CAPs’ Privacy Guidelines incorporate the provisions of Part 1 of the Personal Information and Electronic Documents Act (PIPEDA – Government of Canada), the principals of the Personal Information Protection Act (PIPA – Government of Alberta) and the ten principles of the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information.
Application of Privacy Principles
CAP is responsible for all personal information in its possession or control, including information that has been transferred to a third-party for processing. CAP will use contracts or other means to provide an appropriate level of protection when a third-party processes information on behalf of the company.
CAP will, from time to time, enhance our processes and procedures to maintain our commitment to privacy, including:
Procedures to protect personal information;
Procedures to receive and respond to complaints and inquiries;
Communications and training programs to provide information to CAP staff about privacy policies and practices.
2. Identifying Purposes
CAP will identify & document how and why personal information will be used at or before the time the information is collected.
CAP will only collect information necessary to perform the activities outlined.
CAP will articulate through verbal, electronic or written means – the purpose for the collection of the personal information at or before the time for which personal information is collected.
When personal information is collected for a new means – not previously identified – we will engage the affected individual(s) prior to use. In such cases, the consent of the individual is required before the information is used for a new purpose.
CAP collects personal/contact information in order to:
Manage customer accounts;
Follow-up with individuals to determine their interest in the products and services provided by CAP and inform them of new products, services or promotions;
Screen individuals for employment, volunteer or contracting suitability;
Manage and administer personnel (including performance appraisals, security, access control and disciplinary measures);
Manage and administer compensation and benefits programs;
Administer occupational health and safety programs;
Monitor and track skills and competency development;
Meet legal and regulatory requirements (e.g. Employment Standards Legislation, Canada Customs and Revenue Agency reporting requirements);
Facilitate CAP audits when required to do so;
Provide contact information of CAP staff and volunteers to CAP insurers;
Provide such information as may be required for administration of CAP programs.
CAP is not responsible for the management of Personal Information collected by its customers through use of CAP products and services. However, CAP employs reasonable measures to ensure the safety and protection of its customers’ information. CAP employs strict policies and procedures to protect and maintain the confidentiality of this information. These measures are outlined in the contracts signed by CAP customers. Furthermore, CAP considers all information collected by its customers as confidential and does not access or use its customer’s information other than for data maintenance, auditing or trend analysis (e.g. benchmarking).
CAP uses reasonable efforts to ensure that individuals understand how their personal information will be used. CAP obtains consent as required for the collection, use and disclosure of personal information.
When determining the form of consent, CAP considers the sensitivity of the information and the reasonable expectations of the individual. Express consent will be obtained when the information is likely to be considered sensitive; implied consent may be appropriate when information is less sensitive. Consent may also be given through an individual’s authorized representative (such as a legal guardian or a person having power of attorney).
CAP obtains consent for the collection, use or disclosure of information through various means, including verbal, written (e.g. signed forms) or electronic processes.
In rare circumstances, CAP may collect and use personal information without the individual’s knowledge or consent. For example:
If consent cannot be obtained in a timely way (e.g. when the individual is seriously ill);
If obtaining prior consent would defeat the purpose of collecting the information (e.g. in the investigation of alleged criminal activity);
In the case of an emergency where the life, health or security of the individual is threatened.
CAP generally seeks to obtain consent at the same time personal information is collected. CAP may, however, seek consent to use and disclose personal information after it has been collected, but before it is used or disclosed for a new purpose (e.g. before disclosing board member information to a funding organization, if this purpose was not previously contemplated).
Consent may be withdrawn at any time, subject to legal or contractual restrictions and reasonable notice. CAP and/or the Privacy Officer informs individuals of the implications for withdrawing consent.
4. Limiting Collection
CAP limits the amount and type of personal information collected to that which is necessary for the identified purpose.
CAP collects information by fair and lawful means.
CAP may collect the following information from employees, contractors and suppliers:
Demographic and contact information including home address and telephone number, date of birth, and social insurance number;
Training, experience and skills as necessary to establish competence, and regulatory, employer or industry standards compliance;
Education and employment history;
Banking or financial information;
Security background checks, as required.
CAP may collect the following personal information from customers of CAP:
Names and contact information, including home address and telephone numbers;
HSE system and performance documentation, interview records, client employee HSE system compliance assessments, equipment assessments, COR audits, and any other relevant audit documentation;
Demographic information about customer(s) for CAP programs, including number and year of birth or ages of employees, and interest in programs or facilities for system planning purposes;
Financial information, if members involved in programs with financial eligibility requirements, or where payment is required for programs or services;
Limited medical information for members or employees of members participating in business activities.
CAP may collect personal information through the following means:
Online software application for the purposes of delivering CAP Programs,
Online Solicited and unsolicited resumes and correspondence;
Completed application forms (paper or on-line format) for employment, benefits, grants and bursaries, volunteer opportunities, business and other program registrations, etc.;
Worksite audits, inspections and assessments in person and through telephone interviews;
Online forms through the website.
5. Limiting Use, Disclosure and Retention
CAP does not use or disclose personal information other than for the purpose for which it was collected, except with the consent of the individual or as required by law.
Notwithstanding the above, CAP may disclose personal information without consent:
To a lawyer representing CAP;
To a company or individual employed by CAP to perform functions on its behalf (e.g. outsourced information processing function, administration of health services plan);
In order to collect a debt owed by the individual to CAP;
To comply with a subpoena, warrant or court order;
As required or authorized by law (e.g. Employment Standards Legislation);
When the information is publicly available (e.g. telephone directory information);
To a public authority in the event of imminent danger to any individual.
CAP obtains consent for all other disclosures of personal information for purposes other than those for which the information was initially collected (e.g. to provide references regarding current or former employees. CAP does not require consent to confirm an individual’s employment record (e.g. confirm years of employment, and position held).
Only CAP employees, contractors, partners or volunteers with a business need-to-know, or whose duties so require, are granted access to personal information.
CAP has developed guidelines and implemented procedures with respect to the retention of personal information. CAP retains personal information only if it is necessary for the identified purpose, or as required by law. Where personal information is used to make a decision about an individual, CAP retains the information, or the rationale for making the decision, long enough to allow the individual access to the information after the decision has been made.
Personal information that is no longer required to fulfill the identified purposes or required by law to be retained is destroyed, erased or made anonymous.
CAP provides our best efforts to ensure that personal information collected, used and disclosed is as accurate, complete and up to date as necessary for the intended purpose.
Personal information is kept sufficiently accurate, complete and up to date to minimize the possibility that inappropriate information may be used to make a decision about the subject individual.
CAP updates personal information as and when necessary to fulfill the identified purpose or upon notification by the individual who is the subject of the information.
CAP protects personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, regardless of the format in which it is held.
CAP has developed and implemented information security policies and procedures that outline physical, organizational, and technological measures in place to protect personal information as appropriate to the sensitivity of the information. These same measures are employed in the safeguarding and protection of information resources of CAP customers.
CAP protects personal information disclosed to, or processed by third parties by contractual agreements which address the following as necessary:
Identifying the types of records provided, collected, created or maintained in order to deliver the service, and specifying any applicable privacy legislation;
Stipulating the confidentiality of the information and the purposes for which it is to be used;
Identifying the organization(s) having custody and control of the records, including the responsibility and process for handling requests for access to information;
Ensuring that third parties and their employees having access to CAP and information assets are aware of, and understand their responsibility to adhere to CAP information handling and security policies, including maintaining the confidentiality of personal information;
Ensuring that CAP has access to information produced, developed, recorded or acquired by third-parties as a result of the contract, including timely access in response to requests for information, and specifying that third-parties shall not deny access to, or retain custody of, personal information because of late or disputed payment for services;
Requiring third parties to report breaches of confidentiality and privacy to CAP Privacy Officer within 48 hours of knowing that the breach occurred;
Addressing disaster recovery and backup of any information assets and systems in the custody of the third-party;
Addressing the disposition (e.g. destruction or return) of all of CAP information assets (e.g. records, hardware, system documentation) upon termination of the contract;
Specifying any audit or enforcement measures that CAP will undertake to ensure that third parties comply with information handling and security provisions outlined in contractual agreements (for example, non-disclosure agreements, audit trails, regular review of third-party access requirements, inspection of third-party premises).
CAP ensures that all employees and volunteers are aware of its privacy policies and procedures and understand the importance of maintaining the confidentiality of personal information.
Care shall be taken in the disposal or destruction of personal information to prevent unauthorized parties from obtaining access to the information.
Upon request, CAP makes available specific information about its policies and practices relating to the management of personal information, including:
The means of gaining access to personal information held by CAP;
Identification of personal information held by CAP, and a general account of its use;
To make an inquiry or lodge a complaint about CAP personal information handling policies and procedures, contact:
CAP Privacy Officer Suite 200, 683 – 10th Street S.W. Calgary, Alberta Canada T2P 5G3 Email: [email protected]
9. Individual Access
Upon request, CAP provides individuals with access to their personal information held by the company. Individuals have the right to challenge the accuracy and completeness of their personal information held by CAP, and to have it amended as appropriate.
All requests by individuals (e.g. customers, employees, volunteers, contractors) to access their personal information held by CAP, or to correct or amend their personal information, should be directed to the designated Privacy Officer. Such requests should be in writing.
CAP responds to requests for access to personal information within 30 business days.
Responding to an individual’s request for information is usually done at no or minimal cost to the individual. However, a fee for reasonable costs incurred may be charged when responding to more complex requests, provided the individual is informed in advance.
In order to safeguard personal information, CAP may request sufficient information from the individual to verify that person’s identity.
10. Limitations to Individual Access
CAP provides individuals access to their personal information, subject to limited and specific exceptions. CAP will refuse access to personal information if:
CAP has disclosed information to a government institution for law enforcement or national security reasons;
It would reveal personal information about a third-party unless there is consent or a life-threatening situation;
Doing so could reasonably be expected to threaten the life or security of another individual;
The disclosure would reveal confidential commercial information;
The information is protected by solicitor-client privilege;
If access to information is refused, CAP shall, in writing, inform the individual of the refusal, the reason(s) for the refusal, and any recourse the individual may have to challenge CAP decision.
11. Correction/Amendment of Personal Information
CAP corrects or amends personal information as required when an individual successfully demonstrates the inaccuracy or incompleteness of the information. Amendment may involve the correction, deletion, erasure, or addition to any personal information found to be inaccurate or incomplete.
Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file. Where appropriate, CAP shall inform any third-parties having access to the personal information in question as to any amendments, or the existence of any unresolved differences between the individual and CAP.
12. Challenging Compliance
Complainants may address inquiries or complaints concerning compliance with these policies or guidelines by contacting CAP Privacy Officer as set out in these Guidelines under Principle 8 (Openness). A complaint may also be addressed in writing to the Privacy Commissioner of Canada at 112 Kent Street, Ottawa, Ontario, K1A 1H3 -or- to the Office of the Information and Privacy Commissioner of Alberta, #410 – 9925 – 109th Street, Edmonton, AB, T5K 2J8, 780-422-6860, www.oipc.ab.ca.
HIPAA and PIPEDA COMPLIANCE
CAP’s cloud services do not include sharing or disseminating the data we do collect to our partners for the purposes of processing and storing PHI, therefore, our partners are not classified as covered entities. Covered entities must enter into contracts to ensure that they adequately protect PHI. These contracts, or BAAs, clarify and limit how the business associate can handle PHI, and set forth each party’s adherence to the security and privacy provisions set forth in HIPAA and the HITECH Act.
The law regulates the use and dissemination of PHI in four general areas:
Privacy, which covers patient confidentiality.
Security, which deals with the protection of information, including physical, technological, and administrative safeguards.
Identifiers, which are the types of information that cannot be released if collected for research purposes.
Codes for electronic transmission of data in healthcare-related transactions, including eligibility and insurance claims and payments.
By definition Protected health information (PHI), also referred to as personal health information, includes demographic information (age, income and education level), medical histories, test and laboratory results, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care.
Last updated: 2022-07-19
BECOME A CAP PARTNER
Be part of the solution to prevent concussions before they occur! Leave your contact information and we will be in touch as soon as we can.