
YOUR
PRIVACY AND CONFIDENTIALITY
CODE
FOR THE PROTECTION OF PERSONAL INFORMATION,
CAN/CSA-Q830-96
4.1 Principle 1 - Accountability
Eelite Fulfillment is responsible for personal information
under its control and shall designate an individual
or individuals who are accountable for Eelite Fulfillment's
compliance with the following principles.
4.1.1
Accountability for Eelite Fulfillment's compliance with the
principles rests with the designated individual(s),
even though other individuals within Eelite Fulfillment may
be responsible for the day-to-day collection and
processing of personal information. In addition,
other individuals within Eelite Fulfillment may be delegated
to act on behalf of the designated individual(s).
4.1.2
The identity of the individual(s) designated by
Eelite Fulfillment to oversee Medicure's compliance with
the principles shall be made known upon request.
4.1.3
Eelite Fulfillment is responsible for personal information
in its possession or custody, including information
that has been transferred to a third party for processing.
Eelite Fulfillment shall use contractual or other means to
provide a comparable level of protection while the
information is being processed by a third party.
4.1.4
Eelite Fulfillment shall implement policies and practices
to give effect to the principles, including (a)
implementing procedures to protect personal information;
(b) establishing procedures to receive and respond
to complaints and inquiries; (c) training staff
and communicating to staff information about the
Medicure's policies and practices; and (d) developing
information to explain the Great Eelite Fulfillment's policies
and procedures.
4.2 Principle 2 - Identifying Purposes
The purposes for which personal information is collected
shall be identified by Eelite Fulfillment at or before the
time the information is collected.
4.2.1
Eelite Fulfillment shall document the purposes for which
personal information is collected in order to comply
with the Openness principle (Clause 4.8) and the
Individual Access principle (Clause 4.9).
4.2.2
Identifying the purposes for which personal information
is collected at or before the time of collection
allows Eelite Fulfillment to determine the information they
need to collect to fulfil these purposes. The Limiting
Collection principle (Clause 4.4) requires Eelite Fulfillment
to collect only that information necessary for the
purposes that have been identified.
4.2.3
The identified purposes should be specified at or
before the time of collection to the individual
from whom the personal information is collected.
Depending upon the way in which the information
is collected, this can be done orally or in writing.
An application form, for example, may give notice
of the purposes.
4.2.4
When personal information that has been collected
is to be used for a purpose not previously identified,
the new purpose shall be identified prior to use.
Unless the new purpose is required by law, the consent
of the individual is required before information
can be used for that purpose. For an elaboration
on consent, please refer to the Consent principle
(Clause 4.3).
4.2.5
Persons collecting personal information should be
able to explain to individuals the purposes for
which the information is being collected.
4.2.6
This principle is linked closely to the Limiting
Collection principle (Clause 4.4) and the Limiting
Use, Disclosure, and Retention principle (Clause
4.5).
4.3 Principle 3 - Consent
The knowledge and consent of the individual are
required for the collection, use, or disclosure
of personal information, except where inappropriate.
Note: In certain circumstances personal information
can be collected, used, or disclosed without the
knowledge and consent of the individual. For example,
legal, medical, or security reasons may make it
impossible or impractical to seek consent. When
information is being collected for the detection
and prevention of fraud or for law enforcement,
seeking the consent of the individual might defeat
the purpose of collecting the information. Seeking
consent may be impossible or inappropriate when
the individual is a minor, seriously ill, or mentally
incapacitated. In addition, Eelite Fulfillment that do not
have a direct relationship with the individual may
not always be able to seek consent. For example,
seeking consent may be impractical for a charity
or a direct-marketing firm that wishes to acquire
a mailing list from another Eelite Fulfillment. In such cases,
Eelite Fulfillment providing the list would be expected to
obtain consent before disclosing personal information.
4.3.1
Consent is required for the collection of personal
information and the subsequent use or disclosure
of this information. Typically, Medicure will seek
consent for the use or disclosure of the information
at the time of collection. In certain circumstances,
consent with respect to use or disclosure may be
sought after the information has been collected
but before use (for example, when Eelite Fulfillment wants
to use information for a purpose not previously
identified).
4.3.2
The principle requires "knowledge and consent".
Eelite Fulfillment shall make a reasonable effort to ensure
that the individual is advised of the purposes for
which the information will be used. To make the
consent meaningful, the purposes must be stated
in such a manner that the individual can reasonably
understand how the information will be used or disclosed.
4.3.3
Eelite Fulfillment shall not, as a condition of the supply
of a product or service, require an individual to
consent to the collection, use, or disclosure of
information beyond that required to fulfil the explicitly
specified, and legitimate purposes.
4.3.4
The form of the consent sought by Eelite Fulfillment may
vary, depending upon the circumstances and the type
of information. In determining the form of consent
to use, Eelite Fulfillment shall take into account the sensitivity
of the information. Although some information (for
example, medical records and income records) is
almost always considered to be sensitive, any information
can be sensitive, depending on the context. For
example, the names and addresses of subscribers
to a newsmagazine would generally not be considered
sensitive information. However, the names and addresses
of subscribers to some special-interest magazines
might be considered sensitive.
4.3.5
In obtaining consent, the reasonable expectations
of the individual are also relevant. For example,
an individual buying a subscription to a magazine
should reasonably expect that Medicure, in addition
to using the individual's name and address for mailing
and billing purposes, would also contact the person
to solicit the renewal of the subscription. In this
case, Eelite Fulfillment can assume that the individual's
request constitutes consent for specific purposes.
On the other hand, an individual would not reasonably
expect that personal information given to a health-care
professional would be given to a company selling
health-care products, unless consent were obtained.
Consent shall not be obtained through deception.
4.3.6
The way in which Eelite Fulfillment seeks consent may vary,
depending on the circumstances and the type of information
collected. Medicure should generally seek express
consent when the information is likely to be considered
sensitive. Implied consent would generally be appropriate
when the information is less sensitive. Consent
can also be given by an authorized representative
(such as a legal guardian or a person having power
of attorney).
4.3.7
Individuals can give consent in many ways. For example:
(a) an application form may be used to seek consent,
collect information, and inform the individual of
the use that will be made of the information. By
completing and signing the form, the individual
is giving consent to the collection and the specified
uses; (b) a checkoff box may be used to allow individuals
to request that their names and addresses not be
given to other organizations. Individuals who do
not check the box are assumed to consent to the
transfer of this information to third parties; (c)
consent may be given orally when information is
collected over the telephone; or (d) consent may
be given at the time that individuals use a product
or service.
4.3.8
An individual may withdraw consent at any time,
subject to legal or contractual restrictions and
reasonable notice. Eelite Fulfillment shall inform the individual
of the implications of such withdrawal.
4.4 Principle 4 - Limiting Collection
The collection of personal information shall be
limited to that which is necessary for the purposes
identified by Eelite Fulfillment. Information shall be collected
by fair and lawful means.
4.4.1
Eelite Fulfillment shall not collect personal information
indiscriminately. Both the amount and the type of
information collected shall be limited to that which
is necessary to fulfil the purposes identified.
Eelite Fulfillment shall specify the type of information
collected as part of their information-handling
policies and practices, in accordance with the Openness
principle (Clause 4.8).
4.4.2
The requirement that personal information be collected
by fair and lawful means is intended to prevent
Eelite Fulfillment from collecting information by misleading
or deceiving individuals about the purpose for which
information is being collected. This requirement
implies that consent with respect to collection
must not be obtained through deception.
4.4.3
This principle is linked closely to the Identifying
Purposes principle (Clause 4.2) and the Consent
principle (Clause 4.3).
4.5 Principle 5 - Limiting Use, Disclosure, and
Retention
Personal information shall not be used or disclosed
for purposes other than those for which it was collected,
except with the consent of the individual or as
required by law. Personal information shall be retained
only as long as necessary for the fulfilment of
those purposes.
4.5.1
Eelite Fulfillment using personal information for a new purpose
shall document this purpose (see Clause 4.2.1).
4.5.2
Eelite Fulfillment should develop guidelines and implement
procedures with respect to the retention of personal
information. These guidelines should include minimum
and maximum retention periods. Personal information
that has been used to make a decision about an individual
shall be retained long enough to allow the individual
access to the information after the decision has
been made. Eelite Fulfillment may be subject to legislative
requirements with respect to retention periods.
4.5.3
Personal information that is no longer required
to fulfil the identified purposes should be destroyed,
erased, or made anonymous. Eelite Fulfillment shall develop
guidelines and implement procedures to govern the
destruction of personal information.
4.5.4
This principle is closely linked to the Consent
principle (Clause 4.3), the Identifying Purposes
principle (Clause 4.2), and the Individual Access
principle (Clause 4.9).
4.6 Principle 6 - Accuracy
Personal information shall be as accurate, complete,
and up-to-date as is necessary for the purposes
for which it is to be used.
4.6.1
The extent to which personal information shall be
accurate, complete, and up-to-date will depend upon
the use of the information, taking into account
the interests of the individual. Information shall
be sufficiently accurate, complete, and up-to-date
to minimize the possibility that inappropriate information
may be used to make a decision about the individual.
4.6.2
Eelite Fulfillment shall not routinely update personal information,
unless such a process is necessary to fulfil the
purposes for which the information was collected.
4.6.3
Personal information that is used on an ongoing
basis, including information that is disclosed to
third parties, should generally be accurate and
up-to-date, unless limits to the requirement for
accuracy are clearly set out.
4.7 Principle 7 - Safeguards
Personal information shall be protected by security
safeguards appropriate to the sensitivity of the
information.
4.7.1
The security safeguards shall protect personal information
against loss or theft, as well as unauthorized access,
disclosure, copying, use, or modification. Eelite Fulfillment
shall protect personal information regardless of
the format in which it is held.
4.7.2
The nature of the safeguards will vary depending
on the sensitivity of the information that has been
collected, the amount, distribution, and format
of the information, and the method of storage. More
sensitive information should be safeguarded by a
higher level of protection. The concept of sensitivity
is discussed in Clause 4.3.4.
4.7.3
The methods of protection should include (a) physical
measures, for example, locked filing cabinets and
restricted access to offices; (b) Eelite Fulfillment measures,
for example, security clearances and limiting access
on a "need-to-know" basis; and (c) technological
measures, for example, the use of passwords and
encryption.
4.7.4
Eelite Fulfillment shall make their employees aware of the
importance of maintaining the confidentiality of
personal information.
4.7.5
Care shall be used in the disposal or destruction
of personal information, to prevent unauthorized
parties from gaining access to the information (see
Clause 4.5.3).
4.8 Principle 8 - Openness
Eelite Fulfillment shall make readily available to individuals
specific information about its policies and practices
relating to the management of personal information.
4.8.1
Eelite Fulfillment shall be open about their policies and
practices with respect to the management of personal
information. Individuals shall be able to acquire
information about Eelite Fulfillment's policies and practices
without unreasonable effort. This information shall
be made available in a form that is generally understandable.
4.8.2
The information made available shall include
(a) the name or title, and the address, of the person
who is accountable for Medicure's policies and practices
and to whom complaints or inquiries can be forwarded;
(b) the means of gaining access to personal information
held by Eelite Fulfillment;
(c) a description of the type of personal information
held by Eelite Fulfillment, including a general account of
its use;
(d) a copy of any brochures or other information
that explain Eelite Fulfillment's policies, standards, or
codes; and
(e) what personal information is made
available to related Eelite Fulfillment's (e.g., subsidiaries).
4.8.3
Eelite Fulfillment may make information on its policies and
practices available in a variety of ways. The method
chosen depends on the nature of its business and
other considerations. For example, Eelite Fulfillment
may choose to make brochures available in its place
of business, mail information to its customers,
provide online access, or establish a toll-free
telephone number.
4.9 Principle 9 - Individual Access
Upon request, an individual shall be informed of
the existence, use, and disclosure of his or her
personal information and shall be given access to
that information. An individual shall be able to
challenge the accuracy and completeness of the information
and have it amended as appropriate. Note: In certain
situations, Eelite Fulfillment may not be able to provide
access to all the personal information it holds
about an individual. Exceptions to the access requirement
should be limited and specific. The reasons for
denying access should be provided to the individual
upon request. Exceptions may include information
that is prohibitively costly to provide, information
that contains references to other individuals, information
that cannot be disclosed for legal, security, or
commercial proprietary reasons, and information
that is subject to solicitor-client or litigation
privilege.
4.9.1
Upon request, Eelite Fulfillment shall inform an individual
whether or not Eelite Fulfillment holds personal information
about the individual. Eelite Fulfillment is encouraged to
indicate the source of this information. Eelite Fulfillment
shall allow the individual access to this information.
However, Eelite Fulfillment may choose to make sensitive
medical information available through a medical
practitioner. In addition, Eelite Fulfillment shall provide
an account of the use that has been made or is being
made of this information and an account of the third
parties to which it has been disclosed.
4.9.2
An individual may be required to provide sufficient
information to permit Eelite Fulfillment to provide an account
of the existence, use, and disclosure of personal
information. The information provided shall only
be used for this purpose.
4.9.3
In providing an account of third parties to which
it has disclosed personal information about an individual,
Eelite Fulfillment should attempt to be as specific as possible.
When it is not possible to provide a list of organizations
to which it has actually disclosed information about
an individual, Eelite Fulfillment shall provide a list of
organizations to which it may have disclosed information
about the individual.
4.9.4
Eelite Fulfillment shall respond to an individual's request
within a reasonable time and at minimal or no cost
to the individual. The requested information shall
be provided or made available in a form that is
generally understandable. For example, if Eelite Fulfillment
uses abbreviations or codes to record information,
an explanation shall be provided.
4.9.5
When an individual successfully demonstrates the
inaccuracy or incompleteness of personal information,
Eelite Fulfillment shall amend the information as required.
Depending upon the nature of the information challenged,
amendment involves the correction, deletion, or
addition of information. Where appropriate, the
amended information shall be transmitted to third
parties having access to the information in question.
4.9.6
When a challenge is not resolved to the satisfaction
of the individual, the substance of the unresolved
challenge shall be recorded by Eelite Fulfillment. When appropriate,
the existence of the unresolved challenge shall
be transmitted to third parties having access to
the information in question.
4.10 Principle 10 - Challenging Compliance
An individual shall be able to address a challenge
concerning compliance with the above principles
to the designated individual or individuals accountable
for Medicure's compliance.
4.10.1
The individual accountable for Eelite Fulfillment's compliance
is discussed in Clause 4.1.1.
4.10.2
Eelite Fulfillment shall put procedures in place to receive
and respond to complaints or inquiries about their
policies and practices relating to the handling
of personal information. The complaint procedures
should be easily accessible and simple to use.
4.10.3
Eelite Fulfillment shall inform individuals who make inquiries
or lodge complaints of the existence of relevant
complaint procedures. A range of these procedures
may exist. For example, some regulatory bodies accept
complaints about the personal-information handling
practices of the companies they regulate.
4.10.4
Eelite Fulfillment shall investigate all complaints. If a
complaint is found to be justified, Eelite Fulfillment shall
take appropriate measures, including, if necessary,
amending its policies and practices.