DATA RETENTION & DELETION POLICY

Purpose

This DATA RETENTION & DELETION POLICY (“Policy”) is established to outline the detailed practices of Ontario Speech & Language Services (“Company”) for retaining, storing, and securely deleting personal information and personal health information collected in the course of its operations, including but not limited to information collected through its websites.

This Policy should be read in conjunction with the Company’s Privacy Policy, which provides an overview of our data handling practices and references this Policy for detailed retention schedules and deletion procedures.

This Policy is designed to ensure the Company’s compliance with the Personal Information Protection and Electronic Documents Act (“PIPEDA”), Personal Health Information Protection Act, 2004 (“PHIPA”), the Canada Anti-Spam Legislation (“CASL”), Ontario Regulation 164/15, made under the Audiology and Speech-Language Pathology Act, 1991 and other applicable privacy laws and regulations of Ontario, Canada (the “Applicable Law”).

Scope

This Policy applies to all personal health information (“PHI”) and personal information (“PI”) collected, used, disclosed, stored, and managed by the Company, including but not limited to paper records, electronic records, databases, cloud systems, backups, emails, and communication logs containing client data.

The scope of this Policy extends to all employees, contractors, technical vendors, and third parties handling or having access to PHI and PI on behalf of the Company.

Retention Periods

In compliance with Applicable Law and cybersecurity best practices, the Company establishes the following retention periods for the different types of information it collects, uses, and discloses:

  1. Personal Health Information (PHI): PHI will be retained for at least 10 years from the date of the last entry in the record, or as necessary to meet legal or professional obligations. For individuals who were under the age of 18 at the time of service, records will be retained for 10 years from the date of the last entry or until 10 years after the individual reaches the age of 18, whichever period is longer, as required by Applicable Law and professional standards.
  2. Personal Information (PI): Personal information that is not health-related will be retained only as long as necessary to fulfill the purposes for which it was collected. Once no longer required, it will be securely destroyed unless further retention is justified by law, regulation, or ongoing business needs.
  3. Consent Records: Records of client consent, authorization, and withdrawal of consent will be maintained for at least 10 years after the consent is withdrawn or the relationship ends, in compliance with legal requirements and to support potential inquiries, audits, or legal claims.
  4. Marketing Opt-In/Opt-Out Records: Records documenting individuals’ opt-in or opt-out preferences for marketing communications will be retained for a minimum of 3 years from the date of the request, in compliance with the limitation periods of Applicable Law.
  5. System Logs: Logs of system activity, including security-related events, will be retained for a minimum of one year, or longer if required by Applicable Law, cybersecurity best practices, or in connection with investigations or legal obligations.
  6. Audio Recordings and Voice Transcripts: Audio recordings and transcripts of interactions with the Company’s websites, captured in any manner, will be retained for a period of 90 days from the date of collection, unless required longer for legal, clinical, or audit purposes. After this period, recordings and transcripts will be securely deleted or anonymized in accordance with the deletion procedures outlined below.

These retention periods are subject to modification as required by changes in law or regulation or as deemed necessary by the Company’s Privacy Officer.

Deletion and Secure Disposal Procedures

This Policy outlines the procedures to be followed for the deletion and secure disposal of PHI and PI at the end of their retention period, in compliance with Applicable Law.

Spoken data, including call recordings or voice-to-text transcripts, will be reviewed at the end of the applicable retention period. Audio files will be permanently deleted using secure deletion methods to ensure they cannot be reconstructed or recovered. Transcripts stored electronically will be purged from databases using secure data wipe protocols consistent with industry standards.

Upon reaching the end of the retention period, the following procedures will be followed:

  1. Review of Data: The Company will take reasonable steps to confirm that data scheduled for deletion has met its applicable retention period and is not subject to legal or regulatory holds.
  2. Electronic Records Deletion: Electronic records will be deleted using secure methods that align with industry standards and meet the reasonable safeguards requirement under Applicable Law.
  3. Physical Records Destruction: Physical records containing PHI and PI will be securely destroyed in a manner that prevents reconstruction or retrieval of the information. This includes, but is not limited to, shredding, incineration, or pulping.

Where appropriate, the Company may maintain a log of destruction activities, particularly for PHI or other high-sensitivity records, recording:

  1. Date and time of destruction;
  2. Type of records destroyed (e.g., PHI, PI, file category, date range);
  3. File type (e.g., audio or transcript);
  4. Method of destruction;
  5. Identity and signature of the person who performed or oversaw the destruction; and
  6. Where appropriate, verification of destruction by the Privacy Officer or a designated delegate.

The Company’s Privacy Officer is responsible for overseeing the implementation of these procedures and ensuring compliance with Applicable Law.

Data Subject Access and Verification Before Deletion

Upon receiving a deletion request, the Company will:

  1. Require the requester to provide sufficient identification to verify their identity and their entitlement to request the deletion of the specified PI or PHI.
  2. Review the request to ensure that it complies with the legal and regulatory requirements of Applicable Law.
  3. Confirm that the deletion of the requested information does not conflict with any legal obligations for data retention or other regulatory requirements.
  4. Proceed with the deletion of the PI or PHI from the Company’s records in a secure manner, in accordance with established data deletion protocols, once the above steps have been satisfactorily completed.

The Company will respond to the request within a reasonable timeframe, confirming whether the data was deleted or explaining why deletion was not possible under Applicable Law.

Backup Systems

The Company acknowledges that PI and PHI that have been deleted from the Company’s primary data storage systems may remain within the Company’s encrypted backup systems. These backups are maintained for the sole purpose of disaster recovery and to ensure the integrity and continuity of the Company’s operations.

Where technically feasible, the Company endeavours to ensure that deleted data is excluded from routine restoration backups within approximately 90 days.

The Company’s Privacy Officer is responsible for overseeing the implementation of this Policy and ensuring that all backup data is handled in compliance with this Policy and Applicable Law.

Review and Updates

This Policy will be reviewed at least annually by the Company’s designated Privacy Officer, who shall actively monitor changes in privacy laws, regulations, and industry standards that may affect data retention and deletion practices. The Privacy Officer shall conduct more frequent reviews as required by changes in legal requirements, system updates, or operational needs, and shall proactively implement necessary modifications to ensure ongoing compliance.

Any amendments to this Policy will be communicated to all relevant parties within the Company in a timely manner to ensure continued compliance with Applicable Laws, as well as any new or amended privacy legislation that may come into effect.