Clinidata
a division of Sykes Assistance Services Corporation
Privacy Policy
POLICY STATEMENT
This privacy policy is the foundation for Clinidata's information practices. Clinidata will
comply with all applicable privacy legislation and adopt the 10 privacy principles set out
in the National Standard of Canada Model Code for the Protection of Personal
Information (PIPEDA).
OBJECTIVE
To set out the principles upon which Clinidata collects, uses and discloses personal
information and personal health information.
PROCEDURE
Commitment to Privacy
As a leading Canadian provider of patient-centred telehealth advisory services, nursing
triage and health information services, Clinidata is responsible for protecting the privacy,
confidentiality and security of personal information in its custody and control. Clinidata
is committed to a high standard of privacy for its information practices. Clinidata
complies with all applicable privacy legislation and adopts the 10 privacy principles set
out in the National Standard of Canada Model Code for the Protection of Personal
Information, which is Schedule 1 to the Protection of Personal Information and
Electronic Documents Act (Canada) (PIPEDA). These principles include:
1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure, and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
© Clinidata a division of Sykes Assistance Services 2007 All rights reserved 1
Scope
This policy applies to personal information and personal health information of patients
and employees which is collected, used or disclosed by Clinidata and its employees,
contractors and agents during the course of providing services. Services that Clinidata
provides include primary care teletriage, health information and advice, disease
management, public health support services, pharmaceutical support services, benefits
and corporate health management, as well as web based services.
Protection of Personal Information of Canadians
Clinidata is a division of Sykes Assistance Services Corporation, which is a Canadian
corporation. Sykes Assistance Services Corporation is a subsidiary of Sykes
Enterprises Incorporated, a US public company. Clinidata employs stringent privacy
and security measures, including technical, contractual and corporate measures to
protect the personal information of Canadians in its custody and control from
inappropriate disclosure to foreign governments.
PRIVACY PRINCIPLES
Clinidata has implemented a privacy program to meet the following privacy goals:
Principle 1 - Accountability for Personal Information
· Clinidata is responsible for protecting personal information in its custody or under its
control and has designated a Privacy Officer in each jurisdiction in which it operates
to be responsible for implementing Clinidata's privacy program. The Privacy Officer
is accountable for facilitating compliance with applicable federal and provincial
legislation and these principles.
· Clinidata is responsible for personal information in its possession or custody,
including information that has been transferred to a third party for processing.
Clinidata will use contractual or other means to provide a comparable level of
protection while the information is being processed by a third party.
· The names and contact information for the Privacy Leadership designated by
Clinidata to oversee compliance with these principles will be made publicly available.
· The Privacy Officer is responsible to:
o Implement information practices to protect personal information, including
information relating to patients, employees, and agents.
o Identify and address any potential privacy compliance issues.
o Establish policies and procedures to receive and respond to complaints and
inquiries.
o In conjunction with the Manager of Staff Development and the Educators, train
and communicate to staff and agents information about Clinidata's information
practices.
o Develop plans and communicate to the public and key stakeholders information
to explain Clinidata's information practices.
· Clinidata's senior management is ultimately responsible for privacy compliance on
behalf of the organization. Privacy is part of Clinidata's comprehensive Quality
Management program.
· All Clinidata employees and agents are responsible for individual compliance with
Clinidata's information practices for personal information that they collect, use and
disclose in the course of their duties.
Principle 2 - Identifying Purposes for the Collection of Personal Information
At or before the time personal information is collected, Clinidata will identify the
purposes for which personal information is collected. The least amount of information is
collected, with the highest degree of anonymity to fulfill the specified purpose. The
primary purposes for collecting personal information are:
o to provide health care or assist in providing health care
o to provide support services (i.e. public health, pharmaceutical, employee health
and corporate support)
o for planning purposes
o for research, teaching or to compile statistics
o to obtain payment for services
o for quality and risk management activities and for patient satisfaction surveys
o to meet legal and regulatory requirements
· Identifying the purposes for which personal information is collected at or before the
time of collection allows Clinidata to determine the information it needs to collect to
fulfill these purposes.
· Depending upon the way in which the information is collected, explanation of
purposes can be given orally or in writing: for example, an enrolment form, or posted
notice, may give notice of the purposes. A patient who seeks assistance and
receives an explanation is also giving implied consent for the use of his or her
personal information for authorized purposes. Patients will be given the option to
accept or reject each such use.
· When personal information that has been collected is to be used for a purpose not
previously identified, the new purpose will be identified prior to use. Unless the new
purpose is required by law, the consent of the individual is required before
information can be used for that purpose.
Principle 3 - Consent for the Collection, Use, and Disclosure of Personal
Information
The knowledge and consent of the individual are required for the collection, use, or
disclosure of personal information, except where inappropriate. In order to be
knowledgeable, Clinidata will make a reasonable effort to ensure that the individual is
advised of the purposes for which the information will be used. The purposes must be
stated in such a manner that the individual can reasonably understand how the
information will be used or disclosed.
Consent Application
· When consent is required, Clinidata obtains the consent of the individual before
collecting the information. If additional consent is required for use and disclosure,
consent will be obtained from the individual before the use or disclosure occurs.
· Personal information is deemed to have been collected with appropriate consent and
notification if it was collected before January 1, 2004.
Forms of Consent
· The way in which Clinidata seeks consent may vary, depending on the
circumstances and the type of information collected. Consent may be expressed
(oral or written) or implied. Clinidata has developed approved consent processes for
the collection, use and disclosure of more sensitive information.
· There are three main options for determining the appropriate form of consent or
process to be followed:
o Express or explicit consent: Individual is properly informed and explicitly gives
permission, either in writing or orally, before action is taken.
o Implied or deemed consent: Permission is implied based on the circumstances of
the transaction such that the individual intentionally and directly releases the
information to the corporation or that the nature and purposes of the collection
are so clear to the individual that they do not need to be stated or explained.
o Opt-out: An individual is given reasonable opportunity to express their wishes; if
no response is given, consent is assumed. Opt-out forms of consent are not
used when providing patient-related services.
· Express or explicit consent is required for collection of all personal information from
patients, unless specifically authorized in policy. Express consent is also required in
order to disclose personal information to third parties, for example, sending a
patient's personal information to an emergency department or primary care
physician.
· Opt-out is only used when dealing with personal information limited to name and
location or contact information.
· Express or explicit consent contains the following minimal elements:
o An authorization from the individual or authorized representative;
o The purposes for collection, use or disclosure;
o The users or recipients of the personal information;
o An acknowledgement that the individual providing the consent understands the
risks of consenting or not consenting;
o The effective date, and if any, the expiry date of the consent;
o A statement that the consent may be revoked by the individual at any time.
· General consents are used to authorize collection, use and disclosure of personal
information for the time and conditions associated with an individual's engagement
with a program. Transactional consents are used to authorize one-time collection,
use or disclosure of personal information as part of a specific transaction.
· The form of consent will take into consideration the reasonable expectations of the
individual, the circumstances surrounding the collection, use, disclosure, the
sensitivity of the information involved and the purpose for which it is to be used.
Consent Process
· Only the individual or authorized representative can provide consent.
· Clinidata cannot refuse a service to an individual if they refuse to give their consent
for the collection, use or disclosure of personal information beyond what is
reasonably required to provide the service.
· An individual may refuse to give their consent for personal information to be
collected in relation to a specific purpose.
· An individual may withdraw consent at any time, subject to legal or contractual
restrictions and reasonable notice. Clinidata will inform the individual of the
implications of such withdrawal.
· Providing Clinidata with personal information is always the choice of the individual.
When a service is requested, Clinidata asks that the individual provide information
that enables Clinidata to respond to the request. In doing so, the individual consents
to the collection, use and disclosure to appropriate third parties of such personal
information for these purposes. The individual also authorizes Clinidata to use and
retain this personal information for as long as it may be required for the purposes
described above. The individual's consent remains valid even after the termination of
Clinidata's relationship with the corporate client, unless the individual provides
Clinidata with written notice that such consent is withdrawn.
Exceptions to Consent
· There are a number of legal exceptions to the requirement of consent, for example,
Clinidata may disclose personal information without the consent of the patient if the
patient or another person is at risk of harm. In addition, Clinidata has a number of
statutory reporting obligations, for example, the requirement to report a child in need
of protection to appropriate authorities.
· Where legislation in the jurisdiction allows, Clinidata can trace a patient phone
number without the individual's knowledge, through Emergency Medical Services, if
the patient is at risk of harm or others are at risk of harm.
Principle 4 - Limiting Collection of Personal Information
The collection of personal information will be limited to that which is necessary for the
purposes identified by Clinidata. Information will be collected by fair and lawful means.
· Clinidata will not collect personal information indiscriminately. Both the amount and
the type of information collected will be limited to that which is necessary to fulfill the
purposes identified.
· The requirement that personal information be collected by fair and lawful means is
intended to prevent Clinidata from collecting information by misleading or deceiving
individuals about the purpose for which information is being collected. This
requirement implies that consent with respect to collection must not be obtained
through deception.
Principle 5 - Limiting Use, Disclosure, and Retention of Personal Information
Personal information will not be used or disclosed for purposes other than those for
which it was collected, except with the consent of the individual or as required by law.
Personal information will be retained only as long as necessary for the fulfillment of
those purposes.
· If using personal information for a new purpose, Clinidata will document this
purpose.
· Clinidata has developed guidelines and implemented procedures with respect to the
retention of personal information. These guidelines include minimum and maximum
retention periods. Personal information that has been used to make a decision
about an individual will be retained long enough to allow the individual access to the
information after the decision has been made.
· Personal information that is no longer required to fulfill the identified purposes will be
destroyed, erased, or made anonymous. Clinidata has developed guidelines and
implemented procedures to govern the destruction of personal information.
Principle 6 - Ensuring Accuracy of Personal Information
Clinidata will make all reasonable efforts to ensure that personal information collected,
used or disclosed by or on its behalf is accurate and complete, as is necessary for the
purposes for which it is to be used.
· The extent to which personal information will be accurate, complete, and up to date
will depend upon the use of the information, taking into account the interests of the
individual. Information will be sufficiently accurate, complete, and up to date to
minimize the possibility that inappropriate information may be used to make a
decision about the individual.
· Clinidata will not routinely update personal information, unless such a process is
necessary to fulfill the purposes for which the information was collected.
· Personal information that is used on an ongoing basis, including information that is
disclosed to third parties, will generally be accurate and up to date, unless limits to
the requirement for accuracy are clearly set out.
Principle 7 - Ensuring Safeguards for Personal Information
Clinidata has developed security safeguards and information practices appropriate to
the sensitivity of the information to protect personal information.
· The security safeguards protect personal information against loss, theft,
unauthorized access, disclosure, copying, use, or modification. Clinidata protects
personal information regardless of the format in which it is held.
· The nature of the safeguards varies depending on the sensitivity of the information
that has been collected, the amount, distribution, and format of the information, and
the method of storage. A higher level of protection safeguards more sensitive
information, such as records of personal health information.
· The methods of protection include:
o Physical measures, for example, safe storage of records, locked filing cabinets
and restricted access to offices;
o Organizational measures, for example, limiting access on a "need-to-know"
basis, and
o Technological measures, for example, the use of passwords, encryption and
audits.
· Clinidata makes its staff and agents aware of the importance of maintaining the
confidentiality of personal information. As a condition of employment or agency, all
employees and agents must sign Clinidata's Confidentiality Agreement and an IT
acceptable use agreement on an annual basis.
· Care will be used in the disposal or destruction of personal information, in
accordance with approved Clinidata information practices, to prevent unauthorized
parties from gaining access to the information.
· All personal information in the custody or under the control of Clinidata and its
agents will be stored and accessed, including by remote access, only in Canada.
There will be no disclosure of personal information to the United States or other
foreign jurisdiction, absent an individual's express consent.
· Clinidata provides whistle blower protection for those employees reporting potential
breaches of privacy in good faith.
Principle 8 - Openness About Personal Information Policies and Practices
Clinidata will make readily available to individuals specific information about their
policies and practices relating to the management of personal information.
· Clinidata will provide information about its information practices with respect to the
management of personal information without unreasonable effort and in a form that
is generally understandable.
· The information made available includes:
o The contact information to reach members of the Privacy Office who are
accountable for Clinidata's privacy policies and information practices and to
whom complaints or inquiries can be forwarded;
o The means of gaining access and to request correction of personal information
held by Clinidata;
o A description of the type of personal information held by Clinidata, including a
general account of its use;
o A copy of any brochures or other information that explains Clinidata's policies
and information practices, and
o What personal information is made available to related organizations.
· Clinidata will make information on their information practices available in a variety of
ways to address varied information needs and to ensure accessibility to information:
for example, Clinidata may choose to make brochures available in places of
business, mail information to clients, post signs, provide online access, or provide
information electronically.
Principle 9 - Individual Access to Own Personal Information
Upon request, an individual will be informed of the existence, use, and disclosure of his
or her personal information and will be given access to that information. An individual
will be able to challenge the accuracy and completeness of the information and have it
amended, as appropriate.
· In certain situations, Clinidata may not be able to provide access to all the personal
information they hold about an individual. Exceptions to the access requirement will
be limited and specific. The reasons for denying access will be provided to the
individual upon request. Exceptions may include information that is prohibitively
costly to provide, information that contains references to other individuals,
information that cannot be disclosed for legal, security, or proprietary reasons, and
information that is subject to solicitor-client or litigation privilege.
· Upon request, Clinidata will inform an individual whether or not they hold personal
information about the individual. Clinidata will seek to indicate the source of this
information and will allow the individual access to this information. However, they
may choose to make sensitive health information available through a health care
practitioner. In addition, Clinidata will provide an account of the use that has been
made or is being made of this information and an account of the third parties to
which it has been disclosed.
· An individual will be required to provide sufficient information to permit Clinidata to
provide an account of the existence, use, and disclosure of personal information.
The information provided will only be used for this purpose.
· Clinidata will respond to an individual's request within a reasonable time and at no
cost to the individual. The requested information will be provided or made available
in a form that is generally understandable. For example, if Clinidata uses
abbreviations or codes to record information, an explanation will be provided to the
extent that it is reasonably practical.
· When an individual successfully demonstrates the inaccuracy or incompleteness of
personal information, Clinidata will amend the information as required, in accordance
with professional standards of practice for records of personal health information.
Depending upon the nature of the information challenged, amendment may involve
the correction, deletion, or addition of information. Information contained within
records of personal health information will not be deleted, but rather, the original
must be maintained, with any amendments or corrections being made in a
transparent manner. Where appropriate, the amended information will be transmitted
to third parties having access to the information in question.
· When a challenge is not resolved to the satisfaction of the individual, Clinidata will
record the substance of the unresolved challenge. When appropriate, the existence
of the unresolved challenge will be transmitted to third parties having access to the
information in question.
Principle 10 - Challenging Compliance with Clinidata's Privacy Policies and
Practices
An individual may bring a challenge concerning compliance with this policy to the Chief
Executive Officer.
· Clinidata has procedures in place to receive and respond to complaints or inquiries
about their policies and practices relating to the handling of personal information.
· Clinidata informs individuals who make inquiries or lodge complaints of the existence
of relevant complaint procedures, including complaints to federal or provincial
privacy oversight bodies.
· Clinidata investigates all complaints. If a complaint is found to be justified, Clinidata
will take appropriate measures, including, if necessary, amending its policies and
practices.
APPENDIX A
Definitions
Agent - a person who acts, with the authorization of the organization, for or on behalf of
the organization in exercising powers or performing duties with respect to personal
information for the purposes of the organization, and not the agent's own purposes,
whether or not employed by the organization or remunerated. Agents may include
volunteers, students, consultants, nurses, vendors and contractors.
Disclose - release or make personal information available to another person,
organization or information custodian; it does not mean to use the information.
Identifying information - any information that identifies an individual or that one could
reasonably foresee might be used either on its own or with other information to identify
an individual.
Information practices - an information custodian's policies concerning when, how, and
why the custodian routinely collects, uses, modifies, discloses, retains or disposes of
personal health information, and the administrative, technological and physical
safeguards and practices maintained to protect personal health information.
Personal health information - with respect to an individual, whether living or
deceased, means
(a) Information concerning the physical or mental health of the individual;
(b) Information concerning any health service provided to the individual;
(c) Information concerning the donation by the individual of any body part or any
bodily substance of the individual or information derived from the testing or
examination of a body part or bodily substance of the individual;
(d) Information that is collected in the course of providing health services to the
individual; or
(e) Information that is collected incidentally to the provision of health services to the
individual.
Personal information - means information about an identifiable individual, but does not
include the name, title or business address or telephone number of an employee of an
organization. Personal information includes personal health information.
Record - an information record in any form or media, including written, printed,
photographic or electronic form, but excluding computer programs and other
mechanisms that produce a record.
Security - the physical, technological and administrative protective measures and
techniques that are designed to ensure that personal health information remains
confidential, available and uncompromised. This includes measures such as
encryption, passwords, and firewalls designed to prevent unauthorized access to
information, to protect the integrity of computing resources and to limit the potential
damage that can be caused by unauthorized access.
Use - to handle or deal with personal information but does not mean to disclose
personal information.
ADOPTED: March 2006
REVIEWED: June 2007
REVISED: June 2007