National Research Corporation Canada
- Accountability: NRCC is accountable for the personal information we collect, use, retain and disclose in the course of our commercial activities, including, but not limited to, the appointment of a Privacy Officer;
- Identifying Purposes: NRCC must explain to the client the purposes for which the information will be used and must use the information for those purposes;
- Consent: Prior to a client transmitting to us personal health information, NRCC relies on our clients to ensure that they have obtained an individual’s express or implied consent to collect, use, and disclose the individual’s personal information for this purpose. In addition, NRCC informs those who may be responding to a survey about the collection, use or disclosure of the individual’s personal information;
- Limiting Collection: NRCC limits its collection of personal information to only the amount and type that is reasonably necessary for the identified purposes;
- Limiting Use, Disclosure and Retention: personal information is used for only the identified purposes, and unless the law permits or requires otherwise, is not disclosed to third parties without consent;
- Accuracy: NRCC keeps personal information in active files accurate and up-to-date;
- Safeguards: NRCC uses physical, organizational, and technological safeguards to protect personal information from unauthorized access or disclosure;
- Openness: At NRCC we inform our clients, those who may receive their surveys, and NRCC associates of our privacy policies and procedures;
- Individual Access: An individual has a right to access his or her personal information held by NRCC and to challenge its accuracy if need be; and
- Provide Recourse: NRCC responds promptly to requests for information, access requests and complaints, and informs clients and employees of how to bring these forward to the Privacy Officer.
This policy applies to NRCC’s associates, subcontracted employees and third party vendors. NRCC will review and revise this document in accordance with Canada’s evolving privacy laws.
Protecting personal information is fundamental to NRCC’s mandate to provide services and products that are designed to measure and improve the patient experience.
NRCC is accountable to our clients and their patients and employees regarding the protection of their personal information in our custody.
NRCC has appointed a Privacy Officer who is responsible for privacy compliance issues and who has the authority to intervene on privacy issues relating to any of NRCC’s operations. NRCC’s Privacy Officer contractually ensures all subcontracted organizations are in compliance with our policies and those of our clients.
NRCC’s Privacy Officer has developed and implemented policies and training for associates regarding the handling of personal information. This includes defining the purposes of the information we collect, consent, limiting its collection, use and disclosure, ensuring information is correct, complete and current, ensuring adequate security measures are in place, managing a retention and destruction timetable, processing access requests and responding to inquiries and complaints.
In addition, the Chief Security Officer for National Research Corporation (NRC), our parent company, is the executive responsible for the organization’s entire security profile and practices.
NRCC identifies the reasons for collecting Personal Information prior to and/or at the time of survey administration by means of the contracts with clients, survey covering letter or interview introduction. Potential survey respondents are also informed that their information will only be used for the stated purpose.
Personal information (patient or employee contact data) is provided to NRCC. Unless the law permits or requires otherwise, an individual’s express or implied consent is obtained by the client organization, for the collection, use or disclosure of the individual’s personal information.
At the time of surveying, NRCC informs individuals from whom they collect Personal Information: the purpose for collecting it; the rights of the prospective respondent; and the fact that they can choose not to participate without any negative impact on the care they receive from client organizations. This is done by means of a cover letter, signed by the client, that is distributed with each survey (mail or web). For phone or face-to-face interviews, this information is provided prior to the interview commencing. Contact information is provided for those who have questions regarding the survey, or for those persons who wish to have their name removed from a survey mailing list.
NRCC does not collect personal information indiscriminately. NRCC limits the collection of Personal Information to what is necessary for the identified purposes of the survey project. This is agreed to by the client and NRCC.
NRCC associates understand and articulate why the information is needed. Questions regarding the handling policies and practices of personal information that are not adequately addressed by associates are directed to NRCC's Privacy Officer.
Limiting Use, Disclosure, and Retention
Personal Information is only used or disclosed for the purpose for which it was collected, unless an individual consents, or the use or disclosure is authorized by Canadian privacy law, with the exceptions, as permitted under PIPEDA:
Purposes for using Personal Information are to be identified for potential participants as part of the consent process undertaken by clients as part of their standard processes.
Personal Information will be disclosed to NRCC associates on a need-to-know basis for the purposes of their work as decided upon in advance and documented by contract.
If a request for access to Personal Information comes from a person other than the survey respondent or Client Organization, NRCC promptly directs the person requesting the information to submit their request to the appropriate person at the Client Organization, and the contact information of an official from the Client Organization is provided.
PIPEDA permits NRCC to transfer Personal Information to a third party, without the individual's knowledge or consent, if the transfer is simply for processing purposes and the third party only uses the information for the purposes for which it was transferred.
NRCC is obliged to report to its clients any foreign demand for disclosure. As a Canadian company, regulated by Canadian laws and under NRCC Client Organization contracts, NRCC would: immediately notify the Client Organization of the request; notify the requesting body of the privacy legal requirements in Canada; and seek legal advice and support.
As an incorporated Canadian company, NRCC abides by the Federal and Provincial laws impacting our clients. Some of these laws prohibit disclosure of any identifiable personal information to a foreign country.
Nonetheless, under unusual circumstances PIPEDA permits NRCC to disclose Personal Information to third parties, without an individual's knowledge and consent, to:
- a lawyer representing NRCC;
- comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction;
- a law enforcement agency in the process of a civil or criminal investigation;
- a government agency or department requesting the information; or
- as required by law.
NRCC will never sell personal information to any organization or individual and we are obliged to limit the use of the personal information in our custody to the stated purpose of the contracted services.
Personal Information is kept only for as long as necessary to satisfy the purposes for which it was collected. NRCC contracts specify how long Personal Information will be retained and how and when it will be destroyed. Retention periods take into account any legal requirements or restrictions and redress mechanisms.
Electronic data are destroyed using industry standard protocols. Hardcopy files are shredded and securely disposed of.
NRCC makes every reasonable effort to ensure personal information it has collected or created is accurate, complete and up to date.
NRCC protects Personal Information against unauthorized access, collection, use, disclosure or disposal by means of physical, organizational, and technological safeguards regardless of the format in which it is held. All security measures are regularly reviewed and updated as needed.
The NRCC office is located in a secure and monitored environment. Public access is restricted and managed by NRCC staff. Staff require electronic passkeys to enter the premises. Storage of personal information onsite, whether electronic or hardcopy, is secured.
Organizational controls in place at NRCC include associate training, fostering a culture of privacy, explicit security practices limiting access on a "need-to-know" basis, and monitoring access. In addition, all full- and part-time associates and third party contractors sign non-disclosure agreements.
Technological tools in place at NRCC include computer system passwords, encryption, and network firewalls. Data are sent to and from NRCC via secure methods including a secure file transport protocol (FTPS) portal and secure socket layer (SSL) for web-based surveys.
Questions, complaints or concerns about how NRCC manages personal information are directed to NRCC's Privacy Officer for immediate attention.
An individual who wishes to review or verify what Personal Information is held by NRCC, or to whom the information has been disclosed (as permitted by Provincial and Federal law), may make the request for access to the Privacy Officer.
NRCC provides any help needed in response to a request for access to Personal Information and informs individuals as to whether or not their Personal Information is included in NRCC data holdings. Once the identity of the individual requesting information is confirmed, access to his or her Personal Information is provided. An explanation of how it is or has been used or disclosed is provided. Help and access are provided by NRCC at no cost. Any changes or corrections to Personal Information are made within 5 business days from the date of the correction request. NRCC then forwards the correction to any other party to whom, within one year prior to the date of the correction request, the receiving party disclosed the information being corrected or annotated.
Concerns about NRCC’s Personal Information handling practices may be directed to NRCC’s Privacy Officer, at:
7100 Woodbine Ave, Suite 411
Email: info@NationalResearch.ca Attention: Privacy Officer
NRCC’s Privacy and Security Policies can be viewed here:
NRCC associates are also asked to bring any privacy questions, concerns, or possible breaches to the immediate attention of the Privacy Officer.
NRCC will not dismiss, suspend, demote, discipline, harass or otherwise disadvantage an associate, or deny that associate a benefit, because he/she brought any privacy related concern or complaint forward internally or externally to a Privacy Commissioner or any other Canadian official responsible for privacy law.
NRCC pledges to quickly and effectively deal with any privacy complaint that might arise, no matter who the complaint is from (e.g., survey respondent, client or associate). Upon verification of the individual's identity, the Privacy Officer will act promptly to investigate the complaint and provide a written report of the investigation's findings to the individual.
If the Privacy Officer decides that the individual's complaint is well founded, he or she will take the necessary steps to correct the practice complained of and/or revise NRCC’s privacy policies and procedures.
If the Privacy Officer determines that the individual's complaint is not well founded, the individual will be notified in writing. If the individual is dissatisfied with the finding and corresponding action taken by NRCC’s Privacy Officer, the individual will be informed that he or she may take the complaint to the Federal Privacy Commissioner (or provincial equivalent) at the address below:
The Privacy Commissioner of Canada
112 Kent Street, Ottawa,
Ontario K1A 1H3