Courtyard Group Privacy Code

Purpose

Courtyard Group is committed to respecting personal privacy, safeguarding confidential information and ensuring the security of personal health information handled in the course of providing consulting services and personal information it holds about its employees, consultants, sub-contractors and clients. The term “personal information” means information about an identifiable individual, including any confidential information about a Courtyard Group employee, consultant, sub-contractor and client. Personal information does not include contact information, such as the name, title, business address or telephone number of an employee of an organization.

While many of Courtyard Group’s clients are governed by various private, public and/or health sector specific privacy legislation, this Privacy Code also recognizes and assumes responsibility for the protection of any “personal information” or “personal health information” (as these terms are defined in the applicable statute) provided to, or accessed by, Courtyard Group for the sole purpose of providing contracted services to its clients in any country where Courtyard Group conducts business. Such information is considered strictly confidential and may only be accessed on a need-to-know basis. All Courtyard Group activities in relation to personal health information will adhere to the clients’ policies and procedures.

The purpose of the Privacy Code is to establish privacy guidelines for Courtyard Group when it accesses, modifies, transmits, retains or disposes of personal information or personal health information during the course of its business activities. To this end, this Privacy Code fosters transparency, accountability and increased awareness of Courtyard Group’s information practices.

Scope

This Privacy Code applies to Courtyard Group partners, principals, consultants, employees, students and any other individual (collectively “Courtyard Group”) with access to personal information or personal health information. Courtyard Group must comply with this Privacy Code strictly at all times. The Privacy Code shall be interpreted in accordance with the applicable privacy statutes where Courtyard Group accesses, holds or manages personal information as a result of providing services to its clients.

This Privacy Code reflects internationally accepted fair information practices which form the basis for the legislative statutes and regulations in many countries around the world. The Privacy Code will continue to evolve over time to reflect legislative changes and current best practices in privacy and data protection.

Practices for handling personal information in compliance with these principles are summarized below.

1.1 Principle 1 – Accountability for Personal Information

Courtyard Group is responsible for protecting personal information and personal health information it accesses, holds or manages on behalf of or about its employees, consultants, sub-contractors and clients whether off site or on site. Courtyard Group is also responsible for protecting personal information and personal health information that it transfers to its sub-contractors as a result of or in connection with providing services to its clients.

In the case of sub-contractors, Courtyard Group will use contractual means to ensure a comparable level of data protection while a third party handles such information on its behalf. Such contracts shall include standard privacy clauses dealing with the confidentiality and security of personal information in accordance with applicable privacy legislation and this Privacy Code, which are to form part of the Terms and Conditions of the contract.

Accountability for Courtyard Group’s compliance with this Privacy Code and relevant privacy legislation rests with the Privacy Officer who reports directly to one of the Managing Partners of the firm. The Privacy Officer is responsible for ensuring compliance with this Privacy Code and relevant legislation as well as receiving privacy complaints and managing privacy breaches. A breach of this Privacy Code may result in suspending the user’s access rights to personal information and personal health information and disciplinary action, including suspension or dismissal. In the case of sub-contractors, a breach may result in termination of the sub-contract agreement.

Courtyard Group provides a privacy orientation session and on-going privacy training to give effect to this Privacy Code and relevant legislation. In addition, Courtyard Group ensures that every employee, consultant or student with access to personal information or personal health information shall sign a confidentiality agreement that includes an acknowledgement that he or she is bound by this Privacy Code.

1.2 Principle 2 – Identifying Purposes for Collecting Personal Information

Courtyard Group collects personal information from its employees, consultants, sub-contractors and clients. Courtyard Group collects personal information from its clients for the purpose of providing them with business services and products; it also collects personal information about its employees and sub-contractors for general contact and human resources purposes. From time to time, Courtyard Group may also access personal health information in the custody/control of its clients for the purpose of providing contracted services on behalf of its clients.

Upon request, Courtyard Group shall inform its employees, sub-contractors and clients of the purpose for which it collects, uses or discloses personal information as well as the purpose for which it may need to access personal health information. Personal information is collected, wherever possible, directly from employees, consultants, clients or through referrals where an individual has requested that such information be provided to Courtyard Group. Courtyard Group may also collect personal information from third parties, including government agencies, who have the authority to disclose the information.

1.3 Principle 3 – Consent

Except where the law authorizes collection and use of personal information or personal health information on behalf of its clients without consent, prior to collecting and using such information, Courtyard Group shall obtain consent of the individual who supplied the information or someone duly authorized to act on that individual’s behalf. Such consent may be withdrawn at any time by contacting the Privacy Officer, subject to any legal or contractual restrictions and upon reasonable notice to Courtyard Group. Where Courtyard Group requires access to personal health information in the course of providing services to its clients, Courtyard Group acknowledges that obtaining consent at the point of collection rests with the client and that additional consent is not required by Courtyard Group for the sole purposes of assisting its clients with work on its behalf and for the purpose consented to by the individual, except as required by law.

1.4 Principle 4 – Limiting Collection

Courtyard Group only collects personal information and/or accesses personal health information as required to fulfill the purposes identified in this Privacy Code. Courtyard Group collects and/or accesses such information by fair and lawful means. Courtyard does not collect personal health information.

1.5 Principle 5 – Limiting Use, Disclosure and Retention

Courtyard Group shall not use or disclose personal information or personal health information in its custody or control, or to which it has access in the course of providing contract services, except as necessary in the course of providing the services. Courtyard Group will only access, use, disclose the minimum amount of personal information or personal health information necessary to fulfill the identified purpose.

For example, Courtyard Group uses personal information to provide business services, for billing, record-keeping, account collection and other client contact and service matters, to manage and develop its business and operations. Courtyard Group will never disclose personal information or personal health information to a third party without consent or unless it is required by law or as necessary to provide client services (e.g. to a sub-contractor) provided that adequate contractual measures are in place to protect the information in accordance with this Privacy Code and applicable legislation.

Courtyard Group shall retain personal information and personal health information no longer than necessary to provide its clients with contracted services. As such, Courtyard Group takes security precautions when disposing and/or destroying such information. Specifically, upon completion of a contract, all personal information and personal health information it receives or accesses from its clients shall be returned or destroyed. If Courtyard Group is required to destroy the information, it shall ensure that its employees, consultants, sub-contractors or personnel:

     a) physically destroy all print and other hard copies by cross-shredding it;
     b) erase, scrub or otherwise remove all electronic, digital or other versions of it from every item of equipment and all media (including disks, tapes, computers, servers, and related peripheral equipment such as disk arrays, tapes or disk backup units) that it has installed, downloaded, or otherwise put onto; or
     c) otherwise obliterate it.

Courtyard Group shall also ensure that any partners, principals, consultants, employees, students, sub-contractors or any other individual with access to personal information or personal health information who have been terminated or have resigned immediately return the information as well as any hardware belonging to Courtyard Group. Courtyard Group administrators shall also ensure that pass cards are returned, usernames and passwords are revoked and changed to ensure no access to any applications, hardware, software, network and facilities belonging to Courtyard Group and any client.

1.6 Principle 6 – Accuracy

Courtyard Group shall ensure that all personal information it collects and holds is accurate, complete and up-to-date by routinely updating such information and/or making amendments upon request, where appropriate. Courtyard Group must notify its Human Resources Department of any changes or updates that will affect their personnel records.

1.7 Principle 7 – Safeguards

Courtyard Group takes reasonable efforts to protect personal information against loss, theft, unauthorized access, disclosure, copying, use, modification or destruction by using appropriate physical, organizational and technological measures to respect the confidentiality of all personal and/or personal health information it holds or accesses. Methods of protection include but are not limited to:

      • Physical Safeguards: locked filing cabinets, restricted access to offices (access keys, pass cards);
      • Organizational Safeguards: limited access to personal information on a need-to-know basis, staff privacy orientation and training, confidentiality pledges; random audits;
      • Technical Safeguards: username and passwords, anti-virus protection, encryption, firewalls, acceptable business disaster recovery plans and data backup.

1.8 Principle 8 – Openness about Policies and Practices

Courtyard Group makes this Privacy Code, including the name, title, and contact information of its Privacy Officer accountable for Courtyard Group’s Privacy Code and to whom access requests, inquiries and complaints may be directed.

The Privacy Code will be available at

Subject to applicable legislation, Courtyard Group reserves the right to monitor any and all aspects of its information systems and infrastructures including, but not limited to visited internet sites, instant messaging systems, chat groups, news groups and e-mail sent and/or received via Courtyard Group’s business email address.

Courtyard Group will notify its clients and its Privacy Officer at the first reasonable opportunity if personal information or personal health information handled by Courtyard Group and/or its sub-contractors is stolen, lost or accessed by unauthorized persons.

1.9 Principle 9 – Individual Access

Courtyard Group provides its employees, consultants, sub-contractors and clients with access to their personal information upon request so that they may know what information Courtyard Group holds about them and to provide an opportunity to verify the accuracy of their information and to correct any inaccuracies.

Courtyard Group reserves the right not to provide access where providing such access would compromise the personal security or commercial confidentiality of Courtyard Group or its clients or where personal information is protected by professional confidentiality standards or solicitor-client privilege. Courtyard Group does not provide access nor does it have the authority to provide patients with any access to the personal health information it accesses on behalf of its clients during the course of providing its contracted services.

1.10 Principle 10 – Challenging Compliance

Any privacy-related questions, concerns or complaints should be made in writing to the designated Privacy Officer at

Courtyard Group will inform its staff and clients who make inquiries or lodge complaints of relevant complaint procedures. Courtyard Group will investigate all complaints and will take appropriate measures, including amending its Privacy Code as necessary.
