Privacy and Security - HSPnet Overview

Summary:
Personal information is used and disclosed in HSPnet according to the national HSPnet Policies on Privacy, Security and Data Access, which are designed to protect the privacy and security of personal information on students, instructors, supervisors and preceptors, and agency contacts. HSPnet Privacy ensures that personal information is accessed only on a need-to-know basis by authorized individuals involved in coordinating student placements.

The complete set of Policies are available at at https://hspcanada.net/p-s-resources/.

Student Consent for Release of Personal Information
In general, personal information on students is collected, used and disclosed via HSPnet for the purpose of identifying, coordinating and evaluating appropriate placements for students. Students authorize their educational program to use HSPnet for this purpose by signing a consent form.

Once the consent form is signed, a school may enter the student's information into HSPnet for use by authorized staff within the educational program. Student information is normally not released to Receiving Agencies until a placement is confirmed, at which time the receiving agency may view student name and resumé/profile as provided by the student to their educational program. At the time of confirmation, the student's name is released to the Receiving Agency and the agency releases the name and contact information of the supervisor or preceptor. The educational program may release student name before the placement is confirmed if there is a demonstrated need for the receiving agency to have this information earlier (such as when an interview is required prior to accepting a student).

User Roles, User Level & Access Rights
Each HSPnet user has (1) a user role (such as Placing Coordinator or Preceptor), (2) an access level such as Local Administrator and (3) a set of access rights that limits their view to sites or programs that are appropriate for their agency and role. For example, a Practicum Coordinator for Nursing at ABC University would be given the "Placing Coordinator" user role, the Local Administrator level to allow setup changes, and access rights to all nursing programs at ABC. Alternately, a preceptor for a Palliative Program would be given the Supervisor user role, read-only level, and access to placement destinations or units in the Palliative program.

User IDs and Passwords
Each individual receives a unique user ID and key transactions are tracked in an audit log for that individual; there are no shared User IDs in HSPnet.

Passwords will be of a format complex enough to prevent guessing or other efforts to use another individual's User ID, and users are required to change their password every 90 days.

HSPnet will automatically timeout if left inactive for 30 minutes, at which point user will be required to login again.

System Security
All HSPnet data is stored on central servers and maintained in a secured physical environment, and all data is backed up each night.

As a web-enabled application, HSPnet uses the Internet to exchange information among users. However, all internet transmissions for HSPnet are encrypted to protect it from unauthorized access, using industry-standard 128-bit encryption for all traffic.

Privacy Governance and Management
Each province using HSPnet is required to establish the following roles and structures: 

Data Stewardship Committee
This Committee is guided by applicable provincial and federal privacy legislation, ethical standards, and best practices on privacy protection. They are responsible for monitoring and setting policy on the integrity of user data, the the privacy and security of personal information, and the appropriate use of data in support of business objectives. The committee is supported by the national HSPnet Policies on Privacy, Security and Data Access, and receives quarterly reports of audits and reports for their province as required by the Policies.

Privacy Officer
The Privacy Officer is a local resource to HSPnet user agencies, staff, students or anyone with questions regarding the use, disclosure, and protection of personal information via HSPnet in that province. Contact information for each local Privacy Officer, as well as the national Privacy Officer for HSPnet, is posted on the HSPnet website at https://hspcanada.net/p-s-resources/.