Data Governance Policy

Effective date: April 14, 2025

Introduction

This policy outlines the relationship between users of the Ishkoday website (including Boodawewin) and Ishkoday. This policy will outline how users can access and retrieve their data stored on our servers in accordance with the Personal Information Protection and Electronic Documents Act (“PIPEDA”), and we strive to meet the OCAP principles of user ownership (O), control (C), access (A), and possession (P), in addition to what is documented in this policy. We are committed to providing users with clear guidelines for retrieving their data securely and ensuring that appropriate security protocols are in place to protect it from unauthorized access. Personal Information is yours to control. Ishkoday is a not-for-profit organization – we do not sell your Personal Information.

This data policy is subject to change as Ishkoday evolves.

What is PIPEDA?

PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada’s federal privacy law that governs how private-sector organizations collect, use, and disclose personal information during commercial activities. It is designed to protect individuals’ privacy while allowing businesses to use personal data for legitimate purposes. PIPEDA is based on 10 principles, including accountability, consent, limiting collection and use, safeguarding data, and providing individuals with access to their information. Organizations must comply with these principles to ensure data security and transparency. The law also gives individuals the right to access, correct, and withdraw consent for their personal data. The Privacy Commissioner of Canada oversees enforcement and can investigate complaints related to non-compliance.

What is OCAP?

OCAP (Ownership, Control, Access, and Possession) is a set of principles developed in 1998 by the First Nations Information Governance Centre (FNIGC), first formed by the Assembly of First Nations in 1996, for First Nations to govern the collection, management, and use of their data. OCAP asserts that Indigenous peoples have ownership and control over their data, ensuring that they have the authority to determine how their information is used, shared, and accessed. OCAP emphasizes the importance of respecting Indigenous sovereignty, ensuring that data collection and use align with Indigenous values and rights. The framework aims to protect Indigenous knowledge and ensure that Indigenous communities benefit from their data, while also fostering accountability and transparency in data management practices.

1. Ownership, Control, and Consent

1.1 User Ownership 

At this time, only non-identifying data is collected by Boodawewin. This is to say: users (aside from First Nation Leadership) currently cannot access their data since there is no way to trace data back to individuals. Although Ishkoday logs standard information such as user ID and user IP, these combinations themselves are not enough to single out individuals. This is specific to Ishkoday – other organizations may collect data that, although not distinctly considered “Personal Information”, can identify individuals when used together. This is not the case with Ishkoday. However, if users choose to provide their email address (optional), they will be able to access their data. Here, users retain full ownership of their data collected via Boodawewin and have the right to control its access and use.

Why do we collect data?

The data is stored on our servers for the purpose of advancing the energy needs and interests of First Nations in Ontario through Ishkoday’s government and energy/service provider channels as well as community-led directives through First Nation leadership.

1.2 Data Access 

Where possible, users have the right to access, view, and retrieve their data at any time, as well as to request a full export of the raw data in a machine-readable format (.CSV).

1.3 Nature of Data

“Personal Information” refers to any information that can identify you, either on its own or when combined with other data. This includes things like username and password, email address, full name, IP address, and photos.

However, Personal Information does not include aggregated or anonymous data that can’t be traced back to you. We may use this type of data for purposes such as analyzing website performance and helping to enhance, manage, and improve the Website and Services, or for advocacy as previously stated.

Personal Information such as names, addresses, and phone numbers is not collected by Ishkoday. Emails may be collected for the purpose of following up with users. Data will be fully anonymized when data requests are made. Aggregate data will be collected through Boodawewin, such as trends and patterns relating to the number of users, number of clients on fixed incomes, and number of clients connected to the energy grid, among others. This data may be shared with First Nation Leadership, welfare administrators, or governmental bodies in accordance with Ishkoday’s mandate.

1.4 Consent

By using Ishkoday’s services, you are consenting to the collection, use, and disclosure of your Personal Information in accordance with this Privacy Policy. Additionally, with your consent, we automatically gather basic data that is typically collected by most services. This includes information about how you use the Service, such as the pages you visit, your IP address, session data, and the timestamp of each request. This data is collected from all visitors to the website.

2. Data Access Request Process

2.1 Making a Data Access Request 

To request access to their data, users must submit a request through the following channels:

– In-App Request: Users can make a request directly to [email protected]. A secure authentication process (e.g., password verification, two-factor authentication) will be required to initiate the request. Users will be contacted by the Ishkoday Team to follow through with the data request.

– Email Request: Users can email [email protected] with their request, providing necessary identity verification (Name, phone number, First Nation). Users will also be required to provide a reason for their data request to ensure data is being used in good faith.

The following entities are permitted to access data: Leadership (Chief and Council) and users.

2.2 Processing the Request 

Once the request is made and the user’s identity is verified, the process for accessing the data will be initiated. The data will be made available in a format that is easy to read, such as a .CSV file. The request will be fulfilled within 30 business days in accordance with PIPEDA, and users will be notified once the data is ready for download.

2.3 Delivery of Data 

Users can download their data via a secure link sent to their registered email address. This link will be time-limited and can only be used by the authorized user. Emails will be transmitted using the industry-standard encryption protocol TLS to encrypt data in transit. Emails themselves will be encrypted with AES-256, so that not just the connection is encrypted, but also the message body and any attachments, even after delivery. All data stored on our servers is also encrypted at rest to prevent unauthorized access.

2.4 Access Logging and Monitoring 

All access requests are logged, and any access to user data is monitored for suspicious activity. Logs will include information such as:

– Date and time of the request

– IP address

– Type of data requested

– Successful or failed attempts

These logs will be kept for six (6) months to ensure transparency and accountability.

3. Data Retention and Deletion

3.1 Retention of Data 

User data will be retained on our servers for up to seven (7) years. If a user requests to delete their data or withdraw consent, their data will be permanently deleted from our servers within 30 days.

3.2 Data Deletion Request 

Users may also request the deletion of their data by contacting support at [email protected]. Once verified, the request will be processed, and all associated data will be permanently deleted. Please note that once data is deleted, it cannot be recovered.

4. Security Measures and Risk Management

4.1 Data Breach Protocol 

In the event of a data breach, we will immediately notify affected users and provide them with information about the breach, the types of data compromised, and the steps we are taking to mitigate the issue. Notifications will be sent within 24 hours of discovery, as required by relevant data protection regulations (PIPEDA).

4.2 Third-Party Access 

We will not share user data with third parties without explicit user consent, except as required by law or to fulfill the functionality of the app (e.g., service providers for data storage or analytics). All third parties involved will be contractually bound to adhere to strict data protection policies.

5. User Rights

5.1 Right to Access 

Users have the right to access their data as outlined in this policy. If users experience difficulty in retrieving their data or have any concerns, they are encouraged to contact [email protected].

5.2 Right to Withdraw Consent 

Users may withdraw their consent to the processing of their data at any time by contacting support. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal.

6. Contact Information

For questions, concerns, or requests regarding data access, please contact us at:

Email: [email protected]

7. Contact Information

For questions, concerns, or requests regarding data access, please contact us at [email protected] – Data Manager.