Health Association Nova Scotia's Privacy Commitment
Health Association Nova Scotia has a reputation for – and a commitment to – superlative service to its customers and to exercising integrity in everything we do. As part of this commitment, the Health Association respects the privacy of our customers by meeting or exceeding the standards set by law. Our privacy commitment is based on the ten principles of the Canadian Standards Association Model Code for the Protection of Personal Information, all of which are enshrined in law in the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance
This privacy commitment adopts the definition of personal information from PIPEDA:
“personal information” means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.
Principle 1 – Accountability
Health Association Nova Scotia is responsible for personal information under its control. As part of this accountability, the Health Association has designated an individual who is responsible for compliance with this policy and applicable legislation. Any inquiry related to our privacy practices may be directed to any of our customer service representatives, or escalated to the individuals listed below:
Health Association Nova Scotia
2 Dartmouth Road, Bedford, NS B4A 2K7
The Health Association is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. We seldom transfer personal information to third parties (other than another Health Association company or affiliate) for processing, but when we do we obtain assurances from the company that the personal information will be protected in the same manner as if the information was being processed by the Health Association directly and we also require that the company abide by this policy in every respect.
Principle 2 – Identifying Purposes
At the time that any personal information is collected, the Health Association will inform the individual concerned of the purposes for which the information is being collected. Individuals will be informed of the purposes in a manner that is clear, concise and comprehensible. Our customer service personnel are well-trained and knowledgeable in our privacy practices and are able to provide any further information on the purposes of collection, if such information is required. Depending upon the circumstances of the collection, this information may be provided orally or in writing.
At any time when it is proposed to use any personal information for a purpose that was not originally identified, the new purpose shall be identified prior to use and the consent of the individual will be obtained, unless such new consent is not required under law.
Principle 3 – Consent
Health Association Nova Scotia will obtain the informed consent of an individual concerned for the collection, use, or disclosure of that individual’s personal information, except as may be allowed by law. The Health Association will try to obtain consent for all anticipated purposes at the time of the collection of the personal information. In some circumstances this may not be possible, so the Health Association will obtain the informed consent of the individual before using the personal information. It will also do so if the Health Association proposes to use an individual’s personal information for a purpose for which consent was not initially obtained.
For all purposes, consent means informed consent. At the time that consent is sought, the Health Association will make reasonable efforts to advise the individual of all the purposes for which the personal information is being sought. As required under Principle 2, individuals will be informed of the purposes in a manner that is clear, concise and comprehensible.
The Health Association shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified purposes. This means that where consent is being sought for information that is not essential to the provision of the service, the provision of that information will be voluntary. It is the Health Association’s policy to obtain affirmative or “opt-in” consent for any collateral use of personal information. If certain personal information is necessary for the provision of a service, this will be communicated to the individual along with information related to why the personal information is necessary in such circumstances.
There may be circumstances where the consent of an individual may be implied by the circumstances. In such cases, the purposes for the collection and use of personal information must be clearly apparent and the Health Association may only use the personal information for the obvious purposes. For example, if an individual asks to be sent a particular item, the Health Association will need the individual’s name and address so that we can fulfill the request. In such a case, the Health Association can assume that the individual’s request for the item constitutes consent for specific purposes. In such a case, we will not use that information for any reason other than fulfilling the request.
Where practicable, consent for the collection, use and disclosure of personal information will be in writing. Whether consent in writing is required may vary with the circumstances, the sensitivity of the information in question and the proposed use of the information. The form of the consent sought by the Health Association may vary, depending upon the circumstances and the type of information. As a general rule, if the information is “sensitive”, written consent will be obtained. If the Health Association is seeking consent to acquire personal information from a third party (seeking a credit reference, for example), consent in writing will be required so that we can prove the consent of the individual when asked by the third-party information provider.
Health Association Nova Scotia will also take reasonable steps to determine whether an individual has the capacity to consent. For example, children are not necessarily able to consent to the collection, use and disclosure of their personal information. Disabled individuals may also be unable to consent, in which case the consent of a guardian or holder of a power of attorney may be necessary.
The law provides certain exceptions to the usual requirement to obtain an individual’s consent. For example, an organization may collect and use personal information in circumstances where the collection and/or use of such information is clearly in the interests of the individual and consent cannot be obtained in a timely way. Similarly, personal information may be collected and used without the consent of the individual if the information is reasonably required to investigate a breach of an agreement or a violation of the law and there is reason to believe that obtaining consent may compromise the availability or accuracy of such information. Front-line employees of the Health Association will not be given discretion to dispense with consent.
Principle 4 – Limiting Collection
Health Association Nova Scotia will not collect any personal information that is not reasonably necessary for the legitimate purposes identified and for which consent has been obtained. In addition, personal information shall be collected by fair and lawful means.
Principle 5 – Limiting Use, Disclosure, and Retention
Health Association Nova Scotia will only use, disclose or retain personal information for the legitimate purposes identified to the individual concerned and for which consent has been obtained. Personal information shall be retained only as long as necessary for the fulfillment of those purposes, except where a longer retention period is required by law. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. Some personal information may be retained incidentally as a result of routine computer backup operations. When this is the case, the personal information is not available for use by the Health Association.
Personal information that is no longer required to fulfill the identified purposes shall be destroyed, erased, or made anonymous.
Principle 6 – Accuracy
Personal information collected, used and disclosed by the Health Association shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. Information that will be used to make a decision about an individual should be as accurate as reasonably possible. If the Health Association does not have confidence in the accuracy of particular information, it shall not be used to make any decisions about the individual.
Nevertheless, the Health Association shall not routinely update personal information, unless the information needs updating to fulfill the purposes for which it was initially collected. Updating or confirming the reliability of personal information shall be done by communicating with the individual concerned, unless it is inappropriate in the circumstances.
Principle 7 – Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. All personal information shall be maintained on a “need to know” basis. All information shall be secured by physical, technical and policy measures as is prudent given the sensitivity of the personal information concerned. Any information related to the health and finances of an individual shall be afforded a very high level of security, at least in accordance with industry standards.
Principle 8 – Openness
The Health Association shall provide specific information about its personal information handling policies and practices to any individual upon request.
The Health Association’s personal information handling policies made available shall include:
- the name, title and address of the person who is accountable for the Health Association’s policies and practices and to whom complaints or inquiries can be forwarded;
- the means of gaining access to personal information held by the Health Association;
- a description of the type of personal information held by the Health Association, including a general account of its use; and
- what personal information is made available to related organizations (e.g., subsidiaries).
Principle 9 – Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. If, in the Health Association’s view, the information is accurate, the individual will be able to have the personal information annotated with his or her comments related to the alleged inaccuracy.
An individual requesting access to his or her personal information, or who is inquiring whether the Health Association holds any personal information related to him or her, shall be required to provide sufficient identifying information to allow the Health Association to search for his or her personal information. Such personal information provided to facilitate a search shall only be used for the purposes of a search and shall be destroyed as soon as practicable after conducting the search.
If possible and upon request, the Health Association will inform an individual of the source of any personal information, the uses to which it has been put and to whom it may have been disclosed.
The Health Association shall respond to an individual’s request within a reasonable time and at no cost. The requested information shall be provided or made available in a form that is generally understandable.
When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the Health Association shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question. When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by the Health Association. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.
Principle 10 – Challenging Compliance
Any individual with concerns related to the Health Association’s personal information handling practices or the manner in which his or her personal information has been collected, used or disclosed, shall be able to address those concerns to a customer service representative. If the concerns are not immediately resolved to the satisfaction of the individual, they will be immediately referred to the designated privacy officer for that Health Association Nova Scotia business. The privacy officer shall investigate the individual’s concerns and shall attempt to resolve any complaint as expeditiously and as fairly as possible. If a complaint is found to be justified, the Health Association shall take appropriate measures, including, if necessary, amending its policies and practices. If a complaint is not found to be justified, the individual will be informed of this conclusion and of his or her right to seek redress with the Office of the Privacy Commissioner.
The complaint procedure shall be made known to any individual expressing concerns and shall be personally explained to the individual if circumstances warrant.