Excelleris Privacy Policy

1. Accountability

Governance

The Excelleris Board of Directors is accountable for protecting the privacy of personal information, and for ensuring that reasonable and adequate safeguards are in place to protect personal information assets under the control of Excelleris.

The Board of Directors has delegated authority to the CEO, Excelleris, to implement measures to protect the privacy of personal information and to safeguard information assets and critical information systems under the control of Excelleris.

Excelleris has appointed a Privacy Officer accountable to the CEO and Board of Directors. The Privacy Officer is responsible for, but not limited to:

  • Reviewing contractual terms and conditions for Client contracts to ensure they satisfactorily meet privacy requirements under legislation
  • Reviewing Excelleris privacy and security policies and procedures
  • Providing oversight of the collection, use, access and disclosure of personal information through Excelleris’ communications infrastructure
  • Supporting follow-up investigation of privacy breaches
  • Receiving and responding to questions, queries and complaints
  • Facilitating correction to individual personal information as defined by Client contracts for services
  • Facilitating individual information access requests as defined by Client contracts for services
  • Providing advisory services on risks and issues related to current and new initiatives
  • Monitoring compliance with all of the above

The Privacy Officer may appoint a Privacy Steering Committee to assist with fulfilling the above accountability responsibilities.

Information Management and Technology Services

Information Management and Technology Services relate to the circumstances where Excelleris is providing services to a client organisation, where the client organisation has contractual responsibilities for protecting the privacy of personal information it sends and/or receives through Excelleris’ communications infrastructure.

Privacy Impact Assessments (PIA)

A Privacy Impact Assessment (PIA) is used to determine if new systems, upgrades, or additions to existing information systems/technologies, meet basic privacy principles and best practice standards, and to ensure compliance with legislation (e.g. PIPA).

Excelleris will conduct a PIA whenever there is a potential or perceived risk to the privacy of individuals and/or serious risk to the organisation because of privacy and security issues associated with the collection, use, access and disclosure of personally identifiable information.

Excelleris will retain PIAs indefinitely and review them annually to determine if revisions are needed and if new PIAs are required for upcoming or planned initiatives. PIAs will be signed off by the Excelleris Privacy Officer and Chief Technology Officer and, where necessary, approved by the Excelleris Board of Directors.

Upon request, Excelleris will release PIAs to the BC Office of the Information and Privacy Commissioner, to be maintained in confidence. Similarly, Excelleris will, upon request, release appropriate portions of PIAs as applicable to client organisations as proof of appropriate privacy and security risk management practices. Excelleris reserves the right to withhold portions of PIAs if release of the information compromises Excelleris’ security by exposing details of security controls and safeguards.

Privacy Breaches

The Excelleris Privacy Officer is responsible for investigating any breach of confidentiality or privacy.

The CEO of Excelleris must prepare a report for the Excelleris Board of Directors on every occurrence involving a breach of personal privacy, including what actions were taken to rectify the situation.

The Excelleris Privacy Officer will, if deemed appropriate or required under the guidelines of the BC Office of the Information and Privacy Commissioner (OIPC), inform the OIPC of any real or possible breach of privacy and of the actions being taken to rectify the situation.

2. Identifying Purposes

Personal information which Excelleris has collected from its client organisations is to be used solely for the purposes described under the terms described in the Contract for Services.

Information on clients that is considered business contact information is not considered personal information under PIPA and is not subject to the same considerations. This information is typically comprised of information found on a business card.

Excelleris understands that any use beyond those described in the Contract for Services is considered a breach of contract and can result in termination of the contract.

3. Consent

Consent and Notification for Disclosure

It is the responsibility of the private labs, health authorities, or other care providers (the Senders) which initially collect, and then disclose, patient information to provide appropriate consent and/or notification covering the legal authority to collect, with whom the data is shared, and for what general uses.

There is no requirement to specify that Excelleris is the communications provider.

Consent and Notification for Indirect Disclosure (Access)

It is the responsibility of the private labs, health authorities or other care providers (the Recipients) which access the patient information made available in Excelleris to provide appropriate consent and/or notification identifying the purposes for the collection, use, access and disclosure, as well as the legal authority to do so.

There is no requirement to specify that Excelleris is the communications provider.

4. Limiting Collection

Only information required to support Excelleris’ business will be collected. This information must be defined for a justifiable purpose and collected by fair and lawful means.

5. Limiting Use, Disclosure and Retention

Limiting Use, Disclosure and Retention of Client Information

Excelleris has the responsibility both directly, and under the terms of a Contract for Service, to collect, use, access, disclose and retain information from Clients only in accordance with legislation and best practice standards, or as specified by the terms and conditions of the service contract.

Personal information sent to Excelleris under the terms and conditions of a Contract for Service will only be used or disclosed for its originally defined purpose(s).

Personal information in the custody of Excelleris is collected, stored, used, and disclosed for pre-defined purpose(s) and personal information may not be removed without Excelleris’ permission.

Personal information disclosed to third parties will be protected contractually, with the appropriate security, confidentiality and acceptable use requirements defined. It is the responsibility of the Sender (data collector/steward) to ensure that the requirements regarding what data is disclosed, and to whom, are clearly articulated. Excelleris will ensure that the disclosure is facilitated in a secure fashion.

Limiting Collection, Use and Disclosure of Employee Personal Information

Excelleris will collect personal information about employees only to manage administration of their employment.

Employee home address and telephone numbers will only be disclosed where it is necessary for the performance of work functions such as on-call.

There may be occasions where disclosure of employee personal information is required by legislation (e.g. Workers Compensation Act, Employment Insurance Act) or to other organisations (e.g. Pacific Blue Cross) in order to facilitate an individual’s benefits program.

Limiting Collection, Use and Disclosure of Physician Information

Excelleris will collect contact information from and about physicians and their staff only for the purposes required to support the business mandate and aligned with the defined purpose(s). Use of the information includes administering day-to-day operations and administration of the work relationship. The contact information will include: name, business mailing address, business telephone number and fax number, profession, and job classification.

Bill 73/30 of FOIPPA: Prohibition on Foreign Access, Storage and Disclosure outside of Canada

Under Bill 73/30 of FOIPPA for public bodies (introduced in October 2004 and subsequently amended in 2006), it is prohibited to access, store or disclose personal information outside of Canada without the consent of the individual, except under strictly defined conditions. This requirement applies to all individuals, systems, and data.

Where the information is held on behalf of a public body, Bill 73/30 applies. Therefore, as public bodies such as health authorities disclose personal information to Excelleris, Excelleris will be responsible for safeguarding this information as per the requirements of Bill 73/30. These conditions will be defined in the Contract for Services where the public body is the data steward.

  • Where personally identifiable data forms part of a service provided by Excelleris, or the service requires that Excelleris have access to the data, contractual obligations must be clearly articulated describing the nature of the service(s), a description of the data required in support of the service, the uses of the data, and the allowable disclosures, if any.
  • Excelleris will be expected to conform and comply with a standard Privacy Schedule outlining the requirements of Bill 73/30.
  • Public bodies will be responsible for ensuring and monitoring compliance.

6. Accuracy

Information that is sent to Excelleris will be received, stored, and conveyed to the appropriate recipients in a secure and timely fashion without altering the information content of the communication.

Responsibility for the accuracy of information belongs to the Sender (data collector/steward). Excelleris is responsible for maintaining the integrity of data sent to it.

Individuals may exercise their right to request correction to their personal information if they deem the information to be incorrect or inaccurate. This request must be made in writing to Excelleris.

Because Excelleris conveys information rather than initiates its collection or creation, corrections must be made in agreement with the participant that sent the information to Excelleris. Excelleris, though not the data originator, will facilitate the correction.

7. Safeguards

Excelleris will implement appropriate and reasonable security safeguards to protect personal information. Security safeguards can be in the form of technical, administrative, physical or procedural methods, and Excelleris will utilize a combination of security and access controls to provide adequate protections.

Excelleris will conduct, on a periodic basis, a Security Threat and Risk Assessment.

8. Openness

Excelleris will make readily available information about its privacy policies and information protection practices. This information is available upon request or can be readily obtained from the Excelleris website: www.excelleris.com

Excelleris may make information on its policies and practices available in a variety of forms (e.g. website, toll-free number, brochure, online documentation).

9. Individual Access

Individuals may exercise their rights under PIPA and request access to (e.g. a copy of) their personal information.

Excelleris, though not the data originator, will assist the applicant in this process, or may, under the terms of the contract for services with the originating data steward, allow individuals access to their own data.

A reasonable fee may be charged for this service.

10. Challenging Compliance

An individual can challenge Excelleris’ compliance with privacy legislation and the principles of privacy protection. Individuals have a right to make a complaint directly to a staff member of Excelleris or to the BC Office of the Information and Privacy Commissioner (OIPC).

Excelleris will acknowledge, record, and investigate each privacy complaint it receives.

For questions about Excelleris’ privacy practices, please contact Privacyofficer@Excelleris.com.

An acknowledgement will be made within three business days.

The Excelleris Privacy Policy was last revised: May 2008

Excelleris Privacy Commitment

Excelleris Technologies was established in 1999 to enhance the communication of medical information through the use of technology.

As a medical communications service provider operating in British Columbia, and subject to the BC Personal Information Protection Act (PIPA) governing private sector organisations, Excelleris is responsible for, and committed to, maintaining the confidentiality, integrity, and availability of the personal information (including personal health information) it is entrusted to deliver.

Excelleris strives to achieve the highest level of privacy protection. In meeting its commitments, Excelleris works not only to comply with PIPA, but has also adopted the ten inter-related fair information principles outlined in the Canadian Standards Association’s (CSA) Model Privacy Code. The CSA Model Code is closely related to the Organisation for Economic Co-operation and Development (OECD) guidelines which are internationally-accepted as the foundation for the majority of privacy legislation in place around the world.

Excelleris is additionally accountable for the privacy and security of personal information in accordance with the terms and conditions of its client contracts and agreements, and strives to meet and/or exceed the expectations of its stakeholders and the public.

2009 Excelleris Technologies Inc. All rights reserved.