Privacy
Green Shield Canada (“GSC”, “we”, “us”, or “our”) respects your privacy and is committed to protecting it through our compliance with this policy.
GreenShield means, collectively, Green Shield Canada (GSC), the Green Shield Association, and Green Shield Holdings Inc., which is the primary company that houses health services and benefits administration subsidiaries, including but not limited to, Inkblot Therapy, Benecaid, Computer Workware Inc., NKS Health and The Health Depot. Green Shield Holdings Inc. is a wholly-owned subsidiary of the not-for-profit Green Shield Association.
This policy describes:
- How we collect, receive, use, share, disclose, process, and protect the personal information of our customers (collectively, “you” or “your”);
- The types of information we may collect from you; and
- Our practices for collecting, using, maintaining, protecting, and disclosing that information.
We will only use your personal information in accordance with this policy unless otherwise required by applicable law. We take steps to ensure that the personal information that we collect about you is adequate, relevant, not excessive, and used for limited purposes.
Privacy Principles
GSC follows ten privacy principles based on the same privacy principles outlined in Canada’s Personal Information Protection and Electronic Documents Act.
1. Accountability
We are responsible for the personal information under our control. We have established this Privacy Policy and procedures to keep your information safe and we have specific people who make sure that we stay compliant with this policy.
All GSC employees and other persons or organizations who act for or on behalf of GSC, are responsible for the protection of your information. Our Privacy Officer is responsible for overseeing our privacy program, which includes policies, procedures and staff training to ensure that our employees are adhering to these privacy principles. GSC’s internal audit department also regularly monitors the adherence to these privacy principles. See section 10 of this policy for the contact information of our Privacy Officer.
2. Identifying purposes
We will clearly identify the purposes for which we are collecting personal information before or at the time of collection. When we authorize other parties to collect information on our behalf, they do the same.
We ask for your personal information for various purposes related to the administration of your benefits plan, including:
- To provide you with benefits coverage;
- To confirm your identity and the accuracy of your information;
- To create and administer your account when you register for our service, including through our website, apps and service providers;
- To determine eligibility for services for you and your dependents;
- To transfer personal information with other benefit carriers for the coordination and continuation of benefits;
- To bill and collect premiums;
- To process claims and administer the products and services we provide;
- To communicate with service providers relating to the services provided to you by them;
- To communicate with Plan Sponsor(s) and Employers, as applicable, with respect to any claims for services not covered by the benefit plan;
- To provide payment to you and/or service providers for eligible claims and services;
- To retain appropriate records with GSC;
- To protect you and us from errors, misrepresentations, fraud, and/or contravention of laws or criminal activity;
- To audit, investigate and take steps as may be needed and connected to the prevention or suppression of suspected or proven improper or fraudulent claims;
- To perform medical underwriting;
- To analyze data to help us make decisions and improve the products and services we offer;
- To combine GSC data with external data for health management purposes or programs that we offer;
- To facilitate sharing of data to monitor health outcomes;
- To anonymize the personal information and to use that anonymized information in studies, reports and other programs that we offer; and
- To perform any other activities that a person would reasonably expect are associated with the administration of your benefits plan.
We may also analyze how you use our products and services, including through our websites and other electronic means. This might include your preferences for certain products, demographics, interests and lifestyle activities. If we know this information, we can offer products and services that are more relevant to you. With this information, we might recommend other products or services offered by GreenShield that you or your dependents might be interested in, and send you details about them. You can opt to unsubscribe from our promotional marketing lists at any time; however, we may still communicate with you from time to time about matters directly related to the administration of your benefits plan.
3. Consent
We need your consent to collect, use, share and disclose your personal information, with some limited exceptions as determined by law. These limited exceptions can include times where legal, medical, or security reasons make it impossible or impractical to seek consent. You can withdraw your consent any time, subject to legal, regulatory or contractual requirements.
Your consent can be either express or implied. Express consent can be verbal or written. For example, when you sign an enrollment form you are giving us written consent to use your personal information to provide you and your dependents with benefits.
Consent can be implied or inferred from certain actions. For example, if you present your benefit identification card to a pharmacist/dentist in lieu of paying for a prescription/dental procedure, it can be implied as consent for the pharmacist/dentist to provide your personal information to GSC to obtain payment for the service rendered, and for GSC to process the related claim for payment and provide other services.
For our existing groups and benefit plan participants, we will continue to use and disclose your personal information previously collected in accordance with this privacy policy, unless you inform us otherwise. We will infer that consent has been obtained for the continued use or disclosure of your personal information by the processing of any existing or future benefit claims that you submit for reimbursement or access to other services.
We may collect, use or disclose your personal information without your consent in the following limited circumstances:
- Emergencies that may threaten your life, health or security. We will subsequently inform you of this disclosure;
- For legal reasons. We may be compelled to release your information by a court of law or other legal or regulatory authority. In those instances, we will only disclose the information that we are legally required to provide;
- For the purposes of investigating a breach of an agreement or a contravention of laws that has been, is being, or is about to be committed and it is reasonable to expect that disclosure with your knowledge or consent would compromise the investigation; and
- For the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with your knowledge or consent would compromise the ability to prevent, detect or suppress the fraud.
These exceptions apply in accordance with provisions provided for in the Personal Information Protection and Electronic Documents Act.
You may withdraw your consent for us to collect, use, keep, or disclose your personal information, subject to legal or contractual restrictions and reasonable notice. However, withdrawing your consent may impact our ability to process and reimburse your claims under your benefits plan.
4. Limiting collection
We will limit the collection of your personal information to that which is needed for the purposes identified by us or as otherwise permitted by law.
Depending on the product or service, we may collect or receive personal information about you and your dependents, including:
- First, Last Name, date of birth, gender, employer plan, salary;
- Address, postal code, email address, phone number(s), provincial government health ID (e.g. Ontario Health Insurance Plan); user ID/authentication;
- Banking information including account holder name, account number, transit number, and bank number;
- Claims detail information submitted to us, such as providers you have visited, prescription dispensing data and/or other information, including dependent relationship;
- Interaction and relationship data information with us, such as telephone recordings, communications (CRM data, emails, letters etc);
- Electronic/digital information such as geolocation, IP address, tracker, activities on our website/app etc; and
- How you use our products and services, including through our websites and other electronic means, and your preferences for certain products, demographics, interests and lifestyle activities.
We may collect or receive personal information from:
- Completed applications and forms;
- Your interactions with us, including engaging with us over social media and through surveys;
- Your advisor or other representative(s);
- Your plan sponsor or employer, if applicable;
- Your plan sponsor or employer’s insurance advisor and/or plan administrator, if applicable;
- Your doctor, pharmacist and/or other medical and health professionals;
- Medical facilities or providers;
- Professional regulatory bodies (e.g. College of Pharmacists);
- Governmental agencies;
- Industry drug pooling entity;
- Other carriers with which you have or have had coverage;
- Third party service providers that provide or have provided services related to the benefit plan (such as, but not limited to payroll, enrolment, claims handling services, travel assistance benefits providers, paramedical service providers); and
- Third parties, including GreenShield, to whom you have provided your consent for the collection, use and disclosure of your personal information for health-related programs.
5. Limiting use, retention and disclosure
We will only use or disclose personal information for the purposes for which it was collected and consented to, or as otherwise required by law. We will keep the personal information only for as long as we need to serve those purposes, or as required by or allowed by law.
Depending on the product or service, we may disclose personal information to:
- People, financial institutions and other parties we work with to administer the products and services we provide;
- Authorized employees, agents and representatives who need the information to complete their duties for us;
- Your advisor and any agency we work with that has direct or indirect supervisory authority over your advisor, and their employees;
- Your employer and benefit plan sponsor, as may be reasonably necessary to properly administer the benefits plan;
- Any person or third party organization you give consent to;
- People who are legally authorized to view your personal information;
- Other entities within GreenShield;
- Service providers who need this information to perform their services for us. Examples of the services include: data processing, data storage, administration of your benefits, printing and distribution services, claims analysis and fraud detection, health management programs; and
- People, organizations, and investigative bodies who work to prevent, detect, or investigate suspected fraud, breaches of agreement, or contravention of law.
When we disclose or allow access to personal information with anyone inside or outside of GSC, we will take the appropriate precautions to maintain the confidentiality of the information. This includes limiting the disclosure to what is reasonably required for the purposes listed in this privacy policy. We will attempt to satisfy requests for information in ways that do not disclose any personal information.
We keep your personal information as long as we need to for managing the products and services we provide you and for a reasonable time thereafter in order to meet our legal, regulatory and tax requirements. We have retention standards, which meet these requirements. We destroy your personal information when we no longer need to retain it, or we anonymize the information.
6. Accuracy
We will endeavour to ensure personal information under our control is accurate, complete, and as up-to-date as possible in order to properly satisfy the purposes for which it is to be used.
You can check your personal information to verify its accuracy. You can ask our Customer Service Representatives by phone at 1-888-711-1119 to obtain the personal information we hold about you, or if you have signed up for online access, you may visit our website at www.greenshield.ca and log on to the Plan Member section. There is no charge for verifying your personal information; however, depending on the circumstances, there may be a minimal charge for the retrieval of personal information that you request. We will inform you if there is a charge. If you identify information that requires correction, we will assist you in identifying the appropriate means to have the correction(s) made.
Whenever possible, we will correct any personal information which we may have given to an outside organization. If a third party has given us personal information which you tell us is wrong, we will give you the name and address of that party so that you can correct the information directly with them.
7. Safeguards
To protect your personal information from intrusion, release or misuse, we will use appropriate physical, administrative and technological safeguards that match the sensitivity of the information under our control.
Our employees who have access to your personal information are made aware of how to keep it confidential. As a condition of employment with GSC, all employees sign an agreement requiring all information that they have access to be treated confidentially. They are also required to participate in annual security and privacy awareness training programs. We have security standards to protect our systems and your personal information against unauthorized access and use. This protects your personal information at all times when it is stored in data files or handled by our employees.
Your personal information will be kept in a secure environment using appropriate technical, physical and organizational measures designed to protect the information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, as well as other forms of unlawful processing until it is no longer needed for the administration of the benefits plan, or as long as necessary for record retention and legal compliance purposes.
Although the sharing of personal information is inherently risky, we implement commercially-acceptable procedures to ensure our systems are secure. We will notify you in the event of a systems security breach resulting in the unauthorized release of your personal information where we assess a real risk of significant harm to you or your dependents.
8. Openness
We will make information about our policies and procedures and how we manage your personal information available to you. In order to make a written request, see section 10 of this policy for the contact information of our Privacy Officer.
9. Individual access
If you send us a written request, we will tell you what personal information about you we have and how we use and disclose it. We give you access to the information, with certain exceptions allowed by law. You may verify the accuracy and completeness of your information and request changes, if appropriate.
Please note that we may not be able to provide information about you from our records if it:
- is prohibitively costly to provide;
- contains references to other individuals;
- cannot be disclosed for legal, security or commercial proprietary reasons;
- is subject to solicitor-client or litigation privilege; or
- cannot be disclosed for any other reason.
10. Questions, concerns or inquiries
We are committed to answering and resolving any privacy related questions, concerns and inquiries.
Please feel free to contact GSC’s Privacy Officer:
By email: privacy.office@greenshield.ca
By facsimile: 1-519-739-2253
By mail:
Privacy Officer
Green Shield Canada
5140 Yonge St., Suite 2100
Toronto, Ontario M2N 6L7
The GSC privacy office will acknowledge receipt of your enquiry. Within 30 days of receiving your enquiry, GSC’s Privacy Officer will write or call to tell you if the problem has been resolved, or, in more complex cases, advise you what further steps are being taken and when you may expect a resolution.
If your concern remains unresolved, please contact:
Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec
K1A 1H3
Telephone: 1-819-994-5444
Toll Free: 1-800-282-1376
Fax: 1-819-994-6591
Website: www.priv.gc.ca
Changes to this policy
We may from time to time revise our Privacy Policy to reflect changes in, for example, legislation / regulation, our personal information handling practices or as we introduce new products and services. The most current version of the policy will govern how we process your personal information and will always be available at www.greenshield.ca. You may determine when this policy was last updated by referring to the “Last revised” date found at the bottom of this Privacy Policy. By continuing to use your benefits plan, you agree to be bound by the revised Privacy Policy.
Your Rights
You can contact us directly any time at the address(es) listed in section 10 above to update your personal information or make another type of request regarding the information you know or believe GSC holds about you.
Here are some additional rights that you may have according to where you are located:
A. Dissemination, De-Indexation or Re-Indexation
Subject to applicable law, you will have the right to require us to cease disseminating your personal information or to de-index any hyperlink to your personal information if the dissemination of the information contravenes the law or a court order.
In addition, subject to applicable law, and provided certain conditions are met, you may require us to cease disseminating your personal information, de-index any hyperlink to such information, or re-index any hyperlink to such information.
B. Deletion
Subject to applicable law, you may request deletion of your personal information by us, but please note that we may be required (by law or otherwise) to keep this information and not delete it (or to keep this information for a certain time, in which case we will comply with your deletion request only after we have fulfilled such requirements). When we delete personal information, it will be deleted from the active database, including from our archives, though we may also retain de-identified information about your use of our services. Once we disclose some of your personal information to third parties, we may not be able to access that personal information any longer (as maintained by the third party), and we cannot force the deletion or modification of any such information by the parties to whom we have made those disclosures.
C. Data Processing Use and Objection
Subject to applicable law, you have the right to request we restrict our use or disclosure of your personal information for certain purposes. You also have the right to object to the processing of your personal information. We may not be required to agree to a requested restriction or objection. We will agree to restrict use, or disclosure of, your personal information provided the law allows it and we determine the restriction does not impact our ability to operate our business, provide diagnostic services, and comply with the law. Subject to applicable law, even when we agree to a restriction request, we may still disclose your personal information in a medical or other emergency and use or disclose your personal information for public health, safety and other similar public benefit purposes permitted or required by law.
D. Automated Decision Making
Subject to applicable law, if at any time our services use automated decision making to process personal information, you have the right to object to the use of your personal information.
E. Data Portability
Subject to applicable law, you have the right to receive your personal information in a structured, commonly used technological format.
F. Cross Border Transfers
This paragraph F is only applicable to residents of Quebec. Where permitted by applicable law, we may disclose and/or store the personal information we have collected about you outside of Quebec. You may, subject to the requirements in this policy, withdraw your consent regarding such disclosure or storage of your personal information.
Our Voice Recognition Program
GSC’s Interactive Voice Recognition Program ("IVR") system is a secure method for accessing your personal information when you call us as well as a simpler way for you to do business with us, while we continue to protect both you and us against fraud, misrepresentations and other errors.
1. Your consent
When you enroll in our IVR system, you give us consent to use your voiceprint password to confirm your identity.
2. How we use your voiceprint
We will only collect information that is pertinent and consistent with this Policy.
Every time you call us after you have enrolled in our IVR system, your voiceprint will be authenticated and you will either be transferred to one of our representatives or to an IVR self-service function. Your voiceprint will be used to replace other methods of verification such as questions asked by our representatives.
We will only use your voiceprint to confirm your identity; it will not be used to reverse engineer, reuse or recreate your voice.
Your voiceprint will be encrypted and kept in accordance with the Safeguards set out in Section 7 of our Privacy Policy and will only be accessible by:
- GSC’s authorized employees, agents and representatives who need the information to complete their duties for us
- Service providers who need this information to perform their services for us
- People, organizations, and investigative bodies who work to prevent, detect, or investigate suspected fraud, breaches of agreement, or contravention of law
3. Withdrawing your consent
You may withdraw your consent for us to use your voiceprint but doing so will prevent you from using the voiceprint password system in the future, unless you re-enroll. If you choose to withdraw your consent for any reason, your voiceprint will be de-activated and retained in accordance with this Policy or as permitted by law.
Last revised: September 2023