Personal Information Protection Policy
At Cyper, we are committed to providing our clients, customers and partners with exceptional service. As providing this service involves the collection, use and disclosure of some personal information about our clients, customers and partners, protecting their personal information is one of our highest priorities.
While we have always respected our clients, customers and partners' privacy and safeguarded their personal information, we have strengthened our commitment to protecting personal information and this policy outlines our company's commitment to complying with the Health Insurance Portability and Accountability Act (HIPAA), the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec’s Law 25, An Act to modernize legislative provisions as regards the protection of personal information . Our company is dedicated to safeguarding the privacy and confidentiality of personal information and protected health information (PHI) in compliance with applicable laws and regulations.
1. HIPAA Compliance
Cyper is committed to complying with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. We safeguard PHI by implementing administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of client’s, customer’s, partner’s ePHI.
2. PIPEDA Compliance
Cyper is committed to complying with the PIPEDA regulations governing the collection, use, and disclosure of client’s, customer’s, partner’s personal information. We will safeguard personal information by implementing appropriate security measures, obtaining consent for collection, use, and disclosure, and providing individuals with access to their personal information.
We will inform our clients, customers and partners of why and how we collect, use and disclose their personal information, obtain their consent where required, and only handle their personal information in a manner that a reasonable person would consider appropriate in the circumstances.
Cyper Personal Information Protection Policy, in compliance with HIPAA, PIPEDA and Quebec’s Law 25, outlines the principles and practices we will follow in protecting clients, customers and partners personal information. Our privacy commitment includes ensuring the accuracy, confidentiality, and security of our clients, customers and partners personal information and allowing our clients, customers and partners to request access to, and correction of, their personal information.
3. Quebec’s Law 25 Compliance
Cyper is committed to complying with Quebec's Law 25, which enacted significant changes to the requirements governing the collection, use, and communication of personal information.
2. Research: Disclosure of personal information for research purposes and have a procedure in place for research projects, including privacy impact assessment
3. Promptly notify the Commission d'accès à l'information and affected individuals of any confidentiality incidents, including privacy data breaches and the unauthorized access/use/disclosure of personal information
4. In the event of a privacy incident, Cyper will immediately take all reasonable measures to mitigate the risk of injury and to prevent any further incidents of a similar nature.
This policy applies to all employees, contractors, and partners who access, use or disclose PHI or personal information in the course of their duties. This policy applies to all forms of PHI or personal information, whether it is written, oral, electronic or other formats.
Personal Information, also known as personally-identifiable information (PII) and personal data, refers to information that can be used to identify, locate, or contact an individual, alone or when combined with other personal or identifying information.
Chief Privacy Officer – means the individual designated responsibility for ensuring that Cyper complies with this policy, HIPAA, PIPEDA and Quebec’s Law 25.
Policy 1 – Collecting Personal Information
1.1 Unless the purposes for collecting personal information are obvious and the clients, customers and partners voluntarily provide their personal information for those purposes, we will communicate the purposes for which personal information is being collected, either orally or in writing, before or at the time of collection.
1.2 We will only collect clients, customers and partners information that is necessary to fulfill the following purposes:
Policy 2 – Consent
2.1 We will obtain clients, customers and partners consent to collect, use or disclose personal information.
2.2 Consent can be provided orally, in writing, electronically, through an authorized representative or it can be implied where the purpose for collecting, using or disclosing the personal information would be considered obvious and the clients, customers and partners voluntarily provide personal information for that purpose.
2.3 Consent may also be implied where a client, customer or a partner is given notice and a reasonable opportunity to opt-out of their personal information being used for mail-outs, the marketing of new services or products, fundraising and the client, customer, partner does not opt-out.
2.4 Subject to certain exceptions (e.g., the personal information is necessary to provide the service or product, or the withdrawal of consent would prevent the performance of a legal obligation), clients, customers and partners can withhold or withdraw their consent for Cyper to use their personal information in certain ways. A client’s, customer’s, partner’s decision to withhold or withdraw their consent to certain uses of personal information may restrict our ability to provide a particular service or product. If so, we will explain the situation to assist the client, customer, or partner in making the decision.
2.5 We may collect, use or disclose personal information without the client’s, customer’s, partner’s knowledge or consent in the following limited circumstances:
Policy 3 – Using and Disclosing Personal Information
3.1 We will only use or disclose client, customer, or partner personal information where necessary to fulfill the purposes identified at the time of collection, or for a purpose reasonably related to those purposes such as:
3.2 We will not use or disclose client, customer, partner personal information for any additional purpose unless we obtain consent to do so.
3.3 We will not sell client, customer, partner lists or personal information to other parties.
Policy 4 – Retaining Personal Information
4.1 If we use client, customer, partner personal information to make a decision that directly affects the client, customer, partner, we will retain that personal information for at least one year so that the client, customer, partner has a reasonable opportunity to request access to it.
4.2 Subject to policy 4.1, we will retain client, customer, partner personal information only as long as necessary to fulfill the identified purposes or a legal or business purpose.
Policy 5 – Ensuring Accuracy of Personal Information
5.1 We will make reasonable efforts to ensure that client, customer, partner personal information is accurate and complete where it may be used to make a decision about the client, customer, partner or disclosed to another organization.
5.2 client, customer, partner may request correction to their personal information in order to ensure its accuracy and completeness. A request to correct personal information must be made in writing and provide sufficient detail to identify the personal information and the correction being sought.
A request to correct personal information should be forwarded to Cyper’s Chief Privacy Officer at email@example.com
5.3 If the personal information is demonstrated to be inaccurate or incomplete, we will correct the information as required and send the corrected information to any organization to which we disclosed the personal information in the previous year. If the correction is not made, we will note the clients’, customers’, partners’ correction request in the file.
Policy 6 – Securing Personal Information
6.1 We are committed to ensuring the security of client, customer, partner personal information in order to protect it from unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.
6.2 The following security measures will be followed to ensure that client, customer, partner personal information is appropriately protected, when applicable :
6.3 Cyper will use appropriate security measures when destroying client’s, customer’s, partner’s personal information.
6.4 We will continually review and update our security policies and controls as technology changes to ensure ongoing personal information security.
Policy 7 – Providing Clients, Customers, Partners Access to Personal Information
7.1 Clients, Customers, Partners have a right to access their personal information, subject to limited exceptions.
7.2 A request to access personal information must be made in writing and provide sufficient detail to identify the personal information being sought. A request to access personal information should be forwarded to Cyper’s Chief Privacy Officer at firstname.lastname@example.org
7.3 Upon request, Cyper will also tell clients, customers, partners how we use their personal information and to whom it has been disclosed if applicable.
7.4 We will make the requested information available within 30 business days, or provide written notice of an extension where additional time is required to fulfill the request.
7.5 If a request is refused in full or in part, we will notify the client, customer, partner in writing, providing the reasons for refusal and the recourse available to the client, customer, partner.
Policy 8 – Questions and Complaints: The Role of the Chief Privacy Officer
8.1 The Chief Privacy Officer is responsible for ensuring Cyper’s compliance with this policy and the HIPAA, PIPEDA and Quebec’s Law 25.
8.2 Clients, Customers, Partners should direct any complaints, concerns or questions regarding Cyper’s compliance in writing to Cyper’s Chief Privacy Officer at email@example.com
Cyper is committed to complying with all applicable laws and regulations governing the privacy and security of PHI and personal information. This policy outlines our commitment to protecting the confidentiality, integrity, and availability of PHI and personal information through administrative, physical, and technical safeguards. All employees, contractors, and partners are responsible for complying with this policy and reporting any violations.