Privacy
PURPOSE
To outline the privacy principles to which Healthcare Excellence Canada (HEC) adheres and set out its practices relating to the collection, use and disclosure of personal information, including employee personal information, recognizing the need for HEC to collect, use and disclose personal information while managing and administering the employment relationship.
POLICY
HEC is committed to protecting individual privacy and ensures the collection, use and disclosure of personal information in accordance with the requirements within applicable provincial or territorial private sector privacy legislation and the principles set out in the federal Personal Information Protection and Electronic Documents Act.
Staff are accountable to maintain the confidentiality and security of personal information they have access to or become aware of during their role, and shall only collect, use, disclose and retain personal information in accordance with this policy.
Breach of this policy is a serious matter and may result in discipline up to and including dismissal without notice or pay in lieu thereof.
Accountability
HEC is responsible for the personal information under its control and has designated the Vice-President, Organizational Performance and Corporate Services accountable for HEC’s compliance with this policy.
This policy applies to HEC’s collection, use and disclosure of personal information in addition to, as applicable, HEC’s privacy procedures, and its public-facing privacy notices, including, but not limited to, its Web Privacy Policy.
To support HEC in meeting its privacy obligations, HEC maintains procedures for:
- Appropriate management of personal information;
- Privacy breach management;
- Responding to requests for access to personal information; and
- Responding to privacy inquiries and complaints.
HEC makes staff aware of the importance of maintaining the confidentiality of personal information through this policy.
Identifying Purposes
HEC collects personal information for the following primary purposes:
- Human resources management including recruitment and administering HEC’s relationship with its staff;
- Administering payments to staff and external stakeholders including, but not limited to, home address, banking information for electronic fund transfer payments, Social Insurance Numbers, and similar information; and
- Administering HEC programs and activities, including, but not limited to, projects, programs, awards and applications for which funding or other support is sought.
HEC makes individuals aware of the purpose(s) for which personal information is being collected at or before the time the information is collected. This may be done in writing (e.g., inclusion on a form or posted notice), as appropriate.
Consent
HEC relies on consent or an exception to consent for the collection, use and disclosure of personal information about staff and applicants for employment or for the purpose of administering these relationships.
HEC also relies on implied consent for the collection, use and disclosure of personal information about its partners and program applicants for the purposes of program delivery, including the administering and monitoring of awards. Any disclosures of personal information to organizations or individuals that are not HEC contractors or agents (e.g., reviewers) will be made only with express consent or as required by law. Where HEC publishes testimonials or reviews from providers, patients, or caregivers about their experience, it will request express consent for the publication.
If an individual from whom HEC has collected personal information wishes to withdraw their consent and/or place restrictions on the use or disclosure of their personal information, HEC will take reasonable steps to comply with the individual’s request. A request to withdraw consent is valid from the date that it is made and does not apply retroactively to HEC’s collection, use and/or disclosure of personal information and may be subject to legal and/or contractual restrictions.
HEC may be obliged by law or as per the terms and conditions of its contribution agreement with the Government of Canada (e.g., salary disclosure of executives) to disclose information without the consent of the affected person. Where disclosure occurs, HEC will not disclose more information than is required.
HEC may collect, maintain, use, and disclose employee personal information without consent only as reasonably necessary for the purposes of establishing, managing, maintaining, and terminating the employment relationship and as permitted by applicable law.
Employee Information Collected
HEC may collect the personal information of its employees in the course of employment. Types of employee personal information that HEC may collect include:
- Identifying information including name, home address, personal email address and phone number
- Date of birth, gender, nationality, citizenship, marital and family status
- Information contained in resumes and employment applications
- Contact information for beneficiaries and emergency contacts
- Payroll information including social insurance numbers, bank deposit information, and RRSP information
- Information relating to employee health and welfare benefits, including short- and long-term disability, medical and dental care
- Personal information about minors for the purposes of benefit administration
- Information contained in performance appraisals
- Information collected during workplace investigations
- Photographs and videos for placement on the HEC website, for internal use and display within HEC intranet (i.e., employee profile picture), on office displays, and/or for business development initiatives
- Other information that employees voluntarily provide in the course of employment that is necessary for the operations of HEC
- Any other information collected pursuant to or authorized by applicable law
Personal information generally does not include business contact information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business, or profession.
Non-Employee Personal Information Collected
HEC may collect personal information from persons who are not employees while delivering programs, including the administration, and monitoring of awards, as well as from its Board of Directors. Types of personal information that HEC may collect include:
- Name
- Phone number
- Address
- Social Insurance Number
- Gender
- Date of Birth
- Likeness, including image and voice
Limiting Collection
HEC limits the collection of personal information to that which is necessary for the purposes identified.
HEC will collect personal information directly from individuals (or parent/guardian if under the age of 18) unless an individual has provided consent for HEC to collect personal information about them from another individual or organization.
Limiting Use, Disclosure and Retention
HEC will not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
Personal information of employees may be used for purposes relating to the management and administration of the employment relationship. These purposes include but are not limited to:
- Communicating with employees
- Ensuring the health and safety of employees and others
- Safeguarding HEC infrastructure and property
- Managing service development
- Record maintenance
- Budgeting, financial management and financial reporting
- Recruitment activities
- Performance evaluations
- Monitoring training requirements
- Promotion and succession planning
- Administration of salaries, wages, and benefits
- Managing workplace investigations and disciplinary matters
- Managing grievances and terminations
- Processing work-related claims (e.g., worker compensation, insurance claims)
- Managing expenses and reimbursements
- Complying with legal and other requirements, including under labour and employment law
- For any other purposes required for employee administration
From time to time, HEC may need to make personal information available to other unaffiliated third parties. HEC ensures that appropriate privacy terms are included in all agreements with contractors or agents to which personal information is disclosed, or that have access to personal information under the control of HEC, to limit the use, disclosure, and retention of such information. Third party service providers are expected to protect the confidentiality and security of personal information and only use personal information for the provision of services to HEC, and in compliance with applicable law.
HEC may share employee personal information with agents, consultants, data processors, service providers and other parties who require such information to assist HEC with administering the employment relationship. Unaffiliated third parties with whom employee personal information may be shared include, but not limited to:
- Professional advisors, such as accountants, auditors, lawyers, insurers, and other outside professional advisors.
- Service providers including those that provide payroll services, pension schemes, employee benefits, human resources services, IT systems and associated support, external medical and health practitioners, and other service providers
- Public and governmental authorities that regulate or have jurisdiction over HEC, including regulatory authorities, law enforcement agencies, and judicial bodies.
Personal information will be retained only if required to fulfill its intended purpose. HEC takes appropriate measures to ensure the secure disposal of personal information to prevent unauthorized use or disclosure. The period of retention may extend beyond the end of a period of employment.
Accuracy
HEC takes reasonable steps to ensure personal information will be as accurate, complete, and up to date as is necessary for the purposes for which it is to be used.
Employees are expected to ensure that their personal information is up to date and inform HEC of any significant changes to personal information (address, phone number, etc.).
Safeguards
HEC uses appropriate safeguards to protect personal information against loss or theft, as well as unauthorized access, disclosure, use or modification. The methods of protection include physical, organizational, and technological measures.
HEC also requires third parties who are provided with personal information, including its independent reviewers and members of committees, its contractors and consultants, its partners, etc. to keep such information confidential, to use it only for the specific purpose for which it was provided, and to manage and protect it at all times in accordance with standards established by HEC.
HEC aims to adhere to the principles of OCAP (Ownership, Access, Possession and Control) as it pertains to the collection, use and disclosure of information about First Nations; OCAS (Ownership, Control, Access, and Stewardship) as it pertains to the collection, use and disclosure of information about Métis; and Inuit Research Principles as it pertains to the collection, use and disclosure of information about Inuit. These principles establish how information should be collected, accessed, used, and shared. HEC will seek to endeavor to obtain express consent to obtain, use and disclose any information pertaining to First Nations, Inuit, or Métis in accordance with these principles when possible, recognizing that HEC may not always be aware of situations where this is applicable (for example, if an individual has not disclosed to HEC that they are First Nations, Inuit, or Métis).
Privacy breaches will be promptly reported to the Vice-President, Organizational Performance and Corporate Services/delegate. HEC will respond to and resolve all privacy breaches in accordance with its privacy breach management procedures.
Openness
HEC makes information about its policies and practices relating to the management of personal information readily available on its public website.
Individual Access
HEC will take reasonable efforts to provide an individual, on request, with access to the records of their personal information that HEC has collected and retained, and with information about how that information has been used, and to whom it has been disclosed. HEC will request and verify identifying information from the requester prior to the release of any personal information. HEC will respond to all requests for access to personal information within 30 calendar days unless a reasonable extension is required. There will be no cost for reasonable requests to access information.
In certain situations, HEC may not be able to provide access to all the personal information it holds about an individual. This may include, but is not limited to, situations in which disclosure would breach legal privilege, reveal confidential commercial information, reveal information collected for an investigation or legal proceeding, reveal personal information about another person, or any other reason provided under applicable legislation. The specific exemptions available will depend on the applicable law. In such instances, the reasons for denying access will be provided to the individual. If the request for access involves information that is under the control of another organization with whom HEC partners, HEC will direct the individual to the other organization.
HEC will correct, on request, any factual inaccuracies in personal information that HEC has collected or retained, once satisfactory evidence is provided by the individual to whom it relates, or by a program applicant, partner or co-funder with the knowledge and consent of the individual to whom it relates.
Personnel files are the property of HEC. Depending on the jurisdiction of employment, currently employed HEC employees may request to review a copy of their personnel file. If an employee believes information about them is incorrect, they may request an update of that information by making a request to a Human Resources representative. Where information will be disclosed to an employee, HEC will endeavour to provide the information in question within a reasonable time. HEC may require sufficient information to allow it to confirm that the person making the request is authorized to do so before granting access or making corrections. HEC may, subject to applicable laws, decline to provide access to personal information contained in personnel files.
Challenging Compliance
An individual will be able to address a challenge concerning compliance with the above principles to the Vice-President, Organizational Performance and Corporate Services.
The Vice-President, Organizational Performance and Corporate Services/delegate will respond to all privacy inquiries and complaints within 10 business days. All complaints will be investigated, and appropriate corrective actions implemented to address any issues with HEC’s information handling practices and policies.
DEFINITIONS
“Personal Information” means any information about an identifiable individual. Applicable privacy laws may provide exceptions to consent, access requests, and other requirements in the case of business contact information of an individual that the organization collects, uses, or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business, or profession.