Thinkcatalyst™ — Privacy Policy
– Jan 12/2020


1. Introduction

1.1 Description
Thinkcatalyst has value-based, ethical, and legal obligations to protect Personal Information about its patients, clients, physicians and other staff members. It may also be obliged under contract or other circumstances to protect Confidential Information.
The purpose of this Information Privacy & Confidentiality Policy (“Policy”) is to establish the guiding principles and framework by which Thinkcatalyst and its partners will comply with these obligations, demonstrate accountability for managing Personal Information and Confidential Information, and maintain its trust-based relationship with patients, clients, professional partners, and healthcare partners.

1.2 Scope
This Policy applies to all Staff and to all personal and confidential information, regardless of format or of how it is stored or recorded.
For the purposes of this policy, Staff is defined as all physician partners, nurses, administrative personnel, technology professionals, technology partners, researchers, and other service providers engaged by Thinkcatalyst.

2. Policy

Policy Statement: Thinkcatalyst and its Staff will comply with the BC Freedom of Information and Protection of Privacy Act (FIPPA), the Personal Health Information Access and Protection of Privacy Act (e-Health Act), the standards of the Office of the Information and Privacy Commissioner of Alberta (OIPC), the Office of the Information and Privacy Commissioner of Saskatchewan (IPC), and other legislation, professional codes of ethics and standards of practice.
All Staff must ensure that their practices in collecting, accessing, using or disclosing Personal Information and Confidential Information comply with this Policy as well as with other applicable laws, professional codes of practice and contractual obligations. These obligations for ensuring privacy and confidentiality continue after the employment, contract or other affiliation between Thinkcatalyst and its Staff comes to an end.


2.1 Confidentiality Undertaking
As a condition of employment or affiliation, all Staff must read the Information Privacy and Confidentiality Policy and acknowledge their understanding of their privacy obligations by signing an approved Confidentiality Undertaking (see Appendix I). All Staff will be required to re-affirm their understanding of and commitment to upholding confidentiality on a regular basis as determined by Thinkcatalyst.

2.2 Privacy Education
Staff must complete mandatory privacy education as determined by Thinkcatalyst. Privacy education will be determined based on the Staff roles and responsibilities at Thinkcatalyst.

2.3 Collection of Personal Information
Staff will collect personal information as needed to operate Thinkcatalyst programs or workflows and will not collect more personal information than is required to fulfill those purposes.

Direct Collection:
Where possible, personal information will be collected directly from the individual the information is about. At the time of collection, the individual should be informed of:
– the purpose for the collection;
– the legal authority for the collection; and
– the contact person if the individual has any questions about the collection.

Indirect Collection:
In circumstances where it is not possible or practical to collect information directly from an individual, and where it is not possible to obtain consent for another method of collection, Thinkcatalyst can indirectly collect personal information as authorized, including:
– when the information is necessary to provide medical treatment; and
– when the information is necessary to facilitate ongoing medical treatment, in which case it may be collected from or shared with other Health Authorities or health care providers.

2.4 Use of Personal Information
Staff may access and use personal information for legitimate purposes on a “need to know” basis in order to perform their job functions and responsibilities.

Primary Use:
Thinkcatalyst primarily collects personal information for providing health care services to patients and for facilitating the access of social and municipal programs for clients. Staff may use personal information for the provision of care and for administrative and other support functions related to direct care.

Secondary Use:
Staff may use personal information for purposes related to the provision of care (“Secondary Purposes”) only if the purpose has a reasonable and direct connection to the provision of health care or social services and is required for an operating program of Thinkcatalyst or one of our healthcare / social services partners. For example:
– Program evaluation and monitoring, including quality improvement;
– System administration;
– Privacy and security audits; and
– Medical education and training related to Thinkcatalyst programs or programs of one of our academic partners.

As a general rule, Staff should limit the amount of personal information used for a secondary purpose to only that which is necessary to achieve the purpose. Where possible, personal identifiers (e.g. name, birth date, PHN, MRN, home address, postal code, personal phone number, SIN, employee ID number, etc.) should be removed from records and documents, such as statistical management reports or sample electronic health records used for system training.

2.5 Disclosure of Personal Information
The following are examples of circumstances in which Personal Information may be disclosed.

Disclosure or sharing for continuity of care:
Staff may share or disclose personal information on a “need to know” basis to other health care providers or members of the care team for continuity of care purposes.

Disclosure for safety purposes:
Staff may, without requiring consent, disclose personal information necessary to provide warning or to avert a risk:
– Where compelling circumstances exist affecting the health or safety of any individual; or
– To protect the public in circumstances where there is a risk of significant harm to the environment or to the health or safety of the public or a group of people.

Good-faith Decision-making
Thinkcatalyst will not dismiss, suspend, demote, discipline or otherwise disadvantage a Staff member who, acting in good faith and upon a reasonable belief, discloses personal information necessary to provide warning or to avert risk where immediate action is required to prevent harm to any person’s health or safety.

Disclosures to Law Enforcement
For disclosures of personal information to law enforcement (e.g. mandatory demands such as court orders or search warrants, requests by law enforcement, or Thinkcatalyst-initiated reporting to law enforcement), the Data Protection Officer will be notified and appropriate action will be taken consistent with regional regulations and/or provincial laws.

Disclosure Outside of Canada:
Staff will not access, transfer or store personal information outside of Canada, except with the consent of the individual or as otherwise permitted by FIPPA (e.g. for temporary access for systems support). Staff will consult with the Information Access and Privacy Office prior to implementing any program or other initiative in which personal information will be transferred, stored or accessed outside of Canada.

Requirements before disclosing or allowing access to personal information to third parties:
Where personal information is shared with, accessed by or stored by a third-party vendor, contractor, agency or other organization, Staff must ensure that such individuals or vendors comply with standards of privacy equivalent to those of the Personal Health Information Access and Protection of Privacy Act (e-Health Act) of BC or of the OIPC of Alberta or Saskatchewan.

Disclosure for Research Purposes:
The disclosure of personal information to Staff or third parties for research must be done in accordance with Section 35 of FIPPA (or the equivalent statutes in Alberta and Saskatchewan) and must have Research Ethics Board approval. Access to personal information may require the execution of an information sharing agreement and may also be subject to applicable policies of the OIPC and/or IPC.

Disclosure for Fundraising Purposes:
Personal information can only be shared with Hospital Foundations if explicit consent has been obtained. Foundations are considered to be separate organizations from the corporation, and fundraising is not a purpose consistent with the normal collection of personal information.

2.6 Accuracy of personal information and handling requests for correction of personal information

Thinkcatalyst and its Staff will take all reasonable steps to ensure the accuracy and completeness of any personal information they collect or record, and will be diligent in protecting against errors due to carelessness or other oversights.

2.7 Retention and Destruction of Personal Information
Thinkcatalyst must retain records containing personal information for a minimum of one year if the personal information is used to make a decision that directly affects the individual the information is about.

When Personal Information is to be destroyed, by request of Thinkcatalyst users or due to account inactivity, Staff will follow the Thinkcatalyst guidelines and procedures for the secure destruction of personal information to ensure the information is destroyed, erased or made anonymous.

2.8 Protecting Information
Staff must take “reasonable security precautions” to ensure that all personal information and confidential information is protected against unauthorized access, collection, use, disclosure, or disposal. Staff are expected to be familiar with, maintain and enforce the physical and technical security measures applicable to their own program areas and must be aware of and adhere to applicable policies, including IMITS policies as well as any guidelines for protection of personal information.

2.9 Reporting Privacy Breaches
Staff must immediately report any actual or suspected privacy breaches or violations of this policy, including the theft or loss of personal information, devices or paper records, to the Information Access and Privacy Office. Privacy breaches will be dealt with in accordance with the Managing Privacy Breaches Policy.

If Staff wish to report anonymously, they can follow the process set out in the Thinkcatalyst Safe Reporting Policy.

2.10 Privacy Impact Assessment
A Privacy Impact Assessment (PIA) must be completed before implementing or significantly changing any program or system that involves collection, use, disclosure or storage of personal information.
Thinkcatalyst should contact the Information Access and Privacy Office, the OIPC of Alberta and/or the IPC of Saskatchewan, which will determine whether a PIA is required and will support the process. Completing the PIA and addressing any compliance gaps it identifies is the responsibility of Thinkcatalyst.

2.11 Release of Information Requests
Health Records:
– Staff may provide patients/clients with a copy of a document if it was completed with the patient/client present (e.g. patient assessment, care plan).
– Patients/clients requesting a copy of their entire health record, or of health records that are narrative in nature (e.g. progress notes, transcribed reports), should direct their request to the Thinkcatalyst Data Privacy Officer.

2.12 Compliance Monitoring and Auditing
Thinkcatalyst divisions must conduct appropriate reviews and audits of their systems and processes to ensure compliance in accordance with the Thinkcatalyst Privacy Policy.

2.13 Reporting Privacy Breaches
Staff must immediately report any actual or suspected breaches of privacy, including the theft, loss or attempted theft of personal information. Privacy breaches shall be dealt with in accordance with Thinkcatalyst policy: Managing Privacy Breaches.

2.14 Challenging Thinkcatalyst’s Compliance with this Policy

Thinkcatalyst, through the Information Access and Privacy Office, the OIPC of Alberta and/or the IPC of Saskatchewan, will investigate all complaints from individuals concerning compliance with this policy. If the complaint is found to be justified, appropriate measures will be taken, including amending policies and procedures where required. The individual will be informed of the outcome of the investigation.

2.15 Compliance
Failure to comply with this policy may result in disciplinary action including, but not limited to, the termination of employment, loss of computing privileges, loss of privileges, prosecution and restitution for damages.

3. Procedure

3.1 Responsibilities
Accountability for Thinkcatalyst’s compliance with this policy rests with the Data Protection Officer. This position is responsible for oversight of and compliance with this policy; other Staff within Thinkcatalyst are responsible for the day-to-day collection, processing and protection of personal information.

3.2 Role of the Data Protection Officer (DPO)
– General oversight of privacy practices within Thinkcatalyst and maintenance of breach and compliance policies;
– Providing privacy education to Staff and promoting good privacy practices throughout the organization;
– Responding to questions from Staff, patients, clients and members of the public concerning collection, access, use and disclosure of personal information;
– Investigating potential and actual breaches of this Policy brought to its attention and reporting breaches in accordance with PHC breach policies;
– Supporting the completion of Privacy Impact Assessments (PIAs);
– Managing Freedom of Information (FOI) requests; and
– Acting as the point of contact for the Office of the Information and Privacy Commissioner of British Columbia (OIPC), the OIPC of Alberta, and/or the IPC of Saskatchewan when complaints are received about Thinkcatalyst’s privacy compliance.

3.3 Thinkcatalyst managers
– Overseeing compliance with this Policy by Staff within their area(s) of responsibility.

3.4 Staff
– Ensuring that appropriate steps are taken to protect personal information and confidential information at all times;
– Ensuring that access to and disclosure of personal information or confidential information is only made by or to authorized individuals;
– Complying with the OIPC of British Columbia, OIPC of Alberta, and IPC of Saskatchewan policies and security requirements developed for the use of electronic systems; and
– Reporting to the above offices any actual or suspected breaches of privacy or of this Policy and cooperating with any related investigations.

The obligations for ensuring privacy and confidentiality set out in this policy continue after the employment, contract or other affiliation between Thinkcatalyst and its Staff ends.

4. Information Technology and Data Collection

4.1 IT (information technology) Information Collection

Thinkcatalyst requests that patients and clients supply personal data, which includes individually identifiable information, when placing orders, such as name, physical address, email address, and healthcare numbers (“Personal Information”). This Personal Information is necessary for providing health care services and social services, protecting our legitimate interest and complying with legal and financial regulatory obligations to which we are subject. We do not rent, sell, or share users’ information with third parties except as described in this Privacy Policy.

When users use a Thinkcatalyst website or technology platform, users consent to the collection, storage, use, disclosure and other uses of Personal Information as described in this Privacy Policy.

We encourage our users to carefully read the Privacy Policy and use it to make informed decisions.

4.2 Information we collect

Thinkcatalyst collects personal information, including:

Name and contact information, including mobile phone number, email address and healthcare number. In addition, when users use a Thinkcatalyst website or IT platform we automatically receive and record information from the browser or mobile platform, including location, IP address, cookie information, and activity on the site. This information is stored in our server logs in order to enhance the functionality of our IT systems.

4.3 What we do with collected information

We may use this information for the following:

– communication regarding medical or social services care;
– updating records for the purpose of retaining records;
– protecting our legitimate interest;
– compliance with legal and government regulatory obligations to which we are subject;
– improvement of Thinkcatalyst and its associated IT platforms;
– prevention of unlawful activities;
– evaluation of our medical and social services workflows and for the purposes of medical research, medical education, and analysis of our company outcomes.

We may contact patients, clients, and team members by e-mail for the purposes set out in this section. By submitting such information to us, users are deemed to have agreed to being contacted by email. We will continue to contact users by this method until they advise us in writing, through our “Privacy Center” application, that they no longer wish to be contacted.

4.4 How we collect information

We receive personal information from various sources:

– when users voluntarily provide us personal details in order to register on our websites or platforms;
– from medical consultations with other physicians; and
– from medical consultations with allied health team members.

4.5 Managing your information

Thinkcatalyst employs procedural and technological measures designed to protect personally identifiable information from loss, unauthorized access, disclosure, alteration or destruction. Thinkcatalyst uses SSL, encryption of data in transmission and other encryption, two-factor authentication, password protection, firewalls, internal access restrictions and other security measures to help prevent unauthorized access to personally identifiable information.

Although we take reasonable steps to safeguard information, we cannot be responsible for the acts of those who gain unauthorized access or abuse our systems, and we make no warranty, express, implied or otherwise, that we will prevent such access.

4.6 User Rights

Users may request to:

– receive a copy of the personal information they directly volunteer to us in a structured, commonly used and machine-readable format;
– request rectification of their personal information that is in our control;
– request erasure of their personal information; and
– object to the processing of personal information by us.

For any questions or comments, or if users want to update, delete or change any personal information we hold, or have a concern about the way in which we have handled any privacy matter, please contact our DPO by email (dataprivacyofficer@watch.clinomics.ca) or visit our “Privacy Center” at https://watch.thinkcatalyst.ca/privacy-center.

4.7 Marketing

Thinkcatalyst may use personal information for the purpose of providing users with medical information or products which we believe may be of interest.

These marketing materials will include an opportunity to decline receiving further marketing offers from us. If users unsubscribe we will remove their email address from our medical information / products distribution list.

Please note that even if users have unsubscribed from receiving marketing emails from us, we may send other types of important email communications. These may include announcements about Thinkcatalyst or about individual accounts.

4.8 Cookies

We use cookies and other technologies on our IT systems. A “cookie” is a small piece of information that a website assigns to a user’s device while the user is viewing the website. Cookies can be used for various purposes, including allowing users to navigate between pages efficiently, enabling automatic activation of certain features, remembering preferences, and making the interaction between users and our IT systems quicker and easier. Cookies are also used to help ensure that the advertisements users see are relevant to their interests and to compile statistical data on the use of specific websites.

Users can disable cookies in their browser and delete all cookies currently stored on their computer by modifying their browser’s preferences appropriately.

Thinkcatalyst uses cookies. This site uses cookies to personalize content, make web experiences more efficient and analyze traffic. We do not give this information to any third-party organizations.

Currently, Canadian law allows us to store cookies on a user’s device if they are strictly necessary for the operation of this site. For all other types of cookies we need the user’s permission; if we were to use such cookies, we would seek that permission.

5. Supportive documents

5.1 Managing a privacy breach

Policy

If a privacy breach is suspected or confirmed, Staff will take the following steps:
1. Contain the breach
2. Report to the department manager
3. Report to the Data Protection Officer
4. Assist the Data Protection Officer in their investigation and follow-up as required

5.1 Identifying a Privacy Breach
A Privacy Breach is any loss, theft, intentional or inadvertent unauthorized access to, or collection, use, disclosure, or disposal of personal information, whether recorded or not (verbal), and regardless of format.

Examples of privacy breaches include, but are not limited to:
• the theft or loss of records containing personal information;
• the theft or loss of devices that store personal information, including laptops, PCs, mobile devices, and removable storage devices (USBs or external hard drives);
• accessing/viewing personal information other than that required to perform a job function;
• disclosing personal information to others who do not require the information to perform their job function; or
• misdirecting faxes or emails.

5.2 Containment
Upon discovering a suspected or confirmed breach of personal information, Staff must take immediate steps to contain the breach, which could include but are not limited to:
• Stopping any unauthorized practice;
• Recovering records;
• Securing (e.g. shutting down) the system that was breached;
• Securing the physical area where the breach occurred; and/or
• Contacting security and/or police if applicable (e.g. when witnessing a crime in progress).

5.3 Reporting
Staff must report all suspected or confirmed privacy breaches to their department manager and to the Data Protection Officer.

5.4 Investigation
The Data Protection Officer will promptly investigate all suspected and confirmed privacy breaches, evaluate risks, and take appropriate actions to mitigate any risks arising from the breach. Staff will support the Data Protection Officer in the investigation and follow up activities.
The Data Protection Officer will manage the investigations in a manner consistent with the guidelines set out by the OIPC of British Columbia, OIPC of Alberta and/or the IPC of Saskatchewan.

5.5 Notification
Thinkcatalyst endorses the principle of disclosure when there has been a confirmed privacy breach. The Data Protection Officer will determine whether notification of the privacy breach to the affected individuals and/or to the Data Protection Officer is required. If required, the Data Protection Officer will determine the manner in which the individuals will be notified (e.g. written, verbal) and will support the notification process.

5.6 Responsibilities

Thinkcatalyst Staff are responsible for:
• identifying a privacy breach;
• taking immediate actions to contain the breach;
• reporting privacy breaches to his/her department manager;
• reporting to the Data Protection Officer;
• cooperating and participating in the privacy breach investigations as requested; and
• undertaking remedial and preventative follow-up action as recommended by the investigation.

Department Managers are responsible for:
• ensuring their Staff are aware of this policy and their responsibilities for privacy breach reporting;
• ensuring all privacy breaches discovered by Staff within their program area are reported to the Data Protection Officer;
• cooperating and participating in the privacy breach investigation as requested; and
• undertaking remedial and preventative follow-up action as recommended by the investigation.

The Data Protection Officer is responsible for:
• coordinating investigations, identifying risks, and documenting all privacy breaches;
• managing privacy breaches in a manner that is consistent with the guidelines set out by the OIPC or IPC and other generally accepted practices;
• determining if affected individuals or organizations should be notified, and if so, the manner in which the notification should occur (e.g. written, verbal);
• notifying other departments as appropriate;
• notifying the OIPC / IPC as required; and
• developing and delivering privacy education to Staff and promoting awareness of this policy and related privacy policies and guidelines.

5.7 Compliance
All staff are expected to cooperate with the Data Protection Officer and assist in a thorough and timely investigation of all privacy incidents. Failure to comply with this policy may result in disciplinary action including, but not limited to, the termination of employment, loss of professional privileges, prosecution and restitution for damages.