Privacy Policy

1. Purpose

Background

Who is Sentrex?

Sentrex Health Solutions Inc. is a fully integrated specialty distributor and patient support provider for pharmaceutical manufacturers, physicians, and their patients. We provide innovative solutions to ensure customers have the access and support they need to maximize treatment outcomes. Our core scope of services includes distribution, patient support programs and pharmacy services. In the regular course of our business, we accumulate a considerable amount of personal information (PI) and personal health information (PHI). We value the trust placed in us by our customers and employees, and we know that maintaining this trust requires transparency and accountability in how we collect, use, and disclose the PI and PHI. To show our commitment to protecting privacy, we have created this policy to provide a simple and straightforward explanation of what data we collect and how we use and share that information.

What privacy laws are important for this policy?

Since January 1, 2004, all Canadian organizations engaged in commercial activities have been required to comply with certain privacy laws. Different business units within Sentrex (such as Pharmacies) are required to comply with their specific provincial legislation whereas the overarching company is required to comply with national legislation. Relevant privacy laws we address in this policy are,

  • Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA).
  • Canadian Anti-Spam Legislation, 2014 (CASL).
  • British Columbia: Personal Information Protection Act, 2004 (PIPA).
  • Alberta: Personal Information Protection Act, 2004 (PIPA).
  • Saskatchewan: The Freedom of Information and Protection of Privacy Act, 1990-1991.
  • Manitoba: The Freedom of Information and Protection of Privacy Act, 1997.
  • Ontario: Personal Health Information Protection Act, 2004 (PHIPA).
  • Quebec: Quebec Privacy Act. In 2022, Law 25 (previously Bill 64), An Act to Modernize Legislation Provisions Respecting the Protection of Personal Information.
  • New Brunswick: PIPEDA is followed for private sector commercial businesses.
  • Nova Scotia: PIPEDA is followed for private sector commercial businesses.
  • Prince Edward Island: Freedom of Information and Protection of Privacy Act, 1988.
  • Newfoundland and Labrador: PIPEDA is followed for private sector commercial businesses.

How is this policy organized?

For clarity, we have structured this policy around the ten PIPEDA fair information principles of the Canadian Standards Association’s Model Code for the Protection of Personal Information to detail how we protect PI and PHI data. The 10 principles are,

  • Principle 1: Accountability
  • Principle 2: Identifying Purposes
  • Principle 3: Knowledge and Consent
  • Principle 4: Limiting Collection
  • Principle 5: Limiting Use, Disclosure and Retention
  • Principle 6: Accuracy
  • Principle 7: Safeguards
  • Principle 8: Openness
  • Principle 9: Individual Access
  • Principle 10: Challenging Compliance

2. Scope

Who does this policy apply to?

This policy covers all our employees, directors, and officers (the “employees”), and compliance is mandatory. The employees will respect and obey all the laws, rules, and regulations of the countries in which they work, including but not limited to PIPEDA, CASL and specific provincial legislation mentioned previously.

Will this policy change in the future?

We can change this policy from time to time as legislation requirements change. This policy may be changed or not enforced by us if required by law, and all employees will be bound by any changes. Our collection, use and disclosure of the PI and PHI gained through our services will be governed by the version of this policy in effect at the time the information was collected, used, or disclosed.

How do I get a copy of the policy?

The latest version of this policy will be posted on our website and will be available upon request to us via email or mail.

Email: privacy@sentrex.com

Mailing address:
Attn: Chief Privacy Officer
120 Valleywood Drive
Markham, ON L3R 6A7

3. Roles and Responsibilities

The Chief Privacy Officer is responsible for:

  • Development and maintenance of all privacy policies and procedures for Sentrex and ensuring employees are aware of requirements.
  • Ensuring compliance with privacy information practices (e.g., privacy incident reporting or reporting to regulatory bodies), and
  • Overseeing day-to-day management of the privacy program including providing support to employees and monitoring for compliance.

Directors, Managers and Supervisors are responsible for:

  • Ensuring that employees within their areas of responsibility are aware of and comply with this policy and the information practices that support it.

Employees:

  • All employees will complete the annual privacy and security training provided.
  • The employees will provide, upon request, written evidence of the completion of the training.
  • If an employee becomes aware of a suspected or actual information privacy and/or security breach, they should follow the Privacy Breach Reporting procedure SOPSHS-2 Privacy Breach Reporting.

4. Policy

4.1 Definitions and Abbreviations

Definitions

Agent: A person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the custodian and whether or not the agent is being remunerated (the Personal Health Information Protection Act, 2004, s.2).

Collect: To gather, acquire, receive, or obtain information by any means from any source, and “Collection” and “Collected” have a corresponding meaning. As set out in section 2 of PHIPA with respect to PHI and PI.

Confidentiality: Confidentiality is the obligation of an organization, custodian and individual to protect the information entrusted to it, to maintain the secrecy of the information and not misuse or wrongfully disclose it (National Initiative for Telehealth Framework or Guidelines, 2003).

Privacy: Privacy is the right of an individual to control the collection, use and disclosure of personal information about them (Canadian Institute for Health Information, 2002).

Privacy breach: An event or series of events where one or more of the following occurs:

  • Collection, Use or Disclosure of PHI or PI not in compliance with PHIPA or its regulation (i.e., without legal authority).
  • There is a contravention of Sentrex’s privacy policies, procedures, or practices.
  • There is a contravention of data sharing agreements, research agreements, confidentiality agreements or agreements with third party service providers retained by Sentrex, including written acknowledgements acknowledging and agreeing not to use PHI or PI which has been de-identified and/or aggregated, to identify an individual.
  • Where PI or PHI is stolen, lost or subject to unauthorized Collection, Use or Disclosure or where records of PHI or PI are subject to unauthorized copying, modification, or disposal.

Personal health information: Personal health information is defined in the Personal Health Information Protection Act, 2004 (Ontario) (“PHIPA”) as identifying information about an individual that:

  • Relates to that individual’s physical or mental health.
  • Relates to the provision of health care to that individual.
  • Relates to payments or eligibility for health care or health care coverage of that individual.
  • Is the individual’s provincial health card number; and/or
  • Identifies an individual’s substitute decision-maker(s).

PHI also includes identifying information about an individual that is not PHI listed above but that is contained in a record that includes PHI listed above.

Information is “identifying” when it identifies an individual or when it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual.

Personal information: Personal information is defined in the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Specifically, it means recorded information about an identifiable individual, including:

  • Information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual.
  • Information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved.
  • Any identifying number, symbol or other assigned to the individual.
  • The address, telephone number, fingerprints, or blood type of the individual.
  • The personal opinions or views of the individual except where they relate to another individual.
  • Correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature and replies to that correspondence that would reveal the contents of the original correspondence.
  • The views or opinions of another individual about the individual; and
  • The individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

Security: Security is the protection of personal health information from unauthorized or unintentional loss, theft, access, use, modification or disclosure (Canadian Institute for Health Information, 2002). Security involves the protection of computer hardware and software from accidental or malicious access, use, modification, destruction, or disclosure. Security also pertains to personnel, data, communications, and the physical protection of computer installations (IEEE Standard Dictionary of Electrical and Electronic Terms).

Third-Party service: A third-party contracted or otherwise engaged to provide services to Sentrex, including Electronic Service Providers.

Use: In relation to PHI or PI in custody or under the control of Sentrex, “Use” means to view, handle, or otherwise deal with the information, but does not include to Disclose the information, and “Use”, as a noun, has a corresponding meaning. For the purposes of PHIPA, the providing of PHI between Sentrex and an agent of Sentrex is a Use by Sentrex, and not a Disclosure by the person providing the information or a Collection by the person to whom the information is provided.

Abbreviations

Attn: Attention.
CASL: Canadian Anti-Spam Legislation.
CPO: Chief Privacy Officer.
IPC: Information and Privacy Commissioner of Ontario.
PHIPA: Personal Health Information Protection Act, 2004 (Ontario).
PHI: Personal health information.
PI: Personal information.
PIPEDA: Personal Information Protection and Electronic Documents Act.
PSP: Patient Support Program.
SOPSHS: Standard Operating Procedure Sentrex Health Solutions.

4.2 The Fair Information Principles

Principle 1: Accountability

What is the principle of ‘Accountability’?

The principle of accountability is ‘An organization is responsible for the PI/PHI under its control. It must appoint someone to be accountable for its compliance with the fair information principles’.

How do we meet this principle?

Sentrex has appointed a CPO who oversees the privacy program. The CPO is responsible for ensuring the privacy program is designed, delivered, and monitored appropriately. This includes but is not limited to management of privacy risks/complaints/incidents or inquiries, managing patient access requests, reporting to regulatory authorities as needed and updating privacy policies and training as required and performing any privacy audits.

How are third-party service providers held accountable?

We remain responsible for the protection of all PI and PHI that is collected, received, viewed, used, disclosed, handled, or otherwise dealt with by our employees and other Sentrex Agents, including third-party service providers who are allowed to handle the PI or PHI on our behalf. We use contracts or other means to ensure that these providers follow the same principles as outlined in this policy for the protection of the PI and PHI.

Principle 2: Identifying Purposes

What is the principle of ‘Identifying Purposes’?

The principle of identifying purposes is ‘the purposes for which the PI/PHI is being collected must be identified by the organization before or at the time of collection’.

When do we collect the PI/PHI data?

The information we collect depends on what products or services the customer is using. We identify what types of information are collected as part of the consent process.

We can collect information from customers when they,

  • Visit our website.
  • Use our services both through the website and through other means such as telephone, fax, or mail.
  • Receive information from us by e-mail and/or other downloadable material.
  • Provide information freely to us whilst using one of our services.
  • Use a computer or other electronic device to connect to our website or services.
  • We can also gain information from the public or third-party service providers.

What is the purpose for collecting the information?

Our employees will process the PI or PHI (which includes creating, collecting, procuring, obtaining, accessing, recording, organizing, storing, adapting, altering, retrieving, consulting, using, disclosing, or destroying the data) on behalf of us, and for the purposes of performing functions, activities, or services on behalf of us, required in the service being accessed. Specifically, we collect, use, and disclose PI/PHI for the following reasons,

  • To better understand customers’ needs and to provide them with a better level of service.
  • To identify products, facilitate orders and provide services.
  • To provide information and reminders to the customer regarding their prescriptions.
  • To ensure customers are not given inappropriate medication(s).
  • To contact the customers’ pharmacist or prescribing doctor to discuss prescription related information and concerns.
  • To receive payment from the customer and health plan providers.
  • To communicate with individuals involved in our customers’ care or the payment of their care.
  • To co-ordinate our customers’ care with other pharmacies and health care providers.
  • To register our customers for and facilitate their participation in certain areas of the website.
  • To customize the website according to customer interests.
  • To tell our customers about health-related benefits or services that may be of interest.
  • To gather our customers’ opinion and feedback.
  • To audit online resources for authorized access and security.
  • To submit reports to Health Canada.
  • For internal record keeping, such as records of medications dispensed, to comply with federal and provincial laws.
  • To identify possible adverse events, product complaints, special situation reports or medical inquiries.
  • For purposes related to the filing and/or prosecution of any regulatory applications, including new drug and/or patent applications.
  • Other uses may be permitted or required by law.

Principle 3: Consent

What is the principle of ‘Consent’?

The principle of consent is ‘the knowledge and consent of the individual are required for the collection, use, or disclosure of PI/PHI, except where inappropriate’, as defined in PIPEDA.

How do we meet this principle?

All PI/PHI collected and maintained by us will be subject to consent in the following ways,

  • Express consent – given from the customer to us either verbally or in writing.
  • Implied consent – consent assumed by the customer’s actions or inactions.

All Patient Support Programs (PSPs) which are run on behalf of manufacturers at Sentrex have expressed consent to participate. Customers are required to sign (either at the physician’s office during the initial enrolment or as part of the PSP enrolment process at Sentrex). Other services such as pharmacy services will share privacy information with customers and ensure customers are informed but can rely on implied consent. By sharing prescriptions with the pharmacy, the patient is agreeing to the privacy use terms and conditions.

What happens if a customer does not consent?

If a patient does not consent to the privacy terms and conditions within a particular PSP or pharmacy service, the services cannot be provided. Data previously collected will still be retained as per data retention requirements, but additional information will not be collected.

How can consent be withdrawn?

The customer may withdraw consent to our collection, use and disclosure of their PI and PHI at any time, subject to legal restrictions and upon reasonable notice, by contacting our CPO.

Consent and electronic messages

We are committed to reducing the harmful effects of spam and related threats to electronic commerce and are working towards a safer and more secure online marketplace. CASL regulates certain forms of electronic contact, consisting of the sending of commercial electronic messages, the alteration of transmission data in electronic messages, and the installation of computer programs on a person’s computer system during a commercial activity. The key principle of CASL is that such activities may only be carried out with a customer’s consent. We comply with CASL and work with all our affiliates, customers, and partners to seek consent before communicating any commercial electronic messages. We have an unsubscribe mechanism on our websites and electronic correspondence.

Principle 4: Limiting Collection

What is the principle of ‘Limiting Collection’?

The principle of limiting collection is ‘the collection of PI/PHI must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means’.

How do we meet this principle?

Sentrex only collects PI and PHI necessary to meet the specific need for which it is being collected. We may collect PI and PHI provided by customers voluntarily, such as information entered in forms or data fields on our website, interactions through our PSP or Pharmacy services, or by other means. Different functions within Sentrex businesses have different data collection needs and thus, the data collected in one department may vary from another (e.g., PSP versus Pharmacy services).

Employee data collection is limited to the necessary information to perform the employer function related to payroll, taxes, contact information etc.

Principle 5: Limiting Use, Disclosure and Retention

What is the principle of ‘Limiting use, disclosure and retention’?

The principle of limiting use, disclosure and retention is ‘Unless the individual consents or it is required by law, PI/PHI can only be used or disclosed for the purposes for which it was collected. PI/PHI must only be kept as long as required to serve those purposes’.

How do we limit the use and disclosure of the PI and PHI?

Access to PI and PHI will be limited to those with a legitimate business need to use the PI or PHI, and it will only be used for the purposes for which it was originally obtained. PI/PHI contained in our files, whether physical or electronic, will not be disclosed to any individual by any employee until proper authorization for such disclosure has been obtained. Expressed consent will be obtained before there is any external disclosure, unless required by law.

Sentrex employees will maintain confidentiality in connection with PI or PHI entrusted to them, except when disclosure is authorized by our CPO or required by law. Whenever feasible, our employees will consult our CPO if the employee believes that there is a legal obligation to disclose PI or PHI.

We may notify external individuals and organizations if we become aware of any non-compliance with any privacy laws. This includes, but is not limited to,

  • Any unauthorized or unlawful collection, use or disclosure.
  • Any accidental loss or destruction of or damage to PI or PHI.
  • Any circumstances that would cause a reasonable data security professional to suspect that such collection, use or disclosure, loss, destruction, damage or non-compliance had occurred or will occur.

Who do we share PI and PHI with?

We share data for the following reasons:

  • If we believe, in good faith, that disclosure is appropriate to comply with applicable law, regulation, or legal process. For example, a court order.
  • Disclosing information, including PI and PHI, as required by any applicable government laws or regulations, and to financial institutions or governmental authorities.
  • We may communicate with and disclose PI or PHI to persons selected to be involved in the health care or health care decisions, such as doctors, guardians, or an attorney.
  • PI and PHI will be available to us, and third-party service providers that use PI and PHI gathered by us. When we allow a third-party service provider to have access to the PI/PHI, they will only be permitted to take it or use it for purposes that are consistent with this policy.
  • Sharing a customer’s contact details and information of their interactions with Sentrex health services or products to third parties so that those third parties may contact the customer with a view to providing additional services to them.
  • Combining information relating to a customer with other information linked to that customer, such as any reviews of that customer’s interaction with Sentrex health services or products, and any information received from third parties such as recruitment with agencies.
  • In connection with a change in ownership or control of all or a part of our business. For example, a merger, acquisition, or reorganization. In this case we will require the new owner(s) to agree to treat the PI and PHI in line with this policy.
  • Pharmacy Specific Services: We allow requests to fill prescriptions and refills directly to customers or medical clinics. To complete this process, we will collect, use and transmit PI and PHI across computer systems and networks. By submitting the prescription information and other PI and PHI, our representatives, pharmacists, and pharmacy technicians will have access to customers’ PI/PHI. To properly provide customers with pharmacy services, we may need to contact: (1) Health insurance providers to assess coverages and benefits, (2) Doctors or other medical professionals to discuss customers’ medical background and prescription requests, and/or, (3) Other people as required to fill a customer’s prescription request.

How long is the PI and PHI retained?

To comply with federal and provincial legislation, and to ensure that we can refer to the PI and PHI, when necessary, we keep records of all prescription medications dispensed. This information will be physically secured and protected. Personal and sensitive information will never be sent over public networks by e-mail unless secured by encryption and authorized by us. PI and PHI are retained by us for minimum time periods required by law. When PI and PHI are no longer required to be maintained, we will delete it, or remove personal identifying data from such information.

Principle 6: Accuracy

What is the principle of ‘Accuracy’?

The principle of accuracy is ‘PI/PHI must be as accurate, complete, and as up to date as possible in order to properly satisfy the purposes for which it is to be used’.

How do we meet this principle?

If PI or PHI is needed, wherever possible, it will be obtained directly from the person concerned. We will take reasonable steps to ensure that the PI and PHI collected is reliable, accurate, complete, and current for its intended use.

Principle 7: Safeguards

What is the principle of ‘Safeguards’?

The principle of safeguards is ‘PI/PHI must be protected by appropriate security relative to the sensitivity of the information’.

How do we meet this principle?

Our security policies and practices are designed to protect the confidentiality and integrity of the PI and PHI. We employ physical, administrative, and technological security safeguards appropriate to the sensitivity of the information. With respect to PI/PHI collected we act as custodian of the data and take all precautions required by PHIPA and other relevant legislation to prevent against any anticipated, suspected, or actual threats relating to the unauthorized access, disclosure, alteration, or destruction of the data. Specifically, we,

  • Take all reasonable and legally required steps to protect PI and PHI as it is transmitted from computers to our website or other online resources and servers.
  • We ensure that all our affiliates and third parties that perform services on our behalf are contractually required to follow this policy.
  • We may remove identifying data from the PI and PHI when it is aggregated for analysis purposes, for example when looking at trends in prescriptions, compliance, and health to improve our services. PI and PHI from which identifying data has been removed may be shared with third parties for the purposes set out in this policy.

In certain limited circumstances, we may be required to release or provide access to PI or PHI in response to a subpoena, search warrant, court order, law, or regulation. In such cases, we will take all appropriate measures to ensure that the PI and PHI are protected to the greatest extent possible while cooperating fully with court and law enforcement authorities.

Principle 8: Openness

What is the principle of ‘Openness’?

The principle of openness is ‘An organization must make detailed information about its policies and practices relating to the management of PI/PHI publicly and readily available’.

How do we meet this principle?

To ensure we are open and transparent about how we manage and protect PI and PHI and to inform customers of their privacy rights, we post this policy on our website. If customers would like additional information about our policies and practices relating to the management and handling of PI and PHI, they can contact our CPO via,

Email: privacy@sentrex.com

Mailing address:
Attn: Chief Privacy Officer
120 Valleywood Drive
Markham, ON L3R 6A7

Principle 9: Individual Access

What is the principle of ‘Individual Access’?

The principle of individual access is ‘Upon request, an individual must be informed of the existence, use, and disclosure of their PI/PHI and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate’.

How do we meet this principle?

Customers may access, update, and correct PI/PHI in our possession, subject to certain legal exceptions. Upon written request (see mailing address below), Sentrex will provide them with their PI and PHI in our possession to the extent required by law. If customers would like to access any of their PI and PHI or believe that any of their PI and PHI collected by us is incorrect or incomplete, they can send an email to our CPO at privacy@sentrex.com.

Mailing address:
Attn: Chief Privacy Officer
120 Valleywood Drive
Markham, ON L3R 6A7

Principle 10: Challenging Compliance

What is the principle of ‘Challenging Compliance’?

The principle of challenging compliance is ‘An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA and other provincial legislations, usually their CPO’.

How do we meet this principle?

If customers have any questions or complaints about this policy, or about our privacy practices in general, they can contact us via,

Email: privacy@sentrex.com

Mailing address:
Attn: Chief Privacy Officer
120 Valleywood Drive
Markham, ON L3R 6A7

For more information on privacy rights or to submit a complaint regarding our privacy practices please contact the Information and Privacy Commissioner of Ontario (IPC) at,

Office of the Privacy Commissioner of Canada
112 Kent Street Place de Ville Tower B, 3rd Floor
Ottawa, Ontario K1A 1H3

5. Attachments

SHS-POL-HR-001-3 (Sentrex Privacy Policy) 10-Nov-2020TRsig.pdf