Mr. Speaker, there has been no breach of Wellness Together Canada, WTC, portal or PocketWell app privacy or data. The Government of Canada commissioned the portal and app, funding both their establishment and maintenance. They are led by a consortium of established leaders in mental health and substance use care, including Stepped Care Solutions, Homewood Health and Kids Help Phone. The contract between the Government of Canada and the WTC consortium stipulates that all involved organizations, resources and third party service providers are subject to legal privacy obligations, privacy policies or contractual agreements that include appropriate privacy standards. All services must comply with applicable privacy and health information legislation to maintain the security of client information.
The WTC consortium contracts Greenspace Health to host and maintain the WTC portal platform. Privacy practices for WTC Portal and PocketWell app by Greenspace are service organization control, SOC, type 2 compliant, meeting the industry standard for best practices. SOC 2 defines criteria for managing customer data based on five trust service principles: security, availability, processing integrity, confidentiality and privacy. WTC’s SOC 2 compliance means that an independent auditing firm has reviewed and examined their control objectives and activities and tested the controls to ensure operational excellence. The independent auditing firm found that WTC complies with these principles and has the proper systems and controls in place to protect client information and interests.
Specific details on response activities under Greenspace’s privacy breach policy cannot be disclosed, as protected proprietary information. However, any breach would be subject to Greenspace’s incident response plan, which structures Greenspace’s investigation and resolution of privacy and security incidents using a three-phased approach: identification and notification of relevant individuals, partners and authorities in accordance with applicable laws and contractual obligations; containment and eradication of the threat; and post-incident activity, including reporting, review and prevention.
The incident response training and testing policy requires Greenspace to be prepared to respond to all potential and actual security and privacy incidents by training an incident response team on the company’s incident response plan, and by conducting incident response exercises.
As set out in the privacy policy on the WTC portal website, while using the platform users have the option of providing information related to the state of their mental health and personal quality of life. Greenspace is compliant with all Canadian federal and provincial privacy legislation, including the Personal Information Protection and Electronic Documents Act; the Personal Health Information Protection Act, 2004, of Ontario; the Personal Information Protection Act of Alberta; the Personal Information Protection Act of British Columbia; and An Act respecting the protection of personal information in the private sector of Quebec.