How to Build and Implement Your Own Privacy Management Plan

Part I – The Ten Guiding Principles

The primary purpose of compliance with any Privacy Act is not to guarantee that Personal Information (“PI”) will never be compromised, but to be able to prove that you have diligently taken every precautionary measure to protect PI in accordance with the Ten Guiding Principles.

The Ten Guiding Principles are the backbone of any Privacy Management Plan. It is essential to know these principles well and to keep them in mind at every step of building your plan. The following is a concise summary of each of these principles.

Introduction

For reasons of accepted international compliance, including EU Data Protection Law, the privacy act chosen to exemplify compliance principles and procedures is the federal Personal Information Protection and Electronic Documents Act of Canada (PIPEDA), as revised in 2015 and 2018. The United States has a similar regulation, HIPAA, and the UK has the GDPR. PIPEDA extends its federal jurisdiction to cover commercial enterprise in the private sector for Canadian-based organizations. Where certain Canadian provinces have enacted their own “substantially similar” privacy regulation, compliance with PIPEDA prevails in respect of personal and health information that is transmitted across provincial and international borders.

On November 1, 2018, mandatory breach notification and record-keeping requirements came into force, making it compulsory for organizations to document their compliance activities; that is, there must be documented proof of compliance at any given time. The privacy acts state that it is your responsibility to implement and maintain compliance, and that third-party information processors such as Click4Time are required to provide tools to assist you in taking responsibility for your own compliance. Click4Time has integrated measures to automatically track and record your compliance, enabling a fast response with a provable record of your compliance. For simplicity, this Mini Guide assumes you have no such integration, and therefore all principles, measures and record-keeping methods presented are for manual implementation.

Did you know that to initiate the first steps towards becoming compliant, as a clinic owner, sole practitioner or practitioner within a group, it is your responsibility to:

  • perform a risk analysis self-assessment
  • create an action plan and privacy management protocols based on that assessment
  • implement the plan protocols on a daily basis
  • review and revise the plan regularly
  • train staff to follow the plan protocols

Failure to implement these basic steps puts your clients’ personal information at risk, and in the event of a breach of privacy you risk incurring the costs of litigation, fines, suspension or even loss of your business.

Principle 1 – Accountability

An organization or sole practitioner is responsible for personal information under their control. One person or more must be designated as accountable for the organization’s compliance or their own compliance with the following principles.

Principle 2 – Identifying Purposes

The purposes for which personal information is collected must be clearly identified by the organization or sole practitioner at or before the time the information is collected.

Principle 3 – Valid Consent (Revision 2015)

Full knowledge and valid consent of a person is required for the collection, use, or disclosure of personal information, except where inappropriate. To quote: “Consent is considered valid only if it is reasonable to expect that individuals to whom an organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting.”

Principle 4 – Limiting Collection

The collection of personal information must be limited to what is necessary for the purposes which have been identified by the organization or sole practitioner. Information must be collected using fair and lawful methods.

Principle 5 – Limiting Use, Disclosure, and Retention

Personal information must not be used or disclosed for any purpose other than that for which it was collected; the only exceptions are when the individual gives valid consent or there is a requirement by law. Personal information must only be retained for as long as is necessary for the fulfillment of those purposes as well as to allow sufficient time for recourse, appropriate to the purpose for its collection.

Principle 6 – Accuracy

Personal information must be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Principle 7 – Safeguards

Personal information must be protected by security safeguards appropriate to the sensitivity of the information.

Principle 8 – Openness

An organization or sole practitioner must provide individuals with ready access to specific information about its policies and practices relating to the management of personal information.

Principle 9 – Individual Access

Upon request, an individual must be informed of the existence, use, and disclosure of his or her personal information and must be given access to that information. An individual must be able to challenge the accuracy and completeness of the information and have it amended as appropriate. (There are conditions and limitations to access. These are detailed in Part III – Policies and Procedures for Implementation.)

Principle 10 – Challenging Compliance

An individual must be able to address a challenge concerning compliance with the above principles to the designated person or people accountable for the organization’s compliance, or to the sole practitioner responsible for their own compliance.

In Part II – Risk Analysis Self-Assessment, the principle of “Accountability” is applied to carry out a privacy and security audit of your daily information handling, processing, disclosure and storage policies and procedures.