Last updated: 22 May 2025
Gotcare Privacy Program Plan
Section 1 – Introduction
1.0 Purpose and Overview
Gotcare’s mission is to deliver the best possible care in the comfort of the home, enabled by greater trust and collaboration between people who need care, people who provide care, and people who fund care. Our vision is to create relationship-driven health care experiences that are equitable, personalized, and maximize appropriate technology.
Gotcare believes that protecting privacy effectively involves not only complying with applicable privacy laws but also having a strong culture of privacy protection. This document sets out Gotcare’s Privacy Program Plan (the “Plan”), which describes how Gotcare ensures compliance with applicable privacy requirements, develops and evaluates privacy policy, and manages privacy risks.
The mission of the Plan is to preserve and enhance privacy protections for all individuals who entrust their personal health information (“PHI”) to Gotcare by embedding and enforcing privacy protections throughout all of Gotcare’s activities.
The Plan provides an overview of the following:
- a description of the structure of the privacy program;
- the resources dedicated to the privacy program;
- the roles of the Chief Privacy Officer and other privacy related staff;
- the strategic goals and objectives of the privacy program;
- the program management controls in place or planned for meeting applicable privacy requirements and managing privacy risks; and
- any other information that Gotcare’s privacy requirements make necessary.
1.1 Background
The Plan formally documents Gotcare’s comprehensive safeguards for Personal Health Information and programs, practices, processes, tools and techniques, as amended from time to time, to protect privacy proactively. Gotcare establishes a culture of privacy protection by maintaining and continuously improving its Privacy Program. This framework is updated as Gotcare’s Privacy and Information Security programs evolve over time. It can also be used for the purposes of communicating Gotcare’s commitment to privacy and information security to regulators; federal, provincial and territorial governments; the public; and other stakeholders. This Plan therefore serves as a living document which will be updated when warranted and will be reviewed annually.
Section 2 – Infrastructure and Organization
2.0 Accountability Framework
It is the mission of Gotcare’s Privacy Program to protect the privacy of all individuals through compliance, training, and consultation. Among other activities, the Plan is designed to align with applicable privacy laws and regulations in Ontario, Canada, including but not limited to the Freedom of Information and Protection of Privacy Act (“FIPPA”) and the Personal Health Information Protection Act (“PHIPA”). It reflects Gotcare’s commitment to meet its legal obligations regarding the protection of personal information and best practices issued in furtherance of those Acts.
The Privacy Program carries out the following core functions:
- Adjudicates requests for access and amendment in accordance with privacy laws;
- Develops and administers Gotcare’s privacy policies and procedures;
- Provides privacy awareness training and remediation training to Gotcare’s personnel;
- Assesses new or proposed programs, systems, technologies, and business processes for privacy risks and provides recommendations to strengthen privacy protections;
- Collaborates with the Engineering Lead to implement and operationalize policies that secure the confidentiality, integrity, and availability of Gotcare’s information and information systems;
- Operates a data breach response program to ensure that all incidents involving Personal Health Information are properly reported, investigated, and mitigated, as appropriate;
- Maintains up-to-date privacy artifacts in compliance with legal requirements (e.g., Privacy Impact Assessments (“PIA”) and privacy notices).
2.1 Organizational Structure
Gotcare’s Privacy Program has dedicated personnel resources, including the Chief Executive Officer (“CEO”). Gotcare’s CEO has delegated the day-to-day responsibility for ensuring compliance with PHIPA and its regulation to Gotcare’s Chief Privacy Officer (“CPO”). The CPO may consult with Gotcare’s President and Engineering Lead to provide guidance and advice to the CEO on matters of privacy, security, and the collection, quality, and disclosure of data.
2.1.1 Chief Privacy Officer – Roles and Responsibilities
- Implements and manages the Privacy Program and ensures compliance with the Acts and other federal and provincial requirements.
- Sets the strategic direction for the Privacy Program to include defining privacy risk management, privacy policies, creating awareness, designing effective incident response and data / PII breach notification procedures.
- Develops and promotes Gotcare’s privacy policy, guidance, and requirements for all Gotcare systems in alignment with applicable laws, regulations, and standards.
- Ensures appropriate privacy controls are integrated into the enterprise architecture and investment processes.
- Ensures appropriate privacy controls are implemented on Gotcare’s information systems that contain PII.
- Ensures that Gotcare meets reporting requirements regarding Gotcare’s activities that involve PII or otherwise impact privacy.
- Reviews and approves privacy compliance documentation.
- Identifies and analyzes breaches and manages the analysis and Gotcare’s response.
- Approves external notifications and communications, including, but not limited to notifications, press releases, and notifications to individuals potentially affected by a breach.
- Serves as the principal liaison with organizations outside of Gotcare for matters relating to privacy.
- Communicates to leadership the significance of privacy risk.
2.1.2 Additional Roles and Responsibilities
The CEO has delegated responsibility for:
- Day to day management of privacy and information security matters to the Chief Privacy Officer and Engineering Lead;
- Further consultation related to privacy and information security matters to the Chief Privacy Officer, President, and Board of Directors;
- Day to day management of privacy and information security requirements within Gotcare projects to Project Managers; and
- Day-to-day management and administration of disclosure requests for aggregated and/or de-identified data for the purposes of improving or facilitating health care, including their submission, reporting, deadlines and supporting research, to the Executive Coordinator.
Privacy stewardship and governance are key to a successful Privacy Program. Gotcare has a formal mechanism in place for reviewing and revising privacy policies on a regular basis. An internal Privacy Program Review meeting is held annually to assess the effectiveness of existing policies. Any proposed changes to privacy policies are then presented at the leadership stewardship meetings, which occur every Tuesday, ensuring that updates are discussed and approved at the highest level.
Gotcare’s Privacy Program operates as a program within the mandate of the Chief Privacy Officer and Engineering Lead. The Gotcare CPO considers privacy implications when developing and reviewing policy and in making program decisions about business operations, application development, and related activities.
The Engineering Lead supports the CPO by ensuring that information security is effectively managed across all platforms. To this end, Gotcare has deployed Sucuri, a web application firewall (WAF), in front of its web applications and sites. Sucuri inspects incoming requests for common attack patterns, including SQL injection, cross-site scripting (XSS), Remote File Inclusion (RFI) and Local File Inclusion (LFI), and blocks a wide range of other known attacks. It also provides virtual patching, which blocks known exploit traffic aimed at outdated software components at the edge and shortens the window of exposure until the underlying software is updated; virtual patching is a compensating control and does not replace timely patching of the applications themselves. The Engineering Lead works closely with the CPO to review best practices, offering recommendations and implementing the necessary technical components related to privacy and security. This proactive approach reduces the risk to Gotcare’s platforms while meeting privacy standards. Additionally, the Engineering Lead ensures that the Gotcare privacy plan is fully integrated into the organization’s security framework, prioritizing both compliance and the safety of user data.
In the day-to-day operations of the Privacy Program, beyond the CPO, the Office Manager is typically involved in managing specific administrative tasks. The Office Manager may be delegated various responsibilities related to maintaining documentation, coordinating privacy-related communications, and supporting the execution of routine privacy tasks. This ensures smooth operations and alignment with Gotcare’s privacy plan, allowing the CPO to focus on strategic oversight while the Office Manager assists in the efficient administration of privacy policies and procedures.
The Chief Privacy Officer, Engineering Lead, Project Managers, and Executive Coordinator can delegate work to other Gotcare employees. To successfully protect PII/PHI, Gotcare employees work daily to implement the policies and program requirements into their program functions and activities.
2.2 Shared Responsibilities and Transparency
All Gotcare employees play a significant role in the privacy and information security of the data holdings at Gotcare. The accountabilities set out in this document specifically relate to those individuals who play leadership roles and carry specific accountability for privacy and information security.
Accountability for privacy and information security ultimately resides with the co-founder and CEO of Gotcare, who has formally delegated these functions at an operational level to the CPO.
All Gotcare employees are responsible to:
- Keep informed of privacy policies and procedures.
- Ask for guidance and clarification from their supervisors when necessary.
- Access internal knowledge management resources and information databases, as necessary.
Gotcare has established processes to ensure all employees stay informed of privacy policies and procedures. Privacy training is provided as part of the onboarding process for all new hires. Additionally, Gotcare holds monthly company-wide meetings to make announcements, which include any updates or revisions to privacy policies and procedures. Employees who handle Personal Health Information are required to complete an online training certificate once a year to ensure compliance with privacy standards.
Gotcare stores all privacy-related information in databases that can be accessed and viewed through the internal CRM (Salesforce). Additionally, Gotcare maintains an internal wiki on Notion, which houses information about privacy-related processes. These resources are regularly updated and maintained to ensure that employees have access to the latest privacy policies and procedures.
Section 3 – Controls and Requirements
3.0 Accountability and Ownership
Gotcare’s Privacy Program includes ownership of personal information throughout its lifecycle and being answerable for the organization’s privacy practices as follows:
- Gotcare assumes responsibility for the personal information it collects, uses, discloses, and retains. This includes designating individuals or teams responsible for privacy management and establishing clear lines of accountability within the organization.
- Gotcare implements appropriate governance structures and mechanisms to oversee privacy practices. This includes developing and communicating privacy policies, procedures, and guidelines, and ensuring that they are understood and followed by all individuals involved in personal information handling.
- Gotcare ensures compliance with applicable privacy laws, regulations, and contractual obligations. This involves understanding the legal requirements, regularly reviewing and updating privacy practices, and conducting privacy impact assessments to identify and address any potential privacy risks.
- Gotcare provides privacy training and awareness programs to its employees and stakeholders to ensure a comprehensive understanding of privacy principles. This includes educating employees on their responsibilities and obligations related to the protection of personal information.
- Gotcare implements appropriate technical, organizational, and administrative measures to protect personal information from unauthorized access, use, disclosure, alteration, or destruction. This includes implementing safeguards, data breach response plans, and ongoing risk assessments to mitigate privacy risks.
- Gotcare exercises caution when sharing personal information with third parties, such as service providers or business partners. It ensures that appropriate agreements and contracts are in place to govern the handling of personal information by these parties and holds them accountable for maintaining the same level of privacy protection.
- Gotcare demonstrates its commitment to accountability by keeping records of its privacy practices, including policies, procedures, training records, and audit trails. It may also conduct regular privacy audits or engage in third-party assessments to verify compliance and identify areas for improvement.
3.1 Legal and Statutory Drivers – Model Code for the Protection of Personal Information
Gotcare is a prescribed entity under Section 45 of Ontario’s PHIPA and is authorized to collect, use and disclose Personal Health Information for prescribed purposes. As a prescribed entity, Gotcare is subject to oversight by the Information and Privacy Commissioner of Ontario and internally reviews its practices and procedures with respect to privacy and the protection of health information.
Canadian privacy legislation, including PHIPA, reflects the 10 fair information principles set out in the Canadian Standards Association’s Model Code for the Protection of Personal Information:
- Principle 1: Accountability
- Principle 2: Identifying purposes
- Principle 3: Consent
- Principle 4: Limiting collection
- Principle 5: Limiting use, disclosure and retention
- Principle 6: Accuracy
- Principle 7: Safeguards
- Principle 8: Openness
- Principle 9: Individual access
- Principle 10: Challenging compliance
These principles are the basis for Gotcare’s self-regulatory efforts. Gotcare also adheres to other provincial and territorial privacy legislation as applicable to Gotcare’s mandate and core functions.
3.2 Trust and Confidence
Gotcare is a source of credible information. Maintaining the trust and confidence of stakeholders — including federal, provincial and territorial government bodies, health care providers, health institutions and associations and, ultimately, the public — is critical to the success of Gotcare and the achievement of its goals. All its activities must be conducted, and all partnerships established and maintained, in a manner that reflects these expectations.
The CPO actively monitors the legislative and regulatory landscape to ensure Gotcare continues to comply with all relevant legislation. Similarly, the leadership monitors the IT security environment to identify emerging trends and best practices.
3.3 Privacy Controls
Gotcare’s Privacy Program is in the process of formalizing certain baseline privacy controls, as contained in its Privacy Policy and Security Policy. Privacy controls are selected and implemented under the leadership and oversight of the CEO and CPO and in collaboration with legal professionals. A privacy control is an administrative, technical, or physical safeguard employed to ensure compliance with privacy requirements and manage privacy risks. Privacy controls may be common, system-specific, or hybrid. The CPO updates policies, processes, and designations as necessary to ensure that privacy controls are implemented and remain effective to protect PII.
3.3.1 Collection of PHI
- Gotcare only collects Personal Health Information if the collection is permitted by PHIPA and its regulation.
- Gotcare does not collect Personal Health Information that will not reasonably facilitate or improve the provision of health care or if other information will serve the purpose of the Registry.
- Gotcare collects only those data elements that have been identified through the review process set out below. The purpose of the review process is to identify the minimum data elements necessary to achieve the Registry’s purpose of facilitating and improving the provision of care.
- Gotcare ensures that each identified use of Personal Health Information is consistent with the uses of Personal Health Information permitted by the Act and its regulations. Gotcare does not use Personal Health Information if other information will reasonably serve the purpose and does not use more Personal Health Information than is reasonably necessary to meet the purpose, using de-identified or aggregate information wherever possible.
3.3.2 Disposal of PHI
The CPO, Engineering Lead and project managers determine when the data collected by Gotcare is no longer needed to fulfill its purposes as a prescribed registry and ensure that the collection of that particular data is discontinued. Existing data must then be de-identified or destroyed.
Gotcare conducts weekly project oversight meetings, typically on Thursdays or Fridays, to facilitate collaboration between the CEO, CPO, Engineering Lead, and Project Managers on privacy-related matters, including the assessment and discontinuation of data collection. During these meetings, any leadership member or employee can raise data collection or disposal issues as action items. If the topic cannot be adequately addressed during the meeting, a separate session is scheduled to focus specifically on the disposal or de-identification of Personal Health Information for the relevant project.
3.3.3 Data Elements and Enhancements
The CPO is responsible to:
- Review and advise on the addition of new data elements, as well as review and approve proposed enhancements to existing Gotcare data elements to improve accuracy, relevancy, usability, and/or reliability, considering:
- whether the data collection is permitted by the Personal Health Information Protection Act (PHIPA) and its regulation;
- whether any and all conditions or restrictions set out in PHIPA and its regulation have been satisfied;
- whether other information (i.e., de-identified and/or aggregate information) will serve Gotcare’s purposes; and,
- ensuring that no more Personal Health Information (PHI) is collected than is reasonably necessary to serve Gotcare’s purposes.
3.3.4 Secure Collection
- Personal Health Information is collected electronically through secure internet connections and may involve manual data entry as well as automated extraction and uploading from existing information systems. All data transfers occur over encrypted channels (HTTPS using TLS 1.3), and data at rest is stored in encrypted repositories using AES-256. Authenticated, access-controlled APIs are used for data extraction and for interaction between system components, so that data remains encrypted, and its integrity protected, during upload and processing.
- Gotcare prohibits paper records of Personal Health Information.
- Gotcare ensures that electronic records are kept safe and secure as follows. Electronic records of Personal Health Information are retained in identifiable format within its database for the period set by its retention policy, after which they are converted to a de-identified format and then securely destroyed. The retention period and the secure destruction procedure are documented by the CPO.
3.3.5 Retention and Secure Disposal
- Records will be maintained in identifiable form within a secure database, then converted to a de-identified format and then destroyed as per secure disposal practices concerning Personal Health Information. Gotcare does not return records of Personal Health Information.
- The CPO is responsible for securely maintaining:
- A list of all data elements or holdings to be collected, the health information custodians from whom the Personal Health Information is to be collected, and the rationale or statement of purpose(s) for each data element; and
- Any relevant correspondence.
Section 4 – Privacy Program Plan Execution
Gotcare maintains a comprehensive suite of privacy and information security policies, procedures, standards, and guidelines. These policy instruments inform all information practices within the organization.
4.0 Policies
Gotcare’s Privacy Policy and its Security Policy set the overall direction for other privacy and information security policies, standards, and guidelines. Gotcare’s privacy and information security policies communicate, at a high level, the goals and directions in consultation with the Board of Directors and senior management and reflect legislative requirements and best practices for the protection of information. Gotcare’s privacy and information security policies are accessible, transparent, and comprehensive. Gotcare implements all recommendations made by the Information and Privacy Commissioner of Ontario. Updates or changes to Gotcare’s privacy and information security policies, procedures, and practices take into consideration:
- Any orders, decisions, guidelines, fact sheets, and best practices issued by the Information and Privacy Commissioner of Ontario and the courts under the Act and its regulations;
- Evolving industry privacy and information security standards and best practices;
- Amendments to the Act and its regulations relevant to Gotcare as a prescribed entity;
- Findings and recommendations arising from privacy and information security audits, PIAs, and investigations into privacy complaints, privacy and information security breaches or incidents;
- Findings and associated recommendations arising from reviews by the Information and Privacy Commissioner of Ontario;
- Whether Gotcare’s privacy policies, procedures, and practices continue to be consistent with its actual practices; and
- Whether there is consistency between and among the privacy and information security policies, procedures, and practices implemented.
4.1 Privacy Impact Assessments
A Privacy Impact Assessment (PIA) is a systematic process used to identify and assess the privacy implications of a project or system.
The assessment helps ensure that privacy risks are identified and appropriately managed, in compliance with relevant privacy laws and regulations. A PIA is typically necessary in situations where Gotcare is planning to implement a new project, system, or process that involves the collection, use, or handling of personal information. The goal of a PIA is to identify and assess potential privacy risks associated with the project and to develop strategies to mitigate or manage those risks. Here are some common scenarios where a PIA may be necessary:
- Introduction of New Systems or Technologies: When Gotcare is planning to implement new information systems, databases, or technologies that involve the processing of personal data, a PIA is often necessary. This could include new information management systems, operational platforms, or any other technology that deals with sensitive information.
- Changes to Fundamental Processes: If significant alterations are made to core processes involving the handling of personal information—such as substantial modifications to data storage, data sharing practices, or data retention policies—a PIA may be required. Minor adjustments or routine updates to existing processes will not necessitate a PIA.
- Third-Party Relationships: If Gotcare is entering into partnerships or contracts with third-party vendors or service providers that will have access to personal information, a PIA may be necessary to assess and manage the privacy implications of these relationships.
- Research Projects: In the case of research projects involving the collection or processing of personal data, especially sensitive data, a PIA may be required to ensure that privacy considerations are adequately addressed.
- Legislative or Regulatory Requirements: Some jurisdictions or regulatory bodies may require Gotcare to conduct PIAs for certain types of projects or data processing activities to ensure compliance with privacy laws and regulations.
The CPO and the CEO are responsible for communicating the amended or newly developed privacy and/or security policies, procedures, and practices both internally to Gotcare staff and externally to the public and other stakeholders. Communication to staff occurs through Gotcare’s internal communication tool, where privacy and security policies, procedures, and practices are posted. External communication occurs through Gotcare’s public website (https://www.gotcare.ca), where relevant privacy and security policies are posted.
4.2 Secure Information Life Cycle
Gotcare has in place administrative, technical, and physical safeguards to protect the privacy of individuals whose Personal Health Information is received and to maintain the confidentiality of that information throughout its life cycle: creation and collection, access, retention and storage, use, disclosure, and disposition.
Gotcare takes steps to protect Personal Health Information against theft, loss, and unauthorized use or disclosure and to protect records of Personal Health Information against unauthorized copying, modification, or disposal.
A comprehensive suite of policies and associated standards, guidelines, and procedures reflects best practices in privacy and information security for the protection of the confidentiality, integrity, and availability of Gotcare’s information assets. Examples include Gotcare’s Confidentiality of Information and Ownership of Proprietary Property Agreement, which every person signs and which covers confidential business data and PHI; the requirement that every employee’s use of data through cloud services be traceable and auditable; and the standards that specify the controls for protecting information stored on mobile or removable devices and the requirements for strong encryption of personal information.
For project management, Gotcare exclusively uses internal tools, such as Google Suite, which are accessible only to Gotcare employees. Since all data is stored in the cloud, we maintain the ability to audit user activity, including who viewed, edited, or interacted with project materials, ensuring compliance with privacy and security protocols throughout the project lifecycle.
Gotcare’s technical safeguards include:
- Multi-factor authentication for all users (i.e. Gotcare employees and agents)
- Anti-virus, anti-spam and anti-spyware measures
- Retaining third parties to conduct penetration testing, vulnerability assessments and threat-risk assessments for internal and external systems when required
- Manual backup of necessary information
- Mandatory password-protected screen savers after a 15-minute timeout period on user devices and mandatory idle timeout on Gotcare portal pages.
4.3 De-Identification
Gotcare uses de-identification for the protection of PHI. De-identification is the process of removing or obscuring personal information from a record or data set to the extent necessary so that it is no longer reasonably foreseeable in the circumstances that it could be used, either alone or in combination with other information, to identify an individual. Gotcare has taken significant steps to implement data masking techniques, which help protect sensitive information from unauthorized access. This process ensures that any sensitive data displayed to users is masked, limiting exposure to only the elements required for the user’s job function while maintaining data privacy and security.
Gotcare enforces strict data masking practices when communicating patient information to external stakeholders. Only patient initials are used in correspondence; full names are never disclosed, in order to maintain privacy and confidentiality.
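The masking rule above (initials only in external correspondence), worked through as an added example that is not Gotcare’s own code. It goes a little beyond the page: besides reducing the name to initials it drops the direct identifiers and generalizes date of birth and postal code, and it includes a check that none of the original identifiers survive in the output (a care-plan note that repeats the patient’s first name is the kind of leak the check catches). The record fields, the identifier list and the allow-list of fields an external stakeholder may see are assumptions.

```python
"""Masking a patient record for external correspondence.

Added example written for this document, not Gotcare's own code. The record
fields, the set of direct identifiers and the fields an external stakeholder
may see (EXTERNAL_ALLOWED) are assumptions; the page itself only states that
full names are reduced to initials.
"""
import re

# Direct identifiers are removed outright; quasi-identifiers are generalized.
DIRECT_IDENTIFIERS = {"health_card_number", "phone", "email", "street_address"}
# Fields an external stakeholder needs for the job function (assumption).
EXTERNAL_ALLOWED = {"patient_initials", "birth_year", "postal_fsa", "care_plan"}


def initials(full_name: str) -> str:
    """'Jane Q. Doe' -> 'J.D.'; multi-word or hyphenated names keep one initial each end."""
    parts = [p for p in re.split(r"\s+", full_name.strip()) if p]
    if not parts:
        return ""
    if len(parts) == 1:
        return parts[0][0].upper() + "."
    return f"{parts[0][0].upper()}.{parts[-1][0].upper()}."


def mask_record(record: dict) -> dict:
    """Return a new dict holding only masked or explicitly allowed fields."""
    masked = {}
    if "full_name" in record:
        masked["patient_initials"] = initials(record["full_name"])
    if "date_of_birth" in record:           # 'YYYY-MM-DD' -> year only
        masked["birth_year"] = record["date_of_birth"][:4]
    if "postal_code" in record:             # 'M5V 2T6' -> 'M5V' (forward sortation area)
        masked["postal_fsa"] = record["postal_code"].replace(" ", "")[:3].upper()
    for key, value in record.items():
        if key in EXTERNAL_ALLOWED and key not in masked:
            masked[key] = value
    # Defensive check: the allow-list must never overlap the direct identifiers.
    assert not (set(masked) & DIRECT_IDENTIFIERS)
    return masked


def leaked_fields(original: dict, masked: dict) -> list:
    """Names of original identifiers whose value still appears verbatim in the masked output."""
    haystack = " ".join(str(v) for v in masked.values()).lower()
    checks = {k: [str(original[k])] for k in DIRECT_IDENTIFIERS | {"date_of_birth"} if original.get(k)}
    if original.get("full_name"):
        # Individual name tokens (3+ chars) catch a first name repeated in free text.
        checks["full_name"] = [t for t in re.split(r"[\s\-]+", original["full_name"]) if len(t) >= 3]
    leaks = []
    for key, needles in checks.items():
        for needle in needles:
            if re.search(r"(?<!\w)" + re.escape(needle.lower()) + r"(?!\w)", haystack):
                leaks.append(key)
                break
    return sorted(leaks)


if __name__ == "__main__":
    # Constructed sample record (not real data).
    sample = {"full_name": "Jane Q. Doe", "date_of_birth": "1961-04-12",
              "health_card_number": "1234-567-890-AB", "phone": "416-555-0100",
              "email": "jane.doe@example.com", "street_address": "12 Main St",
              "postal_code": "m5v 2t6", "care_plan": "Post-operative wound care, twice weekly"}
    out = mask_record(sample)
    print(out, leaked_fields(sample, out))
```

The leak check is deliberately run on the masked output rather than trusting the masking step: free-text fields such as a care plan are where names reappear, and that is exactly what an initials-only policy on the name field does not cover.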
4.4 Strict Employee Transition Protocols
Gotcare has established robust protocols to manage employee transitions, including departures or role changes. These protocols include updating or changing security codes, passwords, and access credentials to ensure that unauthorized individuals do not retain access to sensitive information. These measures protect the integrity and security of Personal Health Information during times of staff turnover or change.
4.5 User Access
Gotcare implements role-based access control to manage platform permissions and ensure that only authorized personnel have access to PHI. Super admins have full access to system settings, including database exports/imports and disaster recovery processes, as well as the ability to create or remove admin accounts. Admins manage specific operational functions and user roles but are restricted from accessing critical system settings. All user actions within the platform are logged and subject to audit to ensure accountability.
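The Super Admin / Admin split above, expressed as a deny-by-default authorization check with an audit trail. This is an added example written for this document, not Gotcare’s platform code; the role names, the permission strings and the in-memory audit log are assumptions chosen to mirror the description.

```python
"""Deny-by-default role-based authorization with an audit trail.

Added example written for this document; it is not Gotcare's platform code.
The role names, permission names and the in-memory audit log are assumptions
chosen to mirror the Super Admin / Admin split described in the plan.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Permissions on critical system settings are held only by super admins.
ROLE_PERMISSIONS = {
    "super_admin": {
        "db.export", "db.import", "disaster_recovery.run",
        "admin.create", "admin.remove",
        "users.manage_roles", "operations.manage", "phi.read",
    },
    # Admins manage operational functions and user roles only.
    "admin": {"users.manage_roles", "operations.manage", "phi.read"},
    "staff": {"phi.read"},
}


@dataclass
class AuditEvent:
    when: str
    actor: str
    role: str
    action: str
    target: str
    allowed: bool


@dataclass
class Authorizer:
    roles: dict                                   # actor -> role name
    audit_log: list = field(default_factory=list)

    def is_allowed(self, actor: str, action: str) -> bool:
        # Unknown actors, unknown roles and unknown actions all fall through
        # to an empty permission set, i.e. deny by default.
        role = self.roles.get(actor)
        return action in ROLE_PERMISSIONS.get(role, set())

    def authorize(self, actor: str, action: str, target: str = "-") -> bool:
        """Record the decision (allowed or denied) and raise on denial."""
        allowed = self.is_allowed(actor, action)
        self.audit_log.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            actor=actor, role=self.roles.get(actor, "unknown"),
            action=action, target=target, allowed=allowed,
        ))
        if not allowed:
            raise PermissionError(f"{actor} is not permitted to {action}")
        return True

    def denied_events(self) -> list:
        """Denied attempts are the events to review first in an audit."""
        return [e for e in self.audit_log if not e.allowed]


def demo() -> Authorizer:
    """Constructed users (assumptions): one super admin, one admin, one staff member."""
    authz = Authorizer(roles={"alice": "super_admin", "bob": "admin", "carol": "staff"})
    authz.authorize("alice", "db.export", "phi_db")          # allowed
    authz.authorize("bob", "users.manage_roles", "carol")    # allowed
    for actor, action in [("bob", "db.export"),              # admin, critical setting
                          ("carol", "admin.create"),         # staff, privileged action
                          ("mallory", "phi.read")]:          # unknown actor
        try:
            authz.authorize(actor, action)
        except PermissionError:
            pass
    return authz


if __name__ == "__main__":
    for event in demo().audit_log:
        print(event)
```

Two design points matter more than the table itself: a missing role or an unrecognised action must deny rather than error out, and the denial must be written to the log before the exception is raised, so that probing by a lower-privileged account is visible in the audit trail the plan relies on.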
Gotcare defines two types of location in which its information assets are handled:
- The Gotcare premises where Gotcare employees work: any secure Gotcare building protected by two levels of secure access and/or a Gotcare employee’s personal residence (i.e., teleworkers). No personal health information is retained on these premises. Gotcare’s Security Policy requires the following:
  - Passwords and Multi-Factor Authentication. Agents must use a strong and complex password, must ensure that the passwords for the mobile device and for remote access differ from the passwords for files containing Personal Health Information, and must use the password together with Gotcare’s implementation of Multi-Factor Authentication.
  - Teleworker security. There is currently no tool for tracking the physical security of devices at telework locations; Gotcare compensates by requiring that all systems be accessed only through Multi-Factor Authentication and that employees change their computer passwords every six months.
  - Limiting Agent Access to and Use of Personal Health Information addresses the physical security of devices used by personnel: when not in use, portable computers must be stored in locked cabinets or locked offices.
- The Data Centre where records of personal health information in Gotcare’s custody are retained. All personal health information is stored in this secure location; there is no personal health information stored anywhere else. Gotcare safeguards Personal Health Information in the data centre by using a hosting service provider, AWS, that adheres to rigorous security standards: AWS supports HIPAA-eligible workloads, holds certifications such as ISO/IEC 27001 and SOC 1/2/3, and aligns its controls with NIST SP 800-53. Data is encrypted in transit using TLS and at rest with AES-256. Additionally, sensitive values such as access tokens and keys are encrypted at the application level before being stored in the database, so that a compromise of the database alone does not expose them.
4.5.1 Multi-Factor Authentication
Multi-Factor Authentication (MFA) is required for all Gotcare Information System users. Gotcare has reviewed critical applications, and all systems containing Personal Health Information are protected with two-factor authentication. MFA is implemented to cover most enterprise practices.
Gotcare utilizes two MFA options to enhance security:
- PIN via SMS: A one-time PIN is sent to the user’s registered phone number via text message, which can be used for authentication. This option is for users in organizations that cannot have access to a smart phone or direct phone number.
- Authenticator App Code: Users can authenticate using a time-based one-time code generated by their Authenticator app, which refreshes automatically every 30 or 60 seconds. This option is for users in organizations that have access to a smart phone.
In cases where a user loses access to their phone, Gotcare requires a Super Admin to reset the account to restore access securely.
Gotcare enforces compliance with MFA through mandatory requirements for login access and regular monitoring of user activity via audit logs. Users cannot access the platform without successfully completing MFA.
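As an added illustration of the authenticator-app option described above (this is example code, not Gotcare’s code and not a description of its platform), the following Python implements the server side of a time-based one-time code per RFC 6238. The 6-digit, HMAC-SHA1, 30-second profile and the one-step clock-skew window are assumptions; the 60-second variant the plan mentions is selected with `step=60`. The secret is the RFC 6238 test key, constructed for the demonstration. It also shows one check a verifier needs that the text does not spell out: each code is accepted only once, so a code observed by someone else cannot be reused within its time step.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Assumed profile (not stated in the plan): 6 digits, HMAC-SHA1, 30-second step.
DIGITS = 6
DEFAULT_STEP = 30

# Constructed demo secret: the RFC 6238 test key "12345678901234567890", base32-encoded.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a 64-bit counter."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = DEFAULT_STEP) -> str:
    """Time-based code (RFC 6238): the HOTP of the current time step."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side check for an authenticator-app code.

    window=1 tolerates one step of clock skew in either direction. The replay
    guard refuses any code whose time step is not newer than the last accepted
    one, so a code can be used at most once.
    """

    def __init__(self, secret_b32: str, step: int = DEFAULT_STEP, window: int = 1):
        self.secret = base64.b32decode(secret_b32.upper())
        self.step = step
        self.window = window
        self.last_accepted_counter = -1

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        if at is None:
            at = int(time.time())
        if len(code) != DIGITS or not code.isdigit():
            return False
        counter = at // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted_counter:
                continue                                      # replay or stale step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_counter = candidate
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET_B32)
    now = int(time.time())
    current = totp(verifier.secret, now)
    print("fresh code accepted:", verifier.verify(current, at=now))
    print("same code replayed:", verifier.verify(current, at=now))
```

The comparison uses `hmac.compare_digest` so that verification time does not depend on how many leading digits match. In a real deployment the `last_accepted_counter` value would be persisted per user alongside the secret, and the audit log the plan mentions would record both accepted and rejected attempts.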
4.6 Agreements
Gotcare is a leading source of credible health information and data in Canada. Hospitals, regional health authorities, health care practitioners, insurance companies and governments all entrust sensitive data to Gotcare. Accordingly, Gotcare is committed to maintaining the trust of its data suppliers by entering into information-sharing agreements that reflect jurisdictional requirements and that require Gotcare to maintain the privacy and ensure the security of its data holdings.
Agreements with third-party service providers are initiated by the CEO based on the level of sign-off authority according to Gotcare policies.
Gotcare ensures that all Personal Health Information is hosted exclusively within Canada. All data is securely stored and managed within Canada, and strict controls are in place to prevent access, transfer, or storage of Personal Health Information outside of Canada.
Gotcare ensures that all tools and systems related to the storage and transfer of Personal Health Information are configured to restrict data residency within Canada. Only platforms that allow the designation of Canadian server locations are utilized, and fees are adjusted based on the server’s geographic location.
Access by Out-of-Canada Personnel
Gotcare restricts access to information assets by personnel located outside of Canada (“Out-of-Canada Personnel”) unless such access is specifically required and expressly approved by the party to an agreement. When approved, Gotcare prioritizes the use of dummy, masked, or de-identified data to limit exposure of personal information. Approved Out-of-Canada access is subject to strict controls, including use of secure, company-managed devices, VPN connections, and restrictions on location, remote access, and data transfers. All such access is tracked, logged, and monitored. Gotcare regularly reviews these access permissions to ensure compliance and revoke access when no longer necessary.
We are committed to maintaining compliance with all applicable privacy and data protection laws, ensuring the confidentiality and integrity of Personal Health Information at all times.
Prior to receiving data, an agreement must be signed requiring recipients to comply with the conditions and restrictions imposed by Gotcare relating to the collection, purpose, use, security, disclosure, and return or disposal of data. It also permits Gotcare to audit compliance upon reasonable notice.
Gotcare acknowledges and confirms that it is a “service provider” as defined in the Personal Information International Disclosure Protection Act, S.N.S. 2006, c. 3 (“PIIDPA”), that it has read and understands its obligations as a service provider thereunder, and that as a service provider, it is legally bound by the obligations imposed on it by PIIDPA.
4.7 Contractors and Third-Party Requirements
Gotcare’s Privacy Program coordinates with agency contracting officials to ensure contractors and third parties that (1) create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII on behalf of the agency; or (2) operate or use information systems on behalf of the agency comply with the mandated privacy requirements. Gotcare’s Privacy Program ensures that the applicable privacy clauses are included in the terms and conditions in contracts and other agreements involving the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of Gotcare information.
All outsourcing and supplier arrangements involving confidential information or information systems are formally documented in written contracts that contain privacy and information security requirements, confidentiality obligations, and service-level objectives. Access to data holdings or any other business information by suppliers is conducted strictly in accordance with Gotcare’s privacy and information security policies and procedures.
The obligations of Gotcare contained in its agreements are flowed down by Gotcare to its subcontractors, to the extent applicable to each subcontractor.
Approved Personnel – Access Governance and Compliance Process
Where applicable, Gotcare acknowledges its obligation to obtain express approval prior to granting any individual access to certain subsets of data. To satisfy this requirement and ensure compliance, Gotcare has implemented a formalized pre-access approval process as part of its Privacy Program.
This process includes the following components:
- Access Request Protocol: All requests for access must be submitted through Gotcare. Each request must specify the individual’s name, role, justification for access, and the specific information to which access is sought.
- Province Approval Mechanism: Gotcare compiles and maintains an Access List of all personnel requiring access. Prior to granting access, the Access List and associated justifications are submitted to the requesting body for express written approval. No access is granted until written confirmation of approval is received from the requesting body that is the subject of the agreement.
- Access Level Tracking and Auditability: Gotcare maintains a record of all access approvals, including access levels, date of approval, and associated documentation. These records are reviewed regularly to ensure ongoing compliance.
- Need-to-Know Principle: Access is granted strictly on a need-to-know basis. Access privileges are limited to the minimum necessary to perform assigned duties. Role-based access controls (RBAC) are enforced to align permissions with job responsibilities.
- Periodic Review and Revocation: Gotcare conducts reviews of personnel access to ensure continued compliance and to promptly revoke access when it is no longer required or upon role change/termination.
Through this process, Gotcare ensures that only individuals with prior, express approval may access information, in alignment with legal and contractual obligations.
Data Sharing with Third Parties
Gotcare does not enter into any data sharing, disclosure, or access arrangements with third parties involving information without the prior, explicit written approval of the party that is the subject of an agreement, unless such sharing is expressly permitted under applicable privacy law. All data handling activities must be reviewed and approved by Gotcare’s Privacy Officer to ensure compliance. Any proposed data sharing must be formally documented, justified, and subject to appropriate legal and contractual safeguards before proceeding.
4.8 Privacy Awareness and Training
Gotcare requires all employees and contractors with access to PII to complete privacy training when first beginning work with the agency and annually thereafter. The training provides an overview of important statutory, regulatory, and other federal privacy requirements.
4.8.1 New Employee Orientation Training
Gotcare’s Privacy Program provides live privacy training to all new employees upon onboarding. New employee orientation sessions provide an overview about the importance of privacy at Gotcare, how to handle privacy-protected information, and the penalties for violating privacy legislation.
Relevant personnel are required to complete an Ontario health certificate (an official questionnaire) on an annual basis.
4.8.2 Role-Based Training
In addition to new-hire and annual privacy training requirements, Gotcare’s Privacy Program looks for opportunities to provide role-based training to employees with specialized roles on a periodic basis, focusing on how employees in various Gotcare offices should leverage privacy principles and best practices as part of their official duties.
Project Managers at Gotcare are trained during onboarding on privacy and data protection laws applicable to the healthcare sector, including PIPEDA in Canada. This ensures that they are equipped with the knowledge required to manage privacy and security requirements effectively within projects.
Technical personnel review a disaster recovery plan.
4.9 Incident Response and Breach Management
Gotcare has an obligation to protect the information of Gotcare partners, employees, and other stakeholders. The Privacy Program takes this obligation very seriously and has developed a policy and procedures to inform Gotcare employees and contractors of their obligation to protect PII and to instruct them on specific steps they must take in the event there is an actual or potential compromise of PII. To safeguard PII, Gotcare has established a Breach Response Plan. The Breach Response Plan informs Gotcare employees and contractors of their responsibilities and obligations to protect PII, as well as defines standards for responding to suspected or confirmed breaches of PII and creates standards for compliance.
Upon identification of a privacy incident, Gotcare initiates its internal response protocol, which includes containment, assessment, documentation, and remediation. Gotcare has a defined process for addressing suspected or confirmed breaches of PII, including prompt reporting, investigation, and communication with affected individuals. If an employee or contractor suspects or confirms a breach of PII, they are required to inform the CPO. This notification is documented through an internal ticket, email, or Slack message. The CPO then investigates the incident and involves the Engineering Lead if necessary to conduct an audit within 1 hour of receiving the notification. Once the audit is completed, any action items arising from the audit are addressed within the same or next business day, wherever possible. If a breach is confirmed, Gotcare ensures that communication is sent to the affected users within 1 business day of the breach being confirmed.
Cooperation in Privacy Investigations and Non-Compliance Reporting
Gotcare is committed to supporting its partners and customers in the event of any privacy-related disputes, incidents, or investigations. This includes providing timely and reasonable assistance and conducting thorough security investigations in the case of a breach.
In addition, Gotcare will promptly notify the party to the agreement of any actual or suspected non-compliance with applicable privacy obligations.
Gotcare ensures that employees and contractors are trained on their responsibilities regarding PII protection through a structured onboarding process, with ongoing education and regular updates. During onboarding, employees and contractors are trained on their responsibilities regarding PII protection through the “Gotcare Privacy Protocols” program. Ongoing education and refreshers are provided “just in time” as needed. Additionally, during weekly internal meetings, there is dedicated time and space to discuss privacy concerns or issues. Any new documents, policies, or updates resulting from the Annual Privacy meeting are shared with employees as separate documents, labeled “Gotcare Privacy Program Update – MM.DD.YY,” ensuring that staff remains informed and up to date.
Gotcare also maintains a privacy incident log, which documents all reported incidents and actions taken in response. These records are securely retained for a minimum of twenty-four (24) months. This structured approach ensures that Gotcare meets its contractual obligations and upholds strong data protection practices in the event of a Privacy Incident.
Section 5 – Review and Approval
5.0 Ongoing Commitment
Gotcare is committed to upholding the principles and practices outlined in this Plan. This privacy framework commitment extends to all staff, contractors and constituents who handle personal and sensitive information on behalf of the organization.