Privacy Protection Policy
The Mount Washington Ski Patrol Association (MWSPA) is committed to protecting the privacy of its members, directors, officers, volunteers, and any other persons from whom MWSPA collects and retains personal information.
We manage all personal information in our custody or under our control in accordance with universal Fair Information Principles, as set out in the Canadian Standards Association (CSA) Model Privacy Code and the Personal Information Protection and Electronic Documents Act (PIPEDA).
Personal information collected by MWSPA will be limited to the information that is needed for providing services to our members, Mount Washington Alpine Resort (MWAR), and the general public served by MWSPA. The data collected will be used only for the purposes for which it is collected. Personal information will be disposed of in a safe and timely manner when no longer required.
MWSPA is committed to safeguarding the personal information entrusted to us by our members and the public. No personal information will be sold, rented, leased or otherwise made available to any person or entity without the explicit consent of the person from whom it was collected.
MWSPA has designated the Secretary to be its Privacy Officer. Any inquiry, request or concern related to privacy matters should be made in writing to the Secretary at firstname.lastname@example.org or PO Box 3131, Courtenay, BC V9N 5N3 the address of MWSPA.
MWSPA has adopted the following 10 Privacy Principles:
MWSPA accepts responsibility for maintaining and protecting the personal information in its custody or under its control. MWSPA has appointed the Secretary as the Privacy Officer, who will ensure there is compliance with all of these Privacy Principles.
Accountability for our compliance with the Privacy Principles rests with our Privacy Officer, even though other individuals within MWSPA have responsibility for the day-to-day collection and processing of personal information and may be delegated to act on behalf of the Privacy Officer.
We are responsible for personal information in our possession or custody, including information that has been transferred to a third party for processing. We will use contractual or other means to provide a comparable level of protection when the information is being processed by a third party.
1.1 The following data will be provided to the Mount Washington Alpine Resort Risk Manager, or his successor:
Your contact information (home address, phone, and email address); your MWSPA training documents and records; and your first aid certifications. This data will be provided to the MWAR Risk Manager and will be retained by MWAR for up to 17 years. MWAR will only access and use this data in the event of a lawsuit for an incident in which you were involved as a patroller. In the event that MWAR needs to provide the data to other parties, MWAR will contact MWSPA and the individual patrollers involved prior to disclosing the data to request permission and notify them why the data will be shared, how the data will be shared and the parties who will be provided the data. MWSPA and its members reserve the right to decline sharing data with outside parties unless compelled by appropriate legal processes.
2. Identifying Purposes
MWSPA shall identify and explain the purposes for which it collects personal information, to the person from whom the personal information is being collected, before or at the time the information is collected. MWSPA is committed to collecting personal information in a fair, open and lawful manner.
The purposes will be limited to those which are related to the provision of health services which a reasonable person would consider are appropriate in the circumstances. We collect, use and disclose personal information concerning patients for the following reasons:
· to provide health care services,
· to meet requirements under federal and provincial laws.
We collect, use and disclose personal information concerning our members for the following reasons:
· to recruit, train, recognize and retain a highly qualified and motivated volunteers;
· standardizing and maintaining the qualifications and training of volunteer patrollers through pre-season training, on-hill training and Outdoor Emergency Care (OEC) training
· to establish and maintain harmonious relations among volunteers;
· to administer MWSPA and MWAR policies and procedures, including investigations related thereto;
· to manage and promote the health care services of MWAR;
· to meet requirements imposed by law;
Consent will be obtained from the person whose personal information is collected, used and disclosed, unless obtaining the express consent would be inappropriate or not required by these Principles. Sometimes the person’s consent may be implied by virtue of their involvement with MWSPA. However, the primary method of obtaining consent will be expressed consent in writing. Written consents will be kept on file for as long as the information is reasonably necessary. A person may withdraw his or her consent at any time, subject to legal or contractual restrictions and reasonable notice. The person will be informed of reasonably foreseeable implications of the withdrawal.
Personal patient information will only be collected, used or disclosed with the knowledge and consent of the individual, except where inappropriate.
The consent to treatment will be the manner in which we obtain consent for the collection of patient information, and the employment application will be the means by which we collect member information.
In certain circumstances, as permitted or required by law, we may collect, use or disclose personal information without the knowledge or consent of the individual.
These circumstances include:
· personal information which is subject to member/patient privilege or is publicly available as defined by regulation;
· where collection or use is clearly in the interests of the individual and consent cannot be obtained in a timely way;
· to investigate a breach of an agreement or a contravention of a law;
· to act in respect to an emergency that threatens the life, health or security of an
· to comply with a subpoena, warrant or court order.
4. Limiting Collection
We will limit the amount and type of personal information collected to that which is necessary for our or MWAR’s identified purposes and we will only collect personal information by fair and lawful means.
5. Limiting Use, Disclosure and Retention
Personal information will not be used or disclosed for purposes other than those for which it was collected, unless explicit consent is obtained to use it for another purpose, or if required by law. All collected personal information shall be destroyed, erased or made anonymous as soon as the purpose for which it was collected is no longer relevant, or as permitted by the law.
Personal information shall be maintained in as accurate, complete and up-to- date a form as necessary in order to fulfill the purposes for which it was collected. Periodic reviews of personal information, particularly in informational databases – including email address books - will be conducted to verify the accuracy of the information.
Personal information will be protected by security safeguards that are appropriate to the sensitivity of the personal information. Our methods of protection will include physical measures (for example, locked filing cabinets and restricted access to offices), organizational measures (for example, security clearances and limiting access on a need-to-know basis), and technological measures (for example, the use of passwords and encryption).
We will make our members aware of the importance of maintaining the confidentiality of personal information, and we will exercise care in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information.
· Name and address of the Privacy Officer;
· Means of gaining access to one’s own personal information held by MWSPA; and
· Copies of any brochures or other information that explains MWSPA’s policies, standards or codes for protecting personal privacy.
9. Access to Records containing Personal Information
Access to one’s own personal information in the custody or under the control of MWSPA will be granted, subject to some exceptions. For example, access to the personal information of third parties will be denied unless the request is accompanied by the written consent of the third party. For added protection, such written consent will be verified by the Privacy Officer.
If we refuse a request in whole or in part, we will provide the reasons for the refusal.
In some cases where exceptions to access apply, we may withhold that information and provide you with the remainder of the record.
You may make a request for access to your personal information by writing to the Privacy Officer at the address of MWSPA. You must provide sufficient information in your request to allow us to identify the information you seek.
You may also request information about how your personal information has been used by MWSPA and any disclosure of that information to persons outside our organization.
You may also request a correction of an error or omission in your personal information. The Privacy Officer has the responsibility to decide whether it is appropriate to correct the information in the record. If the Privacy Officer decides not to correct the information, you will be given the reasons for the decision and the Privacy Officer will annotate the record with the correction that was requested but not made.
MWSPA will respond to your request within 30 calendar days of receiving the request. If the search for the information and preparing the records for disclosure involves an inordinate amount of time and copying expenses, the Privacy Officer will advise you of any fees that may apply before processing your request.
10. Challenging Compliance
Complaints or inquiries about the collection, use, disclosure or retention of personal information and MWSPA’s compliance with these ten principles should be directed to the Privacy Officer. The Privacy Officer will investigate complaints and take appropriate correction measures where a complaint is substantiated. The Privacy Officer may use whatever form of dispute resolution available, including mediation, in an effort to settle the complaint. The Privacy Officer will advise you in writing how the complaint has been dealt with and what measures were taken or are proposed to correct an error and prevent a recurrence.
If you are not satisfied with the results of the Privacy Officer’s actions and decision, you may make a request in writing to the address of MWSPA for a review by the Board of Directors. The Board will review the complaint, the action taken by the Privacy Officer, and any additional relevant information, and conclude the matter in any of the following ways:
• confirm and validate the actions and decision taken by the Privacy Officer;
• direct the Privacy Officer to reconsider the complaint on the basis of specific grounds not previously taken into account;
• vary the decision of the Privacy Officer; or
• direct the Privacy Officer to take further action or make changes to administrative processes or procedures as appropriate.
The Board of Directors will complete a report on the results of its review, with reasons for its decision, and provide a copy to the person making the complaint and to the Privacy Officer. Investigations by the Privacy Officer on a complaint, and any subsequent review by the Board of Directors will be in a conducted in a timely manner.
Privacy Rights of Personal Information Policy
The Mount Washington Ski Patrol Association (MWSPA) is responsible to protect the legal rights of our members and MWAR patients to privacy of their personal information under our custody and control. MWSPA further recognizes that we have an obligation to inform our clients and MWSPA agents that there are specific circumstances that override an individual’s right to privacy when personal information will be shared with individuals with an authorized requirement for that information. In all circumstances, MWSPA recognizes the value of an individual’s personal information, which must be collected, used, disclosed and protected appropriately.
The purpose of this policy is to provide a framework for the consistent management of personal information collected, used, disclosed and protected by the MWSPA in accordance with the principles and requirements of various legislative Acts, including but not limited to BC’s Freedom of Information and Protection of Privacy Act (FOIPPA), and standards of practice.
2.1 Privacy Right and Access to Personal Information
The right of privacy includes an individual’s right to determine with whom he or she will share information and to know of and exercise control over collection, use, disclosure, access and retention concerning any information collected about him or her. The right of privacy and consent are essential to the trust and integrity of the patient care or service provider relationship.
While patrollers are expected to be open in their communication with patients with respect to their day-to-day care practices, it is also recognized that clients and other individuals may make formal written information requests to the MWSPA in accordance with the provisions of FOIPPA.
Information rights include the right of access to records, with limited exception and the right to request correction of personal information about oneself.
2.2 Responsibility for Confidentiality
Personal information obtained in the course of an individual’s affiliation or interaction with MWSPA must be held in confidence. All reasonable measures must be taken to ensure that personal information is collected, used and disclosed only in circumstances necessary and authorized for client care, research, education, or as necessary in the conduct of the business of the organization. Use, sharing or disclosure of information must be in accordance with the appropriate legislative authority (e.g. FOIPPA) and/or MWSPA policy and/or MWAR policy.
The key point is that you should not disclose personal or identifying information when discussing incidents.
Intentionally viewing confidential patient or member information that is not necessary to perform an individual’s role is considered a breach of confidentiality even if that information is not disclosed to another party. Confidential information must not be discussed in any physical location where others, not entitled to receive that information, are present and likely to overhear, unless required in order to fulfill one’s professional role, by law or with permission from an authorized individual.
Patient information at MWAR is collected and used for the provision of care or a healthcare related service. Disclosure of patient information for other than that purpose, or as authorized by the appropriate legislative Act (e.g. FOIPPA), without informed client consent is a breach of client privacy and confidentiality.
Projects or initiatives concerning the collection, use or disclosure of personal information must have appropriate privacy protections in place.
2.3 Confidentiality Acknowledgement
A signed Confidentiality Acknowledgement is a requirement of membership for all MWSPA patrollers and first aid attendants.
All MWSPA members and designated MWSPA agents are required to be familiar with and abide by the MWSPA Confidential Information - Privacy Rights of Personal Information Policy during the course of their involvement with MWSPA.
2.4 Breach of Confidentiality
Individuals will be held accountable for breaches of confidentiality.
Breaches of confidentiality include intentional and unauthorized access to, use and/or disclosure of, confidential information.
All MWSPA volunteers have a responsibility to report breaches of confidentiality without fear of reprisal.
If it is established that a breach of confidentiality has occurred, those individuals deemed responsible may be subject to penalty or sanction up to and including termination of membership.
This policy applies to:
- All MWSPA members.
- All designated MWSPA agents.
- Any individual either directly or indirectly associated with the MWSPA.
- Personal information in any format including, but not limited to, paper, electronic, film, verbal discourse.
- Information as noted in #4 that is provided to, obtained from, or as a result of a relationship with the MWSPA, regardless of where that information may be subsequently stored or used.
All such information in the custody and control of the MWSPA is covered by this policy and the associated legislative and common law rules.
4.0 Examples of Breaches (WHAT YOU SHOULD NOT DO)
These are examples only. They do not include all possible breaches of confidentiality covered by the MWSPA Confidential Information - Privacy Rights of Personal Information Policy and the Confidentiality agreement.
Accessing information that you do not need to know in the course of your patrol duties:
Unauthorized reading of a patient’s record
Accessing information on yourself, children, family, friends or co-workers.
Showing, telling, copying, selling, changing, or disposing of confidential information that is not pertinent to your role or care activity.
Providing or gaining unauthorized access to physical locations (e.g. file cabinets) which contain confidential information
Lending out your keys to someone else to access file cabinets, file storage areas or other areas where confidential information is stored, OR using anothers keys for the same purpose
Leaving file storage areas unlocked when they should be locked.
Sharing, copying or changing information without proper authorization:
Making unauthorized marks on a patient’s record
Making unauthorized changes to a volunteer file.
Discussing confidential information in a public area such as the cafeteria or chalet
Failing to report a breach of confidentiality
Being aware of a breach of confidentiality, but not reporting the breach to a member of the executive team
4.1 Breach Response
Upon learning of a privacy breach, the following immediate action should be taken:
· Containment: Identify the scope of the potential breach and take steps to contain it:
· retrieve any hard copies of any personal information that has been disclosed;
· ensure that no copies of the personal information have been made or retained by the individual who was not authorized to receive the information.
Document the incident and report it to the MWSPA privacy officer. The privacy officer will conduct an internal investigation into the matter with the objectives of:
- ensuring the immediate requirements of containment and notification have been addressed;
- reviewing the circumstances surrounding the breach; and
- reviewing the adequacy of existing policies and procedures in protecting personal information.
- Notification: Identify those individuals whose privacy was breached and, barring exceptional circumstances, notify those individuals if the breach extended outside the organization or is found to be malicious in intent:
- notify the individuals whose privacy was breached by telephone or in writing;
- provide details of the extent of the breach and the specifics of the personal information at issue; and advise of the steps that have been taken to address the breach, both immediate and long-term.
5.1 Personal and Confidential Information:
Personal and confidential information is information provided to, collected or created by the MWSPA that exists regardless of form and includes, but is not limited to the following:
Personal information about an identifiable individual [e.g. patient or member) including:
· The individual’s name, address or telephone number,
· The individual’s race, national or ethnic origin, colour, or religious or political beliefs or associations,
· The individual’s age, sex, sexual orientation, marital status or family status,
· An identifying number, symbol or other particular assigned to the individual,
· Information about the individual’s health care history, including a physical or mental disability,
· Information about the individual’s education, financial, criminal or employment history,
Confidential Information related to an identifiable individual under the custody and control of the MWSPA including:
• Information (membership records including certifications, incident reports) prepared as part of a pending or ongoing review
• Information related to discipline and incident reviews
5.2 Information Privacy
Information privacy refers to the right of an individual or data subject to determine with whom their personal information is shared, under what circumstances and to know of and exercise control over use, disclosure and access concerning any personally identifiable information collected about him or her.
Confidentiality refers to the responsibility or obligation of an individual or organization to ensure that personal and confidential information is kept secure and is collected, accessed, used and disclosed appropriately.
5.4 Designated MWSPA Agents
Designated MWSPA agents are individuals or organizations who have a business relationship with the MWSPA and, at the discretion of the MWSPA, are deemed to have the potential to access, intentionally or inadvertently, all forms of MWSPA confidential information by virtue of their relationship to the MWSPA (e.g website hosting).
5.7 Authorized Individual
An authorized individual is an individual who has the authority under law or policy to access specific forms of confidential information.
Supporting and Related Policies and Procedures
Freedom of Information and Protection of Privacy Act, S.B.C. 1992, Chapter 61, as amended by S.B.C. 1993, Chapter 46.
Approved: October 27, 2013