Personal Information in this Notice is defined as “information about an identifiable individual” under the Personal Information Protection and Electronic Documents Act of Canada (PIPEDA). Customer Data is all data and information provided or made accessible to Arthur Health by Customers for Arthur Health to provide services and support. Customer Data may include Personal Information as defined under PIPEDA, and Personal Health Information as defined under the Customer’s provincial legislation. Neither Personal Information nor Customer Data shall include information about Arthur Health employees in such employees’ capacity as employees of Arthur Health.
Personal Information Collection and Processing
Arthur Health offers strategic data advice and enables healthcare providers to take advantage of cloud-based technology. As part of these services, Arthur Health may at times, on behalf of its healthcare provider customers, collect, process, use, retain or disclose Personal Information as part of the Customer’s Data. The exact information collected and processed is determined by the customers. When processing Personal Information, Arthur Health relies on its customers to collect consent and explain the purpose prior to Arthur Health’s processing of data.
If Arthur Health is asked to collect Personal Information on our customers’ behalf, such as the collection of email addresses, information will be available to explain the purpose and capture appropriate consent at the time of acquisition.
Arthur Health relies on customers to provide data as accurate and complete as necessary for our processing purposes. We make every reasonable effort to keep Personal Information as accurate as possible through data integrity controls and safeguards. Individuals may always verify the accuracy and completeness of their Personal Information; requests should be made to Arthur Health’s customer. If Arthur Health receives direct requests for access to or for amending information, Arthur Health will forward the request to the individual’s healthcare provider.
For details on access and corrections to Personal Information supplied by our customers, please contact your healthcare provider directly.
Collection, Use and Disclosure of Personal Information
Arthur Health only collects, uses and discloses Personal Information for the purpose of providing services to the healthcare provider for the provision of care.
Access to private, sensitive and confidential information is restricted to authorized employees with legitimate business reasons. We require all of our employees to abide by Arthur Health’s privacy standards. Our employees understand the importance of keeping information private. For this reason, our employees are required to agree to a confidentiality agreement that prohibits the disclosure of any Customer Data, including Personal Information, to unauthorized parties.
Employees are strictly prohibited from accessing or disclosing Personal Information without authorization. All employees are expected to maintain the confidentiality of Personal Information at all times and failure to do so will result in appropriate disciplinary measures including dismissal.
Arthur Health will never rent or sell the Personal Information it processes.
Arthur Health will never disclose Personal Information to third parties except as agreed upon with the Customer, or as otherwise required by law. The type of information Arthur Health is legally required to disclose may relate to criminal investigations or government tax reporting requirements. In some instances, such as a legal proceeding or court order, we may also be required to disclose Personal Information to authorities. We may be required to comply with a court order or governmental regulatory requirement or disclose information in connection to legal proceedings. Only the information specifically requested is disclosed and we take precautions to satisfy ourselves that the authorities that are making the disclosure request have legitimate grounds to do so. If required to do so, we will make every effort to notify the relevant parties about the proceedings.
Arthur Health relies on its partner solutions providers for the storage of data. Arthur Health uses Microsoft Azure hosting services to retain information in Canada. Microsoft and provider solution support may have access to Customer Data as an incidental result of the services provided by them to Arthur Health and the Customer. They may also have to access information outside of Canada to provide high-level support. However, the access these third parties have to such information is strictly controlled in accordance with the safeguards detailed below.
Should Arthur Health conduct market or product research, it will never use Personal Information; rather, it would use fully anonymized information, meaning that it would render it unlikely to be traced back to an individual.
Arthur Health maintains the right to inform customers about any change that may affect information collected or stored. We may be required to comply with a court order or governmental regulatory requirement or disclose information in connection to legal proceedings. If required to do so, we will make every effort to notify the relevant parties about the proceedings.
Arthur Health compiles aggregate data as part of its services. Aggregate data is data that has been compiled into summaries, where individuals cannot be personally identified by reasonably foreseeable methods. Arthur Health uses aggregate data to analyze trends, administer, troubleshoot, enhance, and improve Arthur Health’s services. Aggregate data is also used to carry out system audits of the data retained by platform providers. Healthcare providers may also be provided reports of aggregate data upon request.
Arthur Health is not anticipating any changes in corporate status; however, as we grow and develop, that may change. We may use Personal Information and disclose Personal Information to third parties in connection with the proposed or actual financing, insuring, sale, securitization, assignment or other disposal of all or part of our business or assets (including accounts) for the purposes of evaluating and/or performing the proposed transaction. These purposes may include, as examples, permitting such parties to determine whether to proceed or continue with the transaction, fulfilling any reporting or audit requirements to such parties, and/or disclosing Personal Information as part of concluding a sale or transfer of assets. Our successors and assigns may collect, use and disclose Personal Information for substantially the same purposes as those set out in this Policy. In the event the transaction does not go through, we will require, by contract, the other party or parties to the transaction not to use or disclose Personal Information in any manner whatsoever for any purpose, and to return or destroy such Personal Information. Personal Information that is collected online remains subject to applicable legislation and corporate policy.
Control of Personal and Customer Data
Arthur Health takes reasonable steps to protect Customer Information and Personal Information, to prevent loss, misuse and unauthorized access, disclosure, alteration and destruction.
Arthur Health has appointed a designated privacy contact who acts as Privacy Officer (PO) responsible for overseeing information system monitoring and information security policy and procedure management. The PO is responsible for overseeing compliance with Arthur Health’s privacy program, including:
- Undertaking privacy impact assessment and threat and risk assessments on a regular basis;
- Adopting policies and procedures on the basis of privacy impact assessment and threat and risk assessments to mitigate all identified risks and updating these as necessary.
Should individuals require assistance regarding Arthur Health’s processing of their Personal Information, they may contact our privacy office for more information. Contact information can be found below.
Arthur Health stores all Customer Information and Personal Information in Canada, with Microsoft Azure. Microsoft is hosting all Arthur Health servers, databases and applications in the Microsoft Azure secure cloud. Microsoft Azure is certified as compliant with ISO Standard 27018 Code of Practice for personally identifiable information (PII) protection in public clouds acting as PII processors. In addition to the independent certification process under ISO 27018, the Standard also includes the right to audit Microsoft for compliance.
Contacting Arthur Health
All complaints, inquiries or access requests specific to individual privacy will be directed back to their healthcare provider. Individuals may, however, contact our privacy office to make enquiries on our privacy practices. Any query, comments or concerns can be sent to us by email at [email protected] or by mail at the following address:
50 Binscarth Rd
Toronto, ON M4W1Y4
2022-11-22 marks the last update of this policy.