Privacy and Security Policies
As enterprise software engineers and architects, Inovex has built a large number
of applications across many verticals, all with unique security needs. We remain
committed to delivering solutions that exceed those security needs. We maintain
high quality software solutions by working closely with our clients and
following our polished SDLC. We believe that
gathering and documentation at the design stage is the key to producing a
quality application that truly meets the client's security and privacy needs. Currently Inovex has
applications in highly data sensitive verticals, such as healthcare and government,
where security and integrity of data is of paramount importance.
To ensure that each piece of software we produce is completed with security
best practices in mind, we employ seasoned security consultants. Our consultants inspect
all software architecture and design prior to the development and implementation
stages. Having CISSP and CISA certifications, they are qualified to complete security reviews or security audits of our design documents based on a set of
security requirements or criteria as deemed important to our clients, or based
on industry standards such as ISO 17799 or PIPEDA. The consultants complete a
detailed security review report, identifying findings and/or gaps and making
recommendations as to how such gaps can be rectified and the associated risks
can be mitigated.
Inovex abides by the national and provincial legislation for the collection of
data in the health sector as specified by the PIPEDA and PHIPA acts. We employ
seasoned consultants with years of experience ensuring systems adhere to
governmental privacy regulations. Below is a summary of the Privacy Principles
based on legislative requirements that Inovex abides by:
An organization is responsible for personal information under its control and
shall designate an individual or individuals who are accountable for the
II Identifying Purposes:
The purposes for which personal information is collected shall be identified by
the organization at or before the time the information is collected.
The knowledge and consent of the individual are required for the collection, use
or disclosure of personal information, except when inappropriate.
IV Limiting Collection:
The collection of personal information shall be limited to that which is
necessary for the purposes identified by the organization. Information shall be
collected by fair and lawful means.
V Limiting Use, Disclosure, and Retention:
Personal information shall not be used or disclosed for purposes other than
those for which it was collected, except with the consent of the individual or
as required by the law. Personal information shall be retained only as long as
necessary for fulfillment of those purposes.
VI Accuracy: Personal information shall be as accurate,
complete, and up-to-date as is necessary for the purposes for which it is to be
VII Safeguards: Personal information shall be protected by
security safeguards appropriate to the sensitivity of the information.
VIII Openness: An organization shall make readily available to
individuals specific information about its policies and practices relating to
the management of personal information.
IX Individual Access: Upon request, an individual shall be
informed of the existence, use and disclosure of his or her personal information
and shall be given access to that information. An individual shall be able to
challenge the accuracy and completeness of the information and have it amended
X Challenging Compliance: An individual shall be able to address
a challenge concerning compliance with the above principles to the designated
individual or individuals for the organization's compliance
Policies and/or protocols respecting the protection of the data from a
Inovex has tools, infrastructure and processes to ensure that any attempted or
actual breach of privacy is handled in a very specific way in accordance with
its own internal management procedures aligned with the ISO 27001 standard.
ISO/IEC 27001 requires that management:
- Systematically examine the organization's information security risks, taking
account of the threats, vulnerabilities and impacts;
- Design and implement a coherent and comprehensive suite of information security
controls and/or other forms of risk treatment (such as risk avoidance or risk
transfer) to address those risks that are deemed unacceptable; and
- Adopt an overarching management process to ensure that the information security
controls continue to meet the organization's information security needs on an
Processes in place in the event of privacy breach
In the event of a privacy breach, the client is immediately notified and full
disclosure of the incident is provided in a written report which is then
supplied to the client. ISO 27001 defines an overarching set of processes;
Inovex takes these processes and customizes them for each individual
client based upon their industry. For example PIPEDA & HL7 for the
healthcare industry have some very specific wording around control and
transmission of data outside of borders. We must understand how we ensure
encryption to standards and what is to be done if we suspect a breach, in terms
of process and ensuring total transparency with the client regarding an
attempted attack or breach.