Health Privacy Policy – Project Ravenclaw Covid-19 Services
Effective Date: December 2, 2020
- General Information About This Health Privacy Policy
- This Health Privacy Policy (“Policy”) outlines how Ravenclaw Health Coalition (“Ravenclaw Health” “we”, “our” or “us”) protects the personal information we collect about our customers (“you” or “your”), including information about your health and COVID-19 status. This Policy also describes how we collect, use, and disclose/share your Personal Health Information.
- At Ravenclaw Health, your privacy is a top priority and is at the core of how we deliver our services. In handling your personal information, Ravenclaw Health abides by the Privacy by Design (PbD) framework through the use of proactive privacy protection measures and ensuring privacy by default. We don’t collect more information that what we absolutely require in order to deliver our services to you. Through limiting the amount of personal information collected about you from the outset, we strive to minimize potential privacy risks by default, while still delivering our services securely, safely and effectively.
- This notice should be read together with any other privacy statements or notices available at our locations where our services are provided, websites or mobile applications, which may have additional information relevant to your experience]
2. Our Commitment to Privacy
We appreciate that you trust us with your personal information, and we intend to always keep that trust. We value your privacy and are committed to being accountable for how we treat your personal information. All employees, affiliates at partners working with Ravenclaw Health are required to adhere to the protections described in this policy.
Ravenclaw Health Coalition recognizes its obligation to respect privacy and is committed to maintaining the confidentiality of your Personal Health Information. This policy was developed in compliance with the Ontario’s Personal Health Information Protection Act (PHIPA). PHIPA sets out rules for how organizations such as Ravenclaw Health can collect, use, disclose, store and retain your Personal Health Information. We also adhere to the privacy principles, described below.
Privacy Principles
The Canadian Standards Association has developed 10 Privacy Principles that underpin Canadian privacy legislation. These form the basis of our Privacy Policy and how Ravenclaw Health collects, uses, discloses and safeguards the personal information (including personal health information) we hold about you.
- Accountability: Ravenclaw Health is responsible for the collection, use and disclosure of personal health information in our custody or control. Our Privacy Officer is accountable for compliance with our Privacy Policy and can be reached by email privacy@ravenclawhealth.com.
- Identifying purposes for collecting personal information: We will identify the purposes for which personal information is collected at or before the time the information is collected.
- Consent for collection, use, and disclosure of personal information: Your knowledge and consent (or of a person authorized to consent on your behalf) is required for the collection, use or disclosure of personal health information, except where otherwise permitted or required by law
- Limiting collection of personal information: We will limit the collection of personal information to that which is necessary for the authorized purposes identified. Information will be collected by fair and lawful means.
- Limiting use, disclosure, and retention of personal information: Personal information will not be used or disclosed for purposes other than those for which it was collected. Personal information will be retained only as long as necessary to fulfil those purposes.
- Accuracy of personal information: Personal information will be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
- Ensuring safeguards for personal information: Personal information will be protected by security safeguards appropriate to the nature and format of the information being stored
- Openness about privacy policy: We will provide you with specific information about our policies and practices relating to how we manage your personal information.
- Individual access to personal information: Upon written request by you or your substitute decision-maker, we will inform you of the existence, use and disclosure of your personal information and will give you access to that information, with limited exceptions. You may challenge the accuracy and completeness of the information and may request to have it amended.
- Challenging compliance with the privacy policy: You may address a challenge or complaint concerning compliance with the above principles to our Privacy Officer at privacy@ravenclawhealth.com or to the relevant regulatory oversight body. For details on the various relevant privacy authorities, see section 19 of this policy.
3. Purpose and Scope
The purpose of this policy is to assert Ravenclaw Health’s (“Ravenclaw Health” “we”, “our” or “us”) commitment to the protection of personal health information (“PHI”) from unauthorized collection, access, use, or disclosure, and protection of PHI from theft or loss. This policy addresses the appropriate collection, use and disclosure of PHI, the individual’s right to limit access to his/her record, and the secure disposal of PHI when it is no longer required.
In this Health Privacy Policy, we explain how we collect, use and disclose your personal information that we obtain when you use our services, visit or use our websites, or otherwise interact with us, and the steps we take to protect your Personal Information. The purpose of this Policy is to inform you of our privacy practices including:
- how and why we collect your Personal Information;
- how we intend to use your Personal Information;
- how to obtain access or request correction of your Personal Information;
- how we may share your Personal Information;
- and to provide you with contact information should you have questions or concerns about our practices.
To assist with meeting our privacy obligations, Ravenclaw Health Coalition has designated a contact person, the Corporate Privacy Officer, who is accountable for Ravenclaw Health Coalition’s compliance with applicable privacy legislation. They can be reached by email at privacy@ravenclawhealth.com .
Ravenclaw Health recognizes its obligation to respect privacy and is committed to maintaining the confidentiality of PHI, whether written, verbal, electronic, photographic or stored on any other medium.
Ravenclaw Health recognizes its obligation to ensure and facilitate timely access to information as required by authorized individuals for direct patient care, administrative use, or where required to do so by law.
Ravenclaw Health will keep private the information they receive about you, subject to applicable exceptions, as discussed in section 8 of this policy – “How We Share Your Information.”
Accordingly, it is the obligation of all of those who collect, receive and share confidential information concerning users of Ravenclaw Health’s services to exercise the utmost vigilance in the protection of user privacy.
4. Overview of Our Privacy Practices
Our privacy practices are summarized here. Under this Policy, Ravenclaw Health Coalition:
(1) collects Personal Information when you access or provide information through our Website, provide information by using our services, or make inquiries with us;
(2) may collect non-identifiable information regarding users, including the date and time users access our Website, Internet protocol (IP) address, cookies and web beacons;
(3) share this information with our authorized employees, agents, service providers and legal representatives, and may also share this information with third parties engaged to provide products and services on our behalf (“Third Parties”). When connecting to a Third-party portal within our website, such use is governed and controlled by the terms and conditions for those Third Parties. Ravenclaw Health does not control the terms of Third-Party web sites. We may, however, share your Personal Information with these Third Parties in order to fulfil the services you have requested through the use of our Website;
(4) will not share your Personal Information with Third Parties without your consent, except as set out in (3), unless you have (i) authorized us to do so; (ii) as required by law; or (iii) as disclosed to you when the Personal Information is collected;
(5) may collect and use your Personal Information to comply with applicable laws and regulations, to administer our Website, to protect you and us from fraud or other illegal activities, to contact you regarding your inquiries, and to communicate with you (provided you have opted to receive such information);
(6) allows you to withdraw your consent to the collection, storage, use, disclosure and retention of your Personal Information at any time by contacting us privacy@ravenclawhealth.com and;
(7) will mitigate the risk and impact of potential harms involved in the disclosure of Personal Information through the adoption of reasonable physical, technical and organizational procedures appropriate to the sensitivity of the data in an effort to safeguard the Personal Information you provide to us. Even with physical, technical and organizational measures adopted by Ravenclaw Health to safeguard your Personal Information, there is a residual risk of the loss of, unauthorized access to or unauthorized disclosure of your information.
5. What Information Do We Collect?
We limit the collection of personal information to what is reasonably required to fulfill the purposes for which it was collected. We understand the responsibility that comes with collecting, using and sharing your personal health information, and are committed to protecting your privacy.
“Personal Health Information” (PHI), as used in this Health Privacy Policy is information about you that is gathered through the use of our services that identifies or can identify you and relates to the state of your health, including your COVID-19 (Coronavirus) status. Any other information about an individual that is included in a record containing PHI is also part of this definition. It is not necessary for the individual to be actually named for the information to be considered PHI.
Personal information collected through the use of our services may include:
- Your contact information, including your name, telephone number, email, address
- personal health information including:
- your health card number if required by law
- your health status (including your COVID-19 status)
- date of birth
- height
- weight
- health conditions
- prescription and medical history
- the type of healthcare service received.
6. How Do We Collect Your Information?
In general, your personal health information is collected directly from you or your authorized representative, or your healthcare provider. We collect your personal information directly from you, when you are interacting with us online, telephone through our mobile applications.
We do not collect any other information, or allow information to be used for other purposes, without your express (i.e., verbal, written or electronic) consent – except where authorized to do so by law. We maintain information relating to the visitors of our Website and the information they provide. Only Personal Information that is reasonably necessary is collected.
The personal information we collect comes from the following sources:
Source | Personal Information Categories Collected |
Information You Provide on the Ravenclaw Health Website | When you provide your contact details within our Website, on the “Get in Touch” with us page, we collect the information you provide in the web-form. The specific categories of personal information we collect about you are: Your Name (First Name, Last Name); Your Email Address; and Any information you provide in the text box, including questions, comments or feedback. |
Information Automatically Collected From Visitors of Ravenclaw Health’s Website | Our Website may automatically collect certain information regarding our Website users, such as the date and time you access the Website, the IP address assigned to you by your Internet service provider, the Internet address of the website from which you linked directly to the Website, the operating system and browser you are using, the features of the Website you use, the content and information accessed, and the materials you post to or download from the Website. We may collect, use, transfer and disclose aggregated and/or non-Personal Information. |
Information Related to the Use of Our Services | When using our services at our on-site locations we may collect the following information: Personal Information required under Ontario’s Contract-Tracing Initiative (e.g., name, postal address, telephone number and/or email).Transaction Information (e.g., products purchased, method of payment, amount paid, signature and/or credit or debit card number).Your Personal Preferences (e.g., language preferences, marketing consent).Any other information you provide to us. |
7. Purpose of Collection and Use of Your Personal Information
Ravenclaw Health Coalition collects and uses the Personal Information that you supply to us or that is collected through your use of our Website or from the emails we send for the following purposes:
- To administer our Website and to manage the e-mails that we send;
- To contact you in connection with services you have requested and your inquiries;
- To provide our services to you;
- To verbally communicate results of your COVID-19 test result to you, on-site.
- To protect us and those visiting our Website against fraud;
- To notify you in connection with any changes to our services or this Policy;
- As permitted by, and to comply with, applicable laws and regulations; and
- If you opted in to allow us to do so, to communicate with you about us or the services we offer.
8. How Do We Share Your Personal Information?
We will keep Personal Information that you provide to us private and will disclose such Personal Information only in accordance with this Policy. Ravenclaw Health Coalition does not sell, rent, or lease to third parties any Personal Information we collect from you. We may disclose or share Personal Information with our authorized employees, agents, legal representatives and service providers for the purposes described in this Policy. Please note that third party providers may change from time to time. We also share your Personal Information with service providers who assist with administering, hosting and supporting our Website. These service providers may be located outside of Canada and data in transit may pass through other Countries (see ‘Storage and Location of Information’ section below).
We will not otherwise share your Personal Information with third parties without your consent, unless authorized or required by law or as disclosed to you when the information is collected. We may disclose your Personal Information to a government institution or agency that has asserted its lawful authority to obtain the information or where we have reasonable grounds to believe the information could be useful in the investigation of unlawful activity, or to comply with a subpoena or warrant or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with court rules regarding the production of records and information, or to protect our rights and property.
We disclose your personal health information if:
- Your ordering physician and members of your health care team, often referred to as members within your “circle of care”
- For the purpose of carrying out an investigation as a result of a court order, warrant, subpoena or summons or other purpose as permitted by law
- To eliminate or reduce a significant risk of serious bodily harm to another person or group
- For research purposes (only with your consent), subject to restrictions and conditions such as use of only certain set of data to meet a research objective
- Permitted or prescribed by law.
9. How Do We Secure and Protect Your Personal Information?
Safeguards are in place to protect the security of your information. We keep the Personal Information we collect about you confidential and have adopted reasonable physical, technical and organizational procedures appropriate to the sensitivity of the data to safeguard the Personal Information you provide to us. These safeguards are aimed at protecting personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. Notwithstanding these measures, no collection, storage or transmission of information over the Internet on websites or otherwise can be guaranteed to be 100% secure, and therefore we cannot ensure, warrant or guarantee the security of any such information. As a result, we cannot warrant the security of any information you transmit to us, and you do so at your own risk.
10. How Long Do We Keep Your Personal Information?
In accordance with our data retention schedule and, we will keep and retain your Personal Information in compliance with our legal obligations, and only as long as necessary for the purposes for which it was collected. We will ensure that your records are disposed of in a secure and privacy protective manner.
11. Where Do We Store Your Information?
We may store, process or allow access to your Personal Information collected through the Website on our servers located in Canada, from time to time, in other locations outside Canada that we deem necessary or convenient in order to provide you with efficient and effective service. Personal Information you send to us or that is collected from you may also cross jurisdictional borders while in transit. As such, foreign governments, courts, law enforcement or regulatory agencies, including national security agencies, may be able to access your Personal Information under foreign laws
12. Providing and Withdrawing Your Consent
By choosing to provide your personal information on our website, you consent to the collection, use, storage and disclosure of Personal Information for the purposes identified within this Policy. We will not collect, use, or disclose your Personal Information in the course of any other activities, including commercial activities, without your consent.
You may withdraw your consent to the collection, storage, use, disclosure and retention of Personal Information about you at any time. To do this, please contact us at privacy@ravenclawhealth.com. Withdrawal of your consent to the collection, storage, use, disclosure and retention of Personal Information may result in us being unable to contact you or you being unable to continue use of our Website or services.
13. Verifying and Amending Your Personal Information
Subject to certain exceptions prescribed by law, you will be given reasonable access to your Personal Information held by us and you may request that your Personal Information be corrected or updated. You can also request that we erase any Personal Information we hold about you, except for any information we are obligated to retain for regulatory, legal or security purposes. Please email our Privacy Officer at: privacy@ravenclawhealth.com and we will assist you. It is your responsibility to notify us of any changes to your Personal Information, including contact information, so we can contact you and inform you about updates to this Policy and any other relevant information with respect to your use of our Website or services..
14. Our Use of Cookies
Our Website uses “cookies”, a technology that installs information on your device to permit websites to recognize future visits using that device. Cookies enhance the convenience and use of websites. For example, if you leave a comment on our Website, you may opt-in to saving your name, e-mail address and website in cookies. This is provided for your convenience so that you do not have to provide your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in to your User Account, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your User Account, the login cookies will be removed.
If you edit or publish an article on our Website, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after one day.
You may choose to decline cookies if your browser permits but doing so may affect your use of the Website and your ability to access certain features of the Website.
15. Our Use of Web Beacons
We may also include web beacons in the e-mails that we send to you. Web beacons allow us to collect information about when e-mail recipients open the emails we send, what parts of the e-mail they review, their IP address, browser and other similar details. Some of this information may be correlated with recipients’ e-mail addresses. We use this information to review how recipients are responding to the e-mails we send.
16. Third Party Hyperlinks and Embedded Website Content
Our Website may contain hyperlinks to the websites of third parties. We are not responsible for the privacy practices or the content of such other websites. Linked websites are maintained by third parties. Such links are provided for your convenience and reference only. Project Ravenclaw Coalition does not operate or control, in any respect, any information, software, products or services available on such third party websites. The inclusion of a link to such website does not imply any endorsement of the services or the site, its contents, or its sponsoring organization. We strongly advise you to review the privacy policy of every website you visit.
Articles on our Website may include embedded content, such as videos, images, articles, etc. Embedded content from other websites behaves in the exact same way as if you have visited the other websites. These websites, operated by third parties, may collect information about you, use cookies, embed additional third party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website. We are not responsible for the privacy practices or the content of such websites. We strongly advise you to review the privacy policies of the websites from which the embedded content originates.
17. Policy Updates and Changes
We may revise this policy from time to time. We may choose to notify you of a change to this policy by announcing the change on our website. It is your responsibility to review our Website to ensure you are up to date on any changes that may affect you. Your continued use of the Website constitutes your consent to the contents of any updated policy. Please review this site periodically to ensure that you are aware of any such updates.
18. Privacy Concerns or Questions
If you would like more information about this Policy or the Personal Information and our collection, storage, use, disclosure and retention policies and practices, please contact us by e-mail at: privacy@ravenclawhealth.com
You may submit a complaint and/or other feedback (including inquiries, compliments and suggestions) related to our:
- privacy and data protection practices;
- information management practices;
- non-compliance with Ravenclaw Health’s policies, or statutory or regulatory requirements; or
- any other privacy related concern you may have.
Please let us know your questions or concerns and we will do our best to assist you.
19. Complaints to Oversight Authorities
You may choose to file a complaint with the relevant oversight authority. Each province and territory in Canada has a commissioner or ombudsperson responsible for overseeing provincial and territorial privacy legislation.
Visit the Office of the Privacy Commissioner of Canada Website here, for a full list of the provincial and territorial privacy laws as well as who is responsible for their enforcement. You may also choose to contact the Office of the Privacy Commissioner of Canada directly, to report your concern.
Office of the Privacy Commissioner of Canada
30 Victoria Street Gatineau, Quebec K1A1H3
Toll-free: 1800-282-1376 Phone: (819) 993-5444 TTY: (819) 994-6591
Website: https://www.priv.gc.ca/en/
Province | Regulatory Oversight Authority |
Ontario | Office of the Information and Privacy Commissioner of Ontario (OPC) Phone: Toll-free: 1-800-387-0073 Toronto: 416-326-3333 Fax: 416-325-9195 TTY:416-325-7539 Email: info@ipc.on.ca Mailing Address: Information and Privacy Commissioner/Ontario 2 Bloor St. E., Suite 1400 Toronto, ON M4W 1A8 Website: www.ipc.on.ca |