The website is under maintenance

At Cyper, we are committed to providing our clients, customers and partners with exceptional service.  As providing this service involves the collection, use and disclosure of some personal information about our clients, customers and partners, protecting their personal information is one of our highest priorities.

While we have always respected our clients, customers and partners' privacy and safeguarded their personal information, we have strengthened our commitment to protecting personal information and this policy outlines our company's commitment to complying with the Health Insurance Portability and Accountability Act (HIPAA), the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec’s Law 25, An Act to modernize legislative provisions as regards the protection of personal information . Our company is dedicated to safeguarding the privacy and confidentiality of personal information and protected health information (PHI) in compliance with applicable laws and regulations.

Cyper is committed to complying with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. We safeguard PHI by implementing administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of client’s, customer’s, partner’s ePHI.

• (a) Administrative Safeguards: We establish policies and procedures to govern the use and disclosure of PHI, train employees on HIPAA requirements, and implement a risk management program to identify and mitigate risks to PHI.
• (b) Physical Safeguards: We implement physical safeguards to protect PHI from unauthorized access, theft, or damage, including restricting access to PHI, monitoring access logs, and securing electronic media.
• (c) Technical Safeguards: We implement technical safeguards to protect PHI from unauthorized access or disclosure, including encrypting ePHI, conducting security risk assessments, and implementing security measures to prevent unauthorized access, hacking, or malware attacks.

Cyper is committed to complying with the PIPEDA regulations governing the collection, use, and disclosure of client’s, customer’s, partner’s personal information. We will safeguard personal information by implementing appropriate security measures, obtaining consent for collection, use, and disclosure, and providing individuals with access to their personal information.

• (a) Collection, Use, and Disclosure: Only collect personal information that is necessary for the purposes identified, obtain consent for collection, use, and disclosure, and limit the use and disclosure of personal information to only those individuals who need to know it.
• (b) Security Measures: Implement appropriate security measures to protect personal information from unauthorized access, use, or disclosure, including physical, administrative, and technical safeguards.
• (c) Access and Correction: Provide clients, customers, partners  the ability to access their personal information and correct any inaccuracies in their information. 

We will inform our clients, customers and partners of why and how we collect, use and disclose their personal information, obtain their consent where required, and only handle their personal information in a manner that a reasonable person would consider appropriate in the circumstances.

Cyper Personal Information Protection Policy, in compliance with HIPAA, PIPEDA and Quebec’s Law 25, outlines the principles and practices we will follow in protecting clients, customers and partners personal information.  Our privacy commitment includes ensuring the accuracy, confidentiality, and security of our clients, customers and partners personal information and allowing our clients, customers and partners to request access to, and correction of, their personal information.

Cyper is committed to complying with Quebec's Law 25, which enacted significant changes to the requirements governing the collection, use, and communication of personal information.

1. Governance and cybersecurity: Implement all appropriate security measures to protect personal information from unauthorized access, use, or disclosure, including physical, administrative, and technical safeguards.

• Appoint a Privacy Officer
• Have an organizational structure for incident prevention, management and response
• Establish a security policies and incident response plan
• Review of contracts with service providers
• Set up a cyber security training program
• Create a register of security incident

2. Research: Disclosure of personal information for research purposes and have a procedure in place for research projects, including privacy impact assessment

3. Promptly notify the Commission d'accès à l'information and affected individuals of any confidentiality incidents, including privacy data breaches and the unauthorized access/use/disclosure of personal information

4. In the event of a privacy incident, Cyper will immediately take all reasonable measures to mitigate the risk of injury and to prevent any further incidents of a similar nature.

This policy applies to all employees, contractors, and partners who access, use or disclose PHI or personal information in the course of their duties. This policy applies to all forms of PHI or personal information, whether it is written, oral, electronic or other formats.

Personal Information, also known as personally-identifiable information (PII) and personal data, refers to information that can be used to identify, locate, or contact an individual, alone or when combined with other personal or identifying information.

Chief Privacy Officer – means the individual designated responsibility for ensuring that Cyper complies with this policy, HIPAA, PIPEDA and Quebec’s Law 25.

1.1  Unless the purposes for collecting personal information are obvious and the clients, customers and partners voluntarily provide their personal information for those purposes, we will communicate the purposes for which personal information is being collected, either orally or in writing, before or at the time of collection. 

1.2  We will only collect clients, customers and partners information that is necessary to fulfill the following purposes: 

• To verify identity;
• To verify creditworthiness;
• To identify clients, customers and partners preferences;
• To understand the product or service needs of our clients, customers and partners; 
• To open and manage an account, when applicable;
• To deliver requested products and services
• To provide counselling services;
• To enrol the clients, customers and partners in a program, product or solution, when requested or required;
• To send out information needed to set up or implement a product or service for our clients, customers and partners;
• To contact our clients, customers and partners for new or related service offerings;
• To ensure a high standard of service to our clients, customers and partners; 
• To meet regulatory requirements; 
• To collect and process payments when required;

2.1  We will obtain clients, customers and partners consent to collect, use or disclose personal information. 

2.2  Consent can be provided orally, in writing, electronically, through an authorized representative or it can be implied where the purpose for collecting, using or disclosing the personal information would be considered obvious and the clients, customers and partners voluntarily provide personal information for that purpose. 

2.3  Consent may also be implied where a client, customer or a partner is given notice and a reasonable opportunity to opt-out of their personal information being used for mail-outs, the marketing of new services or products, fundraising and the client, customer, partner does not opt-out. 

2.4  Subject to certain exceptions (e.g., the personal information is necessary to provide the service or product, or the withdrawal of consent would prevent the performance of a legal obligation), clients, customers and partners can withhold or withdraw their consent for Cyper to use their personal information in certain ways.  A client’s, customer’s, partner’s decision to withhold or withdraw their consent to certain uses of personal information may restrict our ability to provide a particular service or product.  If so, we will explain the situation to assist the client, customer, or partner in making the decision. 

2.5  We may collect, use or disclose personal information without the client’s, customer’s, partner’s knowledge or consent in the following limited circumstances: 

• When the collection, use or disclosure of personal information is permitted or required by law;
• In an emergency that threatens an individual's life, health, or personal security;
• When the personal information is available from a public source 
• When we require legal advice from a lawyer;
• To protect ourselves from fraud;
• To investigate an anticipated breach of an agreement or a contravention of law 

3.1  We will only use or disclose client, customer, or partner personal information where necessary to fulfill the purposes identified at the time of collection, or for a purpose reasonably related to those purposes such as: 

• To conduct clients, customers, partners surveys in order to enhance the provision of our   products and services;
• To contact our  clients, customers, partners directly about products and services that may be of interest;

3.2  We will not use or disclose client, customer, partner personal information for any additional purpose unless we obtain consent to do so. 

3.3  We will not sell client, customer, partner lists or personal information to other parties.

4.1  If we use client, customer, partner personal information to make a decision that directly affects the client, customer, partner, we will retain that personal information for at least one year so that the client, customer, partner has a reasonable opportunity to request access to it. 

4.2  Subject to policy 4.1, we will retain client, customer, partner personal information only as long as necessary to fulfill the identified purposes or a legal or business purpose.

5.1  We will make reasonable efforts to ensure that client, customer, partner personal information is accurate and complete where it may be used to make a decision about the client, customer, partner or disclosed to another organization. 

5.2  client, customer, partner may request correction to their personal information in order to ensure its accuracy and completeness.  A request to correct personal information must be made in writing and provide sufficient detail to identify the personal information and the correction being sought. 

A request to correct personal information should be forwarded to Cyper’s Chief Privacy Officer at privacy@cyper.ca

5.3  If the personal information is demonstrated to be inaccurate or incomplete, we will correct the information as required and send the corrected information to any organization to which we disclosed the personal information in the previous year.  If the correction is not made, we will note the clients’, customers’, partners’ correction request in the file.

6.1  We are committed to ensuring the security of client, customer, partner personal information in order to protect it from unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks. 

6.2  The following security measures will be followed to ensure that client, customer, partner personal information is appropriately protected, when applicable : 

• The use of locked filing cabinets
• Physically securing offices where personal information is held
• The use of user IDs, passwords, encryption, firewalls
• Restricting employee access to personal information as appropriate and only granted to those individuals who require it in order to perform specific tasks ; access to personal information is monitored and regularly reviewed to ensure it is only used for the intended purpose
• Contractually requiring any service providers to provide comparable security measures

6.3  Cyper will use appropriate security measures when destroying client’s, customer’s, partner’s personal information.

6.4  We will continually review and update our security policies and controls as technology changes to ensure ongoing personal information security. 

7.1  Clients, Customers, Partners have a right to access their personal information, subject to limited exceptions. 

7.2  A request to access personal information must be made in writing and provide sufficient detail to identify the personal information being sought. A request to access personal information should be forwarded to Cyper’s Chief Privacy Officer at privacy@cyper.ca 

7.3  Upon request, Cyper will also tell clients, customers, partners how we use their personal information and to whom it has been disclosed if applicable. 

7.4  We will make the requested information available within 30 business days, or provide written notice of an extension where additional time is required to fulfill the request. 

7.5  If a request is refused in full or in part, we will notify the client, customer, partner in writing, providing the reasons for refusal and the recourse available to the client, customer, partner. 

8.1  The Chief Privacy Officer is responsible for ensuring Cyper’s compliance with this policy and the HIPAA, PIPEDA and Quebec’s Law 25.

8.2  Clients, Customers, Partners should direct any complaints, concerns or questions regarding Cyper’s compliance in writing to Cyper’s Chief Privacy Officer at privacy@cyper.ca 

Cyper is committed to complying with all applicable laws and regulations governing the privacy and security of PHI and personal information. This policy outlines our commitment to protecting the confidentiality, integrity, and availability of PHI and personal information through administrative, physical, and technical safeguards. All employees, contractors, and partners are responsible for complying with this policy and reporting any violations.