Touchstone Institute is committed to protecting the privacy and security of personal information and personal health information of individuals with whom we interact, such as employees, clients, suppliers and contractors. This is achieved by embedding rigorous and consistent privacy and information protection strategies across all corporate services and work units.
Touchstone Institute collects, holds and uses personal information and personal health information information about identifiable individuals in the course of providing its core services.
This Policy applies to all aspects of Touchstone Institute’s business operations. Reference to Touchstone Institute’s staff include the CEO, directors, employees, contract workers, consultants and agents of Touchstone Institute who collect, hold or use personal or personal health information. Touchstone Institute staff will comply with the requirements of this Policy. Failure to comply with privacy practices could expose Touchstone Institute to legal risk and may result in disciplinary action for Touchstone Institute staff.
Personal or personal health information refers to any information concerning an identifiable individual, but does not include the name, title, business address or telephone number of an employee of an organization. Some examples of personal information collected by Touchstone Institute include:
- National origin, age, marital status
- Education and employment history
- Correspondence with Touchstone Institute that is explicitly or implicitly of a private nature
- Views or opinions concerning an employee’s or individual’s performance evaluation
- Salary information
- Banking information
- A person’s image (e.g. photograph, videos)
Personal information is not restricted to the examples listed above. Personal information may be stored on paper, electronically or digitally, and includes videos, photographs, and/or tape recordings.
Some examples of personal health information collected by Touchstone Institute include:
- Details regarding a candidate’s special needs accommodation
- Health history of a Touchstone Institute staff member
Personal health information is not restricted to the examples listed above. Personal health information includes any information concerning an identifiable individual’s physical or mental health status; the provision of their health care; the eligibility of payment for their health care; the identity of the provider of their health care; and where required for an authorized purpose their personal health care plan numbers. Personal health information also includes information about an identifiable individual that is not personal health information but is contained in the same record or file as personal health information about the individual.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the legal requirements for the protection of personal information. Touchstone Institute business processes within the organization will be designed to meet the principals of this legislation. In Ontario, the Personal Health Information Policy Act (PHIPA) governs the legal requirements for the protection of personal health information. In keeping with its legal requirements and best practices in the management of personal or personal health information:
- Touchstone Institute staff must obtain informed consent from individuals before they collect personal and personal health information. This means open communication and transparency of Touchstone Institute’s information management practices.
- Touchstone Institute employees must be sensitive and rigorous in the handling of files, correspondence and other records containing personal health information about individuals.
- Touchstone Institute must understand and comply with information retention standards including the secure sharing and storage of all personal and personal health information.
Touchstone Institute is responsible for personal and personal health information under its control and has designated the Director of Human Resources and Operations as the Chief Privacy Officer who along with the management team is accountable for ensuring Touchstone Institute has processes, procedures and practices in place for the organization’s compliance with the following principals:
Identifying Purpose: the purposes for which personal and personal health information are collected will be identified by the organization at or before the time the information is collected.
Consent: the knowledge and consent of the individual are required for the collection, use or disclosure of personal and personal health information, unless exceptions apply.
Limiting Collection: The collection of personal and personal health information will be limited to that which is necessary for the purposes identified by Touchstone Institute. Information will be collected by fair and lawful means.
Limiting Use, Disclosure, and Retention: Personal and Personal Health Information will not be used or disclosed for purposes other than those for which it was collected except with the consent of the individual or as required by law. Personal and personal health information will be retained only as long as necessary for fulfillment of these purposes.
Accuracy: Personal and personal health information will be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
Safeguards: Security safeguards appropriate to the sensitivity of the information will protect personal and personal health information.
Individual Access: Upon request, an individual will be informed of the existence, use and disclosure of his or her personal and personal health information and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Challenging Compliance: An individual will be able to address a challenge concerning compliance with the above principles to the Chief Privacy Officer/Director of Human Resources and Operations of Touchstone Institute. Appeals will be forwarded to Touchstone Institute’s Board of Directors. When necessary the Board of Directors will seek consultation with the Privacy Commissioner(s) to inform investigation processes and/or validate decisions.
Chief Privacy Officer
Touchstone Institute Staff
The Chief Executive Officer, Directors, Managers and designated Touchstone Institute staff are the custodians of the personal and personal health information collected, retained and used within their respective organizational units and organizational roles. Touchstone Institute staff are responsible for ensuring that:
- Consent has been obtained prior to collection of information, and processes to manage exceptions are in place;
- Only personal and personal health information necessary for the business purpose is collected, retained and used;
- Appropriate controls are in place to physically secure both hard copy (including external computer readable media) and electronically stored personal and personal health information;
- Electronic files that contain personal and/or personal health information will not be stored in the generally accessible electronic file system, directories or databases;
- Appropriate system access controls including “business related need to know” restrictions are in place and kept up to date.
- Personal and personal health information is appropriately updated and accurate, having regard for the purpose of such information;
- Personal and personal health information is destroyed or made anonymous when it is reasonable to conclude that it is no longer required for any of the purposes for which it was collected.
- Management and staff will consistently adhere to Touchstone Institutes record retention standards;
- Contracts with third parties who provide Touchstone Institute with personal and personal health information will include appropriate clauses asserting that they have obtained the required consent from their staff; and,
- Appropriate resources will be assigned to retrieve information requested by an individual.
Touchstone Institute Management is also responsible for ensuring that appropriate safeguards are in place for the physical security of personal and personal health information stored in offsite archiving facilities, and for ensuring that such personal and personal health information is appropriately destroyed within a reasonable time following the destruction date established by the document owner.
Before collecting information about individuals, Touchstone Institute staff will explain the purpose for collection. Consent forms or verbal explanations will contain sufficient information about the use of such information. “Sufficient” means that an ordinary person should be able to make the link between the data requested and its relationship with the process. Where an individual’s consent is required, it must constitute informed consent. This means that the individual must understand why the information is being collected and how Touchstone Institute intends to use the information. Therefore, Touchstone Institute staff collecting consent must be sufficiently knowledgeable to explain the processes.
Consent may be either implicit (for example, if information is requested for a specific purpose and the information is provided, that would generally constitute implied consent) or explicit, depending on the circumstances and the nature of the information being collected. Explicit consent may be obtained either in writing or verbally. Where verbal consent is obtained, however, the verbal consent must be documented by those who collected it and retained in a relevant file for future reference, along with a summary of the information provided to the individual to ensure the individual’s verbal consent was give on an informed basis. Where the collection, use, and/or disclosure of sensitive personal or personal health information are concerned (e.g., medical information or personal financial information such as salary), the consent must be explicit. Guidance on the classification of data by level of security can be obtained from the Chief Privacy Officer.
Touchstone Institute staff who are responsible for obtaining consent need to be familiar with the type of information collected and how it is used, to be able to explain and answer questions from the individual. The following are some examples of common situations requiring explicit consent:
- Human Resources gather a broad range of consent from employees when they start at the company.
- Touchstone Institute obtains consent from examination applicants requesting specific accommodations before disseminating accommodation plans to test sites for implementation.
- Touchstone Institute gathers explicit consent from credentialing and examinations candidates to release personal information to its member regulatory bodies if, in the course of conducting its business, Touchstone Institute becomes aware of circumstances or actions related to regulatory issues. All releases of this sort will be done with the knowledge of the affected applicant.
The following are some examples of common situations involving implied consent:
- Individuals providing their resumes are deemed to consent for Touchstone Institute to use their personal information for employment and contracting purposes. Touchstone Institute’s practice is to retain and use resumes for three months after receipt. In order to circulate or use the resume information of an unsuccessful candidate, his or her consent is required. Touchstone Institute implements practices to ensure this obligation is met.
- Touchstone Institute provides information on its external web site about the information collected when a user accesses a Touchstone Institute web page. Users of Touchstone Institute web site are deemed to consent to the collection and use of such information for the purpose of monitoring website activity.
- Touchstone Institute publishes aggregate data in written performance reports and individual data reports as required in the course of it business activities. Applicants and candidates are deemed to consent to the use of such information for organizational and client required reporting.
Consent Process Exceptions
Some external parties, such as law enforcement agencies, have a lawful or investigative need to collect, use and disclose personal information without having to obtain the consent of the concerned individuals.
Individuals have the right to withdraw consent to the collection, use or disclosure of personal or personal health information in whole or in part, at any time, upon providing reasonable written notice. The individual must be informed about any potential consequences that may result from the withdrawal of their consent, prior to making such a decision (e.g., closure of applications, associated administrative fees). If an individual withdraws their consent, it is not retroactive and does not apply to personal and personal health information already collected, used or disclosed by Touchstone Institute.
Collecting and Using Personal and Personal Health Information
Touchstone Institute may use personal and personal health information without the knowledge and consent of an individual only:
- For contracted specific business purposes;
- For research purposes. Any data reported will be in aggregate format, with all identifiers removed.
- If there are reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
- For an emergency that threatens an individual’s life, health or security; or
- If the information is publicly available.
Disclosure of Personal and Personal Health Information
Personal and personal health information concerning an individual may only be disclosed to others when the purpose for the disclosure is consistent with the purpose for which the information was collected. This includes internal disclosure when there is a business-related need to know. It also includes external disclosure if the information is given to Touchstone Institute’s third party service providers to assist Touchstone Institute and/or its clients in carrying out their business activities.
Disclosure Process Exceptions
There are specific situations in which exceptions to disclosure procedures are permitted:
- For the purposes of a business transaction between two or more organizations (e.g., joint venture or partnership), the parties to the transaction may collect, use or disclose employee information without the consent of the individual, under certain circumstances.
- Touchstone Institute may disclose personal information without the individual’s knowledge and consent only:
- To a lawyer representing Touchstone Institute.
- To collect a debt the individual owes to Touchstone Institute.
- To comply with a subpoena, warrant or an order made by a court or other body with appropriate jurisdiction.
- To a regulatory body or government institution that has requested the information, identified its lawful authority and indicates that disclosure is for the purpose of carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law, or suspects that the information relates to national security or the conduct of international affairs, or is for the purpose of administering a federal or provincial law.
- In an emergency threatening an individual’s life, health or security. (Touchstone Institute must then inform the individual of the disclosure).
- If it is publicly available.
- If required by law.
All other disclosure process exceptions require the approval of Touchstone Institute’s Chief Privacy Officer.
Transmission / Sharing of Personal and Personal Health Information
Touchstone Institute staff will demonstrate extreme care when transmitting personal and personal health information internally or externally to ensure that:
- The persons who have requested the information and those to whom Touchstone Institute staff are sending it have been authenticated; and
- The method of transmission (whether by telephone, mail, fax, electronically or otherwise) is appropriate to protect the confidentiality of the information in light of its sensitivity.
Retention and Disposal of Personal and Personal Health Information
The retention and disposal of personal and personal health information will comply with Touchstone Institute’s Records Management Policy. Personal and personal health information no longer required to fulfill the purposes for which it was collected will be destroyed, erased or made anonymous. Touchstone Institute will maintain a secure centralized filing system with appropriate access and retrieval controls for both employee and client information data. Care will be used in the disposal or destruction of personal and personal health information to prevent unauthorized parties from gaining access to the information. When disposal of hard copy information is authorized, shredding will be used to maintain confidentiality.
If mailed, the information will be enclosed in a securely sealed envelope and stamped “Private and Confidential”. In all instances, the name of the intended recipient must be clearly identified. Email flags will be used to denote personal or confidential information in email communications. Because of the ease with which email is transmitted, and issues relating to control over storage of multiple copies of email, the use of email to transmit personal and personal health information is discouraged where a reasonable alternative is available except with the expressed consent of the individual.
Updating Personal and Personal Health Information
Personal and personal health information will be updated to fulfill the purpose for which it was collected. Touchstone Institute information management processes will minimize the possibility of using incorrect information when making decisions about the individual, or when disclosing information to third parties.
Protection of Personal and Personal Health Information
Touchstone Institute’s corporate and business practice standards specify operating procedures that protect electronically stored personal and personal health information. The physical security of such information will be managed through office security practices, records management practices and individual discretion, based on the sensitivity of the information. When developing safeguards for personal and personal health information, Touchstone Institute will consider loss, theft, alteration, unauthorized access, copying and use. If an incident occurs where personal or personal health information is inadvertently disclosed, lost, corrupted, or transmitted contrary to Touchstone Institute standards, Touchstone Institute staff will contact the Chief Privacy Officer immediately to report the incident and develop an appropriate remediation plan.
Third Party Service Providers
From time to time, Touchstone Institute may retain third party service providers to assist Touchstone Institute in administering its programs or conducting its business (e.g., service providers that keep records relating to our employee insurance and benefit plans). In some cases, to perform the services, Touchstone Institute must disclose personal and personal health information about its employees. Touchstone Institute staff entering into these contracts with third party service providers will ensure that:
- Use of the personal and personal health information by the third party service provider is limited to the purposes specified to exercise the contract;
- The third party service provider refers any individuals looking for access to their personal and personal health information to Touchstone Institute;
- The third party service provider uses appropriate safeguards to protect the personal and personal health information;
- The personal and personal health information is destroyed or returned to Touchstone Institute upon termination or completion of the contract; and,
- Touchstone Institute has the right to audit the third party service provider’s compliance with the contract.
Open and Transparent Practices
An Individual’s Access to Their Personal and Personal Health Information
Any individual has the right to request access to their information. Access to specified information is given by allowing an individual to view Touchstone Institute documentation, or by providing them with a reproduced copy of the information. Under no circumstances will documents that are the property of Touchstone Institute be given to the individual requesting access.
Requests for access may be made verbally or may be written. Documents or files provided to an individual will be reviewed to ensure that no personal or personal health information about another individual is disclosed. If so, that information must be masked, or made anonymous before the person making the request views the document. Personal or personal health information to which an individual has requested access cannot be removed or destroyed under any circumstances.
Touchstone Institute has the right to charge an individual a reasonable amount to recover the cost of producing and delivering documents requested by the individual. The Chief Privacy Officer in consultation with management will be responsible for assessing related costs based on compliance with Touchstone Institute’s policy and determining the reasonability of charging the individual. If Touchstone Institute plans to charge, the individual must be informed, and the individual must accept the charge before the documents are produced.
Access Process Exceptions
Access shall be subject to any prohibitions, exceptions or exemptions in applicable privacy laws. If access is denied, then the requesting individual shall be informed in writing of the reason for the denial. Touchstone Institute must refuse access to personal and personal health information that it has disclosed to a government institution for law enforcement or national security reasons. In some cases, the fact that such information was disclosed must also be withheld. The Chief Privacy Officer should be contacted if Touchstone Institute staff require direction on the refusal of access. It is also Touchstone Institute policy to refuse access, as permitted under applicable law, if:
- The information falls under solicitor/client privilege
- The information contains confidential commercial information
- Disclosure could harm an individual’s life, health or security
- It was collected to investigate a breach of an agreement or contravention of a law
- It was generated in the course of a formal dispute resolution process,
Unless the Chief Privacy Office specifically authorizes access to any of the foregoing.
Individuals whose personal and personal health information has been collected, used, disclosed and/or disposed of by Touchstone Institute may make complaints about Touchstone Institute’s policies and practices relating to the handling of their personal and personal health information. A complaint may be made in writing to the Chief Privacy Officer/Director, Human Resources and Operations specifying the nature of the complaint. In the case of a complaint, the Chief Privacy Officer will undertake an investigation. The Chief Privacy Officer will provide a written response to the complainant outlining the results of the investigation and the actions, if any, taken or to be taken by Touchstone Institute in respect of the complaint. Appeals regarding a complaint decision will be escalated to the Chief Executive Officer. The Chief Executive Officer may seek consultation legal experts or governmental authorities to inform the investigation process, seek advice and/or validate decisions. Touchstone Institute will not penalize, sanction nor discriminate against any individual who has made a complaint or inquiry.
For more information please contact:
Chief Privacy Officer/Director, Human Resources and Operations
145 Wellington Street West, Suite 600
Toronto, ON M5J 1H6