The Board of Trustees of the Joint Community Benefits Trust (the “Board”) administers an employee life and health plan for eligible members and their dependents known as the Joint Community Benefits Trust Benefits Plan (the “Plan”) which provides extended health, dental, group life, accidental death and dismemberment and long term disability benefits (the “Benefits”).
The Board engages a number of third parties to provide plan administration, claims adjudication and benefit payments including a third party administrator, a benefits carrier and an insurer (the “Service Providers”).
The Board itself does not collect, store, use, retain, disclose, archive or dispose of any personal information of Plan members and their dependents.
However, the Service Providers collect, store, use, retain, disclose archive and/or dispose of data including personal information of Plan members and their dependents (“Member Data”) in the course of administering the Plan and fulfilling their contractual obligations with the Board. Personal information may be collected directly from Plan members or their employer.
One of the Service Providers is Healthcare benefit Trust (“HBT”) who acts as a third party administrator responsible for inter alia liaising with the other Service Providers. The Board has designated the individual serving as HBT’s privacy officer from time to time to act as its privacy officer as required by the Act.
The policies and practices contained herein are intended to ensure the Board meets its obligations under the Personal Information Protection Act [SBC 2003] Chapter 63 (the “Act”) with respect to Member Data.
Section 8 (1) of the Act provides that an individual is deemed to consent to the collection, use or disclosure of personal information for a purpose that would be considered to be obvious and reasonable and the information is voluntarily provided. Section 8 (2) of the Act provides that an individual who is a beneficiary of a benefit plan but not the applicant for the plan is deemed to consent to the collection, use or disclosure personal information for the purpose of his or her enrollment or coverage under the Plan.
WHAT INFORMATION IS COLLECTED
Member data includes personal information such as age, gender, address, name of employer, particulars of employment, union affiliation, banking information, health history, claims history, dual benefit plan coverage, and enrollment and claims status under government sponsored benefit plans such as PharmaCare, Medical Services Plan of B.C., Employment Insurance and Canada Pension Plan.
WHY IS THE INFORMATION COLLECTED
The Service Providers are responsible to manage Plan administration, enrollment, claims adjudication and claims management all in accordance with the Plan provisions. Each Service Provider will collect such Member Data as is necessary to fulfill their particular contractual obligations with the Board with respect to the Plan.
Personal information of members on disability, including start and end date of disability, is also shared with the British Columbia Pension Corporation for purposes of ensuring disabled members continue to accrue pensionable service while on disability under either the Municipal Pension Plan or the Public Service Pension Plan.
The Board is responsible for the establishment of this policy, and has sole authority to amend it. The Board’s Service Providers are responsible for the development and adherence to their own policies and practices necessary to comply with the Act. The Board shall seek reasonable contractual assurances from its Service Providers that they will comply with the Act with respect to personal information and will seek to receive notice of any breach of confidentiality including cyber attacks.
On occasion the Board, or members thereof, may be involved in a benefit claim review or appeal process involving a Service Provider and an identifiable individual. In such cases the Service Provider will be requested to depersonalize all information shared with the Board or members thereof.
The following principles shall guide the Board in respect of the protection of personal information under the Act and serve as standards expected of the Service Providers:
- Accountability: The Board must select, monitor and assess the performance of the Service Providers including an assessment of their respective privacy policies and procedures and related infrastructure, periodic performance monitoring and where warranted, conducting a privacy audit. Aspects of this oversight function may be delegated to a third party agent.
- Proper Use: Personal information should only be collected, used and disclosed as required to administer the Plan and in a manner which is compliant with the Act.
- Member Consent: As a practical matter the Board relies on the deemed consent under section 8(2) of the Act. Certain Service Providers may obtain specific forms of member consent in addition to the deemed statutory consent.
- Safeguarding Personal Information: Service providers shall be expected to make reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal of personal information.
- Retention: Personal information shall be retained for as long as appropriate legal and business purposes warrant and as required by the Act. Destruction of personal information shall be recorded and documented and shall be carried out with reasonable protections against unauthorized disclosure.
- Accuracy and Access to Personal Information: Service Providers are expected to take reasonable measures to ensure the accuracy and completeness of personal information. Individuals must have the ability to access their personal information in the possession or control of Service Providers and to avail themselves of appropriate procedures to correct inaccurate personal information as specified by the Act. The Board’s Privacy Officer shall assist members where necessary in accessing and correcting personal information under in the possession or control of a Service Provider.
QUESTIONS AND COMPLAINTS AND THE ROLE OF THE PRIVACY OFFICER
Any complaints, concerns or questions regarding the Board’s compliance or that of a Service Provider, including the Healthcare Benefit Trust, should be directed in writing to the Privacy Officer (see below). If the Privacy Officer is unable to resolve the concern, the individual may also write to the Information and Privacy Commissioner of British Columbia.
Contact information for the Healthcare Benefit Trust’s Privacy Officer:
Healthcare Benefit Trust
350 – 2889 E. 12th Avenue
Vancouver, BC V5M 4T5
Telephone 604-736-2087 or 1-888-736-2087
SERVICE PROVIDER PRIVACY POLICIES
Healthcare Benefit Trust:
Pacific Blue Cross: