Privacy Policy - Cira Health Solutions

Policy Statement

Oncidium has made a commitment to collect, use and disclose personal information in compliance with applicable law and in such a manner that a reasonable person would consider appropriate in the circumstances.

Scope

This policy governs the collection, use, disclosure, and handling of personal information in the course of the commercial activity of Oncidium and Cira Health Solutions.

Introduction

Oncidium’s commercial activity is subject to applicable privacy legislation. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies when personal information crosses provincial boundaries and in all provinces and territories except Alberta, British Columbia and Quebec. Alberta, British Columbia and Quebec have passed privacy legislation based on similar principals as PIPEDA that applies in each province. This Policy is based on the principles and rules set out in all applicable privacy legislation.

Definitions (specific to this policy only)

Personal Information — means information about an identifiable individual but does not include “Business Card Information.”

Privacy Officer — means the individual or individuals appointed from time to time by Oncidium to be accountable for Oncidium’s compliance with this and related privacy policies.

Publicly Available Information — means information that is deemed to be publicly available as set out in applicable privacy legislation.

Business Card Information – means information about an individual’s working life or profession that is excluded from the definition of personal information in applicable privacy legislation – e.g. name, position name, work address and work telephone number.

Breach of Security Safeguards - means the loss of unauthorized access to or unauthorized disclosure of personal information resulting from a breach of Oncidium’s security safeguards.

The Privacy Principles

Policy 1 – Accountability

Oncidium is responsible for all personal information under its control and will designate one or more individuals who will be accountable for the organization's compliance with applicable privacy legislation and its policies and procedures.

The individual appointed to be accountable for Oncidium compliance will be designated as the Privacy Officer. Oncidium will appoint an appropriate person in this capacity that has sufficient authority within the organization to ensure compliance.

Privacy Officer

3700 Steeles Avenue West, Suite 600
Vaughan, ON L4L 8K8
1-877-366-3816
privacy@cloudmd.ca

Oncidium will use reasonable means to ensure that personal information is given a comparable level of protection while being processed by a service provider. It will do so by employing due diligence in selecting third parties, contracting with third parties and working with third parties.

Oncidium currently uses a customer relationship tool that is hosted in the United States and that may be used to transmit and store personal information. Oncidium employees, contractors and service providers may also work from outside Canada using Oncidium systems that are hosted in Canada. Service providers are authorized by Oncidium to collect, use and disclose personal information to facilitate the provision of service.

Policy 2 – Identifying Purposes

Oncidium will identify the purposes for which Oncidium collect personal information at or before the time the information is collected from individuals.

Oncidium may choose to identify such purposes orally or in writing. Written notification will be used whenever practical to do so. Common purposes for collection include:

verifying the circumstances surrounding loss, damage or injury;
verifying the amount payable for loss, damage or injury;
verifying the availability of benefits payable under the policy;
verifying the circumstances leading to the formation of the insurance contract;
protecting Oncidium and/or the insurer and/or the client against inaccuracy;
protecting Oncidium and/or the insurer and/or the client against fraud

Oncidium may choose to orally explain to individuals the purposes for which personal information is being collected and then simply place a note in the relevant file indicating that this has been done.

Oncidium will identify any new purposes that arise during the course of dealing with personal information – and obtain prior consent for this new use – even if Oncidium has already identified certain initial purposes. However, Oncidium will only do this when the intended new purpose truly constitutes a "new" use (i.e., when the purpose now being proposed is sufficiently different from the purpose initially identified).

Policy 3 – Consent

Oncidium will obtain the appropriate consent from individuals for the collection, use, or disclosure of their personal information, except where the law provides an exemption.

Oncidium may obtain express consent for the collection, use, or disclosure of personal information or Oncidium may determine that consent has been implied by the circumstances. All consent must be informed and obtained fairly without deception.

Express consent is an affirmative authorization given by the individual to Oncidium, either orally or in writing. Medical assessors retained to assess a claim, for example, ordinarily obtain express consent from claimants.

Implied consent is one in which Oncidium has not received an affirmative authorization but the circumstances make it reasonable to believe that an individual understands how Oncidium will collect, use or disclose personal information and has given Oncidium permission.

Express written consent includes a client:

signing a consent form
providing a letter, claim form or other document authorizing certain activities; and
providing an authorization electronically (through a computer).

Express, oral, consent can be given in person or over the telephone. If Oncidium obtains express oral consent, Oncidium will make note of that consent in the file.

Subject to legal exceptions, consent may be withdrawn at any time. Oncidium generally requires such withdrawal to be in writing. There may be serious consequences to failing to provide or withdrawing consent, such as Oncidium’s inability to properly investigate a claim presented or the circumstances surrounding a liability claim.

Depending on whether a new purpose is identified during the course of dealing with the personal information, Oncidium may choose to seek a new consent.

Exceptions — there are circumstances set out in applicable legislation that permit Oncidium to collect, use or disclose of personal information without consent. The scope of the exceptions varies in each applicable statute.

Policy 4 – Limiting Collection

The personal information Oncidium collects will be limited to that which is necessary for the purposes Oncidium has identified.

Oncidium will only collect personal information for specific, legitimate purposes. Oncidium will not collect personal information indiscriminately.

Oncidium will only collect information by fair and lawful means and not by misleading or deceiving individuals about the purpose for which information is being collected.

Oncidium policies and procedures relating to the limitations on collection of personal information will be communicated to staff members who collect personal information.

Oncidium may need to obtain personal information about individuals from third parties, for example, those parties identified in a consent form.

Policy 5 – Limiting Use, Disclosure, and Retention

Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Oncidium will only retain personal information as long as necessary for the fulfillment of those purposes.

Oncidium will only use or disclose personal information for legitimate, identified purposes.

Oncidium will retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.

Oncidium will establish minimum and maximum retention periods for records containing insured/claimant/client personal information.

Personal information that has been used to make a decision about an individual will be retained long enough to allow the individual access to the information after the decision has been made.

Personal information that is no longer required to fulfill identified purposes will be destroyed, erased, or made anonymous. See Policy 7 – Safeguards.

Policy 6 – Accuracy

The personal information Oncidium collects will be as accurate, complete and up to date as is necessary for the purposes for which it is to be used.

Oncidium will, on an ongoing basis, take reasonable steps to ensure the accuracy and completeness of personal information under its care and control.

Individuals who provide their personal information to Oncidium must do so in an accurate and complete manner. Oncidium’s goal is to minimize the possibility that inaccurate information is used to make a decision about any individual whose personal information Oncidium processes.

The process for ensuring accuracy and completeness will involve:

initial collection from the insurer or other instructing principal preferably in writing
contact with the claimant/insured/client or witness and where appropriate, documenting information in a statement or by letter or e-mail
verifying accuracy as appropriate by contacting third parties (g., motor vehicle and driver licensing authorities, police, fire departments, fire marshals, authorities with jurisdiction, insurance brokers, other adjusters and any other party that can substantiate the type and nature of an occurrence or circumstance) including date, time and place of persons who may have been present and which is relied upon by an insured/claimant/client to support their claim for loss, damage or injury
facilitating assessments that are conducted by competent medical professionals

Policy 7 – Safeguards

Oncidium will safeguard personal information under its control in a manner that is appropriate to the sensitivity of the information.

Oncidium will safeguard personal information, regardless of the format in which it is held, against loss or theft, and against unauthorized access, disclosure, copying, use, or modification.

More sensitive information will be safeguarded by a higher level of protection.

In determining what safeguards are appropriate, Oncidium will consider all relevant factors. For example:

the sensitivity of the information;
the amount of information held;
the format in which the information is held; and
the foreseeable risks

When transferring personal information to a third party, Oncidium will remove or mask any information that is not reasonably needed by the third party.

Oncidium methods of protection may include:

physical measures, such as locked filing cabinets and restricted access;
organizational measures, such as security clearances and limiting access on a "need-to-know" basis;
technological measures, such as the use of passwords and encryption;
protocols for keeping physical files secure during travel;
protocols for conducting work remotely;
rules governing use of passwords and log in information; and
regular communication to employees and others to support data security.

Oncidium will ensure that the policies and procedures on safeguarding personal information are reasonably communicated and accessible to employees by:

training staff on the subject of personal information protection; and
having periodic staff meetings in which Oncidium will review the procedures and revise where appropriate.

Oncidium will take reasonable precautions in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information. These measures may include securely shredding physical documents and deleting electronically stored information in a manner that prevents it from being readily recovered.

All employees must promptly report any known or suspected Breach of Security Safeguards (all “incidents”) to the Privacy Officer. Oncidium will investigate all reports and respond appropriately with a view to understanding incidents, containing them, mitigating the potential for harm and improving safeguarding practices to prevent future incidents.

Oncidium will notify individuals and regulators of a Breach of Security Safeguards in accordance with applicable laws and regulations and otherwise will notify individuals when it concludes that an incident gives rise to a real risk of significant harm.

Policy 8 – Openness

Oncidium will make readily available to individuals’ specific information about the policies and procedures relating to the management of personal information which is under the Corporation’s control.

Individuals will be able to inquire about the policies and procedures without unreasonable effort.

All staff members will be aware of who the Privacy Officer is so that members of the public can easily be informed.

Oncidium may choose to make information about the policies and procedures available in a variety of ways, for example:

mailing out information;
establishing a primary section on their website;
establishing a toll-free telephone number; or
establishing standardized wording to be included in letters and e-mails to the insured/claimant/client as part of their first written communication.

The information Oncidium makes publicly available will include:

the name or title, and the address of the Privacy Officer;
the means of gaining access to personal information held by the corporation;
a description of the type of personal information held by Oncidium and a general account of its use;
written information that explains the policy; and
a general list of the kinds of personal information made available to other organizations (i.e.: insurance companies and other third parties).

Policy 9 – Individual Access

Upon request, an individual will be informed of the existence, use, and disclosure of his or her personal information which is under Oncidium control, and may be given access to, and challenge the accuracy and completeness of that information in accordance with applicable law.

Oncidium will act as agent of the insurer or administrator of a self-insured plan and where a written request is made by an individual to be informed of whether or not Oncidium holds personal information about him or her, Oncidium should immediately refer that inquiry to their instructing principal and ask for instructions.

To the extent that Oncidium is not an agent for a principal, upon written request, an individual will be informed as to whether or not Oncidium holds personal information about him or her. If Oncidium does hold such personal information, upon written request, Oncidium will provide access to the information, as well as a general account of its use in accordance with applicable law.

The manner in which access will be given may vary, depending on the format in which the information is held (i.e., hard copy or electronic), the amount of information held and other factors. Oncidium may provide original source information but not documentation that merely repeats or incorporates the information in our internal work product.

Upon written request, Oncidium will provide a list of third parties to whom Oncidium may have disclosed an individual's personal information. If Oncidium is unsure exactly which third parties may have received the information, Oncidium will provide a list of third parties likely to have received the information.

Individuals will be required to provide sufficient information to Oncidium to permit the corporation to provide an account of the existence, use and disclosure of personal information.

The procedure for making a request is as follows:

All requests must be made in writing.
Oncidium will respond to a request within 30 days after receipt of the request, unless Oncidium first advises the person that Oncidium needs a longer period to respond.
Reasons – If Oncidium refuses a request, Oncidium will inform the individual in writing of the refusal, explaining the reasons and any recourse the individual may have, including the possibility that they may file a complaint with the Privacy Commissioner of Canada or provincial Privacy Commissioners.
Deemed refusal – Notwithstanding sub-paragraphs (2) and (3), if Oncidium does not respond within the above time limit, Oncidium will be deemed to have refused the request.
Costs for responding – Oncidium may require payment of a modest fee to cover administrative costs associated with preparing a response (and do so in accordance with applicable law).

There are also exceptions in applicable privacy legislation that may allow or require Oncidium to deny access. For example, applicable legislation may allow Oncidium to deny access when:

personal information about another person might be revealed;
commercially confidential information might be revealed;
someone's life or security might be threatened;
the information was collected without consent for the purposes related to an investigation of a breach of an agreement or contravention of the law; or
the information was generated during the course of a formal dispute resolution process.

Policy 10 – Challenging Compliance

An individual may address a challenge concerning compliance with the above policies and procedures to the Privacy Officer.

Upon request, individuals who wish to inquire or file a complaint about the manner in which Oncidium handled their personal information – or about Oncidium’s personal information policies and procedures – will be informed of their applicable complaint procedures.

To file a complaint, an individual must notify Oncidium in writing providing basic information and a description of the nature of the complaint.

The procedure for filing a complaint about Oncidium is as follows:

a written request must be filed with the Privacy Officer;
Oncidium will acknowledge the complaint right away;
Oncidium will assign someone to investigate;
Oncidium will give the investigator unfettered access to files and personnel, etc.;
Oncidium will clarify facts directly with the complainant, where appropriate; and
Oncidium will advise the complainant in writing of the outcome of their investigation, including any steps taken to rectify the problem, if applicable.

Oncidium will document all complaints, as well as the actions in response to complaints, by noting these details in the individual's file and also in a master privacy file.