Our privacy policy
Updated on September 19, 2023
The protection of your personal information is of utmost importance to us.
This privacy policy ensures transparency by outlining what information is collected, how it is used, and how it is safeguarded.
Also, when purchasing a Blue Cross product, our various insurance policies include specific provisions regarding the handling and protection of personal information.
Feel free to contact us if you have any questions about how your personal information is handled (see below for contact information).
Your Privacy, Our Commitment
Canadian Hospital Service Association (operating in Canada in the provinces of Quebec and Ontario as Québec Blue Cross®, Ontario Blue Cross™ and Blue Cross Canassurance®) and its subsidiaries Canassurance Financial Corporation and Canassurance Insurance Company (collectively, “Blue Cross”, “we”, “us” and “our”) acknowledge our obligation to adopt, implement and maintain procedures that meet and comply with the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA) and any other applicable provincial privacy legislation in the conduct of their business .
We are committed to establishing a transparent process to respect our customers’ privacy and we undertake to comply with the following statements concerning the manner in which we collect, use, disclose and manage personal information in our possession and under our control that can be used, directly or indirectly, to identify a person (“you,” “your” and “yours”).
Chief Privacy Officer
We have appointed a Chief Privacy Officer (“CPO”) to oversee privacy matters. The CPO’s duties include ensuring compliance with this Privacy Policy (“Policy”) within our organization and implementing our practices and procedures for handling your personal information. The CPO is also responsible for handling your personal information requests and for dealing with privacy authorities, where applicable.
Privacy Policy
Our Privacy Policy is constantly evolving and will apply to the various interactions we may have with you in the course of our business relationship, such as when you interact with us on our website, send us new personal information via online or paper forms or over the phone, or submit documents to our secure document transfer sites, or by any other means.
We regularly update our Policy, which is written as transparently as possible in clear and simple language. We want to help you better understand our privacy practices.
What is the scope of your consent?
By providing us with your personal information, you consent to our collection, use, retention and disclosure of your personal information in accordance with this Policy, as amended from time to time, or in any other manner in accordance with applicable privacy legislation.
Your consent is required when you purchase an insurance product, file a claim, or at any other time when the collection of new personal information is required in the course of our business relationship with you. Note that, subject to applicable legislation, your consent may be given explicitly, verbally or in writing, or in some cases, implicitly.
By providing us with the requested information, including, without limitation, your personal information, you certify that this information is true, accurate and complete in all respects, and you acknowledge that we rely on such information to provide you with information, products or services.
Can you withdraw your consent?
You can withdraw your consent to our collection, retention, use and disclosure of your personal information at any time, subject to legal restrictions.
However, if you withdraw your consent, you understand that it may have an impact on our business relationship with you. For example, we may be unable to provide you with insurance coverage, assistance or other products or services. In some cases, even if you withdraw your consent, we may continue to retain, use and disclose your personal information due to our legal or contractual obligations.
If you refuse to allow us to collect some kinds of personal information, we may be unable to provide you with the requested product or service.
How do we collect your personal information?
When we collect personal information, by the means deemed most appropriate, we inform you of the manner in which your personal information is collected, used and disclosed and we obtain your consent before or during its collection.
We collect your personal information in person, through our website, by mail, email, online chat or telephone. For example, we may collect your personal information when you use our website, submit an insurance application, fill out one of our forms, purchase one of our products, use one of our services, or communicate with us.
Directly from you
We may collect your personal information directly from you or through our representatives, including our brokers and other authorized representatives.
Directly from a related person
Depending on the product or service we offer, we may collect information from a third party related to you, such as a parent, spouse, or other dependent, for example. We ask for their consent to collect your personal information, and they certify that they have obtained your consent to provide it to us. Note that even if we obtain your personal information from a related person, you always retain the right to access and correct it.
From other sources
Depending on the product or service we offer, we may also collect personal information from other sources, including, without limitation, any physicians, health professionals, hospitals, clinics, pharmacies, other medical or related institutions, insurance companies, governments or regulatory authorities, or other organizations, institutions or persons holding records or information about you or your health. In all cases, we undertake to obtain your consent prior to collecting your personal information, whether it is collected by us directly or through a third party (except to the extent that collection from a third party is authorized by law).
What personal information do we collect?
We only collect personal information that is necessary for us to provide you with our insurance products and services, fulfil our obligations, and any other purposes identified prior to the collection. As part of our business relationship with you, we may collect personal information about you that includes:
Identifying information
- First and last name
- Address
- Date of birth
- Telephone number
- Email address
- Sex or gender
- Language
- Status
- Country of residence
Authentication information
- Identifier
- Passwords
- IP address
- Passport number
- Health insurance number
Financial Information
- Information about your job
- Information related to your transactions and operations (bank account, transaction date and amount, etc.)
Medical Information
- Information from third parties (physician, hospital, medical information office, etc.)
- Medical record
- Medical history
- Health checkup
- Information about your lifestyle
- Information about a medical procedure that you had
- Health insurance number
Information about your products and services
- Insurance policy number
- Insured amount
- Authorized individuals on account
- Beneficiary names and contact information
- Insurance needs analysis
- Insurance quotes and proposals
- Claim information
Information about communications arising from your relationship with us
- Communication preferences
- History, recording and reporting of your communications with us
- Written communications (emails, chat transcripts, etc.)
- Replies to communications (including surveys)
Other information
- Additional insurance information (names of any other insurers, policy number, etc.)
- Information about your trips (date, number of days covered, destinations, etc.)
These are just examples. Some of this personal information is collected only for specific products and services. As a result, we do not collect personal information associated with these products and services if you have not purchased them. For example, trip-related information is only collected for products that include travel insurance coverage.
What do we use your personal information for?
Depending on the interactions we may have with you, and subject to the uses permitted by law, personal information that you provide to us or that is collected from a third party may be used for the following purposes:
To verify your identity
To determine your eligibility for products and services that you request
- Determine the suitability of our products and services based on your needs and preferences
- Review your insurance proposals and quotes
- Identify specific exclusions
- Determine the insurance premium
- Assess the insurance risk
To administer your products and services
- Offer insurance products and services or any other service that we believe may meet your needs
- Process a transaction for the purchase of a product or service
- Process and pay your claims and settlements
- Administer your insurance policy
- Provide our medical and travel assistance services
- Provide personalized promotional offers and special discounts
- Communicate with you
- Respond to a request you have made to us
- Handle complaints
- Update your personal information on file
For internal administrative purposes
- Assess the performance of our products and services
- Improve our products and services
- Ensure the quality of our products and services
- Develop internal audit practices and procedures
- Manage risks effectively
Other uses
- Respond to requests, warrants and orders from organizations that may require us to disclose your personal information
- Prevent, promptly detect, and any investigate security breaches or fraud and inform the competent authorities, where appropriate
- Help us comply with our contractual, regulatory and legal obligations
- Any other legal use. For example, the law allows your personal information to be used for other purposes, including:
- When we have anonymized it
- When we obtain the express consent of the individual in question
- When its use is for compatible purposes
- When its use is clearly to the benefit of the individual in question
- When its use is necessary for other purposes prescribed by law
To what extent is your personal information disclosed?
We limit the information we provide to authorized individuals to that which they need to perform their duties.
With whom do we share your personal information?
For the above-mentioned purposes, we may disclose your personal information to certain third parties to which it must be provided for the purposes for which it is collected, including:
Within our organization
Within our organization, access to your personal information is limited to authorized employees, officers, directors, mandataries, consultants, agents and representatives who require it to perform their duties.
Our subsidiaries
Partners and providers
- Other Canadian Blue Cross organizations
- Medavie Inc. (Medavie Blue Cross) who performs certain administrative functions for our health insurance products
- Airlines for the purposes of insurance coverage, including trip cancellation, loss of baggage, flight cancellation or delay
- Our reinsurers
- Your physician or any other specialized health care provider
- The financial institutions and other parties with whom we process financial transactions in connection with your products and services
- Other third-party partners and service providers so they can provide services on our behalf in connection with the administration of our products
In our contracts with these partners and service providers, we provide for the protection and handling of your personal information. Among other things, we require them to maintain the confidentiality of this personal information, to use it solely for the purposes of the contract, to destroy it at the end of the contract, to notify our Chief Privacy Officer of any breach or attempted breach of confidentiality obligations, and to authorize audits of their confidentiality obligations by our Chief Privacy Officer.
Entities to which you have given your consent to share your personal information with us
Other entities authorized by law or regulation
Authorities, courts, and other law enforcement agencies
We may need to share some of your personal information when required by law, as in the case of a search warrant, court order or subpoena. We may also be required to disclose your personal information to regulatory authorities such as the Autorité des marchés financiers (AMF).
How do we protect your personal information?
Employee training and supervision
Protecting the confidentiality of our customers’ personal information is important to us. Our staff places a high value on our security and privacy policies. We provide excellent mandatory privacy training and awareness programs to all our employees. We are committed to enforcing our Policy at all times in accordance with applicable privacy legislation.
Security measures
We follow industry best practices to safeguard the personal information we hold and protect against loss, theft, unauthorized access, disclosure, reproduction, use or modification. For this purpose, we have also implemented reasonable, appropriate and consistent procedures, practices and standards, including those established by the AMF.
We apply security measures that can take several forms:
Administrative security measures
- Limiting access to your personal information to those individuals who need it to perform their duties
- Security and privacy policies and procedures
- Mandatory privacy training and awareness for staff members
Physical security measures
- Surveillance cameras
- Facility access cards
- Security guard
- Locked areas with access limited to people who need it to perform their duties
- Secure storage and digitization of paper files
Technological security measures
- Passwords
- Data encryption
- Access management system
- Monitoring and control to detect suspicious activity
All data is classified according to criteria based on its level of integrity, availability and confidentiality. Appropriate security measures vary based on this classification. Sensitive data such as personal information is protected accordingly.
Notice concerning the transmission of personal information by email
Your business relationship with us may require you to share confidential information with us by email. However, you must understand that we cannot guarantee the security of all personal information you send us by email. Please be aware that you send such information at your own risk. In addition, when you communicate with us by email, you authorize us to communicate with you by email. To ensure your security and the protection of your personal information when sharing personal information by email, you can use encryption software or a password.
In addition, we have also created a secure site for filing documents available at https://qc.bluecross.ca/depot for Quebec Blue Cross and https://on.bluecross.ca/depot for Ontario Blue Cross. We recommend that you use this site to share personal information with us.
How long do we keep your personal information?
Generally speaking, we try to retain your personal information only as long as necessary for the purposes for which we obtained it. However, you must understand that in order for us to govern ourselves as insurers in accordance with industry best practices, in particular those regarding fraud detection and insurance risk assessments, or to comply with legal or regulatory requirements, we may be required to retain your personal information for longer periods of time. To this end, we have established a data retention schedule that we make available to all our employees. This schedule helps our team better manage your personal information and ensure that it is retained in accordance with the legislative and regulatory requirements we are subject to.
What happens to your personal information after the retention period?
At the end of the retention period provided for in our data retention schedule, your personal information will be securely destroyed and/or anonymized in accordance with applicable legislation, industry best practices and security practices we adopt from time to time. To be clear, “anonymization” means the irreversible removal of information so that you can no longer be identified, directly or indirectly.
Where do we keep your personal information?
Your personal information is hosted and processed on our servers and servers owned by our third-party providers. We take all necessary steps to ensure your personal information is protected in accordance with applicable privacy laws and this Policy.
In addition, please bear in mind that all paper documents we receive that contain personal information about you are stored in our computer systems. Indeed, for safety and environmental reasons, we now promote a paperless culture. As a result, we have been digitizing paper documents for several years and we encourage our customers to use our electronic forms and other digital communications to reduce paper use.
Note as well that your personal information may be stored and disclosed outside of your province of residence and/or Canada. For example, your personal information may be stored on cloud solutions, which may require the transfer of data outside your home province or even Canada. By providing us with your personal information, you are consenting to the transfer of this personal information outside your province of residence, including to countries other than Canada. If your data is transferred outside Canada, local government authorities may have access to it, in accordance with the applicable legislation of the country in question.
Access to your personal information
Upon receipt of a written request from you, we will provide you with access to your personal information so that you may verify its accuracy or completeness and, if necessary, request that the information be updated and/or corrected. Your request must be detailed enough to allow us to verify your identity as well as identify the personal information that you wish to access.
You may request a copy of your personal information that is in our possession. However, a reasonable fee may be required to cover the costs of transcription, reproduction and handling. You will be informed of the costs prior to reproduction.
Correction of your personal information
If you believe that the personal information we have about you is inaccurate, incomplete or ambiguous, or if the collection, disclosure or retention of this information is not authorized by law, you may request a correction in writing. We will then make the appropriate changes as required. Your application must be detailed enough to allow us to verify your identity as well as identify the personal information that you wish to correct.
Deletion of your personal information
You may make a written request to delete personal information about you if it is out of date or not relevant to the purpose of the file. Beyond these rights, we may refuse any request to delete your personal information. In particular, we may refuse a request to delete your personal information if its retention is required as part of our activities as insurers, if it is necessary to comply with any legislative, regulatory or contractual obligations, or for any other purpose that justifies its retention.
Complaints about your personal information
You may first submit a complaint about your personal information. We investigate all complaints. Following the investigation, if the complaint is justified, we will take all necessary steps to correct the situation.
If you believe that your personal information has not been handled in accordance with the law, you may also file a written complaint with a privacy control authority.
How do we handle your requests and complaints?
Your requests and complaints are very important to us. Processes have been established to ensure that your requests are processed within 30 days of receipt. Please note that in certain circumstances permitted under applicable legislation, the 30-day period may be extended.
For more information regarding the handling of your personal information, or to make a request or complaint regarding its handling, see the relevant sections of this Policy or write to:
Chief Privacy Officer
Canassurance Insurance Company and its subsidiaries
1981 McGill College Avenue, Suite 105
Montreal, Quebec H3A 0H6
Or email:
privacyofficer@qc.bluecross.ca
Consent to receive emails and newsletters
When the law allows us to send you commercial electronic messages, or when you consent to receive commercial electronic messages from us, you understand that this correspondence may include our newsletter, information content, exclusive product and service offers, or invitations to participate in contests.
You may withdraw your consent at any time by writing to us at the following email address whether you are in Quebec or in Ontario: consentement@qc.croixbleue.ca. Note that you can also always unsubscribe from Blue Cross commercial e-mails by clicking on the "Unsubscribe" link at the bottom of the e-mail.
When you unsubscribe, we will remove you from our lists within 10 business days, in accordance with the provisions of Canada’s anti-spam legislation.
Interaction with the virtual assistant
The Blue Cross virtual assistant was created to answer your general questions only. This tool cannot advise you on the purchase of an insurance product. For reasons of confidentiality, please do not transmit your personal information during your interactions with the virtual assistance. Please be aware that your interactions with our virtual assistant may be recorded while you use it.
Links to third-party websites
Our websites may contain links to third-party websites or applications. You understand that these third parties may be able to collect and disclose your personal information. When you leave our site, our Policy no longer applies. Note that we have no control over the personal information practices of these third-party sites. It is your responsibility to consult their privacy policies.
This Cookie Policy is an integral part of our Privacy Policy. It details our use of cookies and similar technologies on our websites as well as your options for managing cookies and helps you make informed decisions about what information you want to share with us on our websites.
Your consent
As part of your visit to our website, you will be asked for your consent to certain cookies using a pop-up window. We may use cookies to the extent that you consent.
What is a cookie?
A cookie is a text file containing small amounts of information that is used by a website to record certain information about your browsing activity on the device you used to connect to the Internet. Most web pages contain elements from multiple web domains and your browser may receive cookies from many sources when browsing our website.
Why do we use cookies?
Strictly necessary cookies
Strictly necessary cookies are essential for the website to function and allow you to navigate the site and access its features. You cannot disable these cookies. You can configure your browser to block or be informed of these cookies, but this may affect some parts of the website.
Functionality cookies
Functionality cookies are used to enhance and customize website functionalities and optimize the user experience on our website. You may disable these cookies. In that case some or all of these services may not work properly.
Performance cookies
Performance cookies are used to measure website audience and content performance. You can disable these cookies.
Advertising and marketing cookies
Advertising and marketing cookies also help us better understand your preferences in order to personalize content for you. They can be used to profile your interests and show you relevant advertising on other websites. This kind of cookie does not affect navigation quality on the website or basic website features. You can disable these cookies. In that case, we will be unable to provide you with targeted advertising.
How do you manage your cookie preferences?
You can refuse the use of these cookies which are not necessary for the proper functioning and security of our website.
Web browsers usually also let you control most cookies in their settings. For more information, please see the instructions on your web browser’s website. However, some services will not work or will work only partially if the cookies are disabled.