PRIVACY AND ACCESS CODE
Under the Board of Funeral Services Act, the principal object of the Board is to enforce the Board of Funeral Services Act (BOFSA) and the Funeral, Burial and Cremation Services Act, 2002 (FBCSA), in order that the public interest may be served and protected. To fulfill its objects, the Board has to collect, use and disclose personal information, primarily about its members, but sometimes also about others. The Board also has a strong duty of confidentiality under the BOFSA and the FBCSA Act. That duty is subject to exceptions, particularly “as may be required in connection with the administration of these Acts and the regulations or any proceedings under these Acts or the regulations”. That latter exception is broad and somewhat unstructured.
There is an increased tendency towards increasing protection of personal information and setting formal guidelines and rules for the collection, use and disclosure of that information, even in the private sector. For example, on January 1, 2004, the federal Personal Information Protection and Electronic Documents Act took effect provincially to apply to commercial enterprises unless a substantially similar provincial statute is in effect. In addition, the then Ontario Ministry of Consumer and Business Services consulted in 2002-03 on a proposed Bill that might cover non-profit bodies like the Board. As a public interest body, the Board needs to be transparent in its processes and activities. There is also a growing realization that providing individuals with access about personal information about themselves enhances the accuracy of the information. Rather than wait for government action, the Board wishes to take the lead in developing a policy to address this issue.
The purpose of this policy is to provide greater guidance in the interpretation of the Board’s duty to collect, use and disclose personal information including when disclosure is not appropriate.
1. For the purpose of carrying out its objects, the Board has the authority to collect, use and disclose personal information. Personal information means any information about an identifiable individual other than business title and contact information. The Board shall not collect, use or disclose more personal information than is reasonably necessary to carry out its regulatory and oversight activities and to manage its operations.
2. Personal information that the Board collects, uses or discloses shall be as accurate, complete, and up-to-date as is necessary for the purposes of the collection, use or disclosure, as the case may be without being in contravention of confidentiality provisions of the BOFSA or the FBCSA.
3. The Board shall take reasonable steps to ensure that personal information in its custody or under its control is protected against unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or destruction. What constitutes reasonable steps shall be determined in light of all the circumstances, including the sensitivity of the information, the amount of information and the format in which it is stored. These measures shall include the following:
(a) Providing a copy of the Board’s Privacy and Access Code to the staff of the Board upon its approval and upon the hiring or retaining of new staff.
(b) Training staff in the confidentiality of personal information. Access is on a need-to-know basis.
(c) Training staff in the methods of maintaining security of personal information.
(d) Requiring staff to sign a confidentiality statement.
(e) Requiring that personal information that is not in a secure area be locked or otherwise protected from unauthorized access.
(f) Requiring personal information in paper form to be shredded or otherwise destroyed before it is disposed of.
(g) Requiring the use of password protection, firewalls, virus protection and other recognized security measures for electronic information.
(h) Requiring ongoing monitoring and evaluation that electronic data be destroyed before the hardware holding the data is discarded.
(i) Obtaining reasonable privacy assurances from the agents of the Board that are permitted access to personal information.
4. The Board shall:
(a) make readily available to individuals information about its policies and practices relating to the collection, use and disclosure of personal information including providing a written copy upon request and posting a copy on the Board’s website and
(b) designate an individual or individuals, called a Privacy Officer, who will be accountable for the Board's compliance with the policies and practices mentioned in clause (a).
5. The Privacy Officer shall receive and investigate written complaints from individuals about the Board's alleged contravention of the requirements set out in this part of the policy, including requests for access to or correction of personal information. The complaints process shall be as follows
(a) The Privacy Officer shall investigate the complaint, prepare a written report of his or her findings and provide it to the person making the complaint and to the Executive Committee of the Board.
(b) The report shall be provided to the complainant within 30 days of the complaint. If the Privacy Officer is unable to complete the report within 30 days, the Privacy Officer shall advise both the person making the complaint and the Executive Committee of the delay and the anticipated date of completion of the report.
(c) If the person making the complaint disagrees with the report, he or she can ask the Executive Committee of the Board to review and reconsider the report. A request for review and reconsideration shall be initiated by filing with the Board a written request setting out the grounds for the request. The Privacy Officer shall have 30 days to provide to the Executive Committee and the person making the request a response to the request. The Executive Committee shall review the written submissions and shall make a decision on behalf of the Board. The decision of the Executive Committee is final.
(d) If the report of the Privacy Officer recommends that certain action be taken by the Board or if there is a review and the Executive Committee directs that certain action be taken by the Board, the staff of the Board shall report to the Executive Committee within 30 days, and at such other times as directed by the Executive Committee, as to whether the action has been taken.
6. Subject to section 7, the Board shall not retain a record of personal information after the purpose for which the Board collected the information has been fulfilled unless:
(a) another law requires or authorizes the Board to retain the record,
(b) the Board reasonably requires the record for purposes related to its regulatory or oversight activities including future regulation of members, or
(c) the record is transferred to its archive for the purposes of permanent preservation or historical research.
In order to achieve this goal, the Board has a retention schedule and destruction policy.
7. If the Board has used a record of personal information about an individual to make a decision about the individual, it shall retain the record long enough after making the decision to allow the individual a reasonable opportunity to request access to the information. This requirement does not apply if the individual has already been given access to the information prior to the making of the decision.
8. The Board may disclose personal information about an individual without the consent of the individual:
(a) if done for purposes related to its regulatory and oversight activities,
(b) to manage the Board’s operations (e.g., the personal information of Board and committee members such as home telephone numbers and addresses),
(c) if otherwise required or authorized by law to make the disclosure.
9. The Board shall permit an individual to obtain access to records of personal information about the individual that are in the custody or under the control of the Board, subject to those rules and limitations that may be necessary or appropriate to enable the Board to carry out its regulatory and oversight activities. For example, the Board may decline to provide access to personal information where:
(a) access may reasonably interfere with a regulatory and oversight process of the Board including an inquiry, investigation or hearing,
(b) access may reasonably reveal a confidential source of information or otherwise breach a confidence that is reasonably necessary for the Board to protect,
(c) access may reasonably reveal personal information about another person who has not consented to the access,
(d) access may reasonably interfere with the regulatory or enforcement activities of another statutory regulatory body or a law enforcement agency,
(e) access may reasonably place the health or safety of a person at risk,
(f) access is reasonably available from another, more appropriate source,
(g) access may reasonably reveal legally privileged information,
(h) access is prohibited by another Act.
10. Subject to sections 11 and 12, the Board shall permit an individual who has access to personal information to have the Board correct statements of fact in records of the personal information about the individual that are in the custody or under the control of the Board and that are inaccurate or incomplete.
11. The Board may decline to correct personal information where correcting the personal information could reasonably be expected to interfere with the regulatory and oversight activities of the Board or the management of the Board’s operations, including the following:
(a) the person requesting the correction does not provide sufficient information to enable the Board to assess the request to make the correction;
(b) the fact that the statement was made, whether it is correct or not, is relevant to the regulatory and oversight activities of the Board;
(c) the correction may reasonably interfere with a regulatory and oversight process of the Board including an inquiry, investigation or hearing;
(d) the correction may reasonably interfere with the regulatory or enforcement activities of another statutory regulatory body or a law enforcement agency;
(e) the correction may alter an original document that belongs to someone else and will eventually be returned to that person; or
(f) the correction is prohibited by another Act.
12. An individual or the individual's clients are not entitled to have the Board make a correction under section 10 if the Board determines that it does not have sufficient knowledge, expertise or authority to make the correction.
13. Where the Board agrees to correct a record of personal information, the correction shall be made so as not to destroy the original entry unless there is no reason for the Board to keep the original entry.
14. Where the Board agrees to correct a record of personal information, the Board shall provide written notice to every person to whom the original record was provided within the previous 12 months unless to do so is impractical or would reasonably interfere with the regulatory and oversight activities or the management of the operations of the Board.
15. Where the Board refuses a request to correct a record of personal information, it shall file any statement of disagreement provided by the individual to whom the information relates of less than 500 words with the record unless to do so is impractical or would reasonably interfere with the regulatory and oversight activities or the management of the operations of the Board.
16. Where the consent of an individual or an action of an individual is required or authorized under this policy, and the individual is incapable of giving the consent or taking the action, the Board may accept the consent or action of a personal representative or other reasonable substitute for the individual.