Context and purpose
Pain BC adheres to the BC Privacy of Information Protection Act (PIPA) and to the Federal Personal Information Protection and Electronic Documentation Act (PIPEDA). This policy describes how Pain BC manages client records, whether they be produced by staff or by volunteers, in accordance with regulation, and with the intention of protecting the trust and privacy of Pain BC stakeholders.
Personal information means information about an identifiable individual, including:
- Name, age, weight, height
- Home address and phone number
- Race, ethnic origin, sexual orientation
- Medical information
- Income, purchases and spending habits
- Blood type, DNA code, fingerprints
- Marital status and religion
- Employment information
Personal information does not include the name, job title, business address, telephone number or other contact information of an individual at a place of business.
Personal information at Pain BC
Pain BC routinely manages personal information as part of its daily operations; for our clinical staff, the collecting, processing, and recording of personal information is an integral component of the services they provide. Other examples of personal information handled at Pain BC include:
- Notes regarding clients of our clinical support services and our education programs, whether they be taken by staff, volunteers, or other Pain BC associates (such as contracted workshop facilitators). These notes represent the most sensitive personal information managed by Pain BC.
- Address and contact information for funders, contractors, service providers, employees, donors, volunteers, and other stakeholders
- Financial, health-related, and other personal details of current and past employees as part of standard human resource record-keeping
- Ensuring the right to privacy of all our stakeholders is essential to achieving Pain BC’s mission.
- All Pain BC staff and volunteers are required to handle all client personal information in compliance with the requirements of BC’s PIPA and Canada’s PIPEDA laws.
- Management of the risk associated with the leakage or loss of personal information falls under the purview of the Director of Operations.
- All Pain BC staff are to follow all guidance on information practices issued by the Director of Operations.
- All Pain BC staff are required to take the Province of British Columbia’s Privacy Training Course within their first week of joining the organization.
- All Pain BC processes involving personal information are to have a documented standard operating procedure; the design and documentation of these processes must consider risks of loss/leakage of personal information and adhere to best practices and PIPA / PIPEDA guidelines.
- Pain BC staff, volunteers, contractors, and other stakeholders participating in processes that involve personal information will receive adequate training in the correct way to handle this information.
- All personal information will be consistently stored in secure systems and databases that are located in Canada and follow industry best practices in information security.
- All Pain BC staff are required to immediately report any potential loss or leakage of personal information to their Director and to the Director of Operations, who will inform the Executive Director; the Executive Director will determine the need to advise the Board of Directors or funding agencies.
- In the event of a loss or leakage of personal information, Pain BC management will both remediate the situation as per PIPA guidelines and conduct a root-cause analysis to address gaps in practice.
- Pain BC will maintain a formal, documented process for handling requests for personal information. Pain BC will comply with PIPA and PIPEDA by responding to legitimate requests well within the required 30 working days from the initial request.
- Pain BC will not release personal information of clients who engage in Pain BC programs and services unless this information is requested by the clients themselves.
- Pain BC will provide personal records of support services clients – if these are requested by the client themselves – within 30 days of request. Pain BC will NOT provide client records if they reveal the identity or other personal information pertaining to any other person (specifically, a Pain BC volunteer). If necessary, the information identifying the third party will be redacted prior to submitting these records to the requestor.
- In an attempt to protect the privacy of our volunteers against unnecessary intrusion, Pain BC staff will limit release of personal information to the number of sessions and dates of program involvement unless case notes are legally mandated and accompanied by the consent of the client.
- Any personal information that is written down on paper or other physical medium as notes will be transcribed or scanned to the appropriate system / database and then destroyed in a prompt manner.
- Digital written communication – whether via e-mail, Slack, or any other tool – involving client personal information should be reserved for time-sensitive situations such as when coordinating client care. Any such communication is to be permanently deleted on a monthly basis.