The Personal Information Protection and Electronic Document Act (PIPEDA) enacted in 2000, is a Canadian federal legislation governing the collection, use and disclosure of personal information by private sector organizations. As of January 1, 2004 all Canadian businesses including child care centres are required to comply with the following privacy principles:
2. Identifying purposes
4. Limiting collection
5. Limiting use, disclosure and retention
9. Individual access
10. Challenging compliance
Personal information is defined as:
• Factual or subjective information, recorded or unrecorded, about an identifiable individual
• Name, race, ethnicity, religion, marital status, education level
• E-mail addresses, e-mail messages, IP addresses
• Medical records: age, height, weight, blood type, DNA code, fingerprints, voiceprint
• Financial information: income, purchases, spending habits, credit/debit card data, banking information, tax returns, credit reports
• Social Insurance Number (SIN), or other identification numbers
• Privacy and confidentiality are important to establish and maintain trusting and lasting relationships with parents, guardians and partner agencies.
• Privacy and confidentiality are the cornerstones to ensure that personal information is only accessible to those authorized to have access.
• Confidentiality acknowledges respect for an individual’s right to privacy.
• Confidentiality assumes that those who pledge to safeguard confidential information will do so.
ii. All Inuuqatigiit employees, students, volunteers and Board members sign an Oath of Confidentiality upon employment.
iii. If an employee is, or becomes aware of, another employee breaking confidentiality, he/she is obligated to report this to his/her Supervisor who will report it to the Chief Privacy Officer.
iv. Breaching confidentiality and/or contravening this policy may lead to disciplinary action.
2. Identifying purposes (why we are collecting information)
The Inuuqatigiit collects, generates, uses and discloses electronic and non-electronic personal information for the following purposes only:
• To identify clients of Inuuqatigiit (children and their parents/guardians);
• To share, discuss and address concerns about a client’s safety, health or well-being (e.g. attendance, illness, behaviour, development);
• To ensure and monitor the development, health, safety and well-being of children, youth and families;
• To provide optimal and individualized programs and services for each child/youth;
• To monitor the quality of care and the progress of children/youth in programs;
• To ensure the care provided is flexible and continues to meet the unique needs of each child/youth;
• To ensure that the programs and services we provide are culturally respectful and developmentally appropriate;
• To meet statutory, regulatory and contractual requirements of the agency;
• To process applications/requests for programs and services;
• To place clients on a waiting list;
• To determine eligibility for programs and services and proper placement of your child/youth in a program; and
• To deliver high quality programs and services and collect information regarding the impact of these services.
• To communicate with our children, youth and parents/guardians;
• To communicate daily activities of children/youth to parents; and
• To provide or send information to prospective clients.
• To assist parents in obtaining and maintaining fee subsidies from the City of Ottawa;
• To share information about Kindergarten children’s progress between Inuuqatigiit staff and OCDSB teachers in our classroom;
• To collect and share statistics as required by our funders;
• To arrange transportation with a third party provider;
• To demonstrate the impact of programs and services through photographs on the Inuuqatigiit website or in media;
• To meet the record-keeping obligations required by municipal, provincial and federal governing bodies;
• To comply with City of Ottawa’s Public Health policies regarding communicable diseases e.g. outbreak management; and
• To disclose information to a third party where the client has consented to such disclosure or to a third party where such disclosure is required by law.
i. Inuuqatigiit will only collect, use or disclose information for the above identified purposes and will obtain client consent during intake.
ii. Other than the purposes listed above (#2), written consent will be obtained to share or disclose any information with a third party outside of the Inuuqatigiit (Inuuqatigiit Consent to Disclose Form).
iii. Inuuqatigiit will only rely on implied consent in rare circumstances where consent can reasonably be inferred from previous consent. For example, we ask the age and birth date of a child during intake. We would rely on the parent’s implied consent to also use the child’s birth date to celebrate the child’s birthday.
iv. Clients are free to withdraw consent at any time regarding a particular piece of personal information, but Inuuqatigiit reserves the right to withdraw service from clients, if having that information is critical, necessary or a legislated requirement in the provision of quality and safe programs and services for a client.
v. Clients are free to withdraw signed consent to disclose information to a third party at any time. Verbal withdrawal is considered ample.
vi. Other than for the purposes indicated above (#2) or unless required to do so by law, Inuuqatigiit does not disclose the personal information under its control to any other parties. We do not trade, sell, barter or give away client information to anyone.
vii. Clients 16 years or older are permitted to complete their own intake for programs and services. Information collected from youth 16 years or older is considered confidential and is not shared with parents without the youth’s consent.
4. Limiting collection
i. Inuuqatigiit only collects, uses and discloses personal information in order to meet the purposes identified above (#2). If there is a need to collect further information for a new purpose, staff will seek fresh consent for that specific collection.
5. Limiting use, disclosure and retention
i. Inuuqatigiit retains personal information for as long as we have a purpose to do so and/or as is required by all the applicable legislation that governs our operations. For example, the provincial legislation upon which our license is based, the Child Care and Early Years Act, 2014, requires that we retain child files for three years beyond the date of discharge from any of our licensed programs.
ii. Inuuqatigiit retains child electronic and paper files for an extended period of 5 years after discharge to assist parents in seeking information for other purposes e.g. a lost birth certificate needed to register for school. After 5 years, child and other client electronic and paper files are securely disposed of.
iii. Confidential information may only be disclosed to another agency or individual with the informed, written consent of the client and then only with the reasonable assurance that the receiving agency provides the same degree of confidentiality and respect for the right of privileged communication as Inuuqatigiit.
iv. Clients are permitted to block personal information provided to particular individuals or organizations including staff at Inuuqatigiit. This means the client expressly withholds or withdraws consent for release of certain personal information.
v. Inuuqatigiit is obligated to break confidentiality under the following circumstances:
• A client is in danger of seriously hurting himself/herself;
• A client is in danger of hurting someone else;
• There is good reason to believe that a child under 16 is being harmed or will be harmed. This information must be reported to the Children’s Aid Society.
• If a client is considered by law to be unable to make informed decisions about himself or herself.
• The information has been ordered or subpoenaed by a court of law.
• In cases of required reporting to the Workplace Safety and Insurance Board.
i. Inuuqatigiit makes every effort to keep personal information accurate and up to date.
ii. We rely on parents/guardians to keep us updated of any changes in a timely manner, so that the personal information we have is accurate at all times. This is particularly important with respect to the health and safety of a child or emergency contact information.
i. The security of the information provided is our number one priority. We limit access to your personal information only to those who require it to provide you and your family with quality programs and services.
ii. Information stored on our computers and database is protected by firewalls, is password protected and is stored securely.
iii. All hard files are kept in locked filing cabinets within lockable offices.
iv. Inuuqatigiit employees will safeguard personal information about clients at all times e.g. not leaving files on desk.
v. Inuuqatigiit employees are fully aware of their obligations to maintain the confidentiality and security of personal information. All Inuuqatigiit employees and independent contractors are subject to the agency’s policies and procedures with respect to confidentiality of client information and a breach of confidentiality can be grounds for disciplinary action.
vi. In order to protect confidentiality of information employees are to exercise caution when discussing any Inuuqatigiit matter in public, in person or in written format, including all electronic/social media contexts.
vii. When completing incident or accident reports, identifying information about other children will not be disclosed on the report and only initials will be used.
viii. When sending emails regarding clients, only initials will be used to ensure client confidentiality is protected in case emails are intercepted or sent to the wrong email address.
ix. Access to the Inuuqatigiit database is on a need-to-know basis depending on job function e.g. confidential information can only be accessed by certain employees.
x. Staff training is provided on the use and misuse of the database and the importance of privacy and confidentiality.
9. Individual access
i. Individuals have the right to access their own personal information, or the personal information about their child/youth (under 16 years), which is in the possession of Inuuqatigiit. Clients also have the right to know if their personal information has been disclosed to any third parties.
ii. Requests for access to personal information must be made in writing to the Inuuqatigiit Chief Privacy Officer.
iii. The Chief Privacy Officer or designate has 10 business days in which to respond to a request.
iv. Inuuqatigiit does have the right to deny a request under certain circumstances that include but are not limited to: information which is protected by lawyer-client privilege; information which reveals personal information about another individual; personal information which was collected for an investigation, legal proceeding or formal dispute resolution process that has not yet concluded; if providing access to particular personal information could jeopardize an individual’s life or security; or if access to the personal information could reasonably be expected to threaten the safety or physical or mental health of another individual.
v. Acceptable proof of identification is required before access to personal information is granted.
10. Challenging compliance
i. If a client has any concerns about privacy, believes that there has been a breach of confidentiality or that this policy has been contravened in any manner, he or she can submit a complaint to the Chief Privacy Officer. All reported incidents will be thoroughly reviewed.
ii. Clients will be notified if it is discovered that their personal information has been disclosed to a third party in error. For example, if an email is sent to the wrong person.
iii. A review of the incident will be made to determine how the breach occurred and to reduce the risk of further breaches.