Effective April 10, 2020 Version 1.2
PIPEDA (Personal Information Protection and Electronic Documents Act) Policy
The Personal Information Protection and Electronic Documents Act (PIPEDA) establishes rules to govern the collection, use, and disclosure of personal information in a manner that recognizes the right to privacy of individuals with respect to their personal information and the need of organizations to collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. Wellbeats is committed to protecting and respecting the personal information of its customers, employees, business partners, and all other entities it interacts with in accordance with PIPEDA. This policy will provide guidelines to ensure that Wellbeats remains compliant with PIPEDA requirements.
PIPEDA fair information principles
PIPEDA’s 10 fair information principles form the ground rules Wellbeats follows for the collection, use and disclosure of personal information, as well as for providing access to personal information. They give individuals control over how their personal information is handled in the private sector.
In addition to these principles, PIPEDA states that any collection, use or disclosure of personal information must only be for purposes that a reasonable person would consider appropriate in the circumstances.
Principles and Wellbeats Compliance
Principle 1 - Accountability
An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.
Wellbeats has designated the following position responsible for PIPEDA compliance:
Program Manager: Privacy, Security and Compliance
1660 South, Hwy 100
St. Louis Park, MN 55416
United States of America
Principle 2 - Identifying Purposes
The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.
Principle 3 - Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information.
Principle 4 - Limiting Collection
The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.
Principle 5 - Limiting Use, Disclosure, and Retention
Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.
Principle 6 - Accuracy
Personal information must be as accurate, complete, and up to date as possible in order to properly satisfy the purposes for which it is to be used.
Principle 7 - Safeguards
Personal information must be protected by appropriate security relative to the sensitivity of the information.
Wellbeats employs technical safeguards backed by policy and procedure to ensure personal information is protected. Encryption is used while information is in transit and while at rest.
Principle 8 - Openness
An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
Principle 9 - Individual Access
Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Wellbeats accommodates this principle by making a Data Subject Request Form available to you. Policies and procedures are in place to satisfy any such request. Responses will be provided within 30 days unless additional time is reasonably required, in which case the individual will be notified.
Principle 10 - Challenging Compliance
An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer.
The Data Subject Request Form is the preferred method of submitting a challenge. It will be handled by the individual identified under Principle 1.
Breaches of Security Safeguards
If Wellbeats becomes aware of a breach of our security safeguards that compromises the privacy of the personal information retained by the company, the following action shall be taken:
- The Program Manager: Privacy, Security, and Compliance is responsible for coordinating the response to the breach and ensuring that all reasonable action is taken to address the breach.
- The Program Manager: Privacy, Security, and Compliance will notify the Privacy Commissioner of the breach in the prescribed form and manner as soon as feasible once Wellbeats has determined that a breach has occurred.
- Wellbeats will comply to the greatest extent possible and in a timely manner with any requests, orders, or other instructions from the Office of the Privacy Commissioner in order to respond to and address the security breach.
- Wellbeats shall maintain records of every breach of security safeguards, and will provide the Privacy Commissioner with access to, or a copy of, a record of a breach, at the request of the Commissioner.
Notifying Affected Individuals
Determining Whether a Real Risk of Significant Harm Exists
Wellbeats will assess the following factors when determining whether a security breach constitutes a real risk of significant harm to an individual or individuals:
- The sensitivity of the personal information involved in the breach;
- The probability that the personal information has been, is being, or will be misused; and
- Any other prescribed factor.
Wellbeats will designate a representative who is responsible for ensuring that all individuals for whom the breach creates a real risk of significant harm are notified at the earliest available opportunity, subject to any legal restrictions. Notifications shall:
- Contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm from it or to mitigate that harm.
- Contain any other prescribed information.
- Be conspicuous and given directly or indirectly to the individual in the prescribed form and manner as legislatively required as the situation dictates.
- Be given as soon as feasible after the organization determines that the breach has occurred.
In addition to the individual(s) affected by the breach, Wellbeats may notify other parties of the breach or disclose personal information relating to the breach, subject to the following guidelines:
- Wellbeats shall notify other organizations, government institutions, or part(s) of government institutions if it is believed that doing so can reduce or mitigate the harm from the breach.
- Wellbeats may disclose personal information without the knowledge or consent of the individual if:
  - The disclosure is made to the other organization, the government institution, or the part of a government institution that was notified of the breach; and
  - The disclosure is made solely for the purpose of reducing the risk of harm to the individual that could result from the breach or mitigating that harm.
Wellbeats has adopted this Policy to ensure that all Wellbeats employees are aware of our commitment to the privacy and protection of client information.
Protecting the privacy and confidentiality of personal information is an important aspect of the way Wellbeats conducts its business. Collecting, using, and disclosing personal information in an appropriate, responsible, and ethical manner is fundamental to Wellbeats's daily operations.
Wellbeats strives to protect and respect the personal information of its customers, employees, business partners, and so on in accordance with all applicable regional and federal laws. Each staff member of Wellbeats must abide by the organization's procedures and practices when handling personal information.
Requirement of Confidentiality
In accordance with the Privacy Act and PIPEDA (Personal Information Protection and Electronic Documents Act), Wellbeats requires all employees to handle sensitive personal client information in a confidential and appropriate manner. It is understood that employees of Wellbeats will become aware of confidential information regarding our clients through the course of their employment. Employees agree that if confidential information is not effectively protected, the operations of Wellbeats may be threatened, and the well-being and privacy of our clients may suffer irreparably.
Employees of Wellbeats are required to keep all confidential information and relevant medical knowledge regarding both the Company and our clients confidential both during and after their term of employment. These practices have been adopted as they have been deemed essential to the protection of Wellbeats, and the well-being and privacy of our clients.
Wellbeats uses the United States’ HIPAA minimum necessary standard. This standard is applied to uses and disclosures of PHI and PII that are permitted under the HIPAA Privacy Rule.