Introduction

PiOT is committed to protecting the privacy of its employees, contractors, clients and confidential business information.

Employees or contractors are obligated to ensure that personal information, to which they may have access remains confidential, is only used for the purposes for which it was collected, is not disclosed without authorization or used for personal gain.

Employees or contractors are required to follow all procedures regarding collection, use, and disclosure of personal information as set out in this policy.

Employees or contractors who disclose personal information, contrary to this policy will be subject to disciplinary measures, up to and including discharge for cause.

The Privacy Manager is accountable for the implementation of this policy. Any issues or questions regarding this policy should be directed to Privacy Manager.

Policy Purpose

All employees or contractors at one time or another may receive personal information, personal medical information, privileged and/or confidential information which may concern other employees or contractors, company operations or clients. The purpose of this policy is to preserve the privacy of employees or contractors, clients and PiOT, by outlining obligations and procedures for dealing with personal, privileged and/or confidential information.

Definitions

Personal information” is any information about an identifiable individual and includes race, ethnic origin, colour, age, marital status, family status, religion, education, medical history, criminal record, employment history, financial status, address, telephone number, and any numerical identification, such as Social Insurance Number. Personal information also includes information that may relate to the work performance of the individual, any allegations, investigations or findings of wrongdoing, misconduct or discipline. Personal information does not include job title, business contact information or job description.

Personal health information” is information about an identifiable individual that relates to the physical or mental health of the individual, the provision of health care to the individual, the individual’s entitlement to payment for health care, the individual’s health card number, the identity of providers of health care to the individual or the identity of substitute decision-makers on behalf of the individual.

Third parties” are individuals or organizations other than the subject of the records or representatives of PiOT.  Note that in certain circumstances, the company may be entitled to provide personal information to an external party acting as an agent of PiOT.

Procedure

Responsibilities

  1. Employees or contractors are responsible for (but not limited to):
  • using the Release of Information/ Consent Form and authorizations prior to disclosure of personal, privileged and/or confidential information;
  • immediately reporting any breaches of confidentiality to their Supervisor;
  • keeping private passwords and access to personal, privileged and/or confidential data;
  • explaining this policy to clients and referring them to the Privacy Manager if necessary;
  • being familiar with and following policies and procedures regarding personal information; for example, (as outlined in PiOT’s Confidentiality policy) keeping client information confidential by:
    • keeping files in a locked filing cabinet or drawer when not in use;
    • keeping files in a locked trunk or brought with you when you are transporting files to a client location;
    • ensuring all electronic devices (computers, cell phones, memory sticks etc.) and individual electronic client files are password protected;
    • using client initials only when naming them in files or referring to clients;
    • relinquishing any personal, privileged, confidential or client information in their possession before or immediately upon termination of employment;
    • returning all electronic and paper client files to PiOT for secure storage when service to client is completed. Deleting all dormant client files from electronic devices;
    • shredding all personal information and personal health information;
    • protecting documents by a double password (client name is the first password and the second is the company password) when sending personal information or personal health information by email.
  1. Supervisors are responsible for (but not limited to):
  • obtaining consent to the collection and use of personal information from employees or contractors by using Release of Information/ Consent Form;
  • ensuring policies and procedures regarding collection, use and disclosure of information of personal information are consistently adhered to;
  • responding to requests for disclosure after the proper release is obtained;
  • cooperating with the Privacy Manager to investigate complaints or breaches of policy;
  • obtaining from terminating employees or contractors prior to their termination any personal information, personal medical information, privileged, confidential or client information in their possession;
  • ensuring that disclosure of personal information or personal health information to a Third Party is done with the approval of the Privacy Manager in order to minimize risk of non-compliance with applicable legislative or regulatory regimes.
  1. The Privacy Officer is responsible for:
  • internal compliance with applicable policies or legislation;
  • cooperating with supervisors and administrative personnel in developing internal policies for the collection, use and disclosure of client personal information, client personal health information and personal information from employees or contractors;
  • monitoring and responding to Third Party requests for personal information or personal health information;
  • ensuring appropriate consents are obtained for the collection (including attaching the written consent from the client to the OCF 18), use and disclosure of personal information and personal health information;
  • where collection, use or disclosure is permitted without prior consent, notifying individuals of the collection, use and disclosure of personal information and/or personal health information after such occurrence.

Client Information

  1. Personal, privileged and/or confidential information about clients may only be collected, used, disclosed and retained for the purposes identified by PiOT as necessary.
  2. Employees or contractors must ensure that no personal, privileged and/or confidential client information is disclosed without the client’s consent and then only if security procedures are satisfied.
  3. Client information is only to be accessed by employees/contractors with appropriate authorization.
  4. Unless retention of personal information is specified by law for certain time periods, personal information that is no longer required to fulfill the identified purpose shall be destroyed, erased or made anonymous within 10 years after its use.
  5. Personal information that is the subject of a request by an individual or a Privacy Commission shall be retained as long as necessary to allow individuals to exhaust any recourse they may have under PIPEDA.

Complaints

Concerns or complaints related to privacy issues must be made, in writing, to the Privacy Manager setting out the details of the concern or complaint. The Privacy Manager shall investigate the matter forthwith and make a determination related the resolution of the concern(s) or complaint.

Arvinder Gaya
Privacy Manager/ PiOT Director
6-14845 Yonge Street,
Suite # 346
Aurora, ON L4G 6H8

Tel: 647.847.4005
Fax: 647.933.2920
Email: info@piot.ca