Privacy and Confidentiality
Purpose:
V!VA Retirement Communities is committed to protecting the privacy and confidentiality of personal information and personal health information in its custody and control. All V!VA Retirement Communities entities are both legally and ethically responsible for the information generated, used and stored within their service delivery. As such, V!VA’s policies and procedures on how that information is collected, used, accessed, maintained, disclosed, and destroyed are outlined in this policy.
This policy is created in conjunction with guidelines provided by Ontario’s Personal Health Information Protection Act, 2004 (PHIPA) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Policy:
It is the responsibility and obligation of all Team Members, agents, and/or those affiliated either directly or indirectly with V!VA to ensure that information to which they have access is kept private and confidential.
Each Community will have a designated Community Privacy Officer, and that person will be the Community Director or designate in his/her absence and as approved by the Company Privacy Officer.
In the course of their employment with V!VA Retirement Communities, Team Members may receive or have access to confidential or sensitive information about V!VA Retirement Communities, its Team Members, Community Members, and families. Team Members will also acquire knowledge of certain business practices including trade secrets belonging to V!VA Retirement Communities. Trade secrets and confidential or proprietary information are defined as any information or idea including but not limited to market research data, Community operations, customer knowledge, marketing strategies, personnel information, financial data and any other information that is used to establish or maintain the company’s position in the marketplace.
Contracted and Private Care Service Providers: All information obtained during an affiliation with any V!VA entity must be held in the strictest confidence. All reasonable measures must be taken to ensure that information is collected, used, accessed, and disclosed for a lawful purpose and only in circumstances necessary and authorized for Community Member care, research, education and/or as necessary in the conduct of business of the organization, and for other purposes as required or permitted by law.
Collection, use, access, sharing, disclosure, maintenance, or disposal of information must be done in accordance with the appropriate legislative authority, professional standards, scope of practice or responsibility, codes of ethics, and V!VA’s Policies, including this one.
Definitions of Company, Personal and Personal Health Information and Other Terms
Company Information
For the purposes of this policy, company information includes information in any form that is provided, generated, or produced for or by V!VA Retirement Communities and/or a V!VA Retirement Community.
Information, documents, tools and resources prepared by Team Members for V!VA Retirement Communities are considered proprietary to V!VA and, as such, are protected by our Privacy and Confidentiality policy.
Company information includes any factual or subjective information, whether it is recorded or not, about V!VA, any of its employees, its materials and/or customers, business partners or investors.
Personal Information
For the purposes of this policy, personal information for Team Members includes information in any form that is reasonably required by V!VA Retirement Communities for the purpose of establishing, managing, or terminating our employment relationship.
For Community Members it includes information in any form that is reasonably acquired by V!VA for the purpose of and/or establishing or managing care or residency needs prior to, during and post residency which may also include information related to the termination of a lease agreement.
Personal information includes any factual or subjective information, whether it is recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, ID numbers, suite number, income, ethnic origin, marital/family status, or blood type
- opinions, evaluations, comments, social status, or disciplinary actions
- employee files, resumes, letters of reference, reference checks, police and Vulnerable Sector checks, annual declarations, credit records, loan records, medical records, personal phone number(s) or email addresses
- Photographs and images
Personal information does not include names, title, business address or business telephone number.
Personal Health Information
Personal Health Information includes any factual or subjective information, whether it is recorded or not, about an identifiable individual. This includes information in any form, such as:
- the physical or mental health of the individual, including information respecting the individual’s health care status and history and the health history of the individual’s family;
- the provision of health care to the individual, including information respecting the person providing health care;
- medical information provided by a Team Member, Community Member or family member, or any related medical information provided by a physician or Community Members of a circle of care;
- opinions, evaluations, or comments about health or conditions;
- the donation by an individual of a body part or bodily substance, including information derived from the testing or examination of a body part or bodily substance;
- registration information;
- payments or eligibility for a health care program or service in respect of the individual, including eligibility for coverage under insurance or payment arrangement with respect to health care;
- an individual’s entitlement to benefits under or participation in a health care program or service;
- information about the individual that is collected in the course of, and is incidental to, the provision of a health care program or service or payment for a health care program or service;
- a drug as defined in the Pharmacy Act, a health care aid, device, product, equipment, or other item provided to an individual under a prescription or other authorization issued by a health care professional; or
- the identity of a person’s representative or guardian.
Types of Information Considered Private and/or Confidential
Information that is to be kept confidential and private and not disclosed unless permitted or required by policy or legislation, is information that would not otherwise be publicly available and includes, but is not limited to:
Prospect or Community Member Medical & Health Related Information: any information regarding a prospect’s or Community Member’s medical condition, health status, diagnosis, or medications.
Community Member Knowledge: personal information related to the Community Member regardless of the source of that information e.g. details or information contained within wills or other Community Member private documents, lists generated by V!VA e.g. lists with names, contact information, phone numbers including contacts and sales statistics, Community Member images or photos.
Operational/Service Delivery: strategies, tactics, training, policies and procedures, documents and marketing information obtained through working at V!VA including but not limited to V!VA branded programs (V!VAfit, V!VAlicious, Service Culture Standards, Happier Here Guarantee, etc.).
Development, Business & Strategic Plans: company and/or Community-specific strategic, business, or future plans whether formal, in development or anticipated. This includes but is not limited to human resources, compensation, succession, and/or operational plans and/or any documents marked private and/or confidential.
Marketing Strategies: prospective customer targets, forecasts, key target markets, marketing and advertising materials, and strategic planning knowledge.
Human Resources: Team Member compensation agreements, job descriptions, organizational structure, status and any individual personal or health-related information.
Financial Data: all data up to and including V!VA’s financial statements, situation/status/relationships, depository/bank information, sales figures, forecasts, accounts payables and receivables, salaries, and all financial information.
Investors: any information obtained through the course of V!VA work related to investors, their families, investments, holdings or related information.
Software: codes, login or password information; interface or technical information.
For more information about types of information considered private and/or confidential, see the section below entitled: Reasonable Limits: Definition of Personal Information and Personal Health Information.
Artificial Intelligence
V!VA Retirement Communities’ Team Members are not permitted to enter confidential data about a Community Member or Team Member, or any of V!VA’s proprietary information, into an AI tool without written approval from V!VA’s Privacy Officer or Community Privacy Officer.
Explicit consent from the Community Member or Team Member must be obtained when their personal information is used in a public AI tool, in accordance with applicable privacy legislation.
Team Members are expected to act in accordance with this Privacy and Confidentiality Policy at all times while using AI tools. All information identified in the Types of Information Considered Private and/or Confidential section above is subject to protection from use within any AI tools.
Where access to AI tools has been approved, Team Members must not share their company-issued AI accounts and/or devices with other Team Members, whether they are authorized to use the AI tool or not. Any security concerns regarding an AI tool must be reported to V!VA’s Privacy Officer or the Community Privacy Officer immediately.
All AI systems used and approved by V!VA must be designed to protect confidential information. This includes ensuring that data used by AI systems is anonymized where possible and that access to confidential information is restricted to authorized personnel only.
V!VA Retirement retains ownership of all data provided to or generated by AI systems. Vendors and third parties are prohibited from using this data for any purpose other than providing the agreed-upon services.
Vendors and third parties are not allowed to use confidential information to train or improve their AI models without explicit written consent from V!VA’s Privacy Officer.
For other information related to artificial intelligence, see V!VA’s Artificial Intelligence Policy in the People Handbook.
Legal and Other Administrative Information
Information may be in several formats including, but not limited to, paper, electronic, film, visual, or verbal communication.
Personal and personal health information should only be collected, accessed, used, and disclosed on a need-to-know basis by Team Members, agents, contractors, and all those affiliated with V!VA, keeping in mind that the authorized collection, access, use, and disclosure should be limited to the minimum amount necessary, and as defined by their role within the organization.
Access to personal information is permitted only for the purpose of employment or affiliate duties or for conducting business as per a contract or agreement. For more information on appropriate collection, access, use, and disclosure of personal health information for the purpose of providing care, please refer to PHIPA.
Intentional, as well as unintentional access, collection, use, disclosure and/or viewing of confidential information that is not necessary for the performance of one’s assigned responsibilities or duties is a breach of privacy and confidentiality, even if that information is not disclosed to another party.
Hardcopy information obtained or acquired in order to provide services must not be removed from the Community at any time without the expressed permission of the Community Privacy Officer.
Any Team Member, agent, or affiliate whose relationship/employment ceases with V!VA, or any supplier/contractor whose contract ends with V!VA, is required to treat all information obtained as a result of that service and covered by this policy as confidential/private indefinitely and must not disclose it to any third party, for any reason, unless given written authorization from V!VA or required by law.
Additionally, an employee, agent, affiliate, or contractor must also return to V!VA all information covered in this policy or destroy the information in a manner authorized by V!VA and ensure the protection of that information from unauthorized access, use, or disclosure, unless otherwise specified in a contract or agreement and subject to applicable legislation.
Definitions & Acronyms
Affiliate: A person authorized by V!VA, to act on its behalf or on behalf of another public body. This term includes designated staff within the Department of Child Youth and Family Services and other people who are affiliated with V!VA.
Affirmation: A solemn declaration made instead of an oath that has the same legal effect as an oath.
Agent: A person authorized by V!VA to act on its behalf. This term includes physicians, nurses, volunteers, Team Members and contractors and other persons working within V!VA facilities or affiliated with V!VA.
Confidentiality: The duty to protect, respect and maintain the privacy of personal health and business information, the obligation to refrain from disclosing personal health information outside the “circle of care” or business information to others not involved with the use of the information in the normal course of their authorized work.
Privacy of Information: The right of an individual within limits to determine when, how and to what extent personal information is collected, used and disclosed about him/herself.
Disclosure: The provision or communication of personal health or business information outside of the authorized uses described.
Circle of Care: The circle of care includes the persons participating in and activities related to the provision of health care to the individual who is the subject of the personal health information and includes necessarily incidental activities such as laboratory work and professional consultation.
Notary Public: A public officer or other person authorized to authenticate contracts, acknowledge deeds, take affidavits, protest bills of exchange, take depositions, etc.
Source: http://dictionary.reference.com/browse/notary+public
Service Provider: An individual or organization that provides services to a Community Member. The service provider could be private, provided by government resources or arranged by V!VA. In some contexts, V!VA Retirement Communities may be the service provider.
Privacy/Confidentiality Oath/Affirmation
As a condition of employment or of engagement as a contracted service provider (e.g., agency worker, primary care giver, other wellness services provider), Team Members and service providers will be required to sign a Privacy and Confidentiality Agreement. Violation of the Privacy and Confidentiality Agreement could lead to disciplinary action up to and including termination and possibly legal action if deemed appropriate.
Breach of Confidentiality and/or Privacy
Individuals and corporations at V!VA Retirement Communities may be held accountable for breaches of confidentiality and/or privacy.
A breach includes intentional or unintentional unauthorized access to, use, disclosure, and/or disposal of confidential information. Some examples of potential breaches include but are not limited to the following:
- email sent to the wrong Community Member and/or family and/or other Team Members;
- inclusion of Team Members or others in an email that contains private or confidential information;
- texting or emailing information using an unapproved V!VA device;
- forwarding information from an approved V!VA device to a personal/unapproved device;
- paper Community Member records that fell out of a garbage can or were left on a desk;
- dispensing of medications in an unsecured or public area of the Community;
- unauthorized sharing of passwords or user information to access devices;
- knowledge about information being shared or used inappropriately and not reporting;
- leaving a Wellness mobile device unattended or removing it from the Community;
- discussing private or confidential information about a Community Member with others or in a public area where others can hear the conversation;
- a cyber-attack.
In addition, unauthorized posting, sharing or disclosure of personal information or personal health information in any format, including on social media websites (e.g. Facebook, X, Instagram, Snapchat, TikTok, etc.) is considered a privacy breach.
All V!VA Team Members, agents, or affiliates have a responsibility to report breaches of confidentiality and/or privacy. If a breach is suspected it must be reported to a Community Manager, who must report the concern to the designated Community Privacy Officer. Team Members, agents, or affiliates can report directly to the Community Privacy Officer as well as or instead of a manager.
Community Privacy Officers are required to advise V!VA’s Privacy Officer, the Vice President of Community Experience (or designate in their absence) as soon as possible upon learning about a breach or proceeding with an investigation regarding a reported breach.
If it is established that a breach of confidentiality and/or privacy has occurred, those individuals or corporations deemed responsible may be subject to penalty or discipline up to and including termination of employment, cancellation of contract or services, termination of the relationship with V!VA, withdrawal of privileges, and/or legal action. Where applicable, reporting to an individual’s professional regulatory body will be considered.
Privacy and Confidentiality Breach Protocols
In the event of a privacy breach, the scope and depth of the breach will be determined, and all relevant Team Members will be identified and, as appropriate, informed of the breach and next steps. Every effort will be made to contain the breach as soon as possible.
The following steps will be taken to contain a privacy breach:
- retrieve and secure any personal information that has been collected, used, or disclosed without authority.
- ensure that no copies, including digital copies, have been made or retained by the individual who was not authorized to receive or use the information.
- determine whether the breach would allow unauthorized access to any other personal information – for example on an electronic information system – and take necessary steps to prevent a further breach, such as changing passwords or temporarily shutting down your system.
At the first reasonable opportunity following the breach (lost, stolen, used or disclosed without authority) of a Team Member or Community Member’s personal information, they will be informed. The notice must:
- provide a general description of the breach in easy-to-understand language;
- inform the individual of any steps you have taken to:
  - mitigate adverse effects on the individual; and
  - prevent a similar breach from happening;
- provide contact information for a designated V!VA Team Member who can provide additional information; and
- advise the individual of their right to complain to the Information Privacy Commission of Ontario.
V!VA will assess all breaches of confidentiality in conjunction with the guidelines provided by PIPEDA and/or PHIPA and report breaches to Ontario’s Information and Privacy Commissioner and/or the Office of the Privacy Commissioner of Canada, as required.
Collection, Use and Disclosure
The following section outlines how V!VA collects, uses, and discloses personal information and personal health information.
Reasonable Limits
While every effort is made to maintain confidentiality and privacy, V!VA recognizes that, in practice, reasonable limits may be placed on the principle of confidentiality.
The actual facilities and dynamic environment in which services are provided can limit the degree to which privacy and confidentiality can be protected (e.g., close proximity to each other, home visit environments, crowded events).
Understanding the environmental limitations in a retirement home setting, information that is considered confidential and private is not to be discussed in any public location (e.g., elevators, lobbies, cafeterias, off premises, Making Today Great Meetings) where others, not entitled to receive that information, are present and likely to overhear.
Investigation of privacy/confidentiality breaches and/or other organizational processes defined by V!VA policies may necessitate disclosure of personal information and/or personal health information to Team Members not routinely privy to this level of access. In these cases, every effort will be made to limit the information shared on a ‘need to know’ basis for the purpose of the investigation and all Team Members receiving private or confidential information will be required to ensure the information received always remains confidential, including when the investigation is complete.
Collection of Personal Information
A: Team Members
Before V!VA collects personal information, we will explain the purpose of its collection. We collect Team Member personal information:
- for recruiting and contracting purposes
- to administer payroll and benefit plans
- to administer vehicle insurance and verify driver’s license status
- to process any benefit or other claims you may have, such as WSIB or medical related claims
- to manage our employment relationship, including any performance evaluations, incentive programs, or disciplinary measures
- to establish training or development requirements
- to identify a contact person in the event of an emergency
- to comply with applicable employment and human rights legislation
V!VA may collect, use and disclose employment-related personal information without consent if it is reasonable for the purposes of establishing, managing or terminating our employment relationship.
If consent is required, V!VA will explain why the information is being collected and how we intend to use it.
Team Members will be deemed to consent to the collection, use or disclosure of the personal information if, when the information was given, the purpose would be obvious to a reasonable person. For example, individuals who submit their resumes are deemed to consent to their use for recruitment and hiring purposes.
B: Community Members
Before V!VA collects personal information, we will explain the purpose of its collection. We collect Community Member personal information directly from an individual to:
- Evaluate and assess the ability of V!VA Retirement Communities to provide a safe and secure living environment
- determine the care and services required to live safely, promote independence and thrive in a community setting
- facilitate rent and ancillary services payments
- verify eligibility for a parking space
- identify a contact person in the event of an emergency or death
- comply with the applicable Ministry of Health and RHRA requirements.
V!VA will collect information indirectly under the following circumstances:
- the Community Member or Substitute Decision Maker provides their consent.
- the information is necessary for the provision of health care and direct collection is not reasonably possible.
- the information is needed for an investigation, proceeding or statutory function of the Community and/or its responsibilities.
- the Privacy Commissioner of Ontario authorizes the indirect collection.
- the information is collected from a person who is permitted or required by law to disclose it to V!VA Retirement Communities.
V!VA may collect, use, and disclose related personal information without consent if it is reasonable for the purposes of establishing and/or managing or terminating the lease agreement.
If consent is required, V!VA will explain why the information is being collected and how we intend to use it.
Team Members and Community Members will be deemed to consent to the collection, use or disclosure of the personal information if, when the information was given, the purpose would be obvious to a reasonable person. For example, individuals who submit their resumes are deemed to consent to their use for recruitment and hiring purposes. Prospects who agree to participate in the discovery process during a sales meeting are deemed to consent to the use of their information for determining suitability for moving into the Community.
V!VA may collect personal information without an individual’s knowledge or consent:
- if it is clearly in their best interests and consent is not available in a timely way
- for the planning or delivery of programs or services
- risk management, error management or activities to improve or maintain the quality of care or any related program or service
- educating agents to provide health care
- research, provided specific requirements and conditions are met
- if knowledge and consent would compromise the availability or accuracy of the information and collection is required to investigate a breach of an agreement or contravention of a federal or provincial law
- for journalistic, artistic, or literary purposes
- if it is publicly available as specified in the regulations
Use of Personal Information
V!VA may use personal information without the individual’s knowledge or consent:
- for the planning or delivery of programs or services
- for the education of agents to provide care
- if we have reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial, or foreign law and the information is used for that investigation
- for an emergency that threatens an individual’s life, health, or security
- for statistical or scholarly study or research (as long as we notify the Privacy Commissioner before using the information)
- if it is publicly available as specified in the applicable government regulations
- if the use is clearly in your interest and consent is not available in a timely way (3rd party company-approved training sites and/or apps)
- if knowledge and consent would compromise the availability or accuracy of the information and collection was required to investigate a breach of an agreement or contravention of a federal or provincial law.
V!VA Retirement Communities and its entities will not sell Team Member or Community Member personal or health related information to a 3rd party for any reason. Where access to personal or health-related information is required to improve existing software platforms, or to upgrade or introduce new software platforms, V!VA will conduct an audit to ensure compliance with the recommended standards as set forth in the guidelines provided by both PHIPA and PIPEDA.
Collection and Use of Photographs and Images
Photos/images: while photos and images can be taken of Community Members and Team Members, sharing or use of those photos/images must be done with express consent from the party(ies). A consent form is required for the use of photos/images for marketing or social media purposes for both Team Members and Community Members. Community Member consent forms are reviewed and provided in the Residency Agreement package; Team Members are asked to consent during onboarding and orientation. Signed copies of photo/image consent forms are retained in the Community Member’s and Team Member’s respective files.
No one is permitted to share photos or images on personal or non-V!VA approved devices/computers/laptops and/or applications (e.g. WhatsApp, texting, Messenger) without express consent of the individual (Team Member or Community Member).
Disclosure of Personal Information
V!VA may disclose personal information without the individual’s knowledge or consent only:
- to a lawyer representing the organization
- if the disclosure is reasonably necessary for providing health care and consent cannot be obtained in a timely manner, unless there is an express request from the individual instructing otherwise
- for the purpose of contacting a relative or friend or potential substitute decision-maker of an individual who is injured, incapacitated or ill and unable to give consent personally
- for determining or verifying eligibility for publicly funded health care or related goods, services or benefits
- for the purpose of administration and enforcement of various Acts by the professional Colleges and other regulatory bodies (i.e. Retirement Home Regulatory Authority)
- to eliminate or reduce a significant risk of serious bodily harm to a person or group of persons
- to collect a debt owed to us
- to comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction
- to a government institution that has requested the information, identified its lawful authority, and indicated that disclosure is for the purpose of enforcing, carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law; or suspects that the information relates to national security or the conduct of international affairs, or is for the purpose of administering any federal or provincial law
- to conduct an investigation or to an investigative body named in the applicable legislation or regulations or government institution on our initiative when we believe the information concerns a breach of an agreement, or a contravention of a federal, provincial, or foreign law, or suspect the information relates to national security or the conduct of international affairs
- if made by an investigative body for the purposes related to the investigation of a breach of an agreement or a contravention of a federal or provincial law
- in an emergency threatening the individual’s life, health, or security (we will inform the individual of the disclosure)
- for statistical, scholarly study or research (we will notify the Privacy Commissioner before disclosing the information)
- to an archival institution
- 20 years after your death or 100 years after the record was created, if available
- if it is publicly available as specified in the applicable regulations
- if required by law.
Disclosures Relating to Health Care Providers
V!VA may disclose personal and/or health information to health care practitioners, long-term care providers and persons or organizations who operate programs and services if:
- the disclosure is reasonably necessary for the provision of health care;
- it is not reasonably possible to obtain consent in a timely way; and
- the Community Member has not instructed V!VA to not make the disclosure.
If the Community Member requests that V!VA not disclose all of the personal and/or health information V!VA considers reasonably necessary for the purpose of providing healthcare, V!VA will inform the requesting person/organization of this fact.
V!VA may also disclose personal and/or health information to receive payments for services, or for the purpose of contacting next of kin, a substitute decision-maker or Power of Attorney for Healthcare if the Community Member is injured, incapacitated or ill, and unable to give consent.
Unless otherwise advised, the following Community Member personal and/or health related information will be disclosed to hospitals and other health care providers:
- confirmation that an individual is a patient or resident;
- the individual’s general health status; and
- the location of the individual in the Community.
Organizations and/or individuals requesting or requiring confidential information must be approved by the Community Privacy Officer and where that information is not provided to an organization entitled to obtain the information (i.e. hospital, government, Information Privacy Commission), a Confidentiality and Non-Solicitation Agreement is also required. That Agreement may need to be customized in response to the organization’s collection or use of information and disclosure limits. This action should be conducted in conjunction with guidelines from V!VA’s Privacy Officer.
Disclosure Related to Risks
V!VA may disclose personal and/or health related information if there are reasonable grounds to believe that disclosure is necessary to eliminate or reduce the significant risk of serious bodily harm to a person or a group of persons. V!VA will be expected to use good judgement in determining what is a significant risk and will only do so in consultation with the Community Privacy Officer.
Disclosure about a Deceased Community Member
V!VA will also disclose personal and/or health related information about a deceased Community Member for the purposes of identifying the individual and informing persons that the individual is deceased and the circumstances of the death, where appropriate. In addition, information may be disclosed to the Power of Attorney or designate if the information is required to make health-related decisions.
V!VA offers Community Members the opportunity to allow us to share information about their passing and will only share this information with express written permission.
Retention and Disposal of Personal and Health-Related Information
Team Member personal information will be retained for seven (7) years. It may be retained longer for legal or other actionable purposes (e.g. Insurance, investigation).
Community Member personal and health-related documents will be retained for 7 years unless they must be retained for legal purposes or for as long as necessary to allow the individual to exhaust any recourse action that may be underway under PHIPA guidelines.
Personal information that is no longer required to fulfil the identified purposes will be destroyed, erased, or made anonymous, as well as all known associated and backup files, using a methodology that is most available or most appropriate.
Records that are retained as hardcopies will be reviewed by the Community Privacy Officer (Community Member data) or Vice President, Human Resources/designate (Team Member data) prior to disposal. The Community Privacy Officer or Vice President, Human Resources/designate will ensure that all information defined as private or confidential is disposed of using a secured method (e.g. shredding, 3rd party company who meets best practices for disposal, etc.).
Where the records are retained electronically on a host platform or by a 3rd party, disposal of the data will be agreed upon with the host using a method that ensures data is permanently destroyed and resistant to simple recovery methods. V!VA will also request that the 3rd party service provider disclose if any of the data is being retained for statistical or anonymous data collection.
Where records are electronically retained within V!VA, they will be destroyed using a method that ensures the data is permanently destroyed and resistant to simple recovery methods.
All company-provided electronics (tablets, phones, computers and laptops) that are being reassigned to a new Team Member/Team, or removed from use for any reason will be reported to a designated person(s) at Home Office who will arrange for appropriate data destruction and provide directions on what to do with the device. Home Office will ensure that the person/organization tasked with this responsibility is knowledgeable about how to destroy personal and confidential information.
Accuracy of Personal Information
When V!VA collects, uses or discloses personal or health-related information, we will make reasonable efforts to ensure that it is accurate to the extent necessary to fulfill the purposes for which it was obtained.
You may submit a written request to us to correct any errors or omissions in any of your personal information that is within our control or, where access is provided directly to your information, Team Members and Community Members/substitute decision-makers can update the information themselves. Where V!VA is updating the records, we will either amend the information or notify you of any reasons why such an amendment cannot be made.
Storage and Protection of Personal Information
V!VA recognizes the importance of protecting personal information and will use appropriate security safeguards to provide the necessary protection. This includes but is not limited to:
- hiring practices that include reference, police, and Vulnerable Sector screening checks;
- physical measures such as locked filing cabinets, alarm systems, offices where confidential information is kept, and restricting access to areas in which personal information is stored (e.g. Wellness Centre, V!VAfit Studio);
- technological resources such as firewalls, encryption software and passwords;
- organizational controls including security clearance measures, Team Member training, the use of confidentiality agreements and limiting access to only those who need the information as much as possible;
- ensuring that partners/service providers who have access to personal information are advised of V!VA’s Privacy and Confidentiality Policy and acknowledge its receipt;
- ensuring that any 3rd party software partners who have access to personal or health-related information meet the criteria set out by both PHIPA and PIPEDA;
- ensuring that no personal information is given to individuals and/or third parties without the consent of the individual; and,
- required annual privacy and confidentiality training for Team Members and service providers.
V!VA expects you to assist us in protecting personal information and to take all appropriate measures to safeguard personal information belonging to you or any other Team Member and our Community Members. This includes ensuring that:
- You read and are familiar with V!VA’s Wellness PlayRight Policies that pertain and outline information regarding but not limited to Community Member confidentiality, sharing of medical information, health records, etc.
- any individuals who have requested personal information and those to whom you are sending it are authorized to receive the information; and
- the method by which the information is transmitted (e.g., email, fax, telephone etc.) will adequately protect the confidentiality of the information considering its sensitivity.
All personal information related to Team Members and Community Members will be safeguarded using storage methods that reasonably prevent anyone from unauthorized access. Information stored in filing cabinets will always be locked when not in the immediate presence of the appropriate manager.
Information stored in company computers/servers will be password protected, and electronic files will only be accessible to Team Members who have the authorization to access personal data.
Information stored in databases, computers and off-site on servers or clouds will undergo due diligence ensuring that all precautions are taken to comply with PHIPA and PIPEDA guidelines, V!VA’s policies and industry best practices. All engagement with 3rd party software providers who store personal data will be subject to a Privacy Impact Assessment to understand their processes for safeguarding data, their policies associated with the storage and use of personal data, and their protocols to mitigate risks in the storage, retention, use and disposal of personal data.
As much as possible, V!VA works with software providers to set up user permissions that only allow them access to information they need to perform their duties or provide services. However, where a software user permission permits Team Members access to more information about both Community Members and Team Members than is required, Team Members are expected to only access information they need to perform their duties or services. Accessing information that is not required to perform a duty or service is considered a breach of privacy and will be regarded as such.
Maintaining Awareness of Our Practices
V!VA will strive to make Team Members and other relevant individuals aware that we have policies and practices for the management of personal information. For example, we have policies in the Wellness Playbook, which is updated regularly with changes in red and widespread communication about new releases.
Upon hire, Team Members are required to review and agree to V!VA’s expectations and policies regarding confidentiality and non-disclosure as written in each Job Offer.
V!VA’s Privacy and Confidentiality Policy (this document) will be located in the People Handbook and readily available to all Team Members on their Community’s shared drive (r: drive/level 1) or to Community Members upon request.
As needed, V!VA will also issue communications to Team Members related to specific or all components of this Policy as necessary for awareness and/or training purposes.
V!VA will also provide public access to our Privacy and Confidentiality Policy on our website.
Access to Personal Information and Personal Health Information
Team Members may request access to your personal information, or request information about how it is or has been used or disclosed by submitting a written request to V!VA’s Vice President, Human Resources/designate, the Community Privacy Officer, or the Company Privacy Officer.
Community Members may request access to your personal or health-related information, or request information about how it is or has been used or disclosed by making a verbal request or, if the request for information is substantive, by submitting a written request to the Community Privacy Officer, or the Company Privacy Officer. This information will only be provided to the Community Member directly or their designated Power of Attorney for Healthcare.
V!VA will make every attempt to respond to your request for access no later than 30 days after receiving the request. Upon notice, this 30-day response time may be extended for a maximum of 30 additional days if:
- responding to the request within the initial 30-day period would unreasonably interfere with V!VA Retirement Communities or an individual Community’s activities
- V!VA needs additional time to conduct consultations or to convert personal information to an alternate format
Under certain circumstances, you may be expected to bear any costs associated with searching for, consolidating and/or disclosing the information to you. We will advise you up front of any costs associated with disclosure.
V!VA must refuse access to your personal information if:
- it would reveal personal information about another individual which cannot be removed, unless there is consent or a life-threatening situation; or
- we have disclosed information to a government institution for law enforcement or national security reasons. Upon request, the government institution may instruct us to refuse access or not to reveal that the information has been released. We will then refuse the request and notify the Privacy Commissioner. We are not allowed to inform you of the disclosure to the government institution, or that the institution was notified of the request, or that the Privacy Commissioner was notified of the refusal.
V!VA may refuse access to personal information if the information falls under one of the following circumstances:
- it is protected by solicitor-client privilege or a legal privilege restricting disclosure applies;
- another law prohibits the disclosure;
- the information was collected or created for a proceeding;
- the information was collected or created during an inspection, investigation or similar procedure;
- access could result in serious harm to any person or the identification of a person who was required to provide information or who has provided the information in confidence;
- it constitutes confidential commercial information, which cannot be removed;
- disclosure could harm an individual’s life or security, and the offending information cannot be removed;
- it was collected without your knowledge or consent to ensure its availability and accuracy, and the collection was required to investigate a breach of an agreement or contravention of a federal or provincial law (the Privacy Commissioner must be notified);
- it was generated during a formal dispute resolution process.
Where any of the above conditions applies, V!VA will separate the record and provide access to the part of the record to which the exception does not apply.
Challenging Compliance
Team Members: If you are dissatisfied with the way a V!VA Community has managed your personal information, you may contact your manager, Community Director or Human Resources in writing to outline the reasons for your concern.
Community Members: If you are dissatisfied with the way a V!VA Community has managed your personal or health-related information, you may contact the Community Director/Community Privacy Officer.
An investigation will be launched and a response to all complaints made in relation to this policy will be provided by the owner of the complaint.
If an individual remains unsatisfied with a decision a V!VA Community has made or actions taken regarding access to personal or health-related information, the complaint can be escalated to the Vice President, Human Resources or Company Privacy Officer.
If still unsatisfied, complaints can be registered with the Privacy Commissioner of Ontario’s Office.
1 Sources:
Guide to the Personal Health Information Protection Act (PHIPA)
Office of the Privacy Commissioner of Canada website
The Personal Information Protection and Electronic Documents Act (PIPEDA)
Information and Privacy Commissioner of Ontario website
2 Source:
http://dictionary.reference.com/browse/affirmation