
Touchstone Institute Privacy Policy

Please note: Touchstone Institute exam policies do not necessarily apply to assessments conducted on behalf of other organizations.


Objective

Touchstone Institute is committed to protecting the privacy and security of personal information and personal health information of individuals with whom we interact, such as employees, clients, suppliers and contractors. This is achieved by embedding rigorous and consistent privacy and information protection strategies across all corporate services and work units.

Touchstone Institute’s Privacy Policy includes the strategies, tools, processes and reporting procedures necessary to support this. This Policy outlines how Touchstone Institute manages, monitors and reports on Privacy and Information Protection performance. This Policy also provides the accountabilities of Management relating to the management of personal and personal health information.

Touchstone Institute collects, holds and uses personal information and personal health information about identifiable individuals in the course of providing its core services.


Policy Scope

This Policy applies to all aspects of Touchstone Institute’s business operations. Reference to Touchstone Institute’s staff include the CEO, directors, employees, contract workers, consultants and agents of Touchstone Institute who collect, hold or use personal or personal health information. Touchstone Institute staff will comply with the requirements of this Policy. Failure to comply with privacy practices could expose Touchstone Institute to legal risk and may result in disciplinary action for Touchstone Institute staff.

Personal or personal health information refers to any information concerning an identifiable individual, but does not include the name, title, business address or telephone number of an employee of an organization. Some examples of personal information collected by Touchstone Institute include:

  • National origin, age, marital status
  • Education and employment history
  • Correspondence with Touchstone Institute that is explicitly or implicitly of a private nature
  • Views or opinions concerning an employee’s or individual’s performance evaluation
  • Salary information
  • Banking information
  • A person’s image (e.g. photograph, videos)

Personal information is not restricted to the examples listed above. Personal information may be stored on paper, electronically or digitally, and includes videos, photographs, and/or tape recordings.

Some examples of personal health information collected by Touchstone Institute include:

  • Details regarding a candidate’s special needs accommodation
  • Health history of a Touchstone Institute staff member

Personal health information is not restricted to the examples listed above. Personal health information includes any information concerning an identifiable individual’s physical or mental health status; the provision of their health care; the eligibility of payment for their health care; the identity of the provider of their health care; and where required for an authorized purpose their personal health care plan numbers. Personal health information also includes information about an identifiable individual that is not personal health information but is contained in the same record or file as personal health information about the individual.


Policy Principles

Touchstone Institute is responsible for personal and personal health information under its control and has designated the Director of Human Resources and Operations as the Chief Privacy Officer who, along with the management team, is accountable for ensuring Touchstone Institute has processes, procedures and practices in place for the organization’s compliance with the following principles:

Identifying Purpose: the purposes for which personal and personal health information are collected will be identified by the organization at or before the time the information is collected.

Consent: the knowledge and consent of the individual are required for the collection, use or disclosure of personal and personal health information, unless exceptions apply.

Limiting Collection: The collection of personal and personal health information will be limited to that which is necessary for the purposes identified by Touchstone Institute. Information will be collected by fair and lawful means.

Limiting Use, Disclosure, and Retention: Personal and personal health information will not be used or disclosed for purposes other than those for which it was collected except with the consent of the individual or as required by law. Personal and personal health information will be retained only as long as necessary for fulfillment of these purposes.

Accuracy: Personal and personal health information will be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

Safeguards: Security safeguards appropriate to the sensitivity of the information will protect personal and personal health information.

Openness: Touchstone Institute will make available to individuals specific information about its policies and practices relating to the management of personal and personal health information. The Privacy Policy and related information about other practices will be posted on Touchstone Institute’s website.

Individual Access: Upon request, an individual will be informed of the existence, use and disclosure of his or her personal and personal health information and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Challenging Compliance: An individual will be able to address a challenge concerning compliance with the above principles to the Chief Privacy Officer/Director of Human Resources and Operations of Touchstone Institute. Appeals will be forwarded to Touchstone Institute’s Board of Directors. When necessary the Board of Directors will seek consultation with the Privacy Commissioner(s) to inform investigation processes and/or validate decisions.

Privacy Roles

Chief Privacy Officer
Touchstone Institute’s Director of Human Resources and Operations serves as the Chief Privacy Officer. The Chief Privacy Officer is responsible for monitoring the Touchstone Institute-wide application of the Privacy Policy and for monitoring changes in relevant legislation. The Chief Privacy Officer also serves as a resource for management and may coordinate and support the efforts of management in Touchstone Institute’s employee training and awareness. The Chief Privacy Officer will assist in the development of business processes and procedures across programs. The Chief Privacy Officer also manages all complaints and is responsible for responding on behalf of Touchstone Institute to internal and external requests for personal and personal health information and inquiries about Touchstone Institute’s Privacy Policy for personal and personal health information management.

Touchstone Institute Staff
The Chief Executive Officer, Directors, Managers and designated Touchstone Institute staff are the custodians of the personal and personal health information collected, retained and used within their respective organizational units and organizational roles. Touchstone Institute staff are responsible for ensuring that:

  1. Consent has been obtained prior to collection of information, and processes to manage exceptions are in place;
  2. Only personal and personal health information necessary for the business purpose is collected, retained and used;
  3. Appropriate controls are in place to physically secure both hard copy (including external computer readable media) and electronically stored personal and personal health information;
  4. Electronic files that contain personal and/or personal health information will not be stored in the generally accessible electronic file system, directories or databases;
  5. Appropriate system access controls including “business related need to know” restrictions are in place and kept up to date;
  6. Personal and personal health information is appropriately updated and accurate, having regard for the purpose of such information;
  7. Personal and personal health information is destroyed or made anonymous when it is reasonable to conclude that it is no longer required for any of the purposes for which it was collected;
  8. Management and staff will consistently adhere to Touchstone Institute’s record retention standards;
  9. Contracts with third parties for processing, using or storing personal and personal health information will contain appropriate clauses guaranteeing that the third party will comply with Touchstone Institute’s Privacy Policy and related privacy legislation, safeguard the information, and will only use the information provided for the contractual purposes. Similar privacy clauses will also be included in any agreement that the third party has with subcontractors that they may engage to conduct work on their behalf for Touchstone Institute;
  10. Contracts with third parties who provide Touchstone Institute with personal and personal health information will include appropriate clauses asserting that they have obtained the required consent from their staff; and,
  11. Appropriate resources will be assigned to retrieve information requested by an individual.

Touchstone Institute Management is responsible for ensuring that all staff have received appropriate training and support to understand and comply with Touchstone Institute’s Privacy Policy and applicable privacy laws.

Touchstone Institute Management is also responsible for ensuring that appropriate safeguards are in place for the physical security of personal and personal health information stored in offsite archiving facilities, and for ensuring that such personal and personal health information is appropriately destroyed within a reasonable time following the destruction date established by the document owner.

The Chief Privacy Officer/Director, Human Resources and Operations is responsible for ensuring that appropriate safeguards are in place to protect the personal and personal health information stored electronically by Touchstone Institute, and for ensuring that all Touchstone Institute employees are sufficiently familiar with the availability and application of such safeguards to make appropriate use of them in complying with the Privacy Policy.

If required, Touchstone Institute will engage legal counsel to provide legal advice and support in relation to matters arising out of Touchstone Institute’s Privacy Policy.

All Touchstone Institute staff are individually responsible for the personal and personal health information about others that they collect, use, retain or disclose. In the course of performing their duties for Touchstone Institute, staff will ensure that their activities with respect to that information are carried out only in accordance with Touchstone Institute’s Privacy Policy.

Collecting Data

Collecting and Using Personal and Personal Health Information

Personal and personal health information may only be collected if it relates to Touchstone Institute business activities, if the information is reasonably necessary for the carrying out of such programs or activities, and if appropriate consent has been obtained. Personal and personal health information may only be used for the purpose for which it was collected and access to such information must be restricted to those Touchstone Institute staff who have a need for access to administer Touchstone Institute business activities. All Touchstone Institute staff authorized to access personal and personal health information are required to maintain confidentiality of the information in accordance with the Privacy Policy.

Touchstone Institute may use personal and personal health information without the knowledge and consent of an individual only:

  • For contracted specific business purposes;
  • For research purposes, in which case any data reported will be in aggregate format, with all identifiers removed;
  • If there are reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
  • For an emergency that threatens an individual’s life, health or security; or
  • If the information is publicly available.

Disclosure

Disclosure of Personal and Personal Health Information

Personal and personal health information concerning an individual may only be disclosed to others when the purpose for the disclosure is consistent with the purpose for which the information was collected. This includes internal disclosure when there is a business-related need to know. It also includes external disclosure if the information is given to Touchstone Institute’s third party service providers to assist Touchstone Institute and/or its clients in carrying out their business activities.

Disclosure Process Exceptions
There are specific situations in which exceptions to disclosure procedures are permitted:

  1. For the purposes of a business transaction between two or more organizations (e.g., joint venture or partnership), the parties to the transaction may collect, use or disclose employee information without the consent of the individual, under certain circumstances.
  2. Touchstone Institute may disclose personal information without the individual’s knowledge and consent only:
    • To a lawyer representing Touchstone Institute.
    • To collect a debt the individual owes to Touchstone Institute.
    • To comply with a subpoena, warrant or an order made by a court or other body with appropriate jurisdiction.
    • To a regulatory body or government institution that has requested the information, identified its lawful authority and indicates that disclosure is for the purpose of carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law, or suspects that the information relates to national security or the conduct of international affairs, or is for the purpose of administering a federal or provincial law.
    • In an emergency threatening an individual’s life, health or security. (Touchstone Institute must then inform the individual of the disclosure).
    • If it is publicly available.
    • If required by law.

All other disclosure process exceptions require the approval of Touchstone Institute’s Chief Privacy Officer.

Transmission

Transmission / Sharing of Personal and Personal Health Information

Touchstone Institute staff will demonstrate extreme care when transmitting personal and personal health information internally or externally to ensure that:

  • The persons who have requested the information and those to whom Touchstone Institute staff are sending it have been authenticated; and
  • The method of transmission (whether by telephone, mail, fax, electronically or otherwise) is appropriate to protect the confidentiality of the information in light of its sensitivity.

Retention

Retention and Disposal of Personal and Personal Health Information

The retention and disposal of personal and personal health information will comply with Touchstone Institute’s Records Management Policy. Personal and personal health information no longer required to fulfill the purposes for which it was collected will be destroyed, erased or made anonymous. Touchstone Institute will maintain a secure centralized filing system with appropriate access and retrieval controls for both employee and client information data. Care will be used in the disposal or destruction of personal and personal health information to prevent unauthorized parties from gaining access to the information. When disposal of hard copy information is authorized, shredding will be used to maintain confidentiality.

If mailed, the information will be enclosed in a securely sealed envelope and stamped “Private and Confidential”. In all instances, the name of the intended recipient must be clearly identified. Email flags will be used to denote personal or confidential information in email communications. Because of the ease with which email is transmitted, and issues relating to control over storage of multiple copies of email, the use of email to transmit personal and personal health information is discouraged where a reasonable alternative is available, except with the express consent of the individual.

Accuracy

Updating Personal and Personal Health Information

Personal and personal health information will be updated to fulfill the purpose for which it was collected. Touchstone Institute information management processes will minimize the possibility of using incorrect information when making decisions about the individual, or when disclosing information to third parties.

Protection

Protection of Personal and Personal Health Information

Touchstone Institute’s corporate and business practice standards specify operating procedures that protect electronically stored personal and personal health information. The physical security of such information will be managed through office security practices, records management practices and individual discretion, based on the sensitivity of the information. When developing safeguards for personal and personal health information, Touchstone Institute will consider loss, theft, alteration, unauthorized access, copying and use. If an incident occurs where personal or personal health information is inadvertently disclosed, lost, corrupted, or transmitted contrary to Touchstone Institute standards, Touchstone Institute staff will contact the Chief Privacy Officer immediately to report the incident and develop an appropriate remediation plan.

Service Providers

Third Party Service Providers

From time to time, Touchstone Institute may retain third party service providers to assist Touchstone Institute in administering its programs or conducting its business (e.g., service providers that keep records relating to our employee insurance and benefit plans). In some cases, to perform the services, Touchstone Institute must disclose personal and personal health information about its employees. Touchstone Institute staff entering into these contracts with third party service providers will ensure that:

  • Use of the personal and personal health information by the third party service provider is limited to the purposes specified to exercise the contract;
  • All use of the personal and personal health information will be in accordance with the Privacy Policy;
  • The third party service provider refers any individuals looking for access to their personal and personal health information to Touchstone Institute;
  • The third party service provider uses appropriate safeguards to protect the personal and personal health information;
  • The personal and personal health information is destroyed or returned to Touchstone Institute upon termination or completion of the contract; and,
  • Touchstone Institute has the right to audit the third party service provider’s compliance with the contract.

Transparency

Open and Transparent Practices

Touchstone Institute will inform clients, employees and other individuals about the Privacy Policy and its information management practices on Touchstone Institute’s website and intranet sites. Touchstone Institute will also publish the contact information for the Chief Privacy Officer.

Access

An Individual’s Access to Their Personal and Personal Health Information

Any individual has the right to request access to their information. Access to specified information is given by allowing an individual to view Touchstone Institute documentation, or by providing them with a reproduced copy of the information. Under no circumstances will documents that are the property of Touchstone Institute be given to the individual requesting access.

Requests for access may be made verbally or may be written. Documents or files provided to an individual will be reviewed to ensure that no personal or personal health information about another individual is disclosed. If so, that information must be masked, or made anonymous before the person making the request views the document. Personal or personal health information to which an individual has requested access cannot be removed or destroyed under any circumstances.

Touchstone Institute has the right to charge an individual a reasonable amount to recover the cost of producing and delivering documents requested by the individual. The Chief Privacy Officer in consultation with management will be responsible for assessing related costs based on compliance with Touchstone Institute’s policy and determining the reasonability of charging the individual. If Touchstone Institute plans to charge, the individual must be informed, and the individual must accept the charge before the documents are produced.

Access Process Exceptions
Access shall be subject to any prohibitions, exceptions or exemptions in applicable privacy laws. If access is denied, then the requesting individual shall be informed in writing of the reason for the denial. Touchstone Institute must refuse access to personal and personal health information that it has disclosed to a government institution for law enforcement or national security reasons. In some cases, the fact that such information was disclosed must also be withheld. The Chief Privacy Officer should be contacted if Touchstone Institute staff require direction on the refusal of access. It is also Touchstone Institute policy to refuse access, as permitted under applicable law, if:

  • The information falls under solicitor/client privilege
  • The information contains confidential commercial information
  • Disclosure could harm an individual’s life, health or security
  • It was collected to investigate a breach of an agreement or contravention of a law
  • It was generated in the course of a formal dispute resolution process;

unless the Chief Privacy Officer specifically authorizes access to any of the foregoing.

Complaint Process

Individuals whose personal and personal health information has been collected, used, disclosed and/or disposed of by Touchstone Institute may make complaints about Touchstone Institute’s policies and practices relating to the handling of their personal and personal health information. A complaint may be made in writing to the Chief Privacy Officer/Director, Human Resources and Operations specifying the nature of the complaint. In the case of a complaint, the Chief Privacy Officer will undertake an investigation. The Chief Privacy Officer will provide a written response to the complainant outlining the results of the investigation and the actions, if any, taken or to be taken by Touchstone Institute in respect of the complaint. Appeals regarding a complaint decision will be escalated to the Chief Executive Officer. The Chief Executive Officer may seek consultation with legal experts or governmental authorities to inform the investigation process, seek advice and/or validate decisions. Touchstone Institute will not penalize, sanction nor discriminate against any individual who has made a complaint or inquiry.

For more information please contact:


Chief Privacy Officer/Director, Human Resources and Operations
Touchstone Institute
145 Wellington Street West, Suite 600
Toronto, ON M5J 1H6

416-924-8622
info@tsin.ca