Privacy Policy
Policy Statement
Seiden Health Management Inc. (“SEIDEN”) is committed to respecting the privacy rights of all stakeholders. As part of this commitment, SEIDEN will collect, use and disclose personal information only in compliance with the applicable law and in such a manner that a reasonable person would consider appropriate in the circumstances.
Scope
This policy governs the collection, use, disclosure and handling of personal information in the course of the commercial activity of SEIDEN.
For this purpose, “SEIDEN” means Seiden Health Management Inc., Canadian Benefits Management Ltd., Front Frederick Health, and Dr. Howard Seiden & Associates.
Introduction
SEIDEN is bound by privacy legislation. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to personal information that is collected, used, or disclosed in the context of commercial activity. This Privacy Policy is based on the principles and rules set out in PIPEDA.
Definitions
Personal Information means information about an identifiable individual, but does not include business contact information.
Personal Health Information is a subset of Personal Information and, broadly speaking, is information concerning the physical or mental health of the individual, health services provided to the individual, and information collected during the course of health services to the individual, or medical testing.
Privacy Officer is the title given to the individual appointed by SEIDEN who is accountable for SEIDEN’s compliance with privacy policies and law.
Breach of Security Safeguards means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of SEIDEN’s security safeguards.
The Privacy Principles
Principle 1 - Accountability
SEIDEN is responsible for all personal information under its control and will designate an individual who will be accountable for compliance with SEIDEN’s privacy policy and all applicable privacy legislation. The designated individual will be called the Privacy Officer.
SEIDEN’s current Privacy Officer is:
Matthew Seiden
Matthew Seiden may be contacted as follows:
1 Concorde Gate #301
Toronto, ON M3C 3N6
Tel: 416-365-3602
Fax: 416-362-8925
matthew.seiden@seidenhealth.com
SEIDEN shall be responsible for personal information in its possession or custody and shall implement policies and practices to protect personal information. These shall include physical, technological, and organizational protection.
SEIDEN has authorized third party service providers (such as transportation and translation services) to collect, use and disclose personal information in order to facilitate the provision of service. As a result, SEIDEN shall ensure that personal information in the hands of service providers is given a comparable level of protection while outside of SEIDEN custody. This will be accomplished by selecting appropriate parties and via contractual means.
Principle 2 - Identifying Purposes
SEIDEN will identify the purposes for which we collect personal information at or before the time the information is collected. This may be done orally or in writing, with a preference for written notification where possible.
SEIDEN will collect only that information that is necessary for the purposes of assessment. SEIDEN will not collect more personal information than is necessary to accomplish the purposes of the collection, and the information will not be used for a purpose other than that identified without additional consent. The exception to this rule is where a new use is required by law.
Principle 3 - Consent
In general, informed consent is required for the collection, use, and/or disclosure of personal information. In the absence of a legal exception, SEIDEN will obtain appropriate consent from individuals for the collection, use, or disclosure of their personal information.
SEIDEN uses consent forms in order to ensure that valid consent has been provided prior to the collection of personal information via medical examination. In the absence of a signed consent form, SEIDEN may accept verbal consent, or another form of express consent (e.g. letter, electronic communication) for the collection, use, or disclosure of personal information. In the case of collection or use of information, SEIDEN may proceed based on a determination of implied consent. If consent is implied, or express consent is not in writing, SEIDEN will keep appropriate notes in the file.
SEIDEN will make reasonable efforts to ensure that the individual is aware of the purposes for which the information will be used and the purposes will be communicated in language appropriate to the individual. SEIDEN will consider the individual’s reasonable expectations when determining whether or not consent is sufficiently informed. If further uses arise, SEIDEN will decide whether or not additional consent is required. This determination will depend on the facts.
SEIDEN will also ensure that individuals are aware that they can withdraw consent at any time.
Principle 4 - Limiting Collection
SEIDEN will limit the personal information collected, used, and/or disclosed to that required to accomplish the purposes communicated to the individual. Collection will not be accomplished by means that are unfair or unlawful. SEIDEN will not collect personal information by misleading or deceiving individuals.
SEIDEN may collect personal information about individuals from third parties.
Principle 5 - Limiting Use, Disclosure, and Retention
Personal information collected from individuals will not be used or disclosed for purposes other than those for which it was collected, unless further consent is provided by the individual. The exception to this is if the use or disclosure is required by law.
SEIDEN will only use or disclose the personal information collected for the identified purposes and will retain personal information only as long as is necessary to accomplish the purpose(s) communicated to the individual.
SEIDEN will establish document retention and document destruction policies that govern the minimum and maximum retention periods for records containing personal information. Documents containing personal information will be retained or destroyed in accordance with these policies.
Personal information that is no longer required to accomplish the purpose(s) identified will be appropriately destroyed or depersonalized, according to document destruction policies.
SEIDEN shall ensure that any information that has been used to make a decision about an individual will be available for long enough to allow the individual access to the information after the decision has been made.
Personal information that has been used to make a decision about an individual will be retained long enough to allow the individual access to the information after the decision has been made.
Principle 6 - Accuracy
SEIDEN will take reasonable steps to ensure that any personal information that is collected, used, or disclosed is as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used. This is to ensure that inaccurate information is not used to make a decision.
Principle 7 - Safeguards
SEIDEN will safeguard personal information under its control in a manner that is appropriate to the sensitivity of the information. More sensitive information will be accorded a higher level of protection.
Given the medical context of our business, all personal information of individuals being assessed by SEIDEN is deemed highly sensitive.
Regardless of the format in which it is held, SEIDEN will safeguard personal information against loss, theft, unauthorized access, use, copying, modification, or disclosure.
Methods of protection employed by SEIDEN will include:
- physical measures, including restricted access to office space and a reduction in hard copy files;
- organizational measures, including on-going training on privacy and cybersecurity, security clearances and limiting access on a “need-to-know” basis; and
- technological measures, including the use of passwords and encryption.
SEIDEN will maintain policies relating to:
- The security of physical files
- After use
- Remote storage
- Crosscut shredding
- In the office
- In transit
- The security of digital files
- Physical access to technology resources
- Log-in protocols
- Passwords
- Encryption
- Personal information storage
- Remote access to personal information
- VPN
- Remote email access
- Personal information in the possession of assessors or third party service providers
If personal information must be transferred to a third party, any personal information that is unnecessary for the purpose for which the information was transferred shall be removed.
All SEIDEN employees are required to promptly report any known or suspected security breaches to the Privacy Officer and IT. Any reports will be investigated and the appropriate response will be initiated.
SEIDEN will notify regulators and individuals of a security breach in accordance with the relevant laws. Individuals will be notified in cases where SEIDEN concludes that the breach may lead to a real risk of significant harm.
Principle 8 - Openness
SEIDEN will make readily available to individuals specific information about the policies and procedures relating to the management of personal information under SEIDEN’s control.
Individuals will be able to inquire about the policies and procedures without unreasonable effort.
In order to ensure that this information is publicly available, all staff members will be aware of who the Privacy Officer is and how access to personal information may be requested.
SEIDEN will include information on privacy policies, the identity and contact information of the Privacy Officer, and general data processing on the company website. This information will also be made available on request in an alternative, accessible format.
Principle 9 - Individual Access
Upon request, an individual will be informed of the existence, use, and disclosure of his or her personal information which is under the control of SEIDEN, and may be given access to this information in order to challenge accuracy and completeness. The manner of access may vary, depending on the format in which the information is held, and the amount of information to which access is requested.
SEIDEN will respond within 30 days to any written request for access. There will be no cost for this response. If SEIDEN refuses access, the individual will receive a written explanation of why. If access is provided, any fees will be minimal. SEIDEN will make efforts to ensure that the information to which access is requested is made available in a format understandable to the individual.
If SEIDEN holds personal information pertaining to the individual, access to the information will include a general account of its use and, on written request, a list of third parties to whom SEIDEN may have disclosed the information.
SEIDEN will provide access to documents containing the personal information of the individual, but not to documents containing the personal information of other parties. If a document contains the personal information of more than one party, the document may be redacted to remove the personal information of parties other than the individual. Internal work product and documents relating to but not containing the personal information of the individual will not be made available. Privacy and access law contains other exceptions that may result in a denial of access. If SEIDEN is unable to provide access based on one of these exceptions, the individual making the request will be informed and may challenge the refusal.
Principle 10 - Challenging Compliance
Any challenge concerning compliance with the above policies and procedures should be addressed to SEIDEN’s Privacy Officer. The Privacy Officer will inform the individual of the applicable complaint procedures.
SEIDEN will maintain a procedure for receiving and responding to complaints or inquiries about company policies relating to information-handling. This procedure requires that any complaint or inquiry must be in writing and filed with the Privacy Officer. In the case that such inquiry or complaint is received, the Privacy Officer will:
- Acknowledge receipt of the complaint
- Investigate – this investigation may be conducted by the Privacy Officer or another party
- Clarify facts
- Decide on further steps
- Notify the complainant in writing of the outcome of the investigation, including any steps taken
If the complaint is found to be justified, SEIDEN will take appropriate measures, including, if necessary, amending policies and/or practices.
If the matter is not resolved to your satisfaction by us, you may contact the Privacy Commissioner at:
Information and Privacy Commissioner/Ontario
1400-2 Bloor Street East
Toronto, Ontario
M4W 1A8
info@ipc.on.ca
Telephone:
Toronto Area: 416-326-3333
Toll Free: 1-800-387-0073