I. YOUR PRIVACY RIGHTS
From January 1, 2004, all businesses that collect, use or disclose personal information in the course of commercial activities must comply with the Personal Information Protection and Electronic Documents Act (“PIPEDA”)which sets national standards for privacy practices in the private sector and gives you rights concerning the privacy of your personal information. A number of provinces have passed similar laws.
II. WHAT IS PERSONAL INFORMATION and PERSONAL HEALTH INFORMATION UNDER CANADIAN LAWS
“Personal Information” (“PI”) is defined as any information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization. For example, your PI includes information that relates to your race, origin, color, religion, age, marital status, education, criminal or employment history, information relating to financial transactions, identifying number, an unlisted address or unlisted telephone number, fingerprints, among others. In addition, some information that is otherwise publicly available is not protected by PIPEDA.
“Personal Health Information” (“PHI”) is defined as identifying information about an individual that (i) relates to the physical or mental health of an individual, including information concerning family health history, (ii) relates to the providing of health care to an individual, payments or eligibility for health care, including an OHIP number, (iii) relates to the donation by an individual of any body part or bodily substance, or is derived from testing of such body part or substance, or (iv) identifies an individual’s substitute decision-maker.
III. HOW WE COLLECT, USE AND DISCLOSE YOUR PI AND PHI.
We collect, use and disclose personal information for many different reasons. Below, we describe the different categories of our uses and disclosure as well as give you some examples of each category.
A. Collection, Use, Disclosure, and Retention of PI and/or PHI
- We will not collect any PI or PHI about you unless it relates directly to the insurance underwriting activities our organization performs. We will obtain your consent before or at the time the information about you is collected, with very few exceptions. Normally, we ask for your consent in writing, but in some circumstances, we may accept your oral consent. Sometimes, your consent may be implied through your conduct with us or we may not ask for your specific consent in a case of urgency or where we believe you would consent if asked and it is impractical to obtain your consent. However, we will obtain your express consent if your PHI will be disclosed to any party that is not a health information custodian or for purposes unrelated to providing of health care. Any information previously collected about you will not be re-collected. In order for us to continue to use the previously collected information, we need your consent. You may also withdraw your consent in writing, to stop any future uses or disclosure (to the extent we have not taken any action relying on that consent). Your withdrawal will not have an effect on the use or disclosure occurring prior to our receipt of your withdrawal. We do not use your Social Insurance Number as a way of identifying or organizing the information we hold about you.
- We will notify you about the purpose for which information about you is requested at or before the information about you is collected. This notification may be provided orally or in writing. In the event we wish to use your information for a new purpose, you will be notified, and have an opportunity to provide or refuse your consent.
- After obtaining your consent, we may only use or disclose your PI or PHI for the purpose for which the information was collected, or for a use consistent with that purpose. For example, we may use information we obtain throughout the underwriting process, and disclose it to the company from which you are applying for insurance. We will use or disclose such information only for the purpose for which it was collected, unless we have your consent, or unless the use or disclosure fits into one of the exceptions listed below. When information is to be used or disclosed for a purpose not previously identified to you, such new purpose will be identified for you prior to use or disclosure, and your consent will be requested.
- Whenever possible, we will collect PI or PHI directly from you, unless you have authorized otherwise. We collect information only by lawful and fair means and not in an unreasonably intrusive way.
- We will take reasonable steps to ensure that your PI and/or PHI is accurate, up-to-date, and as complete as possible. If we hold information about you and you can establish that it is not accurate, up-to-date and complete, we will take reasonable steps to correct it. If any of your information changes, please inform us so that we can make any necessary changes.
- We retain PI and/or PHI for only as long as we need it to effectively provide our services and for a reasonable length of time thereafter in case we need to meet any potential obligations or legal or government requirements. We destroy paper files containing PI and/or PHI by shredding. We destroy electronic information by deleting it, and when the hardware is discarded, we ensure that the hard drive is physically destroyed. Clinical specimens, including blood, urine, and saliva, are disposed of according to applicable Canadian or United States laws, as the case may be.
- Some of the PI and/or PHI that we collect may be processed and stored by LabOne, Inc., our parent company in the United States and a subsidiary of Quest Diagnostics Incorporated, where the United States government and its agencies may be able to apply to a court in the United States for an order to obtain disclosure of it. Such PI and/or PHI, when processed and stored in Canada may also be subject to disclosure to foreign governments, pursuant to the laws and treaties of Canada.
- In certain limited circumstances, we may use PI and/or PHI in order to conduct or support statistical, scholarly study, or research activities, all in accordance with PIPEDA and PHIPA. In this case, we will obtain your express consent and we must notify the Privacy Commissioner of Canada with respect to PI and/or the Office of Information and Privacy Commissioner of Ontario with respect to PHI, prior to use.
B. Exceptions to Consent
Under certain circumstances we may use and/or disclose your PI and/or PHI without your consent or knowledge. For example:
- When disclosure is authorized, or required by any applicable law. For example, we will disclose PI and/or PHI when a law, court order or a subpoena requires that we disclose information. We will also make disclosures when the Attorney General of Canada requires it for proceedings involving the Crown in right of Canada or the Canadian Government or when a foreign government through a treaty with Canada has requested it. In the event your PI and/or PHI collected by us is processed and stored in the United States, that information may also be subject to the laws of the United States.
- For governmental investigation activities. For example, we will provide information to assist the government when it conducts an investigation, audit or inspection of an organization or other person based upon breach of an agreement or a contravention of federal or provincial law, or if the information relates to national security, the defence of Canada or the conduct of international affairs.
- In emergency situations. We may disclose PI or PHI because of an emergency that threatens the life, health or security of an individual. In this case, we will inform you in writing of the disclosure.
- We may collect PHI directly from you, even if you are incapable of consenting, if the collection is reasonably necessary for the provision of health care and it is not reasonably possible to obtain your consent in a timely manner.
- For legal activities. We may provide your PI or PHI to a lawyer who is representing us.
- For debt collection. We may disclose your PI for the purpose of collecting a debt owed by you to us, if any.
C. Security Safeguards
We take all reasonable precautions to ensure that your PI and/or PHI is kept safe from loss, unauthorized access, modification or disclosure.
Among the steps taken to protect your information are:
- premises security such as supervised or locked cabinet storage;
- restricted file access to PI and/or PHI;
- deploying technological safeguards like passwords, security software and firewalls to prevent hacking or unauthorized computer access;
- paper information is transmitted through sealed, addressed envelopes or boxes by reputable companies;
- electronic information is transmitted either through a direct line or is anonymized or encrypted;
- internal password and security policies.
We use a number of consultants and agencies that may, in the course of their duties, have limited access to PI and/or PHI we hold. These include computer consultants, office security and maintenance, bookkeepers and accountants, a file storage company, temporary workers to cover holidays and illness, credit card companies, website managers, cleaners and our landlord. We restrict their access to any PI and/or PHI we hold as much as is reasonably possible. We also have their assurance that they follow appropriate privacy principles and where appropriate or required, have contractual provisions to ensure that your PI and PHI is properly safeguarded. However, please note that no contract or contractual provision can override any laws applicable in Canada or any other jurisdiction.
If your PI or PHI is stolen, lost, or accessed by unauthorized persons, we will notify you at first reasonable opportunity as required under applicable laws.
IV. YOUR RIGHTS ASSOCIATED WITH YOUR PI and PHI
You have the following rights with respect to your PI and PHI:
A. The Right to Access Your PI and PHI
In most cases, you have the right to look at or get copies of your PI or PHI that we have, but you must make the request in writing. However, we reserve the right to confirm the identity of the person seeking access to this information at or before complying with any access requests. Summary information is available upon request. More detailed requests which require archive or other retrieval costs may be subject to a reasonable fee. In certain situations, we may deny your request for access. If we do, we shall explain why. Your rights to access your PI or PHI are not absolute.
We may deny access to your PI when:
- the information is protected by solicitor-client privilege;
- to do so would reveal confidential commercial information;
- to do so could reasonably be expected to threaten the life or security of another individual;
- the information was generated in the course of a formal dispute resolution process; or
- denial of access is required or authorized by law.
We may deny access to your PHI when:
- the record or the information in the record is subject to a legal privilege that restricts disclosure of the record or the information, as the case may be, to the individual;
- legislation or a court order prohibits disclosure to the individual of the record or the information in the record in the circumstances;
- the information in the record was collected or created primarily in anticipation of or for use in a proceeding, and the proceeding, together with all appeals or processes resulting from it, have not been concluded;
- the information was collected or created in the course of an inspection, investigation or similar procedure authorized by law, or undertaken for the purpose of the detection, monitoring or prevention of a person’s receiving or attempting to receive a service or benefit, to which the person is not entitled under Canadian legislation or a program operated by the Ontario Minister of Health and Long-Term Care, or a payment for such a service or benefit, and the inspection, investigation, or similar procedure, together with all proceedings, appeals or processes resulting from them, have not been concluded;
- granting the access could reasonably be expected to,
- result in a risk of serious harm to the treatment or recovery of the individual or a risk of serious bodily harm to the individual or another person,
- lead to the identification of a person who was required by law to provide information in the record to the custodian, or
- lead to the identification of a person who provided information in the record to the custodian explicitly or implicitly in confidence if the custodian considers it appropriate in the circumstances that the identity of the person be kept confidential;
- the custodian is an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act or is acting as part of such an institution and the custodian would refuse to grant access to the part of the record under certain parts of those acts; or
- personal health information that is in the custody or control of a laboratory in respect of a test requested by a health care practitioner for the purpose of providing health care to the individual where the following conditions apply:
- the individual has a right of access to the information through the health care practitioner, or will have such a right when the information is provided by the laboratory to the health care practitioner within a reasonable time, and
- the health care practitioner has not directed the laboratory to provide the information directly to the individual.
B. The Right to Receive an Accounting of Uses and Disclosures
You have a right to request and receive a list of instances in which we have disclosed your PI or PHI to third parties. We will attempt to be as specific as possible in identifying the organizations to which we have disclosed your PI or PHI. At a minimum, we will provide you a list of organizations to which we may have disclosed your PI or PHI.
C. The Right to Correct or Update Your PI or PHI.
If you believe that there is an error or omission in your PI or PHI, you have the right to request that we correct the error or omission. You must provide the request and your reason for the request in writing. If you can establish that the information we hold is inaccurate, we will take reasonable steps to correct it. We will also take reasonable steps to advise any third parties to whom we have disclosed your PI or PHI of the correction. If we refuse your request to correct information, we shall explain why.
V. COMMUNICATING WITH US
E-mail is not a 100% secure medium, and you should be aware of this when contacting us to send personal or confidential information.
VII. REQUEST FOR ACCESS/CORRECTION
Attention: Privacy Officer
1290 Wall Street West
Lyndhurst, NJ 07071
Tel.: 800-222-0446, ext. 8954
If you are not satisfied with our response with respect to your PI, the Privacy Commissioner of Canada can be reached at:
112 Kent Street
In the case of PI collection, use and disclosure by private sector organizations in British Columbia, the Office of the Information and Privacy Commissioner for British Columbia can be reached at:
PO Box 9038, Stn. Prov. Govt.
Victoria, BC V8W 9A4
4th Floor, 947 Fort Street
Victoria BC V8V 3K3
In the case of PI collection, use and disclosure by private sector organizations in Alberta, the Office of Information and Privacy Commissioner of Alberta can be reached at:
Suite 2460, 801 6 Avenue SW
Calgary AB T2P 3W2
In the case of PI collection, use and disclosure by private sector organizations in Quebec, the Commission d’accès à l’information du Québec can be reached at:
575, rue Saint-Amable
Québec QC G1R 2G4
Website: www.cai.gouv.qc.ca/ (French only)
If you are not satisfied with our response with respect to your PHI in Ontario, the Office of the Information and Privacy Commissioner of Ontario can be reached at:
2 Bloor Street East, Suite 1400
If you are not satisfied with our response with respect to your PHI in New Brunswick, the Office of the Access to Information and Privacy Commissioner of New Brunswick can be reached at:
65 Regent Street, Suite 230
Fredericton, New Brunswick
VIII. EMPLOYMENT INQUIRIES
If you apply to us for a job, we need to consider your personal information, as part of our review process. We normally retain information from candidates after a decision has been made, unless you ask us not to retain the information. If we offer you a job, which you accept, the information will be retained in accordance with our privacy procedures for employee records.
On our website, like most other commercial websites, we may monitor traffic patterns, site usage and related site information in order to optimize our web service. We may provide aggregated information to third parties, but these statistics do not include any identifiable PI.
X. EFFECTIVE DATE OF THIS POLICY
This policy is effective as of December 15, 2012.