- Accountability: NRC Health is accountable for the personal information we collect, use, retain and disclose in the course of our commercial activities, including, but not limited to, the appointment of a Privacy Officer;
- Identifying Purposes: NRC Health must explain to the client the purposes for which the information will be used and must use the information for those purposes;
- Consent: Prior to a client transmitting to us personal health information, NRC Health relies on our clients to ensure that they have obtained an individual’s express or implied consent to collect, use, and disclose the individual’s personal information for this purpose. In addition, NRC Health informs those who may be responding to a survey about the collection, use or disclosure of the individual’s personal information;
- Limiting Collection: NRC Health limits its collection of personal information to only the amount and type that is reasonably necessary for the identified purposes;
- Limiting Use, Disclosure and Retention: personal information is used for only the identified purposes, and unless the law permits or requires otherwise, is not disclosed to third parties without consent;
- Accuracy: NRC Health keeps personal information in active files accurate and up-to-date;
- Safeguards: NRC Health uses physical, organizational, and technological safeguards to protect personal information from unauthorized access or disclosure;
- Openness: At NRC Health we inform our clients, those who may receive their surveys, and NRC Health associates of our privacy policies and procedures;
- Individual Access: An individual has a right to access his or her personal information held by NRC Health and to challenge its accuracy if need be; and
- Provide Recourse: NRC Health responds promptly to requests for information, access requests and complaints, and informs clients and employees of how to bring these forward to the Privacy Officer.
This policy applies to NRC Health’s associates, subcontracted employees and third party vendors. NRC Health will review and revise this document in accordance with Canada’s evolving privacy laws.
Protecting personal information is fundamental to NRC Health’s mandate to provide services and products that are designed to measure and improve the patient experience.
NRC Health is accountable to our clients and their patients and employees regarding the protection of their personal information in our custody.
NRC Health has appointed a Privacy Officer who is responsible for privacy compliance issues and who has the authority to intervene on privacy issues relating to any of NRC Health’s operations. NRC Health’s Privacy Officer contractually ensures all subcontracted organizations are in compliance with our policies and those of our clients.
NRC Health’s Privacy Officer has developed and implemented policies and training for associates regarding the handling of personal information. This includes defining the purposes of the information we collect, consent, limiting its collection, use and disclosure, ensuring information is correct, complete and current, ensuring adequate security measures are in place, managing a retention and destruction timetable, processing access requests and responding to inquiries and complaints.
In addition, the Chief Security Officer for NRC Health, our parent company, is the executive responsible for the organization’s entire security profile and practices.
NRC Health identifies the reasons for collecting Personal Information prior to and/or at the time of survey administration by means of the contracts with clients, survey covering letter or interview introduction.
Potential survey respondents are also informed that their information will only be used for the stated purpose.
Personal information (patient or employee contact data) is provided to NRC Health. Unless the law permits or requires otherwise, an individual’s express or implied consent is obtained by the client organization for the collection, use or disclosure of the individual’s personal information.
At the time of surveying, NRC Health informs individuals from whom they collect Personal Information: the purpose for collecting it; the rights of the prospective respondent; and the fact that they can choose not to participate without any negative impact on the care they receive from client organizations. This is done by means of a cover letter, signed by the client, that is distributed with each survey (mail or web). For phone or face-to-face interviews, this information is provided prior to the interview commencing. Contact information is provided for those who have questions regarding the survey, or for those persons who wish to have their name removed from a survey mailing list.
NRC Health does not collect personal information indiscriminately. NRC Health limits the collection of Personal Information to what is necessary for the identified purposes of the survey project. This is agreed to by the client and NRC Health.
NRC Health associates understand and articulate why the information is needed. Questions regarding the handling policies and practices of personal information that are not adequately addressed by associates are directed to NRC Health’s Privacy Officer.
Limiting Use, Disclosure, and Retention
Personal Information is only used or disclosed for the purpose for which it was collected, unless an individual consents, or the use or disclosure is authorized by Canadian privacy law, with the exceptions, as permitted under PIPEDA:
Purposes for using Personal Information are to be identified for potential participants as part of the consent process undertaken by clients as part of their standard processes.
Personal Information will be disclosed to NRC Health associates on a need-to-know basis for the purposes of their work as decided upon in advance and documented by contract.
If a request for access to Personal Information comes from a person other than the survey respondent or Client Organization, NRC Health promptly directs the person requesting the information to submit their request to the appropriate person at the Client Organization, and the contact information of an official from the Client Organization is provided.
PIPEDA permits NRC Health to transfer Personal Information to a third party, without the individual’s knowledge or consent, if the transfer is simply for processing purposes and the third party only uses the information for the purposes for which it was transferred.
NRC Health is obliged to report to its clients any foreign demand for disclosure. As a Canadian company, regulated by Canadian laws and under NRC Health Client Organization contracts, NRC Health would: immediately notify the Client Organization of the request; notify the requesting body of the privacy legal requirements in Canada; and seek legal advice and support.
As an incorporated Canadian company, NRC Health abides by the Federal and Provincial laws impacting our clients. Some of these laws prohibit disclosure of any identifiable personal information to a foreign country.
Nonetheless, under unusual circumstances PIPEDA permits NRC Health to disclose Personal Information to third parties, without an individual’s knowledge and consent, to:
- a lawyer representing NRC Health;
- comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction;
- a law enforcement agency in the process of a civil or criminal investigation;
- a government agency or department requesting the information; or
- as required by law.
NRC Health will never sell personal information to any organization or individual and we are obliged to limit the use of the personal information in our custody to the stated purpose of the contracted services.
Personal Information is kept only for as long as necessary to satisfy the purposes for which it was collected. NRC Health contracts specify how long Personal Information will be retained and how and when it will be destroyed. Retention periods take into account any legal requirements or restrictions and redress mechanisms.
Electronic data are destroyed using industry standard protocols. Hardcopy files are shredded and securely disposed of.
NRC Health makes every reasonable effort to ensure personal information it has collected or created is accurate, complete and up to date.
NRC Health protects Personal Information against unauthorized access, collection, use, disclosure or disposal by means of physical, organizational, and technological safeguards regardless of the format in which it is held. All security measures are regularly reviewed and updated as needed.
The NRC Health office is located in a secure and monitored environment. Public access is restricted and managed by NRC Health staff. Staff require electronic passkeys to enter the premises. Storage of personal information onsite, whether electronic or hardcopy, is secured.
Organizational controls in place at NRC Health include associate training, fostering a culture of privacy, explicit security practices limiting access on a “need-to-know” basis, and monitoring access. In addition, all full- and part-time associates and third party contractors sign non-disclosure agreements.
Technological tools in place at NRC Health include computer system passwords, encryption, and network firewalls. Data are sent to and from NRC Health via secure methods including a secure file transport protocol (FTPS) portal and secure socket layer (SSL) for web-based surveys.
Questions, complaints or concerns about how NRC Health manages personal information are directed to NRC Health’s Privacy Officer for immediate attention.
An individual who wishes to review or verify what Personal Information is held by NRC Health, or to whom the information has been disclosed (as permitted by Provincial and Federal law), may make the request for access to the Privacy Officer.
NRC Health provides any help needed in response to a request for access to Personal Information and informs individuals as to whether or not their Personal Information is included in NRC Health data holdings. Once the identity of the individual requesting information is confirmed, access to his or her Personal Information is provided. An explanation of how it is or has been used or disclosed is provided. Help and access are provided by NRC Health at no cost. Any changes or corrections to Personal Information are made within 5 business days from the date of the correction request. NRC Health then forwards the correction to any other party to whom, within one year prior to the date of the correction request, the receiving party disclosed the information being corrected or annotated.
Concerns about NRC Health’s Personal Information handling practices may be directed to NRC Health’s Privacy Officer, at:
7100 Woodbine Ave, Suite 411
Email: firstname.lastname@example.org Attention: Privacy Officer
NRC Health’s Privacy and Security Policies can be viewed here:
NRC Health associates are also asked to bring any privacy questions, concerns, or possible breaches to the immediate attention of the Privacy Officer.
NRC Health will not dismiss, suspend, demote, discipline, harass or otherwise disadvantage an associate, or deny that associate a benefit, because he/she brought any privacy related concern or complaint forward internally or externally to a Privacy Commissioner or any other Canadian official responsible for privacy law.
NRC Health pledges to quickly and effectively deal with any privacy complaint that might arise, no matter who the complaint is from (e.g., survey respondent, client or associate). Upon verification of the individual’s identity, the Privacy Officer will act promptly to investigate the complaint and provide a written report of the investigation’s findings to the individual.
If the Privacy Officer decides that the individual’s complaint is well founded, he or she will take the necessary steps to correct the practice complained of and/or revise NRC Health’s privacy policies and procedures.
If the Privacy Officer determines that the individual’s complaint is not well founded, the individual will be notified in writing. If the individual is dissatisfied with the finding and corresponding action taken by NRC Health’s Privacy Officer, the individual will be informed that he or she may take the complaint to the Federal Privacy Commissioner (or provincial equivalent) at the address below:
The Privacy Commissioner of Canada
112 Kent Street, Ottawa,
Ontario K1A 1H3