Prococious Technology Inc. (referred to as “we”, “us,” or “our”) collects and stores personal information in compliance with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) in Canada, the Personal Health Information Protection Act (“PHIPA”) in Ontario, the Health Information Act (“HIA”) in Alberta, the Personal Information Protection Act (“PIPA”) in British Columbia, and comparable legislation in the jurisdictions where we may operate (all collectively known as the “Act”).
We are subject to the privacy requirements set out under the Act as an “agent” that handles personal health information on behalf of health information custodians. The Act defines an “agent” as “a person that, with the authorization of the health information custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the custodian and whether or not the agent is being remunerated.”
The activities we perform in conjunction with our services and software applications require us to collect, use and process personal health information on behalf of health information custodians. Typically, such custodians are individual dentists in private practices who have been licensed to use our software application(s) or who have retained our software application(s) to perform various types of services or analysis on information, including, in some instances, personal health information that has been provided to us by such custodians or collected by us at such custodian’s request. The provision of information, the specification of information to be collected, and the type of analysis to be performed; the disclosure; and the eventual destruction of that information will be under the control of or at the direction of the custodian or the custodian’s authorized employees. The physical location of the information may be on the custodian’s premises, on our premises, or both.
We are committed to the protection of personal health information and have therefore put into place policies and safeguards relating to the collection, use, disclosure, retention and disposition of personal health information. In particular, this policy has been developed to provide direction and help to directors, officers, employees, contractors, agents and other individuals having cause to work with us, so that they understand their roles and responsibilities under all applicable legislation and how to comply with its provisions.
This policy applies to all of our directors, officers, employees, contractors and agents (collectively, the “representatives”).
We are governed by the Act in Canada to the extent that personal information other than personal health information is collected, used, disclosed, retained or disposed of by us; to the extent that any of our activities cross the borders of Canada, such activities are also governed by the Act. For the purposes of this policy, the term “personal information” shall include both “personal information” as well as “personal health information” as defined under PIPEDA, PHIPA, HIA, and PIPA. In addition, where we collect and use personal information in other jurisdictions, other legislation may apply. This policy has been drafted based on privacy principles that are common to most legislation dealing with the protection of personal information. As a result, compliance with this policy is intended to allow for substantial compliance with such other legislation. Nonetheless, we reserve the right to modify this policy so that it is consistent with any such piece of legislation as required.
In addition to satisfying the requirements set out under the Act, we and our representatives undertake to satisfy the requirements set out under this policy. In particular, representatives will not:
- Disclose personal information to a third party during any business or transaction unless such business or transaction is properly consented to in accordance with this policy;
- In the performance of their official duties, disclose personal information to family members, friends or colleagues, or to organizations in which their family members, friends or colleagues have an interest;
- Derive personal benefit from personal information that they have acquired during the course of fulfilling their official duties with us; and
- Accept any gift or favor that could be construed as being given in anticipation of, or in recognition for, the disclosure of personal information.
Our representatives and other individuals having cause to work with us will demonstrate their respect for individual privacy rights and their compliance with legislation by following the rules for collection, use, disclosure, retention and disposal of personal information in accordance with the Act and any other applicable legislation and by adhering to all privacy and security policies, procedures and guidelines.
Ruling on Policy
Except as provided in the applicable piece of legislation, the Cleardent Board of Directors will have the authority to interpret any provision of this policy that is contradictory, ambiguous or unclear.
We will designate an individual (the “Chief Privacy Officer”) to manage the implementation and monitoring of this policy and the security of personal information that is within the control of the organization. We are responsible for the personal information received from or collected on behalf of health information custodians. Accountability for compliance with the Act rests with our Chief Privacy Officer.
The Chief Privacy Officer will:
- Implement procedures to protect personal information;
- Establish procedures to receive and respond to complaints and inquiries;
- Train staff and communicate to staff information about our policies and practices;
- Undertake to get all Representatives of the organization to sign confidentiality agreements that acknowledge their obligation to comply with the terms of such policies; and
- Develop information to explain our policies and procedures to the public, as appropriate.
The Chief Privacy Officer will be responsible for implementing appropriate procedures to train all representatives who may be exposed to personal information.
The identity of the Chief Privacy Officer and her/his contact information will be communicated to members of the public and we will make every effort to ensure the identity and contact method is up-to-date on our website.
The Chief Privacy Officer will be responsible for responding to all requests and inquiries in regards to personal information.
We will implement policies and practices to secure all personal information during collection, use, disclosure, retention and disposition.
Disclosure to Third Parties
All agreements executed with third parties that will have access to personal information held by us will include provisions that are intended to require such third parties to comply with our privacy policies.
Our policy and procedures relating to privacy of information will be communicated to the public, as appropriate.
The Chief Privacy Officer will review this policy on an annual basis and make all necessary changes to provide for the protection of personal information in compliance with the law.
Repercussion for Breach
In the event of a breach of this policy by a Representative, the following repercussions will be imposed:
- Directors: first offence: warning; second offence: termination for cause;
- Officers: first offence: warning; second offence: termination for cause;
- Employees: first offence: warning; second offence: 1 week suspension without pay; third offence: termination for cause;
- Contractors and agents: first offence: termination for cause unless breach is cured as per the terms of the applicable agreement between the contractor (or agent) and us.
We will only collect personal information reasonably necessary for the identified purposes set out in the section “Purpose,” and only as provided by a health information custodian or as collected by us upon direction from a health information custodian. We collect the following types of personal information:
- Patient name, address, contact information, and other demographic data such as gender, age, date of birth;
- Services necessary and/or provided by the health information custodian; and
- Diagnosis codes (e.g. USCLS or other similar coding systems).
We collect personal information from health information custodians for purposes that include, but are not limited to, the following:
- Preventive care and wellness services;
- Extended, uninsured patient services;
- Chronic disease management;
- Practice analysis;
- Electronic billing, scheduling and maintenance of dental records; and
- Visits to our website properties, for internal research only; no data will be shared with any third party, and visitors can opt out via this link.
We will identify in writing to the health information custodian the purposes for which personal information is collected at or before the time of collection. The purposes will be stated in a manner that the referring health information custodians (or affected individuals, if applicable) can reasonably understand how the information will be used or disclosed.
We will seek consent from the appropriate health information custodians (or individuals, if applicable) when personal information is used for a purpose not previously identified. This consent will be documented as to when and how it was received.
In addition to appropriate explanation at the time of information collection, we will also identify the following general purposes and uses of personal information, personal health information, and personal contact information collected:
- Deliver products and services to our customers
- Deliver newsletters, updates, and all other written communications to our customers and prospective customers.
- Deliver promotional materials to past, current, and prospective customers.
- Maintain business relationships with our business partners who also have an active and mutual relationship with our customers.
We do not sell or lease out our customer list, nor personal information that we have collected. The information will only be transferred to a third party in whole, as an asset of an entire business unit within our organization, when our organization has sold that entire business unit to a third party. In such an event, the ownership of the personal information collected will no longer remain in our organization.
Consent for the collection
When personal information is provided to us from a health information custodian, the obligation for obtaining consent from the applicable individual to disclose such information to us rests with the referring health information custodian. We shall endeavour to execute agreements with health information custodians that address the issue of consent. The health information custodian will generally be responsible for obtaining consent. When we receive personal information from a health information custodian, we will be entitled to assume that the custodian has obtained the explicit or implied consent of the individuals from whom such information was obtained. We will NOT collect any personal information, including personal health information, except as provided to us by a health information custodian or as collected from individuals at the direction of a health information custodian.
We may collect, use or disclose personal information without your knowledge or consent in exceptional circumstances where such collection, use or disclosure is permitted or as required by law. In addition, we may also collect, use, or disclose personal information without your knowledge or consent when:
- We are to provide products or service to a person acting as your agent in our reasonable judgement;
- We are to provide our legal representative the information for legal matters, such as investigation into a breach or contravention of a law;
- We need the information to protect and defend us and our customers’ rights and properties;
- We need the information for debt collection or compliance with a lawful authority;
- We are to provide information to a third party that has an active and mutual relationship with you, and such information is needed to complete business-related functions for you, such as product and service fulfillment and data processing or conversion; or
- Where the Act permits disclosure without your consent.
When you refuse to consent, subject to prior contractual agreement, we may not be able to offer or continue products and services that may be of value to you.
We will not obtain consent by deceptive means.
We will not require an individual, or representative of the health information custodian, to consent to the collection, use or disclosure of personal information beyond that required to fulfill the specified purpose.
We do not collect any personal information except as provided by a health information custodian or as collected from individuals who have given consent to us or the applicable health information custodian for whom we are acting as an agent. The custodian must take into account the sensitivity of the personal information, as well as the individual’s reasonable expectations, in determining the form of consent to use. Individuals may consent to the collection and specified use of personal information in the following ways:
- By signing an application form;
- By completing an information request form;
- By checking a check-off box;
- By providing written consent either physically or electronically;
- By consenting verbally in person; or
- By consenting verbally over the telephone.
We expect that individuals will understand that the referring health information custodian will use tools provided by us, or other vendors, to analyze their personal information.
We respect an individual’s right to withdraw consent, subject to legal or contractual restrictions and reasonable notice. We will normally act on this only on the instruction of an appropriately authorized representative of the health information custodian or on behalf of an individual. We will make a reasonable effort to inform the applicable health information custodian and/or individual, if applicable, of the implication of such withdrawal, including the fact that the withdrawal will not have retroactive effect.
Pledge of Confidentiality
All of our employees and contractors have pledged to maintain confidentiality of all personal information.
We will limit the collection of personal information to that which is necessary for its purposes unless required by law to collect additional information. Personal information collected will be for the purposes specified in the sub-section “Purpose” of the section “Identifying Purpose”. We will only collect information as provided by the health information custodian or the applicable individual.
We will collect personal information directly from our current and prospective customers, who are typically personal health information custodians. However, we may also collect personal information about our current and prospective customers from external sources such as public or commercial directories and listings. Under no circumstance, except when we have the consent of our customers who are the health information custodians of the individuals, will we collect personal information or personal health information of such individuals.
Method of Collection
We will collect information by fair and lawful means and will not collect personal information indiscriminately.
Limiting use, disclosure, and retention
Limiting Use
We will not use or disclose personal information for purposes other than those for which it was collected as specified in the sub-section “Purpose” of the section “Identifying Purpose,” except with the consent of the health information custodian (or individual, if applicable) or as required by law.
Limiting Disclosure
The following persons shall have access to the personal information:
- Representatives developing, maintaining, administering or providing the services, including software maintenance, with sensitive data securely managed; and
- Representatives providing consulting services to dentists and their staff about our services or software applications.
We will not disclose any personal information to any entities that are not representatives.
- We make no use of the Customer Database except to perform the services for the Customer described above.
- The Customer is responsible to obtain the appropriate Consent for the collection, use and disclosure of personal information contained in the Customer Database and to ensure that its Customer Database is maintained in compliance with the Act.
- The Customer Database remains the sole property of the Customer. Pursuant to our licensing and service agreement with the customer, we will keep the confidentiality of the Customer Database and make no use of the Customer Database other than providing technical services outlined in the license and service agreement or per the customer’s request. We will treat the Customer Database the same way we treat our own confidential information and will make all reasonable efforts to safeguard the information from being disclosed inadvertently. The Customer Database, in whole or in part, will only be disclosed when permitted or required by law.
Retention Periods
We will retain personal information only as long as necessary for the fulfillment of the purposes set out in the sub-section “Purpose” of the section “Identifying Purpose”.
Destruction of Information
We shall destroy physical documents by way of shredding, and electronic files will be deleted in their entirety, in a manner such that no personal information can be recovered. When hardware is discarded, we will have the hard drive on which personal information was stored physically destroyed or securely wiped with appropriate security software.
We will take reasonable steps so that the personal information we collect, use and disclose is as accurate, complete and up-to-date as is necessary for the purposes that are known at the time of the disclosure; otherwise, we must clearly set out for the recipient of the disclosure any limitation on the accuracy, completeness or up-to-date character of the information.
We will update personal information when such a process is necessary to fulfill the purposes for which the information was collected.
We will take all appropriate and reasonable measures to assure the security of all personal information received or stored. Our security policy may differ depending on the sensitivity and storage medium of the information. All electronic data is stored on secure servers, and access is limited to network administrators and authorized personnel on a need-to-know basis. Paper files are kept in controlled facilities and access is restricted.
As a condition of employment, personnel in our organization are required to abide by our rules and guidelines and are prohibited from disclosing any personal information except when it is necessary to carry on assigned duties.
- A required party that will assist us in providing the products and services that we are offering you;
- A party that has an active and mutual business relationship with you, where the information we provide will help them and/or us provide the products and services you need or we offer.
Further, we will only provide the minimum information needed to the third party.
The nature of the safeguards used to protect the personal information will be directly related to the level of sensitivity of the information in question. The more sensitive the information, the higher the level of security employed.
Methods of Protection
The methods of protection used by us to protect personal information include, but are not limited to:
- Administrative safeguards (e.g. privacy and security policies, limiting access to information on a need-to-know basis, use of security clearances);
- Physical safeguards (e.g. locked filing cabinets, restricted access to offices); and
- Technical safeguards (e.g. use of passwords, encryption and firewalls).
We will make our representatives aware of the importance of maintaining the confidentiality of personal information and will require them to sign confidentiality agreements, where appropriate.
We will make readily available (i.e. via our website) to individuals a written public statement about our policies and practices relating to the management of personal information.
The information made available to individuals will include:
- The name and contact information of our Chief Privacy Officer;
- The means of gaining access to personal information held by us; and
Upon written request, and provided that we are authorized to provide this by law, an individual will be informed of the existence, use and disclosure of his or her personal information under our custody and control, and will be given access to this information either directly or through a health information custodian. Such an individual will be required to provide sufficient information to permit us to provide an account of the existence, use and disclosure of personal information. The information provided will only be used for this purpose by us.
An individual may challenge the accuracy and completeness of the information and have it amended as appropriate. We will cooperate as appropriate with the applicable health information custodian in order to make the requested amendments to the personal information.
In certain situations, we may not be able to provide access to all the personal information we hold about an individual. The reasons for denying access will be provided to the individual or health information custodian, as applicable. Exceptions may include cases where the information would:
- Reveal personal information about a third party for whom we do not have consent;
- Be subject to legal privilege or legal restrictions;
- Contain other confidential information which would be revealed;
- Include information that was generated in the course of a formal dispute resolution process;
- Relate to an investigation of a breach or contravention of laws; or
- Be prohibitively costly to provide.
Contents of Refusal
If we determine that the disclosure of personal information should be refused, we will inform the individual in question of the following:
- The reasons for the refusal and the provisions of the applicable legislation on which the refusal is based;
- The name and contact information of the Chief Privacy Officer, who can answer the individual’s questions; and
- Notification that the individual may ask for a review within thirty (30) days of being notified of the refusal.
Upon request, and in collaboration with the applicable health information custodian, we will disclose the source of personal information to the individual along with an account of third parties to whom the information may have been disclosed.
We will disclose requested information within thirty (30) days of receipt of the request at no cost to the individual, or at nominal cost relating to photocopying, shipping, and other reasonable administrative expenses, unless there are reasonable grounds to extend the time limit. The requested information will be provided to the individual in a form that is generally understandable.
We may levy costs only if an individual is informed in writing in advance of the approximate cost and has agreed to proceed with the request.
An unresolved complaint from an individual regarding the accuracy of personal information will be recorded and transmitted to third parties having access to the information in question.
An individual may address a challenge concerning compliance with the above principles or with legislation to our Chief Privacy Officer. Instructions for making complaints will be made available to individuals as part of the information we make publicly available as described in Section 9.
Upon receipt of a complaint, we will:
- Record the date the complaint is received;
- Notify the Chief Privacy Officer who will serve in a neutral, unbiased capacity to resolve the complaint;
- Notify the applicable health information custodian of the complaint;
- Acknowledge receipt of the complaint by way of telephone conversation and clarify the nature of the complaint within three (3) business days of receipt of the complaint;
- Appoint an investigator using our personnel or an independent investigator, who will have the skills necessary to conduct a fair and impartial investigation, and who will have unfettered access to all files and personnel, within ten (10) business days of receipt of the complaint;
- Upon completion of the investigation and within twenty-five (25) business days of receipt of the complaint, the investigator will submit a written report to us;
- Notify the health information custodian of the outcome of the investigation and any relevant steps taken to rectify the complaint, including any amendments to policies and procedures, within thirty (30) business days of receipt of the complaint; and
- Notify the complainant, in cooperation with the applicable health information custodian, of the outcome of the investigation and any relevant steps taken to rectify the complaint, including any amendments to policies and procedures, within thirty (30) business days of receipt of the complaint.
We will assist an individual in preparing a request for information.
We will not dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee of ours, or deny that employee a benefit because the employee, acting in good faith and on the basis of reasonable belief:
- Has disclosed to a privacy commissioner that we have contravened or are about to contravene applicable legislation;
- Has done or stated an intention of doing anything that is required to be done in order to avoid having any person contravene applicable legislation;
- Has refused to do or stated an intention of refusing to do anything that is in contravention of applicable legislation.