Privacy code
Last updated: December 15, 2020
Our privacy commitment to you
The privacy of member (“you” and “your”) information is of the utmost importance to us at Saskatchewan Blue Cross and its subsidiaries (“we”, “us” and “our”). As a business that operates in Canada and collects and uses personal information, we are held to the Personal Information Protection and Electronic Documents Act (PIPEDA). Our Privacy Code reflects the requirements and privacy protection measures of PIPEDA.
We respect the trust you place in us when you provide us with your personal information, and we take our responsibility to you very seriously. We have always been, and will continue to be, committed to protecting your privacy and ensuring personal information remains confidential. Respecting our members’ privacy and the confidentiality of their personal information is fundamental to the way we do business.
Our Privacy Code (“Code”) explains how we collect, manage, and protect your privacy and safeguard your personal information. This Code applies to all aspects of managing your personal information in any form, whether oral, electronic or written, and to all of your interactions with us whether in person, via our website, our online member portal, or through our Member Experience Centre.
Accountability
We are accountable for all personal information in our possession or control. Responsibility for ensuring compliance with the provisions of the Code rests with our senior management. We have appointed a Chief Privacy Officer to oversee our privacy management program, designed to build and maintain your trust in our information handling practices in a manner consistent with the principles set out in PIPEDA.
Each Saskatchewan Blue Cross employee plays a role in ensuring that personal information is respected and protected within their control. We promote good privacy practices by providing ongoing training and education to employees and authorized contractors to ensure their continued awareness of and compliance with privacy laws and our policies.
What is personal information
“Personal information” means any information that on its own or when put together with other information, allows you to be identified.
Some examples of personal information include your name, address, birthdate, identifying numbers, employment information, medical records and financial information. Personal information does not include business contact information, anonymous information or de-identified information that is not associated with a particular individual.
Why we collect, use and disclose your information
We collect certain information about you and your use of our products and services, or your application for, or interest in, our products and services. We respect your privacy, which is why we will always tell you the main reason for asking for your personal information when we collect it from you. When we authorize other parties to collect information on our behalf, they will do the same. The main reasons will usually be to provide you with programs, products and services, to communicate information we think will be of interest to you and to maintain our relationship with you, to manage our business and as permitted or required by law.
Generally, we need to collect your personal information for the following reasons:
A. To provide products and services
- To confirm your identity and the accuracy of your information.
- To determine your eligibility for coverage for a product or service.
- To process registrations and transactions with us.
- To evaluate applications and underwrite the products you apply for.
- To adjudicate and process your claims.
- To fulfill your product and service requests and inquiries.
B. To communicate and maintain a relationship with you
- To provide you with notices about your account, including expiration and renewal notices and payment details.
- To provide you with information and updates about products and services you are enrolled in.
- To maintain and manage our relationship with you.
- To contact you for marketing purposes; for example, sending you occasional email messages on products which may be of interest to you, promotions, contests, news and community support.
- To respond to your questions.
- To ask for your feedback.
C. To manage and develop our business
- To detect and protect you and us from errors, misrepresentations, fraud, or contravention of laws or criminal activity.
- To maintain the security of our employees, members, and property (for example, through the use of video surveillance).
- To assess and respond to a complaint you might make relating to our products and services.
- To determine and offer other products or services you may be interested in.
- To plan benefit enhancements and sound financial management.
- To analyze data to help us make decisions and improve the products and services we offer, including through our website and other electronic means.
- For quality assurance or training.
D. To meet legal and regulatory requirements
- To comply with any court order, law or legal process, including responding to any government or regulatory requests. For example, to satisfy a request for information from a regulator about a customer complaint and how it was resolved.
- To carry out our obligations and enforce our rights arising from any contracts with you, including for billing and collection.
- To fulfil statutory requirements, including tax reporting obligations.
If we want to use your personal information for a purpose other than those stated at the time of collection, that new purpose will be documented and if required, we will obtain your consent.
What do we collect
We will only ask for personal information that is reasonably required for our business relationship with you and we will only collect your personal information in fair and legal ways.
The type of personal information collected depends on the type of product or service involved. For example, we may collect:
- Information that identifies you or your named dependents, such as: your name, address, telephone number, email address, marital and dependent status, date of birth, Saskatchewan Health Card number and other personal identification information to identify you, set you up in our system or communicate with you.
- If you apply for individual or group benefits, we may collect health or lifestyle-related information, such as your medical information, occupation, place of employment and annual income.
- Information you provide to us relating to insurance claims that you make, such as healthcare providers, treatments or services received, or drug expenses.
- Banking or credit card information to set up payments for your claims or to collect payment from you.
- We may record or monitor incoming and outgoing calls for quality assurance and training purposes, or to create a record of the information you provided and your instructions. You will always be informed that your call is being recorded and why.
How we collect your personal information
We collect most personal information directly from you. We may also need to collect your personal information from third parties, through technology, and when you are interacting with us online.
A. We collect your personal information directly from you:
- When you complete paper or web-based applications and forms.
- Through our interactions with you in person, by telephone, by email, through our website, member portal, or other methods.
B. We may receive personal information about you from third parties that may include:
- Your employer or third-party administrator if you apply for group benefits.
- Third parties we work with to issue and manage our products and services, whether now or in the future.
- Third parties you allow to disclose information to us.
- Public sources, such as government agencies.
- With your consent, we may verify or gather personal information from your physician(s) and health care provider(s), other health and life insurers and reinsurers to confirm or obtain additional information about you.
In these cases, we take steps to ensure the individual providing the personal information understands their obligations regarding the collection, use, and disclosure of that personal information. We receive your personal information from these other sources with your consent, or if the law requires or permits us to do so.
C. Through technologies
- We may collect personal information through various technologies used at our offices. These include point of sale systems, video surveillance, and other similar types of technologies which we may use from time to time. For example, we use video surveillance in areas surrounding our offices for security purposes, to protect against theft, to prevent damage to our properties, and to prevent fraud.
D. Through our website and member portal
- We may collect certain types of personal information electronically when you interact with our websites, email, social media accounts, and online advertising, or when you use a third-party’s technologies. These technologies include cookies and your internet protocol (IP) address, which can be downloaded when you visit our websites, or open an email link (see ‘Use of cookies and similar technologies’).
Your consent is important to us
Personal information is used or shared only after obtaining your consent. When subscribing to our products and services and/or submitting information to us in connection with our products and services, you are providing your consent to the collection, use and disclosure of personal information as set out in this Code. Your consent may be implied, based upon your actions or explicit through an agreement.
A. Directly from you
- When we collect personal information directly from you, we may obtain your consent in writing, as well as verbally, electronically, or through authorized representatives.
B. Implied consent
- When we can reasonably conclude that you have given permission by some action you take. For example, by presenting your benefits card, you give consent for your health service provider to disclose your personal information to us. Or when you use our Member Experience Centre service and continue the conversation after hearing that your call may be recorded.
How you can withdraw your consent
We rely on your consent to continue to collect, use and disclose your personal information for the purposes we have identified to you. However, we want you to know that you do have choices and can refuse or withdraw your consent, under certain circumstances. If you withdraw your consent, we may not be able to provide you with the product or service you requested. We will always explain the impact of withdrawing your consent to help you with your decision.
- You may withdraw your consent to receive electronic or printed documents from us by contacting our Member Experience Centre or controlling your preferences online through our member portal.
- If you do not want your calls recorded, you have other options for conducting business with us; for example, by visiting one of our in-person locations, by writing to us, or by using our member portal.
- If at any time after you have consented to us using your information for marketing purposes you wish to stop receiving this information, you may ask us not to contact you by telephone, mail or email. Simply modify your communication preference settings by contacting our Member Experience Centre or by adjusting them online using our member portal. When you opt out of marketing promotions, you may still receive information from us relating to the products and services you hold with us, including renewal notices, payment details, service notices or updates, and information which allows you to make informed decisions about the continued suitability of our products and services to you.
How you can access your personal information
You have the right to request access to and verify the personal information that we have about you, subject to certain legal restrictions. Upon request, we will tell you what personal information about you we have, and how we use and share it.
Depending on the information you are requesting, you may be able to receive the information via telephone inquiry, online through our member portal, or in person. For example, checking to see what address or telephone number we have recorded. Requests for more substantial amounts of personal information should be made in writing. We will respond to such a request within a reasonable timeframe in compliance with applicable law.
In certain circumstances, we may not be able to provide you with all your personal information, as access may be limited or prohibited by privacy legislation. For example, if the release of the information would reveal personal information about another individual.
If we cannot provide you with all or part of your personal information, we will inform you of the reason why and provide you with a contact to answer your questions. When information is not easily accessible, there may be a charge for the personal information you request. If this happens, we will let you know. Please contact the Chief Privacy Officer at the address below for more information.
How you can correct your personal information
We rely on you to keep your personal information up to date and accurate. If you notice any errors in your personal information or if you need to update it, please contact us. You may challenge the accuracy and completeness of your personal information and request it be amended.
You can contact us via telephone, the member site, or in person to update your personal information. If you have a group plan, ensure your employer or third-party administrator has your updated personal information as well.
If we are unable to update your personal information, we will explain why, and we will make note of your requested correction(s). We will also provide you with a contact to answer your questions, and information on how you can request a review of our decision.
How we secure your personal information
We are committed to safeguarding the personal information you provide us. We take all reasonable precautions to protect personal information from misuse and loss and from unauthorized access, modification or disclosure.
Your personal information may be stored electronically, in paper format or in telephone recordings and may only be accessed by people with the proper authority. We use security safeguards that match the sensitivity level of the information, including but not limited to:
A. Physical safeguards such as our building security measures and restricted access to offices.
B. Organizational safeguards through our policies, practices, and access levels, including:
- We take privacy and security training and awareness seriously. We educate employees as to their obligations with regard to your personal information, including confidentiality agreements.
- Conducting strict identification checks on all people requesting access to personal information.
- Limiting access to personal information to those employees, contractors, and third parties on a need to know basis and who require the information for one of the identified purposes.
- Making reasonable efforts to ensure third-party service providers have appropriate security to protect your personal information.
- In the event that there is a privacy breach involving your personal information that presents a real risk of significant harm, we will notify you as per the guidelines outlined by the Office of the Privacy Commissioner of Canada.
C. Technical safeguards by using various methods including:
- A robust information security program that makes use of firewalls, intrusion detection systems and virus scanning tools to prevent unauthorized persons and viruses from entering our systems.
- Password protection. If you use a password to access our web services, including our member portal, you are responsible for choosing a strong password that is difficult for others to guess, and keeping the password confidential to prevent unauthorized access, disclosure, copying, use and modification through the web service.
- Anonymization, which is the process of altering your personal information so that it can no longer be used to identify you (See ‘Combining data’).
- Masking, which is the process of modifying your personal information so that the structure remains the same, but the content is no longer identifiable.
- Encryption, which is the process of obscuring your information to make it unreadable without the use of a code or a key.
How long we keep your personal information
We keep your personal information for a reasonable period of time after it is no longer needed to fulfill the purposes identified, or for purposes required by law. Once your personal information is no longer needed, it will be securely destroyed, erased or anonymized so that it no longer identifies you, in accordance with our record retention obligations and practices. We may keep an anonymized form of your personal information, which will no longer refer to you, for statistical purposes without time limits, to the extent that we have a legitimate and lawful interest in doing so.
Combining data
We may combine anonymous information to create a collection of data that may be used or disclosed in the following ways:
- To understand overall user needs and design new products and services.
- To perform research and studies aimed at improving our products, services and technologies.
- For market research, education and other related projects.
- Where you are part of a group health benefits program, for your employer to gauge the health of their organization and identify areas for health and wellness improvements.
Your privacy and the internet
We are committed to protecting the privacy of all personal information in our care, including what we collect through digital channels like our websites and member portal.
Our website and online services
When you register to use our member portal you will need an account. We will ask for personal information to confirm your identity as well as ask for your email address to set up your account. You will be required to create a password to protect your information from unauthorized access. You can change your password at any time.
In order to serve you better, we use third party web analytics services (such as Google Analytics) to collect information on website activity, including our member portal, through the use of cookies, such as:
- The number of users who visit the website.
- The browser and device you are using.
- The date and time of your visit, and the pages you visit within our websites and member portal.
- The number of times you visit our websites and member portal.
- Your geolocation and IP address, which is provided by your device.
- How long you stay on our websites and member portal, and at what point you exit.
This information is only viewed in the aggregate and on its own does not identify an individual. We will only collect information that is required for, or related to providing products and services, conducting business, understanding member needs, and analyzing and improving our website quality and performance.
Use of cookies and similar technologies
We use cookies to understand how you interact with our websites, emails and member portal primarily with the aim of improving your user experience. Cookies are small text files placed on your device to store data that can be recalled by the web server in the domain that placed the cookie. The cookies we use do not store personal information about you. We do not link non-personal information in a cookie to personally identifiable information. We do not use cookies to collect or store personal health information about you.
Our websites and electronic communications assign each electronic device with a different cookie for select purposes. For example:
- To assist us in authenticating you and your device.
- To collect anonymous statistical information to help us understand the website and member portal use.
- To remember and honour your preferences and settings to speed up load time of our pages.
- To enhance the security features.
- To improve and provide better service.
- To help develop interest-based advertising.
- To show us how many people opened a link in an email.
You can control cookies by setting your preferences on your browser. We suggest using the help button on your computer or web browser to find out more on how to set the browser to notify you about cookies. You may opt out of the analytics we collect at any time by adjusting your settings.
Our web pages may also contain electronic images known as web beacons. These are clear GIF images or action tags embedded in a web page or an email and usually invisible to the individual. Web beacons are used for many of the same purposes as cookies. They allow us to compile aggregate statistics about website usage patterns, such as how many times a link or an area on a website is clicked or whether or not an email is opened.
Links to other sites
Our website and member portal may contain links to external sites managed by third parties. These links are provided for your convenience, and you should be aware that our privacy standards, policies and procedures do not apply on these websites. You should check the privacy statements for each site that you visit.
Electronic communication preferences
We need your consent to send you offers or promotions by electronic means, such as email. As our member, we have your implied consent to send you electronic messages under Canada’s anti-spam legislation (CASL), unless you tell us otherwise. You can inform us of your preferences by using the unsubscribe option included in the email we send you, where applicable.
We remove your name from our electronic mailing lists within ten (10) business days of your request. You will still receive electronic communications about the products and services that you have with us.
Changes to our Privacy Code
We may make changes to this Code and privacy practices from time to time to reflect changes to our business practices or applicable laws. We will publish those changes on our website and update our Code. We will include an effective date on the revised Code, which indicates when the changes became effective.
By continuing to participate in our programs and/or use our services or purchase our products after the effective date of the revised Privacy Code, you are accepting changes to this Code.
Contacting our Chief Privacy Officer
If you have any questions or would like further information about our privacy and information handling practices, please contact us at:
Saskatchewan Blue Cross Chief Privacy Officer:
Email: privacyofficer@sk.bluecross.ca
Note: Email is not a 100% secure medium. Please consider the type of personal information you are sending to us when contacting us via email.
Address:
PO Box 4030, 516 2nd Avenue North
Saskatoon, SK
S7K 3T2
Phone: 1-800-667-6853
How to make a privacy complaint
We realize that even in the best-run organizations, things can go wrong. If you are unhappy or have a privacy complaint, please notify us, as it gives us the opportunity to fix the problem. We have a defined resolution process that will ensure your privacy concerns are fully investigated and responded to, and that any identified issues are addressed.
The Chief Privacy Officer will acknowledge your formal written concern by contacting you within a reasonable timeframe. You will be informed of the process we will follow to address your concerns and determine the outcome.
If the identified privacy issue is not resolved to your satisfaction, you may file a complaint in writing to:
Office of the Privacy Commissioner of Canada
1st Floor, 30 Victoria Street
Gatineau, QC
K1A 1H3