will designate a representative who is responsible for ensuring that all individuals affected by the breach for whom the breach creates a real risk of significant harm are notified at the earliest available opportunity, subject to any legal restrictions. Notifications shall:
In addition to the individual(s) affected by the breach, Wellbeats may notify other parties of the breach or disclose personal information relating to the breach, subject to the following guidelines:
Intent
Wellbeats has adopted this Policy to ensure that all Wellbeats employees are aware of our commitment to the privacy and protection of client information.
Protecting the privacy and confidentiality of personal information is an important aspect of the way Wellbeats conducts its business. Collecting, using, and disclosing personal information in an appropriate, responsible, and ethical manner is fundamental to Wellbeats’s daily operations.
Wellbeats strives to protect and respect the personal information of its customers, employees, business partners, and so on in accordance with all applicable regional and federal laws. Each staff member of Wellbeats must abide by the organization’s procedures and practices when handling personal information.
Requirement of Confidentiality
In accordance with the Privacy Act and PIPEDA (Personal Information Protection and Electronic Documents Act), Wellbeats requires all employees to handle sensitive personal client information in a confidential and appropriate manner. It is understood that employees of Wellbeats will become aware of confidential information regarding our clients through the course of their employment. Employees agree that if confidential information is not effectively protected, the operations of Wellbeats may be threatened, and the well-being and privacy of our clients may suffer irreparably.
Employees of Wellbeats are required to keep all confidential information and relevant medical knowledge regarding both the Company and our clients confidential both during and after their term of employment. These practices have been adopted as they have been deemed essential to the protection of Wellbeats, and the well-being and privacy of our clients.
Wellbeats uses the United States’ HIPAA minimum necessary standard. This standard is applied to uses and disclosures of PHI and PII that are permitted under the HIPAA Privacy Rule.