Prococious Technology Inc. (referred to as "we", "us," or "our") collects and stores personal information in compliance with the Personal Information Protection and Electronic Documents Act ("PIPEDA") in Canada, the Personal Health Information Protection Act ("PHIPA") in Ontario, the Health Information Act ("HIA") in Alberta, the Personal Information Protection Act ("PIPA") in British Columbia, and comparable legislation in the jurisdictions where we may operate (all collectively known as the "Act").
We are subject to the privacy requirements set out under the Act as an "agent" that handles personal health information on behalf of health information custodians. The Act defines an "agent" as "a person that, with the authorization of the health information custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent's own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the custodian and whether or not the agent is being remunerated."
The activities performed by us in conjunction with our services and software applications require us to collect, use and process personal health information on behalf of health information custodians. Typically, such custodians are individual dentists in private practices who have been licensed to use our software application(s) or who have retained our software application(s) to perform various types of services or analysis on information, including, in some instances, personal health information that has been provided to us by such custodians or collected by us at such custodian's request. The provision of information, the specification of information to be collected, the type of analysis to be performed, the disclosure, and the eventual destruction of that information will be under the control of or at the direction of the custodian or the custodian's authorized employees. The physical location of the information may be on the custodian's premises, on our premises, or both.
We are committed to the protection of personal health information and have therefore put into place policies and safeguards relating to our collection, use, disclosure, retention and disposition of personal health information. In particular, this policy has been developed to provide direction and help to directors, officers, employees, contractors, agents and other individuals having cause to work with us to understand their roles and responsibilities under all applicable legislation and how to comply with their provisions.
This policy applies to all of our directors, officers, employees, contractors and agents (collectively, the "representatives").
We are governed by the Act in Canada to the extent that personal information other than personal health information is collected, used, disclosed, retained or disposed by us, or to the extent that any of our activities cross the borders of Canada, such activities are governed by the Act. For the purposes of this policy, the term "personal information" shall include both "personal information" as well as "personal health information" as defined under PIPEDA, PHIPA, HIA, and PIPA. In addition, where we collect and use personal information in other jurisdictions, other legislation may apply. This policy has been drafted based on privacy principles that are common to most legislation dealing with the protection of personal information. As a result, compliance with this policy is intended to allow for substantial compliance with such other legislation. Nonetheless, we reserve the right to modify this policy so that this policy is consistent with any such piece of legislation as required.
In addition to satisfying the requirements set out under the Act, we and our representatives undertake to satisfy the requirements set out under this policy. In particular, representatives will not:
Our representatives and other individuals having cause to work with us will demonstrate their respect for individual privacy rights and their compliance with legislation by following the rules for collection, use, disclosure, retention and disposal of personal information in accordance with the Act and any other applicable legislation and by adhering to all privacy and security policies, procedures and guidelines.
Except as provided in the applicable piece of legislation, the Cleardent Board of Directors will have the authority to interpret any provision of this policy that is contradictory, ambiguous or unclear.
We will designate an individual (the "Chief Privacy Officer") to manage the implementation and monitoring of this policy and the security of personal information that is within the control of the organization. We are responsible for the personal information received from or collected on behalf of health information custodians. Accountability for compliance with the Act rests with our Chief Privacy Officer.
The Chief Privacy Officer will:
The Chief Privacy Officer will be responsible for implementing appropriate procedures to train all representatives who may be exposed to personal information.
The identity of the Chief Privacy Officer and her/his contact information will be communicated to members of the public and we will make every effort to ensure the identity and contact method is up-to-date on our website.
The Chief Privacy Officer will be responsible for responding to all requests and inquiries with regard to personal information.
We will implement policies and practices to secure all personal information during collection, use, disclosure, retention and disposition.
All agreements executed with third parties that will have access to personal information held by us will include provisions that are intended to require such third parties to comply with our privacy policies.
Our policy and procedures relating to privacy of information will be communicated to the public, as appropriate.
The Chief Privacy Officer will review this policy on an annual basis and make all necessary changes to provide for the protection of personal information in compliance with the law.
In the event of a breach of this policy by a Representative, the following repercussions will be imposed:
We will only collect personal information reasonably necessary for the identified purposes set out in the section "Purpose," and only as provided by a health information custodian or as collected by us upon direction from a health information custodian. We collect the following types of personal information:
We collect personal information from health information custodians for purposes that include, but are not limited to, the following:
We will identify in writing to the health information custodian the purposes for which personal information is collected at or before the time of collection. The purposes will be stated in a manner that the referring health information custodians (or affected individuals, if applicable) can reasonably understand how the information will be used or disclosed.
We will seek consent from the appropriate health information custodians (or individuals, if applicable) when personal information is used for a purpose not previously identified. This consent will be documented as to when and how it was received.
In addition to appropriate explanation at the time of information collection, we will also identify the following general purposes and uses of personal information, personal health information, and personal contact information collected:
We do not sell or lease out our customer list or the personal information that we have collected. The information will only be transferred to a third party in whole as an asset of an entire business unit within our organization when our organization has sold that entire business unit to a third party. In such event, the ownership of the personal information collected will no longer remain in our organization.
When personal information is provided to us from a health information custodian, the obligation for obtaining consent from the applicable individual to disclose such information to us rests with the referring health information custodian. We shall endeavour to execute agreements with health information custodians that address the issue of consent. The health information custodian will generally be responsible for obtaining consent. When we receive personal information from a health information custodian, we will be entitled to assume that the custodian has obtained the explicit or implied consent of the individuals from whom such information was obtained. We will NOT collect any personal information, including personal health information, except: as provided to us by a health information custodian or collected from individuals at the direction of a health information custodian.
We may collect, use or disclose personal information without your knowledge or consent in exceptional circumstances where such collection, use or disclosure is permitted or as required by law. In addition, we may also collect, use, or disclose personal information without your knowledge or consent when:
When you refuse to consent, subject to prior contractual agreement, we may not be able to offer or continue products and services that may be of value to you.
We will not obtain consent by deceptive means.
We will not require an individual, or representative of the health information custodian, to consent to the collection, use or disclosure of personal information beyond that required to fulfill the specified purpose.
We do not collect any personal information except as provided by a health information custodian or as collected from individuals who have given consent to us or the applicable health information custodian for whom we are acting as an agent. The custodian must take into account the sensitivity of the personal information, as well as the individual's reasonable expectations, in determining the form of consent to use. Individuals may consent to the collection and specified use of personal information in the following ways:
We expect that individuals will understand that the referring health information custodian will use tools provided by us, or other vendors, to analyze their personal information.
We respect an individual's right to withdraw consent, subject to legal or contractual restrictions and reasonable notice. We will normally act on this only on the instruction of an appropriately authorized representative of the health information custodian or on behalf of an individual. We will make a reasonable effort to inform the applicable health information custodian and/or individual, if applicable, of the implication of such withdrawal, including the fact that the withdrawal will not have retroactive effect.
All of our employees and contractors have pledged to maintain confidentiality of all personal information.
We will limit the collection of personal information to that which is necessary for its purposes unless required by law to collect additional information. Personal information collected will be for the purposes specified in the sub-section "Purpose" of the section "Identifying Purpose". We will only collect information as provided by the health information custodian or the applicable individual.
We will directly collect personal information of our current and prospective customers, who are typically personal health information custodians. However, we may also collect personal information of our current and prospective customers from external sources such as public or commercial directories and listings. Under no circumstance, except when we have the consent of our customers who are the health information custodian of the individuals, will we collect personal information or personal health information of such individuals.
We will collect information by fair and lawful means and will not collect personal information indiscriminately.
We will not use or disclose personal information for purposes other than those for which it was collected as specified in the sub-section "Purpose" of the section "Identifying Purpose," except with the consent of the health information custodian (or individual, if applicable) or as required by law.
The following persons shall have access to the personal information:
We receive individuals' personal information or personal health information contained in our customers' databases in the course of our duty and responsibility as a provider of information technology. Having access to our customers' databases is crucial for us to provide quality services such as troubleshooting, technical support, practice management consultation, and any other business functions that relate directly or indirectly to the use of our products and services.
We will retain personal information only as long as necessary for the fulfillment of the purposes set out in the sub-section "Purpose" of the section "Identifying Purpose".
We shall destroy physical documents by way of shredding and electronic files will be deleted in their entirety, in a manner such that no personal information can be recovered. When hardware is discarded, we will have the hard drive on which personal information was stored physically destroyed or securely wiped with appropriate security software.
We will take reasonable steps so that the personal information that we collect, use and disclose is as accurate, complete and up-to-date as is necessary for the purposes that are known at the time of the disclosure; otherwise, we must clearly set out for the recipient of the disclosure the limitation, if any, on the accuracy, completeness or up-to-date character of the information.
We will update personal information when such a process is necessary to fulfill the purposes for which the information was collected.
We will take all appropriate and reasonable measures to assure the security of all personal information received or stored. Our security policy may be different depending on the sensitivity and storage medium of the information. All electronic data is stored on secure servers and access is limited to network administrators and authorized personnel on a need-to-know basis. Paper files are kept in controlled facilities and access is restricted.
As a condition of employment, personnel in our organization are required to abide by our rules and guidelines and are prohibited from disclosing any personal information except when it is necessary to carry on assigned duties.
Further, we will only provide the minimum information needed to the third party.
The nature of the safeguards used to protect the personal information will be directly related to the level of sensitivity of the information in question. The more sensitive the information, the higher the level of security employed.
The methods of protection used by us to protect personal information include, but are not limited to:
We will make our representatives aware of the importance of maintaining confidentiality of personal information, and they will be required to sign confidentiality agreements, where appropriate.
We will make readily available (i.e. via our website) to individuals a written public statement about our policies and practices relating to the management of personal information.
The information made available to individuals will include:
Upon written request, and provided that we are authorized to provide this by law, an individual will be informed of the existence, use and disclosure of his or her personal information under our custody and control, and will be given access to this information either directly or through a health information custodian. Such an individual will be required to provide sufficient information to permit us to provide an account of the existence, use and disclosure of personal information. The information provided will only be used for this purpose by us.
An individual may challenge the accuracy and completeness of the information and have it amended as appropriate. We will cooperate as appropriate with the applicable health information custodian in order to make the requested amendments to the personal information.
In certain situations, we may not be able to provide access to all the personal information we hold about an individual. The reasons for denying access will be provided to the individual or health information custodian, as applicable. Exceptions may include:
If we determine that the disclosure of personal information should be refused, we will inform the individual in question of the following:
Upon request, and in collaboration with the applicable health information custodian, we will disclose the source of personal information to the individual along with an account of third parties to whom the information may have been disclosed.
We will disclose requested information within thirty (30) days of receipt of the request at no cost to the individual, or at nominal cost relating to photocopying, shipping, and other reasonable administrative expenses, unless there are reasonable grounds to extend the time limit. The requested information will be provided to the individual in a form that is generally understandable.
We may levy costs only if an individual is informed in writing in advance of the approximate cost and has agreed to proceed with the request.
An unresolved complaint from an individual regarding the accuracy of personal information will be recorded and transmitted to third parties having access to the information in question.
An individual may address a challenge concerning compliance with the above principles or with legislation to our Chief Privacy Officer. Instructions for making complaints will be made available to individuals as part of the information we make publicly available as described in Section 9.
Upon receipt of a complaint, we will:
We will assist an individual in preparing a request for information.
We will not dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee of ours, or deny that employee a benefit because the employee, acting in good faith and on the basis of reasonable belief: