CareNucleus — Privacy operations playbook

Not legal advice. Use with your Privacy Officer and counsel. Last updated March 23, 2026.

1. Data subject access requests (DSAR)

  1. Intake — Record type, patient ID, date received, identity verification.
  2. Route — Custodian is primary; CareNucleus assists as processor where applicable.
  3. Timeline — Target 30 days (PIPEDA) unless lawfully extended.
  4. Fulfillment — Export/redact; minimize disclosure.
  5. Close — Record in Privacy Dashboard and retain audit trail.

2. Breach of security safeguards

  1. Contain — Stop exposure; preserve evidence.
  2. Assess — Scope, sensitivity, real risk of significant harm (RROSH).
  3. Notify — OPC / provincial commissioner / individuals as required.
  4. Record — Breach record in Privacy Dashboard.
  5. Remediate — Root cause and controls.

3. Complaints

Acknowledge within 5 business days; investigate; respond with recourse to OPC/IPC.
