1.0 Accountability

HDC is accountable for personal information in our custody and control, including that information that is managed, accessed, and stored on our behalf by our contracted service providers.

Our accountability is embedded at the highest level of our organization with HDC’s Board of Directors, who have a fiduciary duty to ensure that HDC has sound privacy practices. HDC’s Executive Director is accountable for HDC’s overall strategy, including HDC’s commitment to privacy. HDC’s Privacy Officer is responsible for day-to-day compliance with our Privacy Policy, our obligations under PIPA, and our Privacy by Design Certification.

2.0 Identifying Purposes for Collection and Use of Personal Information

HDC identifies our purposes for collecting personal information before or at the time we collect it. We do this by stating these purposes clearly, or where the purposes are obvious, by providing links to this Policy. We have listed the purposes for which we collect and use personal information below.

Our Website

HDC does not automatically collect personal information from visitors to our website through cookies or other means. We may request that you provide some basic personal information voluntarily, such as when you email us, sign up with a mailing list, or indicate interest enrolling in our services.

We use Google Analytics, a web analytics service to understand the effectiveness of our website. Google Analytics collects Internet Protocol (IP) addresses which contains some information about your computer device and its location. We ensure privacy is protected by using IP masking, a customization within Google Analytics, to anonymize all IP addresses.

HDC Discover

HDC collects personal information directly from all users of HDC Discover, our secure data sharing platform. The information we collect from users is limited, but necessary to ensure we can make our platform work as intended and keep it secure. HDC is transparent about these purposes as outlined in HDC’s Registration Agreement.

HDC processes Electronic Medical Record (EMR) data containing patient-level personal information from participating medical clinics as necessary to provide our services. Participating clinics always retain control over their patient’s information.

HDC’s Data Sharing Agreement outlines our purpose for processing personal information from clinics, our limited uses of that information, and how we manage and protect that information to provide our service.

Job Applicants to HDC

If you provide personal information to us for the purpose of employment but do not end up working with the HDC, we will retain your information for the minimum time required by law and destroy your information securely.

3.0 Consent

We rely on your consent to collect, use, and disclose the personal information you provide to us. If we identify a purpose for using your information that was not previously indicated, we will ensure to gain your consent.

Implied Consent

Implied consent refers to an assumption of permission to collect and use personal information based on an individual’s actions in the situation. HDC relies on implied consent where the purposes for using the information are obvious, and where the information collected is appropriate for the situation.

We collect and use personal information with your implied consent when you provide your information at conferences, if you apply for an employment position with us, or if you sign up for information about our services on our website.

Express Consent

Express consent occurs where an individual is presented with an option to agree or disagree with the collection, use, or disclosure of their personal information and indicates their agreement by providing a signature or clicking “I Agree”. HDC collects and uses personal information with your express consent when you register to become a user of HDC Discover and agree to HDC’s Registration Agreement, or when you agree through our Data Sharing Agreement to share your clinic’s EMR data with the HDC to receive our services

Patient Consent

We are authorized by PIPA to process personal information about patients on behalf of participating medical clinics in order provide our services. We process personal information indirectly from clinics that have contracted us to support them in providing the highest quality of care to their patients. Physicians and medical clinics rely on their patients implied and express consent to receive care when they share personal information with service providers, such as the HDC, that support them in providing their services.

We access personal information about patients solely to carry out our services. For more information about our service and how we protect health data, please review our FAQs.

Revoking Consent

Where you have provided us with your personal information directly, you are able to  revoke consent for our use of that information. We will support you in terminating any HDC service you have requested without undue delay. Contact privacy@hdcbc.ca for more information.

4.0 Limits to Collection of Personal information

We limit our collection of personal information to only what is reasonable and relevant for the purposes we identify upon collection.

5.0 Limiting Use, Disclosure, and Retention

We use your personal information only as necessary to facilitate the purposes for which you provided the information. This includes using your information for those necessary activities that enable us to carry out that purpose.

HDC’s employees and contractors are only authorized to access and use personal information for legitimate business purposes based on a need-to-know basis to perform their responsibilities. We take reasonable steps to limit access and use of personal information through administrative, physical, and technical controls that are built into our services and infrastructure.

Disclosing Information to Third Parties

We will only share your information for legitimate purposes that are authorized by law. These purposes include, but are not limited to:

• Where you have provided consent to the information being shared.
• Where we have contracted a service provider to work on our behalf to support us in providing our services.
• Where the disclosure is deemed necessary and is authorized by PIPA or another law. For example, we are not limited by consent where compelling circumstances necessitate sharing information that could affect the safety of an individual. We are not limited in sharing information to comply with terms of a court order, subpoena, or warrant.

Retention and Disposal of Personal information

We retain personal information only as necessary to provide our services, manage our operations, maintain our relationship with our staff, and as required by law. We securely dispose of personal information where the reason for retaining it no longer applies and ensure this is done in a timely manner, or as specified in any agreements that govern the management of the information.

6.0 Accuracy

You have the right to ensure that personal information about you is accurate and complete. We take reasonable steps to ensure that any personal information that we collect directly from you remains accurate and complete.

7.0 Securing Personal Information

We are committed to protecting and securing all information in our custody and control, regardless of format. We build the necessary safeguards into all operations to ensure information is managed proactively from collection to destruction. We train staff to be human firewalls against cybercrime and we test our controls continuously.

8.0 Individual Access and Correction to Personal Information

You have the right to request access and correction to your personal information in HDC’s control and we are committed to promptly supporting you with this. Should there be a scenario where we cannot provide access to your information, we will be transparent as to the reasons.

Example scenarios where access may not be granted include:

• Where the access may reveal personal information about another individual.
• Where the information requested is subject to solicitor-client privilege.
• Where the provision of access could reasonably be expected to threaten the health or safety of an individual.
• Where HDC manages the personal information on behalf of another party, such as a medical clinic, and is not authorized to provide access.

Contact privacy@hdcbc.ca for more information.

9.0 Openness and Transparency

We are committed to transparency about how we collect, use, disclose, handle, and safeguard personal information within our organization.

We routinely review our communication tools, policies, and agreements to ensure they are clear and that our practices are easily understood. Below is a list of our communication tools, policies, and agreements related to privacy.

HDC policies

• HDC Mission and Vision – why we do what we do
• Privacy Policy – the overarching principles that govern the entire HDC organization

HDC Discover specific policies

• FAQs – some commonly asked questions and answers
• Use and Disclosure of Anonymized Aggregate Data Policy – the details of how HDC uses the anonymized aggregated information created in the HDC Discover application
• Registration Agreement – our terms of use for HDC Discover
• Data Sharing Agreement – our agreement with clinics that outlines how HDC processes and protects clinical data
• User Code of Conduct – outlines appropriate behaviour when using HDC Discover

Our commitment to transparency includes the management of privacy breaches. If a breach of personal information were to ever pose a risk of significant harm to individuals, we will report to the Office of the Information Privacy Commissioner and notify those affected.

10.0 Challenging Compliance

You may challenge HDC’s compliance with the above principles by contacting HDC’s Privacy Officer in writing at suite 201-1009 Cook Street, Victoria, BC, V8V 3Z6, or by emailing privacy@hdcbc.ca.