Last revised: February 14, 2023
Privacy Statement
This Privacy Statement applies to the North York Eye Clinic.
At North York Eye Clinic, we recognize the importance of protecting your privacy and safeguarding your personal information.
This Privacy Statement describes the types of personal information that we collect, use and disclose. It explains how we collect, use and disclose that information, the choices you have regarding such use and disclosure, and how you may access and correct that information.
From time to time, we may make changes to this Privacy Statement. The Privacy Statement is current as of the “last revised” date which appears at the top of this page.
The following topics will be covered in this Privacy Statement:
- What personal information do we collect?
- How do we collect your personal information?
- Why do we collect your personal information?
- To whom do we provide your personal information?
- When and how do we obtain your consent? Can you withdraw your consent?
- Where do we store your personal information?
- How long will we utilize, disclose or retain your personal information?
- How do we ensure the privacy of your personal information when dealing with service providers?
- What safeguards have we implemented to protect your personal information?
- How can you review your personal information that we have collected, utilized or disclosed?
- How do you know that the personal information we have on you is accurate?
- What if the personal information we have on you is inaccurate?
- How fast will we respond to your written requests?
- Are there any costs to you for requesting information about your personal information or our privacy practices?
- How do we know that it is really you requesting your personal information? What if you have a substitute decision maker or other agent?
- How do you contact us regarding access to your personal information or our privacy practices?
1. What personal information do we collect?
Personal information is any information that is identifiable with you, as an individual (although it may not include your business contact information where collected, used or disclosed for business communication purposes).
We may collect, use, and disclose different kinds of personal information, depending on our relationship with you. For example:
- if you are a patient, we collect the name, contact information, gender, date of birth, health status and history, family health history, diagnosis and other health information, insurance information, and payment information (such as credit card information);
- if you communicate with us, we collect whatever personal information you choose to provide to us; and
- if you use our online portals or applications, we may collect technical and usage data (such as internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our websites).
We may also collect, use and share aggregated and anonymized data, such as statistical or demographic data. Aggregated and anonymized data is not considered personal information as it does not reveal your identity.
2. How do we collect your personal information?
We will collect your personal information by fair and lawful means. We generally collect personal information directly from you. We may also collect personal information from third parties, with your consent or as otherwise required or permitted by law. For example, we may obtain health information, medical records and test results from your past, current and future health providers where relevant to the provision of health care to you.
3. Why do we collect your personal information?
We identify the purposes for which we use your personal information at the time we collect such information from you and obtain your consent, in any case, prior to such use. We generally use your personal information for the following purposes (the “Purposes”):
- if you are a patient, to provide health care to you, as well as related services and programs that you request;
- to conduct research, which may be subject to a separate written authorization;
- if you use any of our online portals or applications, to administer your use of those portals or applications;
- to send you information about additional clinical services or general wellness;
- to manage our business – including to detect and prevent errors and fraud;
- to respond to your inquiries, complaints or requests;
- to collect opinions and comments about our operations;
- to improve the effectiveness and efficiency of our operations, products, services and programs (although we generally only use de-identified information for this purpose);
- if you visit our premises, to ensure safety and security;
- if you apply for employment with us, to process your application;
- to investigate legal claims;
- for such other purposes as you may consent to from time to time; and
- as otherwise required or permitted by law.
4. To whom do we provide your personal information?
We generally identify to whom, and for what purposes, we disclose your personal information, at the time we collect such information from you and obtain your consent to such disclosure.
We may disclose your personal information to other health care providers involved in providing health care to you. This is an important part of coordinating your health care, as it ensures that everyone involved in your health care has the right information to meet your health care needs.
We may also disclose your personal information to your health insurance provider.
We may transfer your personal information to service providers that are assisting us with the Purposes, including those providers that deliver medications on our behalf. We ensure that those service providers are subject to appropriate privacy standards.
5. When and how do we obtain your consent? Can you withdraw your consent?
We generally obtain your consent prior to collecting, and in any case, prior to using or disclosing your personal information for any purpose – unless we are otherwise permitted to handle your personal information under applicable law. You may provide your consent to us either orally, electronically or in writing. The form of consent that we seek, including whether it is express or implied, will largely depend on the sensitivity of the personal information and the reasonable expectations you might have in the circumstances.
Where feasible or required by applicable law, we will accommodate requests to withdraw consent – subject to legal or contractual restrictions. However, this may mean that you are no longer eligible for certain services, or to participate in certain programs – or may otherwise limit our ability to provide health care to you or to fully meet your needs.
6. Where do we store your personal information?
We will keep the personal information that we collect in our clinic in Ontario and in the data centres of our third party service providers, as applicable.
7. How long will we keep your personal information?
We will keep your personal information for as long as necessary to fulfill the purposes for which that personal information was collected and as permitted or required by law. If you are a patient, we retain personal information related to your care pursuant to health regulatory College of Optometrists of Ontario guidelines.
8. How do we ensure the privacy of your personal information when dealing with service providers?
We ensure that any service providers that handle personal information on our behalf are contractually required to observe the intent of this Privacy Statement and our privacy practices and to comply with applicable privacy laws.
9. What safeguards have we implemented to protect your personal information?
We have implemented physical, organizational, contractual and technological security measures in an effort to protect your personal information from loss or theft, unauthorized access, use, or disclosure. For example:
- we restrict access to your personal information to those employees or agents who need access for authorized purposes;
- electronic data is protected by technological means, such as firewalls, access controls, and encryption;
- we sensitize our employees and agents to the importance of safeguarding personal information; and
- we confidentially destroy your personal information when we no longer need it for permitted purposes.
Retention and destruction of personal information
We need to retain personal information for some time to ensure that we can answer any questions you might have about the services we provided to you and for our own accountability to external regulatory bodies.
In compliance with the requirements of other legislation, we keep our patient files and records for a minimum of 10 years. You can ask us, in writing, to restrict our uses and disclosures of personal information at any time. We will also discontinue using or disclosing your personal information after a written revocation of your implied or informed consent is received, unless we have already acted in reliance upon this consent.
We destroy paper files containing personal information by shredding. We destroy electronic information by deleting it and, when the hardware is discarded, we ensure that the information on the hard drive is destroyed. Alternatively, we may send some or all of the patient file to our patient.
Like most companies, we cannot guarantee that our safeguards will always be effective. A breach of security safeguards can result in such risks as phishing and identity theft. In such cases, we act promptly to mitigate the risks and to inform you where there is a real risk of significant harm, or as otherwise required by law.
We may also require you to assist us to safeguard your personal information. For instance, if you use our applications or online portals, you should use unique and strong passwords, not share your passwords with others, and promptly alert us if you believe your password has been compromised.
10. How can you review your personal information that we have collected, used or disclosed?
If you make a written request to review any personal information about you that we have collected, utilized or disclosed, we will provide you with any such personal information according to applicable law. We will attempt to make such personal information available to you in a form that is generally understandable. We will need to confirm your identity, before providing you with this access. We reserve the right to charge a fee for such requests.
11. How do you know that the personal information we have on you is accurate?
We will attempt to ensure that your personal information is kept as accurate, complete and up-to-date as possible. We will not routinely update your personal information, unless such a process is necessary. We expect you, from time to time, to supply us with written updates to your personal information, when required.
12. What if the personal information we have on you is inaccurate?
At any time, you can challenge the accuracy or completeness of your personal information in our records. If you successfully demonstrate that your personal information in our records is inaccurate or incomplete, we will amend the personal information as required. Where appropriate, we will transmit the amended information to third parties having access to your personal information.
13. How fast will we respond to your written requests?
We will attempt to respond to each of your written requests not later than 30 days after receipt of such requests. We will advise you in writing if we cannot meet your requests within this time limit. You have the right to make a complaint to the Privacy Commissioner of Canada or applicable provincial privacy commissioner if you object to how we have handled your request. For example, if you are a patient, you have the right to complain to your provincial privacy commissioner.
14. Are there any costs to you for requesting information about your personal information or our privacy practices?
We will not charge any costs for you to access your personal information in our records without first providing you with an estimate of the approximate costs, if any.
15. How do we know that it is really you requesting your personal information? What if you have a substitute decision maker or other agent?
We may request that you provide sufficient identification to permit access to the existence, use or disclosure of your personal information. We will only use that identifying information to help us respond to your request. If you are an agent of the individual that the personal information is about, we may require you to provide documentation to prove that you have the authority to act for that individual.
16. How do you contact us regarding access to your personal information or our privacy practices?
If you wish to make a formal complaint about our privacy practices or the application of those practices, you may make it in writing to our Information Officer. She will acknowledge receipt of your complaint, ensure that it is investigated promptly and that you are provided with a formal decision and reasons in writing.
If you have a concern about the professionalism or competence of our services or the mental or physical capacity of any of our professional staff, we would ask you to discuss those concerns with us. However, if we cannot satisfy your concerns, you are entitled to file a complaint with our regulatory body by writing or communicating with:
College of Optometrists of Ontario
65 St. Clair Avenue East, #900, Toronto, Ontario M4T 2YC
Telephone 416-962-4071
www.collegeoptom.on.ca
This policy is made under the Personal Information Protection and Electronic Documents Act. That is a complex Act and provides some additional exceptions to the privacy principles that are too detailed to set out here. There are some rare exceptions to the commitments set out above.
For more general inquiries, the Information and Privacy Commissioner of Canada oversees the administration of the privacy legislation in the private sector. The commissioner also acts as a kind of ombudsman for privacy disputes. The Information and Privacy Commissioner can be reached at:
Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
Phone: (819) 994-5444
Online Information Request Form
Fax: (819) 994-5424
TTY: (819) 994-6591
www.privcom.gc.ca