The Board of Trustees of the Joint Facilities Benefits Trust (“JFBT”) administers an employee life and health plan for eligible beneficiaries and their dependents known as the Joint Facilities Benefits Plan (the “Plan”) which provides extended health, dental, group life, accidental death and dismemberment, and long term disability benefits (the “Benefits”).
The JFBT engages a number of third parties to provide plan administration, claims adjudication and benefit payments including a third party administrator, a benefits carrier and an insurer (the “Service Providers”).
The JFBT itself does not collect, store, use, retain, disclose, archive or dispose of any personal information of the beneficiaries and their dependents. However, the Service Providers collect, store, use, retain, disclose archive and/or dispose of data including personal information of the beneficiaries and their dependents in the course of administering the plan and fulfilling their contractual obligations with the JFBT. Personal information may be collected directly from the beneficiaries or their employer.
One of the service providers is Healthcare Benefit Trust (“HBT”) who acts as a third party administrator responsible for, among other things, liaising with the other service providers. The JFBT has designated the individual serving as HBT’s privacy officer from time to time to act as its privacy officer as required by the Act.
The policies and practices contained herein are intended to ensure the JFBT meets its obligations under the Personal Information Protection Act [SBC 2003] Chapter 63 (the “Act”) with respect to Beneficiary Data.
Section 8 (1) of the Act provides that an individual is deemed to consent to the collection, use or disclosure of personal information for a purpose that would be considered to be obvious and reasonable and the information is voluntarily provided. Section 8 (2) of the Act provides that an individual who is a beneficiary of a benefit plan but not the applicant for the plan is deemed to consent to the collection, use or disclosure personal information for the purpose of his or her enrollment or coverage under the plan.
WHAT INFORMATION IS COLLECTED?
The service providers are responsible to manage plan administration, enrollment, claims adjudication and claims management all in accordance with the plan provisions. Each service provider will collect such beneficiary data as is necessary to fulfill their particular contractual obligations with the JFBT with respect to the plan.
Personal information of beneficiaries on disability, including start and end date of disability, is also shared with the British Columbia Pension Corporation for purposes of ensuring disabled beneficiaries continue to accrue pensionable service while on disability under either the Municipal Pension Plan or the Public Service Pension Plan.
The JFBT is responsible for the establishment of this policy and has sole authority to amend it. The JFBT’s service providers are responsible for the development and adherence to their own policies and practices necessary to comply with the Act. The JFBT shall seek reasonable contractual assurances from its service providers that they will comply with the Act with respect to personal information and will seek to receive notice of any breach of confidentiality (including cyber-attacks) and the service provider’s mitigation and beneficiary communication plan.
On occasion the JFBT, or beneficiaries thereof, may be involved in a benefit claim review or appeal process involving a service provider and an identifiable individual. In such cases the service provider will be requested to depersonalize all information shared with the JFBT or beneficiaries thereof.
The following principles shall guide the JFBT in respect of the protection of personal information under the Act and serve as standards expected of the service providers:
The JFBT must select, monitor and assess the performance of the service providers including an assessment of their respective information security and privacy policies and procedures and related infrastructure, periodic performance monitoring and where warranted, conduct an information security and privacy audit. Aspects of this oversight function may be delegated to a third party agent by the JFBT.
Personal information should only be collected, used and disclosed as required to administer the plan and in a manner which is compliant with the Act.
As a practical matter the JFBT relies on the deemed consent under section 8(2) of the Act. Certain service providers may obtain specific forms of beneficiary consent in addition to the deemed statutory consent.
Safeguarding Personal Information:
Service providers shall be expected to make reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal of personal information.
Personal information shall be retained for as long as appropriate legal and business purposes warrant and as required by the Act. Destruction of personal information shall be recorded and documented and shall be carried out with reasonable protections against unauthorized disclosure.
Accuracy and Access to Personal Information:
Service providers are expected to take reasonable measures to ensure the accuracy and completeness of personal information. Individuals must have the ability to access their personal information in the possession or control of service providers and to avail themselves of appropriate procedures to correct inaccurate personal information as specified by the Act. The service provider will refer beneficiaries to JFBT’s Privacy Officer who will assist beneficiaries where necessary in accessing and correcting personal information under in the possession or control of a Service Provider.