Policy:
LIMITING COLLECTION
Collection of Personal Information shall be limited to that which is necessary for the fulfillment of ErinoakKids services.
LIMITING DISCLOSURE AND RETENTION
Personal Information will not be disclosed except in accordance with ErinoakKids’ obligations under its Agreements.
ErinoakKids is committed to the proper classification, secure retention, and timely disposal of any record containing Personal Information (PI) or Personal Health Information (PHI).
ENSURING ACCURACY
ErinoakKids will ensure that appropriate reviews are executed for client data integrity, will report any data integrity issues to the health records and data quality team, and will correct all data integrity issues in a timely manner.
Where PI/PHI cannot be corrected through normal system use or update mechanisms, ErinoakKids will implement a documented correction process to handle the issue.
SAFEGUARDS
ErinoakKids implements security safeguards appropriate to the sensitivity of the information to protect Personal Information against loss or theft, as well as unauthorized use, access, disclosure, copying, modification, or disposal.
OPENNESS
ErinoakKids will:
- Disseminate to each client and to the public a plain-language description of its services, suitable for sharing with the individuals to whom the PI/PHI relates, including a general description of the safeguards in place to protect against loss, theft, unauthorized use, access, disclosure, copying, modification, or disposal, and to protect the integrity of the Personal Information;
- Disseminate to the public any directives, guidelines, and policies of ErinoakKids that apply to client services;
- Disseminate to the public a general description of the safeguards implemented by ErinoakKids in relation to the security and confidentiality of Personal Information.
INDIVIDUAL ACCESS
ErinoakKids has a documented process and procedure, with clear accountabilities, to comply with applicable legislation governing individual access.
Systems and documented processes and procedures are developed with adequate controls and audit trails to respond to privacy and security violations and breaches, and to individual requests for access.
GOVERNANCE
In order to meet its governance obligations and its Agreements with its clients, ErinoakKids has:
- Assigned a privacy and security officer (PSO) to ensure compliance with obligations related to privacy and security.
- Assigned an information security officer (ISO) to be responsible for overseeing the information security aspects of the solution(s) being used.
- Developed a RACI (responsible, accountable, consulted, and informed) chart to clearly define all privacy and security roles and responsibilities as they relate to ErinoakKids’ obligations in client systems.
- Used or developed practices, processes, and procedures to:
  - Develop key performance indicators to assess and report on privacy and security metrics for each engagement.
  - Review the ErinoakKids privacy and security policy, practices, processes, and procedures annually to confirm that they comply with applicable legal, contractual, industry, and regulatory requirements, and to determine whether changes are necessary or appropriate in light of changes in laws or regulations or other significant legal developments.
HUMAN RESOURCES
ErinoakKids uses and develops practices, processes, and procedures to ensure that employees, consultants, or permitted agents who perform services or otherwise have access to Personal Information will:
- Sign a confidentiality agreement and code of conduct.
- Be informed of all privacy- and security-related policies and procedures, which ErinoakKids will keep readily accessible to all personnel.
- Obtain a satisfactory background screening, in accordance with its Agreement(s).
TRAINING AND AWARENESS
ErinoakKids believes that a culture of privacy and security is necessary to meet the individual and collective responsibilities of the organization, and delivers comprehensive training and ongoing awareness initiatives.
AUDITING POLICY AND PROCEDURES
For each project, ErinoakKids will draft policies, procedures, and processes to audit the project at a predefined frequency, to confirm that ErinoakKids is acting in accordance with partner agreements and legislation, and to identify privacy incidents and breaches.
BREACH RESPONSE PROTOCOL
ErinoakKids is committed to promptly and appropriately responding to, containing, and mitigating the impact of any privacy or security breach or incident. Accordingly, ErinoakKids will maintain a documented breach response protocol to identify, manage, and resolve privacy and security breaches and incidents that result from the loss, theft, unauthorized use, access, disclosure, copying, modification, or disposal of Personal Information.
COMPLAINT MANAGEMENT
ErinoakKids has documented procedures, with clear accountabilities, to ensure that it promptly notifies clients in writing of any enquiry or complaint received by ErinoakKids relating to the processing of Personal Information.
OPERATING PROCEDURES
ErinoakKids has practices, processes, and procedures in place to ensure that it meets all requirements of the Personal Health Information Protection Act and its Client Agreements.