Who does this policy apply to?
CORE values our customers and takes privacy seriously. We have policies in place for collecting, using, and securing all private personal and business information.
- We do not sell customer information.
- We do not provide customer information to persons or organizations outside of CORE, for their own marketing purposes.
- We afford prospective and former customers the same protections as existing customers with respect to the use of personal and business information.
- We collect and use information that is necessary to administer our business.
- We may collect information from customers:
- on customer applications (such as telephone, address, credit history, credit card and banking information).
- from your transactions and interactions with us.
- We share information about our transactions and experiences with you within CORE to better serve you. We may also disclose customer information about you to our suppliers or organizations outside of CORE as permitted or required by law.
- By working/engaging with CORE, you provide CORE with your consent to the collection, use, and disclosure of certain personal and/or business information, including that previously collected, for the purposes of communicating with you; assessing your application, analyzing business results, and acting as required by law
How does CORE protect your personal and/or business information?
- CORE maintains physical, electronic, and organizational safeguards to protect customer information. We continually review our policies and practices, monitor our computer networks, and test the strength of our security to help us ensure the safety of customer information.
- We utilize computer systems that restrict access to customer information.
- When communication with customers regarding personal and/or business information we will ensure there are Administrative Safeguards in place, which include:
- Notice in emails that information is confidential
- Providing instructions for when email is received in error
- Communicate by professional (business) vs personal accounts
- Confirming recipient email address is current
- Checking that email address is typed correctly
- Restricting access to email system and content on a need-to-know basis
- Informing individuals of email changes
- Acknowledge receipt of emails when content includes orders, changes to orders, payments, agreements or contracts, notices or complaints or when message contains information of high importance
- Recommending that recipients implement these safeguards
- CORE will limit the amount and type of Personal Health Information (PHI) included in an email
- CORE will ensure PHI information is stored on email servers and portable devices for as long as is necessary to serve the intended purpose
- Our physical premises have security safeguards that assist in the prevention of unauthorized access to our facility. These safeguards include locked offices, security pass entrance, alarm system with video surveillance and sign in requirements for visitors to the premises.
- CORE restricts access to customer information to those employees and contractors that the management of CORE has determined as a “need to know” that information in order that CORE may provide services to its customers.
- We have established procedural requirements and trained our staff to be respectful and to comply with this policy.
- Under PHIPA (Personal Health Information Protection Act, 2004, c. 3) as Health Information Custodians CORE will ensure that personal health information is collected, used, stored and shared in a way that protects the confidentiality of the information, and privacy of individuals.
- Customer information will be stored in accordance with our record archiving policy.
- We will retain customer information only for the time frame that is either:
- required for the purposes as explained to you;
- as recommended by regulators, accreditation bodies or legal counsel;
- as required to perform the services of CORE; or
- as required by law.
- When we dispose of customer information we will do so in a secure manner.
What will CORE do in the event of a data breach?
Upon learning of a privacy breach, CORE will take immediate action. The following steps will be carried out simultaneously or in quick succession.
- NOTIFY STAFF AND OTHER CUSTODIANS
- Notify appropriate staff of the breach, including the privacy officer or other staff members responsible for privacy.
- Depending on the nature or seriousness of the privacy breach, the information technology and communications staff should be notified.
- If the breach involves PHI (Personal Health Information) on an electronic system shared between multiple custodians, notify all affected custodians.
- IDENTIFY THE EXTENT OF THE BREACH AND TAKE STEPS TO CONTAIN IT
- Identify the scope of the breach, including individuals or organizations who may have been involved with or are responsible for the breach, and the nature and quantity of PHI that is affected.
- Retrieve any copies of PHI that have been disclosed.
- Ensure no copies of PHI have been made or retained by anyone who was not authorized to receive the information. Record the person’s contact information in case follow-up is required. Determine whether the breach would allow unauthorized access to any other PHI, for instance if it is on a shared system.
- Take whatever steps are appropriate, such as changing passwords and identification numbers and/or temporarily shutting down your computer system.
- NOTIFY THE INDIVIDUALS AFFECTED BY THE BREACH
- Notify individuals affected by a breach at the first reasonable opportunity. Notification can be by telephone or in writing.
- There are many factors to consider when deciding on the best form of notification (e.g., the sensitivity of the information breached). If unsure, contact the IPC (Information Privacy Commissioner) to discuss the most appropriate form of notification.
- When notifying individuals/businesses affected by a privacy breach, you should provide the following information:
- where appropriate, the name of the employee responsible for the unauthorized access or the date of the breach
- a description of the nature and scope of the breach
- a description of the information (PHI, Financial, etc.) that was subject to the breach
- the measures implemented to contain the breach, and
- the name and contact information of the person in your organization who can address inquiries
- Notice to affected individuals must include a statement letting them know they are entitled to make a complaint to the IPC (Information Privacy Commissioner). Under PHIPA, custodians must report certain privacy breaches to the IPC and cooperate with the IPC, as described in Reporting a Privacy Breach to the Commissioner: Guidelines for the Health Sector.
- If financial information or information from government-issued documents, such as health card numbers, bank or credit card details are involved, the following statements can be included in the notice:
If you are concerned that you may be a victim of fraud, you may request these bureaus place a fraud alert on your credit files instructing creditors to contact you before opening any new accounts.
If your health card number has been affected by the breach, you should call Service Ontario INFO line at 1-866-532-3161 or 1-800-387-5559 to report your lost or stolen health card number. If you suspect misuse of your health card number, you can report suspected cases of fraud by calling the Ministry of Health and Long-Term Care at 1-888-781-5556 or e-mail at firstname.lastname@example.org.
You may also wish to review this publication from the Information and Privacy Commissioner of Ontario, Identity Theft: A Crime of Opportunity.
- INVESTIGATE AND REMEDIATE
Conduct an internal investigation to:
- ensure the immediate requirements of containment and notification have been met
- review the circumstances surrounding the breach, and
- review the adequacy of existing policies and procedures in protecting PHI
Address the situation from a systemic basis; in some cases, program-wide procedures may warrant a review. For example, administrative or security controls on an electronic system may be insufficient and need to be updated or augmented.
Can I review and, if needed, correct my customer information?
- CORE tries to ensure that all customer information on file is as accurate, correct, and complete as necessary for CORE to run its operations safely and efficiently. Information contained in inactive or closed files is not actively updated or maintained.
- CORE will allow customers to review their information at any time.
Who should you contact for questions or concerns?
CORE’s Privacy Officer is Leslie Gallagher who can be contacted at 416-260-2673. We investigate all privacy complaints received. If we cannot resolve the matter to your satisfaction it can be escalated to the Office of the Privacy Commissioner of Canada.
EXC POL P009C