Privacy Policy

(This policy incorporates any other documents by reference and specifically includes the Validation of Authority document as attached, regardless of its source and either, as it exists on a particular date or as amended from time to time.)

1.         Applicability of NAHO’s Privacy Policy

NAHO’s privacy policy applies to NAHO, and its centres, including the First Nations Centre, the Inuit Tuttarvingat and the Métis Centre.

2.         Accountability

The National Aboriginal Health Organization (NAHO) is committed to being accountable for how it handles personal information and for the principles outlined in this policy.

The Chief Executive Officer of NAHO is accountable for overall compliance with this policy but may delegate her/his authority. As well, NAHO has various projects which, for privacy reasons, may contain information which is accessible only to certain NAHO employees. As a result, requests for information may have to be directed to different individuals within NAHO

3.         Governing Principles

NAHO is committed to ensuring that its privacy policy is flexible and responsive. As a result, the policy will likely change from time to time to reflect changes within NAHO, as well as to respond to gaps or needs that are identified as the policy is put into practice.

As an overall framework, NAHO’s privacy policy is guided by the First Nations principles of Ownership, Control, Access and Possession, or OCAP. The OCAP principles apply the concepts of self-determination and self-governance to research, statistics and information involving First Nations communities.

Under OCAP principles, Ownership refers to the relationship of a First Nation community to its cultural knowledge/data/information. OCAP states that a community or group owns information collectively in the same way that an individual owns his or her personal information. The principle of Control recognizes the right of First Nations communities and representative bodies to control research and information management processes which affect them, including research projects, policies, processes, frameworks etc. Access refers to the right of First Nations peoples to have access to information and data about themselves and their communities, wherever held, and to make decisions regarding access to their collective information, while Possession refers to the actual custody and stewardship of data, in other words, where information is actually held. A more complete explanation of OCAP principles is to be found in the draft First Nations Centre Code of Research Ethics (As attached to Schedule “A” )

OCAP principles recognize collective rights to control and access information, rather than only individual ones. Thus, NAHO requires that collective consent, at the community, tribal and/or regional level be obtained as well as the free and fully informed consent of the individual participant before information is collected, used or distributed.

NAHO has also adopted certain principles which were developed in the National Standard of Canada Model Code for the Protection of Personal Information. Along with informed consent, these include a requirement that the purposes for which personal information is collected are documented, identifiable and limited to what is necessary; that personal information be  retained only as long as necessary to fulfill these purposes; that it  be accurate, complete, and up-to-date; that it be protected against loss or theft, as well as unauthorized access or disclosure; that privacy policies and practices relating to the management of personal information be accessible and available; that an individual be informed of the existence, use, and disclosure of his or her personal information and provided access to it on request, and that an individual be able to address a challenge concerning compliance to a designated and accountable individual.

4.         What is Personal Information?

Personal information means any information that could be used to identify someone, such as their name, address, telephone number, age, sex, marital status, education, social insurance number, race  and ethnic origin,  identification numbers, income, blood type, evaluations, employee files, and health or medical records. This might include collective or communal information, in some instances, such as Band membership, tribal affiliation or language, to give some examples.

5.         Limits on Collection, Use and Disclosure

NAHO collects many different kinds of personal information. For example, raw data  is collected from individuals through questionnaires for research. Statistical information based on personal information may be gathered or received. Other information, such as historical or archival information containing personal information, may be collected in the course of research. NAHO also uses and receives “de-identified” information. This refers to personal information where all information which might identify an individual have been removed, or where the personal information has been coded, so that the identity of the person who provided it cannot be determined.

In all instances, however, NAHO only collects and uses that personal information which is needed to fulfill the purposes identified in the workplan, research plan or research agreement which governs the specific research being done.

6.         How Consent is Obtained

NAHO’s policy is to have free and fully informed consent before personal information is collected. Informed consent means that the individual providing the information knows from the outset why their personal information is needed, what the purpose of the research is, how the information will be used, who the information will be shared with, how long it will be kept and what will be done with it when it is no longer needed.

In seeking informed consent, NAHO considers both the sensitivity of the information and what a reasonable person would expect and consider appropriate in the circumstances when determining what form of consent to use. Individuals and communities will not be subjected to any undue pressure or influence when approached to participate in research activities and processes.

There are some circumstances in which NAHO may receive information in which it is impossible to obtain consent, for example, information which has been “de-identified,” or statistical or historical information. In those limited circumstances, NAHO will not be able to obtain consent for the collection, use or disclosure of information, as this would be impractical or even impossible. In all other circumstances, NAHO requires that individual consent is expressly given in writingbefore personal information is collected, used or disclosed. NAHO requires that the consequences of withdrawing consent are explained at that time as well. Individuals will be given a chance to refuse to share their personal information. They will also be able to withdraw their consent to the use of their personal information at any time during the research process. If they choose to withdraw their consent, their personal information will be removed from the research data base and will either be returned to them, or destroyed.

Consent is a continuing process and ongoing consultation with community members and/or nation citizens will be necessary at every stage of the process. If an individual belonging to a community which has consented to participate in research later withdraws their individual consent, their personal information will be removed from the research data base and either returned to them, or destroyed.

7.         Retention of Information

NAHO will only keep personal information for as long as it is needed to fulfill the purposes which were identified at the time written consent was provided. This time period may vary, depending on the particular research involved. However, NAHO will not retain an individual’s personal information for any longer period of time without their further written consent.

Under NAHO’s IT policy, data is returned to the individuals or communities which provided it wherever  possible. If personal information has to be destroyed, reasonably secure methods are used, such as erasing electronic records and shredding paper records  without keeping any copies.

8.         Security of Information

NAHO has security arrangements in place to prevent against risks such as unauthorized access, collection, use, disclosure, copying, modification or disposal of personal information. If NAHO retains an individual or an organization to do research that involves personal information, NAHO will ensure that there is a contractual or other agreement in place that commits the individual or organization providing services to comply with NAHO’s privacy policy.

Much of the information in NAHO’s custody is electronic. Under NAHO’s IT policy, NAHO’s electronic information is stored off-site and is protected by firewalls. It is also backed up regularly and is accessible only to authorized persons by password. NAHO is also working on a template for its contracts with researchers that will require them to abide by the same security provisions which apply to its employees.

9.         Disclosure of Personal Information

NAHO does not disclose personal information to outside agencies and will never sell or rent personal information to third parties. In certain circumstances, NAHO may be required by law to disclose personal information without consent only, for example, due to a court order or a search warrant. Where personal information is used for research purposes such as publication and communication activities personal information will be made anonymous (“de-identified”) and will remain confidential. In all cases, NAHO will take steps to ensure that the dissemination of information meets accepted research standards of ethics and protocols.

10.       Access to Personal Information

Individuals have the right to access their own personal information at any point in the research project and process. They will also have access to descriptions of the research objectives and methods at all times. Where research is being conducted that is community or nation-based, guidelines and procedures for access to data will be agreed upon with the relevant authorities representing the community or nation participating in the research, and will be outlined in the research plan.

Because of the sensitivity of personal information, requests by an individual for access to their own personal information must be made in writing. NAHO may require that individuals prove their identity before giving them access. Where a request is made for information by a government agency, NAHO may require that the request be made by an authorized official in writing, on government letterhead, for example.

On receiving a written request for personal information, NAHO will inform individuals what personal information of theirs is held by NAHO, and will inform them how the information is being, or has been, used and the names of the individuals and organizations to which their personal information has been disclosed. Requests for personal information will be answered as soon as reasonably practicable after the written request is received.

There may be situations in which it is impossible to provide access, such as where information has been “de-identified,” or where NAHO does not have custody or control of the information. If an access request is denied, the applicant will be informed of the reason why and will be informed of what further steps may be available to him or her.

11.       Accuracy

NAHO makes reasonable efforts to ensure that personal information it collects, uses or discloses is accurate and complete at the time it is collected. On occasion, individuals may wish to correct errors in their personal information. Where it is reasonable to do, corrections will be made. However, it may not be possible to correct information which has been “de-identified,” or has been published, or where NAHO does not have custody or control of the information. In such instances, individuals will be informed of why the information cannot be changed.

12.       Open and Transparent

NAHO’s privacy policy is intended to be open, public and transparent. A copy of NAHO’s privacy policy will be posted on its website.

Last Update: August 11 2009