Table of Contents

User Agreement

Data Collection

The Behavioural Supports Ontario (BSO) Data Portal, herein referred to as ‘the platform’, collects the following personal information from users during registration:

  • First name, last name, email address, phone number (with extension if applicable), role, professional designation, and organization of employment


Users must agree to this privacy policy and the user agreement during registration.

Data Access

  • Collected data are stored securely within the WordPress platform’s MySQL database, which is managed through tools such as phpMyAdmin.
  • Submitted data are saved in custom fields created using the Advanced Custom Fields (ACF) plugin. These fields are mapped to the WordPress database, allowing administrators to query and export the information as needed. Each set of submitted data is associated with the profile and organization of employment of the platform user who submitted the data, ensuring accurate linkage between each submitter and their data.
  • For administrative purposes, collected data are exported in CSV format using the WP All Export – ACF Export Add-On Pro plugin. This export process ensures that only the data necessary for BSO data reporting purposes are included.
  • Exported data are accessible only by the BSO Provincial Coordinating Office, BSO Regional Leadership organizations, the BSO Data Portal Project Team, including staff members of St. Joseph’s Health Care London and the North Bay Regional Health Centre, and the web developer – Dialectic Solutions. Access to the data export function is restricted to authorized personnel to prevent unauthorized use or sharing.

Data Storage and Security

The database is hosted on Web Hosting Canada’s servers, ensuring high availability, security, and compliance with Canadian privacy laws like PIPEDA. Data is stored within Canada, with data centers protected by 24/7 surveillance infrastructure.

Encryption and Access Controls

  • Data in transit is protected using SSL/TLS encryption to secure communication between users and the platform.
  • The database itself is secured using industry-standard encryption protocols to protect sensitive information at rest.
  • Access to the database is restricted to authorized personnel via secured credentials and role-based access controls.
  • Administrator accounts undergo an additional layer of scrutiny, and IP-based restrictions are applied to sensitive admin areas, such as the WordPress dashboard and phpMyAdmin.

 

Firewall and Malware Protection

  • The platform is safeguarded by firewall rules that prevent unauthorized access to the database and website infrastructure.
  • The Anti-Malware Security and Brute-Force Firewall plugin is installed to monitor for and mitigate potential security threats in real time.

 

Regular WordPress Updates

    • WordPress core files, plugins, and themes are updated regularly to close vulnerabilities and improve security.
    • A proactive approach is taken to monitor plugin compatibility and update schedules to ensure system stability.
    • Daily backups of the database and website files are performed to ensure data is not lost in the event of a failure or cyberattack.
    • Plugins such as Advanced Custom Fields (ACF) and WP All Export are reviewed for their security practices before use.
    • Only trusted, well-supported plugins from reputable developers are installed to minimize risks.

Data Retention

Data submitted through the platform are retained on the platform and available for user export for two years to support reporting, research, quality improvement, and other evaluation purposes. After this period, submissions will be archived and no longer available directly through the platform; access will then require a request to the BSO Provincial Coordinating Office. Once archived, user account information (e.g., name, contact details) will be retained for two additional years and then permanently deleted. The underlying raw data submissions will be securely retained indefinitely at the North Bay Regional Health Centre, the host organization for the BSO Provincial Coordinating Office. 

User account information remains active on the platform unless one of the following conditions is met:

  • The user has been inactive for eight consecutive quarters (i.e., two years).
  • The user or the BSO Lead for the region where the user is employed requests account deletion.
  • The user is no longer associated with a location (LTC home, Hospital, Community organization), which is reported by the BSO Regional Lead, other BSO Management, or detected during periodic scheduled user account reviews.

User Rights

Users have the right to request their account be removed.

Upon account removal, personal information such as the user’s name and email will be deleted, but all data submitted by the user will be retained by the BSO Provincial Coordinating Office indefinitely and will remain linked to the user’s BSO organization(s).

Requests for account removal can be submitted to the site admin at info@bsodataportal.ca.

Compliance

The platform complies with Canada’s PIPEDA regulations. Compliance is ensured through secure data handling practices and user agreement enforcement. Recommendations for compliance monitoring include periodic audits and reviews of data handling procedures.

Cookies and Tracking

The platform uses cookies to enhance user experience and track activity. Additional tracking may occur through installed plugins. These include, but are not limited to:

  1. Anti-Malware Security and Brute-Force Firewall
    • Tracks IP addresses to monitor and block suspicious activity, such as brute-force login attempts.
    • Logs failed login attempts and security events for reporting and analysis.
    • Collects data like IP addresses, timestamps of login attempts, and system/browser information for detecting unusual patterns.
  2. WordPress and Elementor Template
    • Tracks user interactions on pages, such as clicks, scrolls, and session activity.
    • Uses cookies to store preferences for design features (e.g., animations or display settings) and optimize loading times.
    • Collects non-personal data, including device type, screen resolution, and browser type, to improve performance.
  3. Gravity Forms
    • Tracks form submission patterns, such as timestamps and the number of submissions, for data collection management.
    • Uses cookies to enhance user experience by saving partially completed forms or pre-filling fields for returning users.
    • Collects submission metadata (e.g., time of submission, user IP address) and optional user-entered data (e.g., name, email).

No additional tracking beyond plugin functionalities is implemented by the admin team.

Third-Party Services

All third-party tools are carefully selected for their security standards and functionality. Data processed by these tools is strictly limited to what is necessary for their operation and is never shared with unauthorized parties.

Policy Updates

Users will be notified of any updates or changes to this privacy policy via email.   Emails regarding policy updates will come from info@bsodataportal.ca. Users are encouraged to add this address to their safe sender list to avoid missing important notifications.

Users who have questions or concerns about the updates can contact the platform’s support team at info@bsodataportal.ca for clarification.