CODE FOR THE PROTECTION OF PERSONAL INFORMATION, CAN/CSA-Q830-96
1.1 Principle 1 - Accountability
EnhanceRX is responsible for personal information under
its control and shall designate an individual or individuals who
are accountable for EnhanceRX's compliance with the following
principles.
1.1.1 Accountability
for EnhanceRX's compliance with the principles rests with
the designated individual(s), even though other individuals within
EnhanceRX may be responsible for the day-to-day collection
and processing of personal information. In addition, other individuals
within EnhanceRX may be delegated to act on behalf of the
designated individual(s).
1.1.2 The identity
of the individual(s) designated by EnhanceRX to oversee
EnhanceRX's compliance with the principles shall be made
known upon request.
1.1.3 EnhanceRX
is responsible for personal information in its possession or custody,
including information that has been transferred to a third party
for processing. EnhanceRX shall use contractual or other
means to provide a comparable level of protection while the information
is being processed by a third party.
1.1.4 EnhanceRX
shall implement policies and practices to give effect to the principles,
including (a) implementing procedures to protect personal information;
(b) establishing procedures to receive and respond to complaints
and inquiries; (c) training staff and communicating to staff information
about EnhanceRX's policies and practices; and (d) developing
information to explain EnhanceRX's policies and
procedures.
1.2 Principle 2 - Identifying Purposes
The purposes for which personal information is collected shall
be identified by EnhanceRX at or before the time the information
is collected.
1.2.1 EnhanceRX
shall document the purposes for which personal information is
collected in order to comply with the Openness principle (Clause
1.8) and the Individual Access principle (Clause 1.9).
1.2.2 Identifying
the purposes for which personal information is collected at or
before the time of collection allows EnhanceRX to determine
the information it needs to collect to fulfill these purposes.
The Limiting Collection principle (Clause 1.4) requires EnhanceRX
to collect only that information necessary for the purposes that
have been identified.
1.2.3 The identified
purposes should be specified at or before the time of collection
to the individual from whom the personal information is collected.
Depending upon the way in which the information is collected,
this can be done orally or in writing. An application form, for
example, may give notice of the purposes.
1.2.4 When personal
information that has been collected is to be used for a purpose
not previously identified, the new purpose shall be identified
prior to use. Unless the new purpose is required by law, the consent
of the individual is required before information can be used for
that purpose. For an elaboration on consent, please refer to the
Consent principle (Clause 1.3).
1.2.5 Persons collecting
personal information should be able to explain to individuals
the purposes for which the information is being collected.
1.2.6 This principle
is linked closely to the Limiting Collection principle (Clause
1.4) and the Limiting Use, Disclosure, and Retention principle
(Clause 1.5).
1.3 Principle 3 - Consent
The knowledge and consent of the individual are required for the
collection, use, or disclosure of personal information, except
where inappropriate.
Note: In certain
circumstances personal information can be collected, used, or
disclosed without the knowledge and consent of the individual.
For example, legal, medical, or security reasons may make it impossible
or impractical to seek consent. When information is being collected
for the detection and prevention of fraud or for law enforcement,
seeking the consent of the individual might defeat the purpose
of collecting the information. Seeking consent may be impossible
or inappropriate when the individual is a minor, seriously ill,
or mentally incapacitated. In addition, EnhanceRX may not always
be able to seek consent when it does not have a direct relationship
with the individual. For example, seeking consent may be impractical
for a charity or a direct-marketing firm that wishes to acquire
a mailing list from another organization. In such cases, the organization
providing the list would be expected to obtain consent before
disclosing personal information.
1.3.1 Consent is
required for the collection of personal information and the subsequent
use or disclosure of this information. Typically, EnhanceRX
will seek consent for the use or disclosure of the information
at the time of collection. In certain circumstances, consent with
respect to use or disclosure may be sought after the information
has been collected but before use (for example, when EnhanceRX
wants to use information for a purpose not previously identified).
1.3.2 The principle
requires "knowledge and consent". EnhanceRX shall
make a reasonable effort to ensure that the individual is advised
of the purposes for which the information will be used. To make
the consent meaningful, the purposes must be stated in such a
manner
1.3.3 EnhanceRX
shall not, as a condition of the supply of a product or service,
require an individual to consent to the collection, use, or disclosure
of information beyond that required to fulfill the explicitly
specified, and legitimate purposes.
1.3.4 The form of
the consent sought by EnhanceRX may vary, depending upon
the circumstances and the type of information. In determining
the form of consent to use, EnhanceRX shall take into account
the sensitivity of the information. Although some information
(for example, medical records and income records) is almost always
considered to be sensitive, any information can be sensitive,
depending on the context. For example, the names and addresses
of subscribers to a newsmagazine would generally not be considered
sensitive information. However, the names and addresses of subscribers
to some special-interest magazines might be considered sensitive.
1.3.5 In obtaining
consent, the reasonable expectations of the individual are also
relevant. For example, an individual buying a subscription to
a magazine should reasonably expect that EnhanceRX, in addition
to using the individual's name and address for mailing and billing
purposes, would also contact the person to solicit the renewal
of the subscription. In this case, EnhanceRX can assume
that the individual's request constitutes consent for specific
purposes. On the other hand, an individual would not reasonably
expect that personal information given to a health-care professional
would be given to a company selling health-care products, unless
consent were obtained. Consent shall not be obtained through deception.
1.3.6 The way in
which EnhanceRX seeks consent may vary, depending on the
circumstances and the type of information collected. EnhanceRX
should generally seek express consent when the information is
likely to be considered sensitive. Implied consent would generally
be appropriate when the information is less sensitive. Consent
can also be given by an authorized representative (such as a legal
guardian or a person having power of attorney).
1.3.7 Individuals
can give consent in many ways. For example: (a) an application
form may be used to seek consent, collect information, and inform
the individual of the use that will be made of the information.
By completing and signing the form, the individual is giving consent
to the collection and the specified uses; (b) a check-off box
may be used to allow individuals to request that their names and
addresses not be given to other organizations. Individuals who
do not check the box are assumed to consent to the transfer of
this information to third parties; (c) consent may be given orally
when information is collected over the telephone; or (d) consent
may be given at the time that individuals use a product or service.
1.3.8 An individual
may withdraw consent at any time, subject to legal or contractual
restrictions and reasonable notice. EnhanceRX shall inform
the individual of the implications of such withdrawal.
1.4 Principle 4 - Limiting Collection
The collection of personal information shall be limited to that
which is necessary for the purposes identified by EnhanceRX.
Information shall be collected by fair and lawful means.
1.4.1 EnhanceRX
shall not collect personal information indiscriminately. Both
the amount and the type of information collected shall be limited
to that which is necessary to fulfill the purposes identified.
EnhanceRX shall specify the type of information collected
as part of its information-handling policies and practices,
in accordance with the Openness principle (Clause 1.8).
1.4.2 The requirement
that personal information be collected by fair and lawful means
is intended to prevent EnhanceRX from collecting information
by misleading or deceiving individuals about the purpose for which
information is being collected. This requirement implies that
consent with respect to collection must not be obtained through
deception.
1.4.3 This principle
is linked closely to the Identifying Purposes principle (Clause
1.2) and the Consent principle (Clause 1.3).
1.5 Principle 5 - Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes
other than those for which it was collected, except with the consent
of the individual or as required by law. Personal information
shall be retained only as long as necessary for the fulfillment
of those purposes.
1.5.1 EnhanceRX
using personal information for a new purpose shall document this
purpose (see Clause 1.2.1).
1.5.2 EnhanceRX
should develop guidelines and implement procedures with respect
to the retention of personal information. These guidelines should
include minimum and maximum retention periods. Personal information
that has been used to make a decision about an individual shall
be retained long enough to allow the individual access to the
information after the decision has been made. EnhanceRX
may be subject to legislative requirements with respect to retention
periods.
1.5.3 Personal information
that is no longer required to fulfill the identified purposes
should be destroyed, erased, or made anonymous. EnhanceRX
shall develop guidelines and implement procedures to govern the
destruction of personal information.
1.5.4 This principle
is closely linked to the Consent principle (Clause 1.3), the Identifying
Purposes principle (Clause 1.2), and the Individual Access principle
(Clause 1.9).
1.6 Principle 6 - Accuracy
Personal information
shall be as accurate, complete, and up-to-date as is necessary
for the purposes for which it is to be used.
1.6.1 The extent
to which personal information shall be accurate, complete, and
up-to-date will depend upon the use of the information, taking
into account the interests of the individual. Information shall
be sufficiently accurate, complete, and up-to-date to minimize
the possibility that inappropriate information may be used to
make a decision about the individual.
1.6.2 EnhanceRX
shall not routinely update personal information, unless such a
process is necessary to fulfill the purposes for which the information
was collected.
1.6.3 Personal information
that is used on an ongoing basis, including information that is
disclosed to third parties, should generally be accurate and up-to-date,
unless limits to the requirement for accuracy are clearly set
out.
1.7 Principle 7 - Safeguards
Personal information shall be protected by security safeguards
appropriate to the sensitivity of the information.
1.7.1 The security
safeguards shall protect personal information against loss or
theft, as well as unauthorized access, disclosure, copying, use,
or modification. EnhanceRX shall protect personal information
regardless of the format in which it is held.
1.7.2 The nature
of the safeguards will vary depending on the sensitivity of the
information that has been collected, the amount, distribution,
and format of the information, and the method of storage. More
sensitive information should be safeguarded by a higher level
of protection. The concept of sensitivity is discussed in Clause
1.7.3 The methods
of protection should include (a) physical measures, for example,
locked filing cabinets and restricted access to offices; (b) organizational
measures, for example, security clearances and limiting access
on a "need-to-know" basis; and (c) technological measures, for
example, the use of passwords and encryption.
1.7.4 EnhanceRX
shall make its employees aware of the importance of maintaining
the confidentiality of personal information.
1.7.5 Care shall
be used in the disposal or destruction of personal information,
to prevent unauthorized parties from gaining access to the information
(see Clause 1.5.3).
1.8 Principle 8 - Openness
EnhanceRX shall make readily available to individuals specific
information about its policies and practices relating to the management
of personal information.
1.8.1 EnhanceRX
shall be open about its policies and practices with respect
to the management of personal information. Individuals shall be
able to acquire information about EnhanceRX's policies and
practices without unreasonable effort. This information shall
be made available in a form that is generally understandable.
1.8.2 The information
made available shall include
(a) the name or title, and the address, of the person who is accountable
for EnhanceRX's policies and practices and to whom complaints
or inquiries can be forwarded;
(b) the means of gaining access to personal information held by
EnhanceRX;
(c) a description of the type of personal information held by
EnhanceRX, including a general account of its use;
(d) a copy of any brochures or other information that explain
EnhanceRX's policies, standards, or codes; and
(e) what personal information is made available to related organizations
(e.g., subsidiaries).
1.8.3 EnhanceRX
may make information on its policies and practices available in
a variety of ways. The method chosen depends on the nature of
its business and other considerations. For example, EnhanceRX
may choose to make brochures available in its place of business,
mail information to its customers, provide online access, or establish
a toll-free telephone number.
1.9 Principle 9 - Individual Access
Upon request, an individual shall be informed of the existence,
use, and disclosure of his or her personal information and shall
be given access to that information. An individual shall be able
to challenge the accuracy and completeness of the information
and have it amended as appropriate.
Note: In certain situations,
EnhanceRX may not be able to provide access to all the personal
information it holds about an individual. Exceptions to the access
requirement should be limited and specific. The reasons for denying
access should be provided to the individual upon request. Exceptions
may include information that is prohibitively costly to provide,
information that contains references to other individuals, information
that cannot be disclosed for legal, security, or commercial proprietary
reasons, and information that is subject to solicitor-client or
litigation privilege.
1.9.1 Upon request,
EnhanceRX shall inform an individual whether or not EnhanceRX
holds personal information about the individual. EnhanceRX
is encouraged to indicate the source of this information. EnhanceRX
shall allow the individual access to this information. However,
EnhanceRX may choose to make sensitive medical information
available through a medical practitioner. In addition, EnhanceRX
shall provide an account of the use that has been made or is being
made of this information and an account of the third parties to
which it has been disclosed.
1.9.2 An individual
may be required to provide sufficient information to permit EnhanceRX
to provide an account of the existence, use, and disclosure of
personal information. The information provided shall only be used
for this purpose.
1.9.3 In providing
an account of third parties to which it has disclosed personal
information about an individual, EnhanceRX should attempt
to be as specific as possible. When it is not possible to provide
a list of organizations to which it has actually disclosed information
about an individual, EnhanceRX shall provide a list of organizations
to which it may have disclosed information about the individual.
1.9.4 EnhanceRX
shall respond to an individual's request within a reasonable time
and at minimal or no cost to the individual. The requested information
shall be provided or made available in a form that is generally
understandable. For example, if EnhanceRX uses abbreviations
or codes to record information, an explanation shall be provided.
1.9.5 When an individual
successfully demonstrates the inaccuracy or incompleteness of
personal information, EnhanceRX shall amend the information
as required. Depending upon the nature of the information challenged,
amendment involves the correction, deletion, or addition of information.
Where appropriate, the amended information shall be transmitted
to third parties having access to the information in question.
1.9.6 When a challenge
is not resolved to the satisfaction of the individual, the substance
of the unresolved challenge shall be recorded by EnhanceRX.
When appropriate, the existence of the unresolved challenge shall
be transmitted to third parties having access to the information
in question.
1.10 Principle 10 - Challenging Compliance
An individual shall be able to address a challenge concerning
compliance with the above principles to the designated individual
or individuals accountable for EnhanceRX's compliance.
1.10.1 The individual accountable for EnhanceRX's compliance is discussed
in Clause
1.10.2 EnhanceRX shall put procedures in place to receive and respond
to complaints or inquiries about its policies and practices
relating to the handling of personal information. The complaint
procedures should be easily accessible and simple to use.
1.10.3 EnhanceRX shall inform individuals who make inquiries or
lodge complaints of the existence of relevant complaint procedures.
A range of these procedures may exist. For example, some regulatory
bodies accept complaints about the personal-information handling
practices of the companies they regulate.
1.10.4 EnhanceRX shall investigate all complaints. If a complaint
is found to be justified, EnhanceRX shall take appropriate
measures, including, if necessary, amending its policies and practices.