Introduction

The Nidus Registry is committed to protecting your privacy.

This Privacy Policy, in compliance with British Columbia’s Personal Information Protection Act, SBC 2003, c 63 (“PIPA”), outlines the principles and practices we will follow in protecting Registry users’ personal information. This means we will tell you why and how we collect, use and disclose your personal information, and we will only do so as is necessary to fulfill the purposes of the Registry (described in more detail below). We will get your consent where required, and handle your personal information in a manner that a reasonable person would consider appropriate in the circumstances.

This Privacy Policy is to be read together with and forms part of the Registry Terms and Conditions.

Changes to this Policy

The Registry reserves the right to amend, modify, alter, revise or otherwise update this Privacy Policy from time to time, without notice, by updating this posting. Users agree to review the Privacy Policy regularly and accept the terms in effect at the time when they access or use the Site. Users’ continued access or use of the Site shall mean and imply agreement by users to any such amendment.

Definitions

Access User: an individual approved by the Nidus Registry to access information stored in the Registry. These individuals represent institutions like Health Authorities and their associated services, banks and credit unions, the Public Guardian and Trustee and government services.

Account Holder: the person whose information is stored in the Registry as data or as a document or file in formats such as PDF, mp3, mp4, flv, wma, wmv, mov.

Adult: a person age 19 years or older who engages in personal planning, including the making of a planning document such as a Representation Agreement or Enduring Power of Attorney.

Appointee: a person authorized in a Representation Agreement or Enduring Power of Attorney to assist or act on behalf of the Adult or a person named in a Nomination of Committee (can only be authorized by the court).

Institutional Contact: an individual who acts as the Registry’s contact person for Registration Agents or Access Users within a specific firm or institution.

Nidus ID: the unique number assigned to an Adult’s account by the Registry at the time of registration. Also referred to as the “Nidus Registration Number.” Accounts set up through the online Registry will be assigned a randomly generated 7-digit Nidus ID. This number can be used as a Personal Identifier.

Nidus Personal Planning Resource Centre Association: the legal name of the non-profit charitable organization, registered as a charity in Canada and incorporated in British Columbia. The organization, including its employees and directors, is also known as Nidus or the Resource Centre, and its mandate is to provide education, support, and assistance with personal planning to British Columbians.

Nidus Registry or Personal Planning Registry or Registry: a service operated by the Nidus Personal Planning Resource Centre Association. It is a voluntary, centralized online registry for an Adult’s planning documents, to facilitate communication of an Adult’s information, instructions/wishes and authorizations when needed.

Personal Identifier: an Adult’s date of birth, BC Care Card or Provincial Health Card Number, Driver’s License Number, BC Identification Number, and/or Social Insurance Number, as provided by the Registrant at the time of registration, and used to search for an Adult’s account in the Registry.

Personal information: information about an individual that allows them to be identified.

Personal Password: the password chosen by a Registrant in the registration process and used to access the account created by that Registrant.

PIPA: British Columbia’s Personal Information Protection Act, SBC 2003, c 63.

Planning Document: written authorizations for matters related to managing health care, personal care, and legal and financial affairs that may be used to assist the Adult during their lifetime. In BC these include a Representation Agreement, Enduring Power of Attorney, Advance Directive, Nomination of Committee, and Notice of Revocation for any of the aforementioned.

Registrant: the person who registers information with the Nidus Registry, and includes registration through self-registrations and Registration Agents.

Registrar: the individual(s) designated responsible for the operation of the Registry and for ensuring compliance with this Privacy Policy and with PIPA.

Registration Agent: a lawyer or notary public or their staff approved by the Nidus Registry to act as a Registrant on behalf of their clients.

Registry Site or Site: the website, webpages and sub-pages of the online Nidus Registry.

Self-Registration: registration by an Adult of their own information and documents, or by someone with the legal authority to act on the Adult’s behalf, other than a Registration Agent.

Purpose

Why does the Registry collect, use, and disclose personal information?

The purpose of the Nidus Registry is to facilitate communication. This involves protecting privacy and ensuring access when needed.

Nidus’ mission is to enable adults to maintain and protect their self-determination through personal planning in the event they need help making decisions or managing their affairs. If an adult’s mental competency is in question or he, she, or they has/have difficulty communicating or physically managing their affairs, the Registry can help with identifying and locating the people who have legal authority to assist the adult or to act on his, her, or their behalf. It can also help to communicate information about the adult’s wishes and their other supporters and contacts.

Registration is voluntary: you can choose whether or not to use the Registry’s services.

The Registry will only collect the personal information that is necessary to fulfill this purpose; Nidus will tell you what the purpose of collecting your information is upon or before collection unless the purpose is obvious. We will collect, use and dispose of your information for purposes authorized and/or required by applicable privacy legislation or other laws.

You will find specific examples of our purposes for collecting, using and disclosing your information throughout this Policy and the Terms and Conditions. Before using or disclosing personal information for a purpose that we have not already identified, we will identify the new purpose and ask you for your consent unless the use or disclosure is authorized or required by law.

If you do not want us to use your personal information for these purposes you may at any time provide reasonable written notice to Nidus using the contact information provided on our Site. You may also contact us if you would like to request further information about collection.

Collection of other information

The Registry will collect and analyze non-identifying information to help us improve our services and monitor the effectiveness of promotions. For example, the Registry will collect statistics on the number of registrations and of what types. None of this information can be connected to any specific individual.

The Registry collects and records identifying information about its Registration Agents and Access Users, whose identities are authenticated and recorded each time they use their log-in to access the Registry. We use this information to communicate with and collect registration fees from Registration Agents. We also use this information to monitor Access Users and will confer with the Institutional Contact in the event that unauthorized access or breach of our Terms and Conditions or of this Privacy Policy terms is suspected. Nidus reserves the right to suspend the log-in of an Access User without prior notice, at the sole discretion of the Registrar, if unauthorized access or breach is suspected.

Collection

What kinds of information does the Registry record and store?

The Registry records information about you, your planning document(s), and your Appointees. You may also store a copy of your document(s) by uploading it in PDF format. You can also store a copy of other documents or files in formats such as PDF, mp3, mp4, flv, wma, wmv, mov.

To create an account, the Registry requires you to give us, at minimum:

  • The full legal name of the Adult
  • The Adult’s current address (or mailing address) and phone number
  • At least two personal identifiers belonging to the Adult, from the following list:
      – Date of birth
      – Provincial Health Number (BC Care Card or BC Services Card)
      – Driver’s License Number
      – BC Identification Number (used if no Driver’s License)
      – Social Insurance Number
  • An email address for Registry communications
  • A password you create

The personal identifiers, including the Nidus ID assigned at the online registration, along with the Adult’s first and last name, are the criteria outside parties will use to search for information and documents associated with your account. (For more details on searching the Registry, see this Policy’s section on “Use & Disclosure,” below.) We only collect this information for identification purposes, and you are not required to enter any particular identifier as long as you provide at least two; however, the more you do provide, the better chance an outside party has of accessing your information and documents when they need to.

You must also register at least one document, upload an audio or video file, or enter data in the Personal Information Record in order to create an account in the Registry. When you register a document, you are required to provide, at minimum, information on the type of document being registered (for example, a Representation Agreement) and the date the document was signed and witnessed.

Beyond these requirements, you control how much information is entered and stored in the Registry. For example, you can list details about the location where the Account Holder keeps the original document.

Please remember that the Registry does not keep original documents. Registration of a copy of a document in PDF format or its information does not replace the need to keep the original safe and accessible.

You cannot use the Registry to create, revoke, or make changes to a legal document. The Registry only records information or stores a PDF copy for a document you have already made.

Accuracy, Corrections and Updates

What kind of accuracy is the Registry responsible for, and what are the Registrant’s responsibilities?

The law requires the Registry to make reasonable efforts to ensure that users’ personal information is accurate and complete. This means the Registry will not alter or edit the information provided, and we will make corrections as requested, in accordance with this Policy (see below).

Generally, Registrants are responsible for making sure the information they record in the Registry is accurate and up-to-date.

Use and Disclosure to Others

Who gets to see the personal information stored in the Registry, and when?

Registrant access to Account Holder information

A Registrant has complete, unrestricted access to the information and documents they registered. It is often helpful for the Adult to give this information to the person or people appointed in your legal document(s), as they may need to update and access your account if you are unable to do so.

Shared access

An Account Holder/Registrant can give individuals, such as a representative or attorney, financial advisor, or family doctor, read-only access to view stored information and uploaded documents on the account.

Shared access can be given to the entire account or to specific documents and can be cancelled at any time by the Account Holder/Registrant.

Read-only access is ‘shared’ with individuals by entering their email address. It is up to the Account Holder/Registrant to ensure the email address is correct and that the owner of the email address is trustworthy and will treat the information they access as private. An auto-email message is sent to the email address with a temporary password allowing them to ‘log-in’ to view the information shared. They are encouraged to change the password for future access. The email address and password serve as their log-in for read-only access. This feature was designed at the request of Registry Users and means Account Holders/Registrants do not have to share their password, which, along with the Nidus ID, allows for editing of information and documents stored in the Registry Account.

Public search for an Account Holder

The Search feature of the Registry is available to the public. Anyone can use this feature to find out if someone is an Account Holder with the Registry by searching for the Adult’s first and last name and two of the Adult’s personal identifiers. A basic search will only reveal if the search information entered “matches” or “does not match” information provided to create an account in the Registry.

Access Users can search to view information and documents

Only third parties designated as Access Users can view information and uploaded documents of an Account Holder by entering the Adult’s first and last name and at least two personal identifiers. The Registrant may grant permissions to allow Access Users to see the Account Holder’s information; they can also permit Access Users to access the uploaded document. A Registrant can grant this permission at the time of initial registration or may modify access at a later time.

Access Users must comply with the Terms and Conditions, which address their responsibilities regarding privacy and confidentiality. For more information on Access Users, please read the Terms and Conditions.

Special Emergency Access

The Registry may provide a special designation that allows certain Access Users to browse for information and documents associated with an account by searching by last name or one identifier only. This designation is only available to select pre-authorized individuals within health care institutions, such as hospital emergency or urgent care departments. It is only for medical emergencies where a patient is unconscious or very confused and cannot provide sufficient information for the Access User to conduct an Advanced Search. Special Emergency Access Users can only view information and documents if the Registrant has given permission for access to ‘All Types’ or ‘Health and Personal Care types.’

When is the Registry required to use or disclose personal information without consent?

To cooperate with law enforcement

The Registry will disclose information when that disclosure is necessary to comply with a subpoena, warrant, or order by a court or other agency with jurisdiction to compel the production of personal information.

When else can the Registry use or disclose information without consent?

The law also allows the Registry to use or disclose your personal information without your consent in a number of other situations. Some of the situations in which the Registry may choose to do so include:

  • Responding to a medical emergency that threatens an individual’s life, health, or personal security;
  • Contacting the next of kin or friend of an injured, ill, or deceased individual;
  • When we believe obtaining your consent or notifying you of disclosure would affect your health or safety;
  • Getting legal advice from a lawyer representing us;
  • Assisting a public body or law enforcement agency to investigate an offense;
  • Protecting ourselves from fraud or investigating a breach or anticipated breach of our Terms and Conditions, this Policy, or any other agreement;
  • Collecting a debt owed to us, or when paying a debt owed by us;
  • When the personal information is available from a public source (like a telephone directory); and
  • When the use or disclosure is clearly in the interests of the individual and consent cannot be obtained in a timely way.

Accessing Your Own Information

Can I access my own information? How?

According to the law, individuals have the right to access any of their own personal information that is under the Registry’s custody or control.

The Registrant or anyone with the matching Registration Number and password has complete, unrestricted access to the information and documents registered.

Registrants and those with the matching Nidus ID (Registration Number) and personal password can also make a written request to the Registrar for information about the ways the Registry has used or is using their personal information. They can also request to know when and to whom the Registry disclosed their information (for example, the date an Access User accessed it, the name of their organization, and contact information for that organization’s Institutional Contact).

The Registrar responds to written requests within 30 business days of receipt. We will either provide you with the requested information within this period or give you written notice if we need more time. For the Registrar’s contact information, see this Policy’s section on “Questions, Complaints, & Contact,” below.

PIPA allows us to charge a minimal fee for providing an individual with access to their personal information. We may also require payment of the fee or of a deposit before we release the requested information. If a fee is required, we will tell you in advance.

When could I be refused access?

The law (PIPA) requires the Registry to refuse someone access to their personal information when the Registry has knowledge that granting access would:

  • Reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request;
  • Reasonably be expected to cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
  • Reveal personal information about another individual; or
  • Reveal the identity of an individual who has provided personal information about another individual, and the individual providing the personal information does not consent to disclosure of his, her, or their identity.

The law also allows the Registry to refuse access in other situations. Some of the situations in which the Registry may choose to do so include when:

  • The information is protected by solicitor-client privilege or is in a document that is subject to a solicitor’s lien;
  • Disclosure would reveal confidential commercial information that, if disclosed, could harm our competitive position;
  • The information was collected or disclosed without consent for the purposes of an investigation, as allowed by PIPA, and the investigation, associated proceedings and appeals have not yet been completed; and
  • The information was collected or created by a mediator or arbitrator in the course of a mediation or arbitration for which he, she, or they was/were appointed to act under a collective agreement, under an enactment, or by a court.

If possible, the Registry will remove the specific information that may be grounds for refusal from the information to which you have requested access, and will give you access to the remaining information to which these exceptions do not apply.

If the Registry refuses an access request we will tell the applicant of the refusal in writing. We will also tell you why we refused the request and will let you know what further steps you can take, including any internal review by us and the right to ask the Office of the Information and Privacy Commissioner of British Columbia to review the decision.

Retention & Removal

How long does the Registry keep personal information?

The Registry keeps personal information for as long as it remains necessary to fulfill the purposes for which it was collected. This means that, in most cases, the Registry will hold on to your information indefinitely, unless or until you ask to have it removed or someone requests removal on your behalf and provides the necessary information according to this Policy and the Terms & Conditions.

How do I remove my account from the Registry?

This section is about completely removing an account and all of its associated information from the Registry. For more information on altering part of an account, see the section of this Policy on “Accuracy, Corrections, & Updates.”

As previously stated in this Policy, a Registrant can withdraw his, her, or their consent and have his, her, or their information removed from the Registry at any time, as long as we don’t have any legal obligations to keep it. For example, the law requires us to keep your information for at least one year after your account has been accessed, even after you’ve asked to have the information removed.

Once you tell us you want your account removed completely, the law requires us to tell you of the likely consequences of doing so. For example, withdrawing might restrict the Registry’s ability to provide a particular service. If so, we will explain the situation to help you decide.

Security

The Registry is committed to ensuring the security of our users’ personal information, and protecting it from unauthorized access, collection, use, disclosure, copying, modification, disposal, and similar risks. This commitment includes using appropriate security measures when communicating, storing, and destroying your information.

We will continually review and update our security policies and controls as technology changes, to ensure ongoing security of personal information.

Communication and retrieval of information and documents

The Registry allows Registrants to access their own information. However, there may be times where the Registrar is asked to provide information or documents ‘offline.’ Email transmission is not considered as secure as regular mail, phone or fax communication. Please note that information transmitted through electronic communications such as e-mail is not guaranteed to be secure or confidential. Nidus and the Registry are not responsible for ensuring the security of information transmissions via electronic communications. The Registry does not initiate the transmission of personal information by email unless instructed in writing by an authorized party to do so. Personal information is available by fax, regular mail, and pick-up with advance notice, for a modest fee.

If you send paper (hard) copies of communication to the Registry, these are digitized (scanned) and then shredded. If we retain a hard copy for any period of time, we use appropriate security measures to ensure that any of your personal information is appropriately protected. This includes the use of locked filing cabinets and securing offices where personal information is held.

Questions, Complaints and Contacts

Contact information for the Registrar:

Email: registry@nidus.ca

How can I ask questions or make a complaint about this Privacy Policy?

The Registrar is responsible for ensuring the Nidus Registry’s compliance with this Privacy Policy and with the Personal Information Protection Act.

Users should direct any questions, concerns, or complaints regarding the Registry’s compliance in writing to the Registrar. If the Registrar is unable to resolve your concerns, you may also write to the Office of the Information and Privacy Commissioner of British Columbia (the “OIPC”).

The OIPC also handles questions and complaints about the way your personal information is being used by public bodies, which are governed by British Columbia’s Freedom of Information and Protection of Privacy Act. This includes many of the organizations that might access your information through the Registry, like the Public Guardian and Trustee or a Health Authority.

Contact information for the Office of the Information and Privacy Commissioner of BC
Web Site: www.oipc.bc.ca

Email: info@oipc.bc.ca

Telephone: (250) 387–5629

For toll-free access call Enquiry BC at one of the following numbers and request a transfer to (250) 387–5629: in Vancouver, (604) 660–2421; elsewhere in BC, (800) 663–7867

Mailing Address:
Office of the Information and Privacy Commissioner for British Columbia
P.O. Box 9038
Stn. Prov. Govt.
Victoria BC, V8W 9A4
