Ateb Canada Ltd., is a corporation incorporated under the laws of Ontario, with its registered office at 3760 14th Avenue, Suite 300, Markham, Ontario L3R 3T7.When the term Ateb is used in this policy, it means Ateb Canada Ltd. Its servers for Canadian operations are located in Canada. Ateb will not transfer personal information outside of Canada without the prior authorization of Ateb’s customers.
Ateb is engaged in providing services to Canadian pharmacies and other healthcare institutions to better serve their customers for pharmaceutical preparations and to achieve better health outcomes for their patients.
As technology increasingly facilitates the circulation and exchange of information, there is a need for rules to govern the collection, use and disclosure of personal health information in a manner that recognizes the privacy rights of individuals in Canada with respect to their personal information, and the needs of Canadian businesses, communities and other organizations to collect, use or disclose personal information for purposes that a reasonable Canadian would consider appropriate in the circumstances.
“Collection” – the act of gathering, acquiring or obtaining personal information from any source, including from third parties, by any means.
“Consent” – voluntary agreement with what is being done or proposed. Consent can be either expressed or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the persons seeking the consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
“Disclosure” – making personal information available to other persons outside of Ateb and, where applicable, the particular pharmacy or healthcare institution that Ateb is servicing.
“Personal health information” – with respect to an individual, whether living or deceased, means
(a) information concerning the physical or mental health of the individual;
(b) information concerning any health service provided to the individual;
(c) information concerning the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of the individual;
(d) information that is collected in the course of providing health services to the individual; or
(e) information that is collected incidentally to the provision of health services to the individual.
“Personal information” – means information about an identifiable individual, including personal health information, but does not include business contact information unless the individual is using such contact information for personal purposes.
“PIPEDA” – means the Canadian Personal Information Protection and Electronic Documents Act, as amended from time to time.
“Use” – treatment and handling of personal information within Ateb.
PRINCIPLE 1: ACCOUNTABILITY
Accountability for Ateb Canada Ltd.’s compliance with the privacy principles shall rest with an individual as appointed by the Board of Directors from time to time. This individual may delegate other individuals to act in his or her behalf. The individual will be known as the “Privacy Officer”.
PRINCIPLE 2: IDENTIFYING PURPOSES
The purposes for which personal information and personal health information are collected shall be identified by Ateb before or at the time the information is collected.
Members of Ateb shall collect personal information only for the purposes of:
Ateb generally uses such personal information to carry on its business and serve its customers as described above. If the business is transferred to a new owner, subject to the limitations of Principle 5, the personal information will also be transferred. Personal health information will only be transferred for the purposes of providing health care or assisting in providing health care, or where it has been provided by a third party, back to that third party.
The purposes for which a member of Ateb is collecting personal information shall be identified by the member at or before the time the information is collected. Only information that is necessary for the purposes that have been identified may be collected. The purposes for the collection shall be communicated to the subject individual.
PRINCIPLE 3: CONSENT
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except as provided by law.
Consent is required for the collection of personal information and the subsequent use or disclosure of such information. The exceptions to such requirement are specified in PIPEDA or other applicable legislation.
To the extent, if any, that Ateb acts as a service provider to another organization with respect to the collection, use or disclosure of personal information, a member of Ateb shall obtain and adhere to any form of consent previously obtained by such organization, subject to the exceptions provided for in PIPEDA purposes of providing health care or assisting in providing health care.
Ateb may not, as a condition for the supply of services or employment for example, require an individual to consent to the collection, use or disclosure of personal information beyond what is necessary for such purposes.
The adequacy of the form of consent depends upon the circumstances and the type of information that is being collected. Generally speaking, the more sensitive the information (such as health records or employment evaluations), the more explicit or manifest is the form of consent that is required. In obtaining consent, the reasonable expectations of the individual must also be taken into account. Consent shall not be obtained through deception.
In the collection of personal health information consent may only be implied when it is for the purposes of providing health care or assisting in providing health care.
An individual may withdraw a consent at any time, subject to legal or contractual restrictions and reasonable notice. The individual shall be informed of the implications of such withdrawal.
PRINCIPLE 4: LIMITING COLLECTION
The collection of personal information shall be limited to that which is necessary for the purposes identified by Ateb. The information shall be collected by fair and lawful means.
Personal information shall not be collected indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes identified.
PRINCIPLE 5: LIMITING USE, DISCLOSURE AND RETENTION
Personal information shall not be used or disclosed for purposes other than those for which the information was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Personal information, and particularly personal health information, collected in Canada by Ateb will not be used or disclosed outside of Canada without the informed consent of the individual, except that for the purposes maintaining, troubleshooting or expanding the computer operations in Canada qualified individuals may access the relevant computer servers and programs, provided that they have signed appropriate confidentiality and privacy agreements.
Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased or made anonymous. Ateb shall conduct regular reviews to determine whether information is still required.
Before disposing of electronic devices, such as computers, photocopiers and cell phones, Ateb shall ensure that all personal information is fully deleted.
PRINCIPLE 6: ACCURACY
Personal information shall be accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
This is particularly important where the information is being used to make some evaluation or judgement about the individual, or as contact information for the delivery of sensitive personal information, such as personal health information. The extent to which the personal information shall be accurate, complete and up-to-date will depend upon the use of the information taking into account the interests of the individual.
Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date.
PRINCIPLE 7: SAFEGUARDS
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
The security safeguards shall take reasonable precautions to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. The nature of the safeguards will vary according to the sensitivity of the information.
The methods of protection will include physical measures, organizational measures and technological measures. All personal information shall be handled on a “need-to-know” basis and each member of Ateb shall be responsible for the protection of the personal information used in his or her job function.
Where personal information, and especially personal health information is maintained in an electronic form, Ateb shall implement additional safeguards for such information. Ateb shall create and maintain a record of user activity for any electronic information system it uses to maintain personal health information.
Ateb shall regularly make all of its members aware of the importance of maintaining the security of personal information.
Care shall be used in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information.
Ateb shall review and update security measures regularly.
PRINCIPLE 8: OPENNESS
Ateb shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Ateb shall be open about its policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about Ateb’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable. Ateb should also ensure front-line staffs are familiar with the procedures for responding to individual inquiries.
The information made available must include:
This information is also to be made available on the website.
PRINCIPLE 9: INDIVIDUAL ACCESS
Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Before granting an individual access to the personal information, a member of Ateb must consult the Privacy Officer or that person’s delegate. There are restrictions on the grant of access in PIPEDA where it would reveal personal information about a third party that cannot be severed from the information about the individual making the request, and in certain other circumstances there needs to be notification of governmental institutions before release.
Access may also be refused where the information is protected by solicitor-client privilege; where revealing the information would also reveal confidential commercial information; where revealing the information could reasonably be expected to threaten the life or security of another individual; if the information was collected during an investigation of a breach of an agreement or a contravention of the laws of Canada or a province on the expectation that the knowledge or consent or consent of the individual would compromise the availability or accuracy of the information; or where the information was generated in the course of a formal dispute resolution process.
Upon such a request, Ateb shall inform an individual whether or not Ateb holds personal information about the individual. When disclosure is made to the individual, the organization shall provide an account of the use that has been made or is being made of the information and an account of the third parties to which the information has been disclosed.
Where the request for access is with respect to personal information collected, used or disclosed in the course of serving a customer or other third party, the customer or other third party shall immediately be provided with a copy of the request.
Ateb shall respond to an individual’s request within 30 days and at minimal or no cost to the individual. Ateb may require a reasonable payment for the information provided only if it has informed the individual in advance of the approximate cost and the individual has advised Ateb that the request is not being withdrawn.
When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, Ateb must amend the information as required. Depending upon the nature of the information challenged, amendment could involve the correction, deletion or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
When a challenge is not resolved to the satisfaction of the customer, the substance of the unresolved challenge shall be recorded by the member of Ateb. When appropriate, the existence of the unresolved challenge should be transmitted to third parties having access to the information in question.
PRINCIPLE 10: CHALLENGING COMPLIANCE
An individual shall be able to address a challenge concerning compliance with the above privacy principles to the Privacy Officer of Ateb.
The individual accountable for Ateb’s compliance is the Privacy Officer as appointed by the Board of Directors of Ateb from time to time. The Board of Directors will establish procedures to receive and respond to complaints or inquiries about Ateb’s policies and practices relating to the handling of personal information.
Members of Ateb shall inform individuals who make inquiries or lodge complaints of the existence of the relevant complaint mechanisms of Ateb. Ateb shall investigate all complaints. If a complaint is found to be justified through either the internal or external compliant review process, Ateb will take appropriate measures, including amending its policies and practices if necessary.
Where the complaint arises out of a customer matter, the customer shall be informed immediately.
Alternatively, an individual could contact Office of the Information and Privacy Commissioner in Canada about alleged breaches of the law.
From time to time Ateb may make changes to this policy to adapt to changing business conditions and for other reasons. In the event that in the opinion of Ateb acting reasonably such changes will allow Ateb to make materially greater use and/or disclosure of any personal information, the individuals affected by the changes will be clearly and concisely notified of the changes and their proposed effect, and provided with an opportunity to withdraw their consent to the collection, use and/or disclosure of their personal information.
Date Adopted: January 5th, 2016
Contacting Ateb Canada Ltd.:
Address: 3760 14th Avenue, Suite 300, Markham, Ontario L3R 3T7
Phone No.: 919.872.1275
Email Address: PrivacyOfficer@atebcanada.ca
Offices of the Information and Privacy Commissioners in Canada
Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, Quebec, K1A 1H3
Phone: (819) 994-5444
Fax: (819) 994-5424
TTY: (819) 994-6591
Web Site: https://www.priv.gc.ca/index_e.asp
Office of the Information and Privacy Commissioner of Alberta
Suite 410, 9925 109 Street, Edmonton, Alberta T5K 2J8
Phone: (780) 422-6860
Toll Free: 1 (888) 878-4044
Web Site: http://www.oipc.ab.ca
Office of the Information and Privacy Commissioner for British Columbia
P.O. Box 9038, Stn. Prov. Govt.
756 Fort Street, 3rd Floor
Victoria, British Columbia V8V 1X4
Phone: (250) 387-5629
1 (800) 663-7867
(free within B.C.)
Web Site: http://www.oipc.bc.ca/
Office of the Ombudsman
P. O. Box 6000
767 Brunswick Street
Fredericton, NB E3B 5H1
Phone: (506) 453-2789
Web Site: http://www.gnb.ca/0073/indexe.asp
Newfoundland and Labrador
Office of the Information and Privacy Commissioner for Newfoundland and Labrador
2nd floor, 34 Pippy Place
P.O. Box 13004, Station A
St. John’s, NL A1B 3V8
Phone: (709) 729-6309
Web Site: http://www.oipc.gov.nl.ca/default.htm
Information and Privacy Commissioner of the Northwest Territories
5018, 47th street
Yellowknife, Northwest Territories X1A 2N2
Phone: (867) 6690976
Fax: (867) 920-2511
Nova Scotia Freedom of Information and Privacy Review Office
P.O. Box 181
Halifax, Nova Scotia B3J 2M4
Phone: (902) 424-4684
Web Site: http://www.gov.ns.ca/foiro/
Information and Privacy Commissioner of Nunavut
5018, 47th street
Yellowknife, Northwest Territories X1A 2N2
Phone: (867) 669-0976
Fax: (867) 920-2511
Web Site: http://www.infoprivacy.nu.ca/en/home
Office of the Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Phone: (416) 326-3333
1 (800) 387-0073
(free within Ontario)
Web Site: http://www.ipc.on.ca/
Prince Edward Island
Office of the Information and Privacy Commissioner of Prince Edward Island
180 Richmond Street
P.O. Box 2000
Charlottetown, Prince Edward Island
Telephone: (902) 368-4099
Web Site: www.oipc.pe.ca
Commission d’accès à l’information du Québec
575 St. Amable Street
Québec, Québec G1R 2G4
Phone: (418) 528-7741
1 (888) 528-7741
(free within Québec)
Web Site: http://www.cai.gouv.qc.ca/indexen.html
Office of the Information and Privacy Commissioner of Saskatchewan
Phone: (306) 787-8350
Web Site: http://www.oipc.sk.ca
Office of the Yukon Ombudsman and Information and Privacy Commissioner
211 Hawkins Street, Suite 201
P.O. Box 2703
Whitehorse, Yukon Territory Y1A 2C6
Phone: (867) 667-8468
Web Site: http://www.ombudsman.yk.ca/