Protection of Personal Information Policies
Last updated: November 10, 2019
Time: 11:16 pm
Privacy legislation recognizes the need of the organization to collect, use and disclose personal information for reasonable purposes and the right of the individual to have his or her personal information protected.
The College of Alberta Dental Assistants (College), collects, uses, and discloses personal information to regulate the profession of dental assisting in compliance with the following legislation:
- Health Professions Act of Alberta (HPA);
- Dental Assistants Profession Regulation (DAPR);
- Personal Information Protection Act of Alberta (PIPA);
- Personal Information Protection Act Regulation (PIPA Regulation); and,
- Personal Information Protection and Electronic Documents Act of Canada (PIPEDA).
If PIPEDA and PIPA are contradictory, the rule that offers stronger protection of personal information applies.
PIPEDA applies to the College, as we provide personal information to Canadian organizations outside of Alberta (i.e. letters of standing, insurance lists).
Personal information is information about an identifiable individual.
The College is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the College’s compliance with privacy legislation.1
(1) The Registrar will appoint a Privacy Officer.
(2) The Privacy Officer will:
(a) develop privacy policies, procedures and documents and keeping them up to date;
(b) monitor privacy legislation for amendments and consider their implications;
(c) review and revise privacy policies and procedures and documents i.e. service provider agreements, website documents, confidentiality agreements, resource material;
(d) provide policy and procedure revision recommendations to the Registrar, as necessary;
(f) provide privacy training for the College staff. All new staff will be trained within 30 days of their hiring date. Training will include at minimum:
(i.) the importance of privacy;
(ii.) the College’s collection, use, and disclosure practices; and,
(iii.) access to personal information practices.
(g) monitor the College’s compliance with privacy legislation;
(h) develop and offer resources and tools to make compliance easy i.e. confidentiality agreements;
(i) ensure all staff, volunteers and service providers regularly review and sign applicable agreements;
(j) serve as the primary contact person for staff and third-parties such as members, service providers and authorities;
(k) provide key information and access to resources or individuals within the College who can provide further information;
(l) communicate with staff regularly to remind them of the importance of privacy;
(m) ensure applicants for registration and members are aware of the College’s privacy policies;
(n) manage and ensure consistent processing of requests from third parties for access to personal information;
(o) manage privacy breaches.
1. Personal Information Protection Act of Alberta 2003, s 5 (2), 5(3), 5(4), 6(1) – Personal Information Protection and Electronic Documents Act 2000, s 4.1
The College collects, uses and discloses personal information for the purpose of regulating the profession of dental assisting and its members, pursuant to the HPA and the DAPR. This includes conducting registrations, managing the continuing competence program, and conducting investigations regarding alleged unprofessional conduct. The College identifies the purposes for which personal information is collected at or before the time the information is collected.2
(1) The College will:
(a) identify the purpose of personal information collection in a public document available on the College website and by request from the College office; and
(b) identify the purpose of personal information collection on member applications.
2 Personal Information Protection Act of Alberta 2003, s 13(1) – Personal Information Protection and Electronic Documents Act 2000, s 4.2.1, 4.2.2, 4.2.3, 4.2.4
At the time of collection, the College secures consent from the individual to collect, use, or disclose personal information. 3
(1) The College will:
(a) secure a declaration from individuals at the time of application for initial registration and with each practice permit renewal or change of status, to authorize the College to collect, use and disclose personal information as required for reasonable matters including fulfillment of statutory requirements; and
(b) require a consent for release of personal information from the individual to authorize the College to collect or disclose personal information to or from a third-party i.e. letters of standing, publication.
3. Personal Information Protection Act of Alberta 2003, s 7(1), 7(2,) 8(1), 8(2.2), 8(5)
The College limits collection of personal information to what is necessary in order to carry out its statutory and other responsibilities. The personal information is collected by fair and lawful means.
The College shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law.4
(1) The College collects personal information from individuals as required by the HPA and the DAPR to:
(a) assess credentials for the purpose of being registered and maintaining registration to practice as a dental assistant;
(b) satisfy requirements of government on the registration status of individuals;
(c) satisfy requirements for other membership statuses as defined in the College Bylaws;5
(d) satisfy the requirements of hiring an employee, contractor and/or a volunteer to work on behalf of the College or provide services to the College;
(e) contact regulated members or their employers for the purposes of maintaining a regulated member’s registration, reviewing complaints of alleged unprofessional conduct, and/or advising individuals of pertinent information changes affecting the conditions of their registration or membership;
(f) disclose personal information upon general inquiry as defined in the HPA and DAPR;
(g) disclose personal information as required to third-parties i.e. government reporting, provision of malpractice insurance coverage; and
(h) ensure that information concerning alleged unprofessional conduct provided to and or from an investigator is not used for any other purpose beyond the investigation, that information gathered under this process remains confidential, and that inquiries about unprofessional conduct complaints and related matters are referred to the Complaints Director.
4. Personal Information Protection Act of Alberta 2003, s 11(1), 14, 16(1), 16(2), 17, 19(1), 19(2), 20 – Personal Information Protection Act Regulation 366/2003, S 31(1) – Health Professions Act (2000), S 33(3), 34(1)
5. CADA Bylaws, s 10.02, 10.04
The College retains personal information as long as required by legislation or as necessary where lengthier retention is deemed to be appropriate.6
(1) The College will ensure that personal information is only retained for the minimum time required by law and thereafter destroyed in a secure and prudent manner.
|Item Description||Location||Retention Period|
|(a) Employee Files||Executive Director’s office locked file cabinet||According to Alberta Labour Standards|
|(b) Volunteer & Affiliates Confidentiality Agreements||Administrative Officer’s office locked file cabinet||Perpetually|
|(c) Discipline Records||Complaints Director’s office locked file cabinet||According to the Health Professions Act (minimum 10 years)|
|(d) Hearings Records||Hearings Director’s office locked cupboard||Kept until hearing and appeal period is over, then moved to Discipline Records location|
|(e) Awards Material||Communication Director’s office locked cupboard||Perpetually|
|(f) Financial & Payroll Records||Locked member file cabinets, Finance Assistant’s locked filing cabinets, storage room locked cabinets||Retained for 7 years or as indicated by accounting rules|
|(g) Renewal Invoices/ Payments||Paper renewals stored in member’s file||Perpetually|
|(h) Pending Applications||Locked two drawer file cabinet under fax machine||Upon approval, stored in member files perpetually|
|(i) Applications Deemed Incomplete||Registrar’s office locked file cabinet||Kept for minimum 3 years, then destroyed|
6. Health Professions Act (2000), s 35(1), 35(2), 121
The College will give individuals access to personal information it holds about them subject to lawful restrictions such as, but not limited to, where the information is being collected for an investigation pursuant to the HPA. In addition, individuals may request correction of an error or omission in personal information held by the College.7
(1) The College will:
(a) make every reasonable effort to ensure that the personal information of its members is accurate and complete; and
(b) correct an error or omission as soon as is reasonably possible.
(2) Requests for access and correction must be in writing and must set out in sufficient detail the scope of the request.
(3) Requests should be delivered to the College’s Privacy Officer.
(4) The College’s Privacy Officer will assist individuals asking for access to or for correction of their personal information and will respond within the time limits specified in the Personal Information Protection Act.
7. Personal Information Protection Act of Alberta 2003, s 25(1), 26(1), 28(1), 33
The College takes every reasonable effort to prevent unauthorized access, loss, misuse, disclosure, or modification of personal information that is in its custody or under its control. It will provide notice to the Office of the Information and Privacy Commissioner (OIPC) to report privacy breaches without unreasonable delay.8
(1) The College protects personal information by:
(a) ensuring that office areas in which personal information is stored are secure;
(b) restricting access to personal information to those with a need for it;
(c) using password protected technology for personal information stored electronically;
(d) training staff about the importance of privacy;
(e) employing confidentiality agreements with all staff, volunteers and service providers;
(f) monitoring information technology practices and security measures; and
(g) implementing a privacy breach process.
Definition of a Breach
(2) A breach has occurred if there is any unauthorized access to, or collection, use, disclosure or disposal of personal information, where there exists a risk of significant harm to an individual (financial loss, identity theft, physical harm, embarrassment or harm to reputation). This could be due to theft, loss, or mistaken disclosure (i.e. information is emailed or mailed to the wrong person).
8. Personal Information Protection Act of Alberta 2003, s 34, 34(1), 34(2) – Personal Information Protection Act Regulation 366/2003, s 19, 19(1), 19(2)
The College ensures that individuals are informed of the College’s practices concerning the existence, use, and disclosure of their personal information.9
The College provides written information about its privacy policies and practices relating to the management of personal information.
(1) The College will:
(a) provide written information about its privacy policies and practices relating to the management of personal information; and
(b) provide a Challenging Compliance Form upon request for individuals to make a written complaint if they believe he College has not complied with personal privacy legislation and or the College’s Protection of Personal Information Policies.
9. Personal Information Protection Act of Alberta 2003, s 6(3) – – Personal Information Protection and Electronic Documents Act 2000, s 4.8 – Principle 8, 4.8.1, 4.8.2