Policy Content
Privacy
Version 1.0.2
Created: July 12, 2022 13:59
Last Modified: April 03, 2023 08:42
​
1 Purpose and Application

1.1 Background

The SiftMed application (the “Application”) offered by SiftMed Inc. (the “Company”) is medical case analysis software used to support insurance claims management, medico-legal case management, and Independent Medical Evaluations (IMEs).

SiftMed is a service provider to clients who need to sort and organize medical files. As a service provider, SiftMed:
- maintains the confidentiality of client information and the information of the client end users;
- helps clients and end users comply with privacy laws by providing a secure system and aligning the system with privacy best practices;
- helps clients and end users do their work in a privacy-aware and privacy-compliant manner.
1.2 Purpose
​
The purpose of this policy is to describe the ways SiftMed keeps personal information safe and secure, and how SiftMed complies with privacy laws. This helps SiftMed show accountability and build trust with clients and end users.
​
1.3 Application
​
This Policy applies to the development, operation, management, and delivery of SiftMed, including the data stored, collected, created, used, transmitted, disclosed, retained, modified, destroyed, or otherwise handled by SiftMed. Some parts of this Policy apply to the Company as a whole. This Policy applies to all employees, contractors, service providers, and others acting on behalf of SiftMed. Anyone listed here who violates this Policy will face disciplinary action and may be dismissed or have their contract terminated.
​
1.4 Privacy Notice and Transparency
​
It is important, both ethically and legally, to provide reasonable transparency to data subjects with respect to the processing and handling of their personal data. SiftMed maintains an up-to-date privacy notice that is made available to all customers and users of the SiftMed platform and services. Employees and contractors must read this privacy notice. If errors or concerns are discovered, the findings must be reported to the Chief Privacy Officer.
​
2 Additional Definitions

The following defined terms are also used in this Policy.
- “Client” means a party to which the Company is providing the Application.
- “End User” means an individual who uses the Application. An “End User” may be a “Client”.
- “Subject” means an individual who is the subject of a medical case being analyzed using the Application.
- “Application Information” means information associated with the Application.
- “Personal Information” means Application Information about an identifiable individual.
- “Confidential Information” means Application Information which a Client or End User expects to remain confidential, either by way of contract, express instruction, or reasonable expectation. Confidential Information includes Personal Information.
​
3 General
​
3.1 Review
​
The Company shall review this Policy at least annually, and whenever significant changes are made to the Application, the Company, or applicable legislation. The review shall be overseen by the Chief Privacy Officer, who will record the date of each review.
​
3.2 Commitment to the Model Code
​
The Company shall uphold the Canadian Standards Association Model Code for the Protection of Personal Information (CAN/CSA-Q830-03) (the “Model Code”), as it applies to the development, operation, management, and delivery of the Application. The privacy principles of the Model Code form the basis for most Canadian privacy legislation and are comparable to the principles found in many other privacy codes. This Policy serves to augment and/or clarify the Company’s commitment to the Model Code.
​
3.3 Policy to Comply with Law
​
The Company shall ensure that this Policy complies with applicable privacy law.
​
4 Accountability
​
4.1 Privacy Accountability
​
The Company’s Chief Executive Officer (the “CEO”) is accountable for privacy with respect to the development, operation, management, and delivery of the Application; however, the CEO may delegate this accountability to another individual within the Company.
​
4.2 Chief Privacy Officer
​
The Chief Privacy Officer (the “CPO”) has been designated by the CEO and is responsible for privacy with respect to the development, operation, management, and delivery of the Application. The CPO is also responsible for review, maintenance, and enforcement of this Policy.
​
5 Identifying Purpose
​
5.1 Explaining the Application and its Purpose
​
SiftMed customers use the Application to sort through medical records. Customers upload the medical records, initiate the sorting of the records, review the records, enter medical information into the provided templates, and download the populated templates.

SiftMed staff review the medical files uploaded by customers as part of the Company’s QA process, or when there is a problem with the system or operations that must be fixed and cannot be fixed without seeing the information. SiftMed staff do not share personal information held in the system with anyone unless required by law.

5.2 Limiting the Purpose for which the Application can be Used

The Terms and Conditions Agreement ensures that Clients and End Users use the Application only for its intended purpose.
​
6 Consent
​
The Application facilitates the work of Clients and End Users, who are responsible for obtaining and managing any consents associated with their use of SiftMed.
​
7 Limiting the Collection, Use, and Disclosure
​
Clients and End Users are responsible for ensuring that their collection, creation, use, transmission, disclosure, or other handling of Personal Information is limited to that which is necessary to perform their work.
​
7.1 Avoiding Unnecessary Collection and Disclosure
​
SiftMed does not have any mechanism to limit or change the information Clients upload to the system; it is the responsibility of the Client to upload only the information required. SiftMed supports limiting disclosure by having no integrations with third-party systems for sending information out, and by allowing only the user of the account to take information out of the system.
​
7.2 Development to Avoid the Use of Real Data
​
SiftMed will minimize the use of real data when developing and testing the Application and when training or evaluating machine learning models, reducing the ability to re-identify data subjects through pseudonymization and the removal of data fields. In addition, access to testing data will be limited to those individuals who strictly require it.
​
7.3 Handling and Recording Disclosure Requests
​
As a service provider, SiftMed will respond directly to requests for personal information only where required by law to do so. In that case, the CEO or CPO will follow the established procedures for disclosing information. Otherwise, SiftMed will forward the request to the Client and inform the individual that it has done so. SiftMed will keep a record of every request received, including the date, time, name of the requestor, and outcome of the request (information released or request forwarded).
​
7.4 Company Access Limited to “Minimum Necessary”
​
SiftMed staff will see the personal information uploaded by Clients into the system as part of the Company’s QA process. Once the QA process is complete, SiftMed staff will no longer be able to see the personal information unless there is a technical problem or a legal reason. Only a limited number of staff will do so, and only for one of the specific reasons listed.
​
8 Limiting Retention
​
Clients and End Users are responsible for ensuring appropriate retention of their Confidential Information. SiftMed will retain collected information until its deletion is requested by the Client or End User.
​
9 Accuracy
​
Clients upload the records they wish to work on. SiftMed is not responsible for the accuracy of that data, but does have safeguards in place to ensure that uploaded records are not altered.
​
10 Safeguards
​
10.1 General
​
The Company shall use administrative, physical, and technical safeguards to protect the Confidential Information against loss and theft, as well as unauthorized access, disclosure, copying, use, modification, and deletion.

10.2 Administrative Safeguards
​
Information Security Policy
The Company shall establish information security policies and procedures that apply to the Application.
​
Confidentiality Agreements
The Company shall establish confidentiality agreements with all parties who have access to the personal information.
​
Access and Property at the End of Relationships
The Company will revoke or terminate access and collect and/or securely destroy property at the end of an employment, contractual, or other relationship.
​
Internal & Service Provider Privacy and Information Security Training
All staff and service providers receive privacy and information security training when onboarded to the company and annually thereafter. The training will include the following topics: privacy best practices, confidentiality, system use, safeguarding personal information, and other legal requirements.
​
Privacy and Information Security Assessments
The Company shall conduct privacy and information security assessments of the Application (e.g. Privacy Impact Assessment, Threat Risk Assessment, Vulnerability Assessment). These assessments shall be conducted by appropriately-qualified personnel in accordance with industry-standard practices.
​
SiftMed will assist any Client that wishes to complete an information security assessment by providing information, documents, and similar material, except where the information is considered sensitive (e.g. trade secrets).
​
Privacy and Information Security Incident Response
The Company will maintain processes for tracking, managing, and documenting privacy and information security incidents associated with its development, operation, management, and delivery of the Application. These processes address privacy breach reporting (i.e. to the Privacy Commissioner of Canada) and privacy breach notification (i.e. to Clients and affected individuals).
​
Supporting Client Privacy and Information Security Incident Response
The Company will reasonably assist Clients with their responses to privacy and information security incidents (including notification of privacy breach where there is a real risk of significant harm).
​
Protecting those who Report Privacy and Information Security Incidents and Risks, as well as those who Refuse to do Certain Work
SiftMed encourages individuals to identify privacy risks and incidents and supports individuals’ right to refuse work that they believe may result in a privacy incident.
​
Risk Management Process
SiftMed will maintain processes for tracking and managing privacy and information security risks associated with, or impacting, the Application.
​
Clarifying Privacy-Related Expectations with Clients, End Users & Contractors
SiftMed’s Terms and Conditions set out clear privacy expectations for Clients and End Users. These expectations extend to contractors.

Auditing Interactions with Personal Information
The Company shall ensure that it is able to determine, for a reasonable period, what Personal Information was created, collected, accessed, transmitted, modified, or deleted by its directors, officers, employees, contractors, service providers, representatives, and agents. This ability is typically achieved through user activity logging, subject to a retention/destruction schedule.
​
The Company shall periodically audit, or ensure that audits are performed on, the creation, collection, access, transmission, modification, and deletion of Personal Information by its staff and contractors.
​
Extending this Policy to External Parties
This Privacy Policy will extend to any third parties that SiftMed uses or works with in the future.

Auditing Compliance of External Parties
SiftMed will periodically audit any future contractors, service providers, representatives, and agents to ensure that they are complying with the privacy-related expectations that have been placed on them.
​
Maintaining Privacy-Impacting Information about External Parties
The Company shall maintain a record of any future contractors, service providers, representatives, and agents that captures:
- the name of the contractor, service provider, representative, or agent;
- a general description of the role of the contractor, service provider, representative, or agent with respect to the Application;
- the locations of the contractor, service provider, representative, or agent (relevant to the Application);
- a general description of the Personal Information the contractor, service provider, representative, or agent is authorized to store, collect, create, use, disclose, retain, modify, destroy, or otherwise handle;
- the date on which Personal Information in the care of the contractor, service provider, representative, or agent was securely disposed of, or returned to the Company, as applicable.
​
The Company shall provide this information to Clients upon request (note that, under certain privacy legislation, some Clients may be required to inform Subjects about the use of parties outside of Canada to manage or otherwise handle Personal Information).
​
10.3 Physical Safeguards

The Company monitors its service providers to ensure a high level of physical safeguarding of information.

10.4 Technical Safeguards

The Company uses technical safeguards that meet the requirements for protecting highly sensitive information.
​
11 Openness
​
This Policy provides information on SiftMed’s privacy-related activities and safeguards, such as what information SiftMed collects and uses, data subject rights, the Chief Privacy Officer’s contact information, and an invitation to make privacy-related complaints. Additional information and/or policies can be requested from the Chief Privacy Officer at privacy@siftmed.ca.
​
12 Access and Correction
​
SiftMed supports individuals in contacting the relevant Client or End User to access and/or correct personal information held in the SiftMed system. Where legally required, SiftMed will respond directly and follow its established processes. SiftMed will assist Clients in responding to access and correction requests where possible and feasible.
​
13 Privacy Complaints and Inquiries
​
13.1 Complaints and Inquiries Regarding the Application
​
Individuals can direct privacy questions and complaints to the Chief Privacy Officer at privacy@siftmed.ca. We will follow our procedures for responding to a complaint or question, which may include forwarding your complaint to the appropriate client and/or end user if applicable.
​
13.2 Complaints and Inquiries Regarding the Company
​
If you have a complaint against SiftMed, please contact the Chief Privacy Officer at privacy@siftmed.ca. We will help you file your complaint with us and help you understand how we handle your complaint. We will let you know when you can expect to hear from us, give you information on what we are doing to make things right, and will communicate to you in easy-to-understand ways.
​
If you disagree with the outcome of your complaint, please contact the Privacy Commissioner of Canada at https://www.priv.gc.ca/en/report-a-concern/, or by Toll-free: 1-800-282-1376; Phone: (819) 994-5444; Fax: (819) 994-5424; TTY: (819) 994-6591.
​
13.3 Actioning Founded Complaints
​
If a complaint regarding the Company’s development, operation, management, and delivery of the Application, or its compliance with privacy-related law in doing so, is found to be justified, the Company shall take action to address it.