Security and Privacy Policy Statement
bphealth is committed to excellence and focused on improving healthcare and patient/client outcomes. By partnering with our clients, we provide the expertise to implement and support secure, interoperable and sustainable business and technology solutions that realize tangible benefits for the system and its users. We maintain a firm commitment to our clients' security and privacy and implement the applicable security safeguards to protect the privacy of those who use our services.
Our Privacy and Security Framework is based on standards that draw on several proven methodologies and provide a comprehensive approach to conducting risk management and meeting compliance objectives for both government and private-sector clients within Canada.
This Security and Privacy Policy, effective Sep 22, 2008, applies to all our service offerings and covers our internal practices and the information we handle or obtain during our business engagements. We have a long history of recognizing and protecting the privacy of our customers' information. We strive to protect our clients' privacy and use security technologies that give the safest and most reliable customer service experience available.
Privacy Principles
bphealth generally does not collect client information that personally identifies individuals, except when individuals provide such information voluntarily. If bphealth consultants require access to personal information while delivering client services, they strictly adhere to bphealth's Security and Privacy policies and procedures. It is the policy of bphealth to control the collection, use, and disclosure of personal information. In certain circumstances personal information may be collected, used, or disclosed without the knowledge and consent of the individual. Exemptions include, but are not limited to, personal information gathered for:
- Legal, medical, or security reasons
- Detection and prevention of fraud or for law enforcement
- Journalistic, artistic or literary purposes if its use is confined to those purposes
bphealth shall meet the following requirements unless exempted by the provisions stated above:
I. Accountability
bphealth is responsible for personal information under its control and shall designate a Privacy Officer to be accountable for bphealth's compliance with all relevant Privacy regulations.
II. Identifying Purposes
The purposes for which personal information is accessed or collected shall be identified by bphealth at or before the time the information is accessed or collected.
III. Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information.
IV. Limiting Collection
The access or collection of personal information shall be limited to that which is necessary for the purposes identified by bphealth.
V. Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as permitted by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
VI. Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
VII. Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
VIII. Openness
bphealth shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
IX. Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
X. Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for bphealth's compliance.
Security and Privacy Standards
bphealth Security and Privacy Standards are based on guiding principles set out at the following:
- ISO/IEC 27002:2005: http://www.iso.org/iso/catalogue_detail?csnumber=42103
- IPC, the Office of the Information and Privacy Commissioner of Ontario: http://www.ipc.on.ca/index.asp?navid=36
- PIPEDA, the Personal Information Protection and Electronic Documents Act: http://www.privcom.gc.ca/legislation/02_06_01_01_e.asp
- PHIPA, the Personal Health Information Protection Act: http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm
- FIPPA, the Freedom of Information and Protection of Privacy Act: http://www.accessandprivacy.gov.on.ca/english/act/index.html
- RCMP/CSE Harmonized Threat and Risk Assessment (TRA) Methodology: http://www.rcmp-grc.gc.ca/ts-st/pubs/tra-emr/tra-emr-1-eng.pdf
- SANS, Overview of Threat and Risk Assessment (TRA): http://www.sans.org/reading_room/whitepapers/auditing/76.php
bphealth's Internal Security and Privacy Policies
All bphealth staff are required to comply with the following internal policies:
- Information Security Classification and Labeling Policy
- Security and Privacy Incident Management Policy
- IT Acceptable Use Policy
- Client Communication Policy
- Compliance Management Policy
- Security and Privacy Management Framework
Security and Privacy Policy Changes
We may change our security and privacy policy at any time. Any changes to the privacy and security policy will be posted on this Web site so that you are aware of the information we collect and how we use it.
Compliance
All bphealth members who collect, maintain and/or use personal information are responsible for ensuring that the collection, use and disclosure of this information is carried out in accordance with this policy and the relevant procedures.
The Privacy Officer is accountable for bphealth's policies and practices with respect to the management of personal information, and is the individual to whom complaints and inquiries can be forwarded.
How to Register a Privacy Complaint
You may register a privacy-related complaint by contacting bphealth's Privacy Officer using one of the following methods:
- Call: 416.363.3900
- Fax: 416.363.2872, Attn: Privacy Officer
- E-mail: info@bphealth.ca
- Mail:
84 Gerrard Street West
Toronto, ON M5G 1J5
Attention: Privacy Officer