Privacy Policy

The software platform this website runs on and associated technology operations are provided by Bang the Table Pty Ltd. Click this link for the Privacy Policy governing their service.


1.              INTRODUCTION

 

           As a public body, the City of Dieppe is subject to the Right to Information and Protection of Privacy Act (RTIPPA).  To the extent that the City collects, uses, or discloses personal health information in delivering municipal programs and services, the Personal Health Information Privacy and Access Act (PHIPAA) applies to those activities.   The privacy provisions of both of these Acts require the City to adhere to appropriate practices and procedures for collecting, storing, using, disclosing, retaining, and disposing of personal information and to adhere to standards for protecting personal information in its custody or control. 

 

2.              POLICY STATEMENT

 

           The City is committed to developing and implementing effective controls for protecting the personal information that it collects, uses, discloses and maintains, and to upholding individuals’ privacy rights in compliance with privacy legislation in the province of New Brunswick. The City will consider the spirit and intent of all applicable privacy laws and regulations when it considers the privacy implications of its business decisions.

 

3.       OBJECTIVE

 

                  The purpose of this policy is to: 

  • outline the responsibilities of the City’s employees, elected officials and non-staff personnel in relation to personal information;
  • promote compliance with privacy and access legislation;
  • instill confidence in the City’s ability to identify and mitigate privacy risks and ensure compliance with privacy policies, legislation, and regulations; and
  • promote and strengthen accountability for good privacy management practices within the organization. 

 

4.       SCOPE

 

(1)            Individuals to whom this policy applies

 

                This policy applies to all City employees, elected officials and non-staff personnel.  

 

 

(2)  Type of Information to which this policy applies 

 

 a)              Personal Information 

 

           RTIPPA sets out rules that public bodies must follow to ensure the proper handling and protection of PI in their custody or control.   Personal information (PI) is defined broadly as any recorded information about an identifiable individual.  

 

b)       Personal Health Information

 

           PHIPAA defines personal health information (PHI) to generally mean identifying information about an individual in oral or recorded form pertaining to that person’s health or health services provided to the individual.   To the extent that the City collects, uses, or discloses personal health information in delivering municipal programs and services, such as emergency first response, it is defined as a custodian under PHIPAA and will be subject to this legislation when it carries out those activities.  Personal health information collected by the City in its role as an employer (such as information collected for administering employee disability or gradual return to work programs) is, however, subject to RTIPPA and not PHIPAA. 

 

5.              DEFINITIONS 

 

           “Non-staff personnel” includes, but is not limited to, agents, students, volunteers, consultants, third-party service providers, external professionals or experts contracted to offer a service, and vendors demonstrating, installing or servicing equipment, software applications or hardware.

  

           “personal health information” means identifying information about an individual in oral or recorded form if the information: 

 

a)       relates to the individual’s physical or mental health, family history or health care history, including genetic information about the individual; 

 

b)       is the individual’s registration information, including the Medicare number of the individual; 

 

c)       relates to the provision of health care to the individual;

 

d)       relates to information about payments or eligibility for health care in respect of the individual, or eligibility for coverage for health care in respect of the individual;

 

e)       relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any body part or bodily substance;

  

f)        identifies the individual’s substitute decision-maker; or

 

g)       identifies an individual’s health care provider. 

  

           “personal information” means recorded information about an identifiable individual, including but not limited to,

 

a)   the individual’s name; 

 

b)   the individual’s home address or electronic mail address or home telephone or facsimile number; 

 

c)   information about the individual’s age, gender, sexual orientation, marital status or family  status;

 

d)   information about the individual’s ancestry, race, colour, nationality or national or ethnic origin; 


e)   information about the individual’s religion or  creed or religious belief, association or activity;

 

 f)    personal health information about the individual;

 

g)   the individual’s blood type, fingerprints or   other hereditary characteristics;

 

 h)   information about the individual’s political  belief, association or activity;

 

 i)    information about the individual’s education,  employment or occupation or educational,  employment or occupational history; 

 

j)    information about the individual’s source of income or financial circumstances, activities or history;

 

k)   information about the individual’s criminal  history, including regulatory offences;

 

 l)    the individual’s own personal views or opinions, except if they are about another person;

 

m)  the views or opinions expressed about the  individual by another person, and 

 

n)   an identifying number, symbol or other particular assigned to the individual.

 

6.       POLICY REQUIREMENTS

 

           The following requirements are intended to provide direction to employees, elected officials, and non-staff personnel in carrying out their obligations under the policy.  These requirements are based upon the Canadian Standards Association’s Model Code for the Protection of Personal Information, which outlines ten interrelated privacy principles.  These principles form the basis of most Canadian provincial and federal privacy legislation.  This Policy uses these ten privacy principles, together with applicable privacy legislation, as its foundation. 

  

(1) Accountability

 

           The City is responsible for personal information under its control, and accountable to the individual to whom the information relates for its protection and safe keeping. This accountability extends to agreements the City enters into with third party service providers that act for or on its behalf with respect to personal information and that may come in contact with personal information while providing services to the City.  The City will implement appropriate controls, such as contractual agreements with these service providers to ensure that personal information under its control is appropriately protected.  

 

(2)  Limiting Collection 

 

           No personal information may be collected by the City or on the City’s behalf unless:

 

 

a)     the collection of the personal information is authorized or required by or under an Act of the Legislature of NB or an Act of the Parliament of Canada, 

 

b)     the information relates directly to and is necessary for an existing program or activity of the City of Dieppe, or 

 

 c)     the information is collected for law enforcement purposes. 

 

           When personal information is collected as authorized above, the City will collect only as much personal information about an individual as is reasonably necessary to accomplish the purpose for which it is collected. 

 

           Personal information must always be collected directly from the person to whom the information pertains, unless another method of collection is authorized by the individual or by law.  Exceptions to this requirement are limited and specific and are outlined in RTIPPA and PHIPAA.

 

(3) Identifying purposes 

 

 When collecting personal information, the City will provide the individual with a written notice that outlines:

 

a)      the purpose(s) for which the information is being collected (i.e. principally how the information is intended to be used); 

 

b)      the City’s legal authority to collect the information (which may be provided by RTIPPA and/or another law with which the  City must comply); and

 

 c)      the title, business address and telephone number of an employee of the City who can answer questions about the collection (i.e., why it is being collected, how it will be used).

 

(4)  Limiting Use and Disclosure

 

a)      The use and disclosure of personal information must be limited in scope to the original purpose for the collection, or to purposes reasonably connected to the original purpose. If the City intends to use or disclose personal information for a different purpose, it must obtain the written consent of the individual prior to using or disclosing the information for this new purpose, except as permitted by law or otherwise authorized by legislation.  

 

b)       The principle of “need to know” must guide all collection, use and disclosure of personal information, such that the City only collects, uses, or discloses the minimum amount of personal information required for the immediate, valid purpose and only grants access to and discloses personal information to the extent needed to fulfill that purpose.

 

(5)            Retention and Destruction

 

a)       Personal information will be retained only as long as necessary for the fulfillment of the identified and authorized purposes or as required by law.

  

b)       The City will develop a policy and implement procedures with respect to the retention of personal information, which will include minimum and maximum retention periods.    Personal information that has been used to make a decision about an individual will be retained for a period of time that is long enough to allow the individual access to the information after the decision has been made. 


c)       Personal information that is no longer required to fulfill the purposes identified at the time of collection must be securely destroyed, erased or de-identified.   

  

d)       The City will develop guidelines and implement procedures to govern the secure destruction of personal information, to ensure that unauthorized parties do not gain access to the information. 

 

 

(6)            Safeguards 

 

a)       Personal information will be protected with appropriate technical, administrative and physical safeguards which will protect personal information against loss or theft, as well as unauthorized access, use, disclosure, modification, or destruction.  

 

b)       The nature of the safeguards required to be applied to protect personal information will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage.  A higher level of protection must safeguard more sensitive information, such as personal health information, personal financial information, and information that could be used to commit identity theft, such as social insurance numbers.   An assessment of the sensitivity of the personal information to be protected must be made at the time the information is collected or received by the City so that sufficient and appropriate safeguards can be applied. 

 

c)       Guidelines for protecting personal information will be outlined in written standards and procedures in support of this policy.

 

d)       If personal information is stolen, lost, or accessed by unauthorized persons, the City will take immediate steps to contain the breach and to notify appropriate individuals, in accordance with the City’s Privacy Breach Reporting Policy and related Protocol.  Any reported or suspected privacy breach must be addressed appropriately and expeditiously.

 

 (7)            Accuracy

 

a)       Personal information must be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used, and to minimize the possibility that inappropriate information may be used to make a decision that directly affects the individual.  The City will identify processes by which individuals may be able to challenge the accuracy and completeness of the information collected from them and have it corrected as appropriate.


(8)            Individual Access 

 

a)       Individuals are entitled to request access to their personal information and to examine or receive a copy of personal information maintained by the City, subject only to limited exceptions outlined in RTIPPA and where applicable, PHIPAA.

 

b)       Where access is denied, the individual will be provided with the reasons for denying access and informed of his or her right to complain about the City’s decision to the Access to Information and Privacy Commissioner or refer the matter to the court.


 (9)            Openness

 

a)       The City will be open about its policies and practices with respect to the management of personal information and will make specific information readily available to the general public, including:

 

i)        the title, business address, and telephone number of the appropriate individual, to whom complaints or inquiries can be forwarded; 

 

ii)       the means of gaining access to personal information held by the City; and

 

iii)      a description of the type of personal information held by the City, including a general account of its use; 

  

b)       The City will make employees, elected officials and non-staff personnel aware of the importance of maintaining the privacy and confidentiality of personal information and will provide appropriate privacy training, the contents of which will be periodically reviewed and updated. 

 

(10)          Complaints 

 

a)       Any individual shall be able to address a challenge concerning compliance with the above principles to the designated City employee accountable for compliance by submitting a complaint to the City in writing or by voicing a concern.


b)       All complaints will be reviewed by the City Clerk, who will ensure that an investigation is conducted and send a response of the outcome of the investigation to the sender as expeditiously as possible.  The individual will be notified in writing of the City’s receipt of the complaint and an approximate time frame for sending the response.

 

7.              ACCOUNTABILITIES

 

(1)     Accountability for overseeing the management of PI rests with the City Clerk who has been delegated authority by Council to act on behalf of the City of Dieppe in these matters.

 

(2)     Employees, elected officials and non-staff personnel are responsible for complying with this Policy. The City will monitor compliance and may apply sanctions to those found in violation of this Policy, consistent with the City’s disciplinary and procurement policies and procedures. 


NOTE

 

It is important to note that personal information (such as a person’s name, address, birth date, etc.) is considered PI if it was collected by the City for the purpose of providing or assisting in the provision of health care or for treatment or delivering a government program or service.   For example, the City of Dieppe would be a “custodian” of personal information when it collects names, addresses and health status about individuals involved in medical emergencies to which it responds, but would also be a holder of personal information where it maintains employee files containing employee names and addresses and medical information (such as diagnosis of carpal tunnel syndrome or a specific medical condition for which a work accommodation is being made) because, in the case of the employee file, the information was not collected for one of the purposes included in the definition of a “custodian” under PHIPAA.