Background
Who is Sentrex?
Sentrex Health Solutions Inc. is a fully integrated specialty distributor and patient support provider for pharmaceutical manufacturers, physicians, and their patients. We provide innovative solutions to ensure customers have the access and support they need to maximize treatment outcomes. Our core scope of services includes distribution, patient support programs and pharmacy services. In the regular course of our business, we accumulate a considerable amount of personal information (PI) and personal health information (PHI). We value the trust placed in us by our customers and employees, and we know that maintaining this trust requires transparency and accountability in how we collect, use, and disclose the PI and PHI. To show our commitment to protecting privacy, we have created this policy to provide a simple and straightforward explanation of what data we collect and how we use and share that information.
What privacy laws are important for this policy?
Since January 1, 2004, all Canadian organizations engaged in commercial activities have been required to comply with certain privacy laws. Different business units within Sentrex (such as Pharmacies) are required to comply with their specific provincial legislation whereas the overarching company is required to comply with national legislation. Relevant privacy laws we address in this policy are,
How is this policy organized?
For clarity, we have structured this policy around the ten PIPEDA fair information principles of the Canadian Standards Association’s Model Code for the Protection of Personal Information to detail how we protect PI and PHI data. The 10 principles are,
Who does this policy apply to?
This policy covers all our employees, directors, and officers (the “employees”), and compliance is mandatory. The employees will respect and obey all the laws, rules, and regulations of the countries in which they work, including but not limited to PIPEDA, CASL and specific provincial legislation mentioned previously.
Will this policy change in the future?
We can change this policy from time to time as legislation requirements change. This policy may be changed or not enforced by us if required by law, and all employees will be bound by any changes. Our collection, use and disclosure of the PI and PHI gained through our services will be governed by the version of this policy in effect at the time the information was collected, used, or disclosed.
How do I get a copy of the policy?
The latest version of this policy will be posted on our website and will be available upon request to us via email or mail.
The Chief Privacy Officer is responsible for:
Directors, Managers and Supervisors are responsible for:
Employees:
4.1 Definitions and Abbreviations
Definitions
Agent: A person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the custodian and whether or not the agent is being remunerated (the Personal Health Information Protection Act, 2004, s.2).
Collect: To gather, acquire, receive, or obtain information by any means from any source, and “Collection” and “Collected” have a corresponding meaning, as set out in section 2 of PHIPA with respect to PHI and PI.
Confidentiality: Confidentiality is the obligation of an organization, custodian and individual to protect the information entrusted to it, to maintain the secrecy of the information and not misuse or wrongfully disclose it (National Initiative for Telehealth Framework or Guidelines, 2003).
Privacy: Privacy is the right of an individual to control the collection, use and disclosure of personal information about them (Canadian Institute for Health Information, 2002).
Privacy breach: An event or series of events where one or more of the following occurs:
Personal health information: Personal health information is defined in the Personal Health Information Protection Act, 2004 (Ontario) (“PHIPA”) as identifying information about an individual that:
Personal information: Personal information is defined in the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Specifically, it means recorded information about an identifiable individual, including:
Security: Security is the protection of personal health information from unauthorized or unintentional loss, theft, access, use, modification or disclosure (Canadian Institute for Health Information, 2002). Security involves the protection of computer hardware and software from accidental or malicious access, use, modification, destruction, or disclosure. Security also pertains to personnel, data, communications, and the physical protection of computer installations (IEEE Standard Dictionary of Electrical and Electronic Terms).
Third-Party service: A third party contracted or otherwise engaged to provide services to Sentrex, including Electronic Service Providers.
Use: In relation to PHI or PI in custody or under the control of Sentrex, “Use” means to view, handle, or otherwise deal with the information, but does not include to Disclose the information, and “Use”, as a noun, has a corresponding meaning. For the purposes of PHIPA, the providing of PHI between Sentrex and an agent of Sentrex is a Use by Sentrex, and not a Disclosure by the person providing the information or a Collection by the person to whom the information is provided.
Abbreviations
Attn: Attention.
CASL: Canadian Anti-Spam Legislation.
CPO: Chief Privacy Officer.
IPC: Information and Privacy Commissioner of Ontario.
PHIPA: Personal Health Information Protection Act, 2004 (Ontario).
PHI: Personal health information.
PI: Personal information.
PIPEDA: Personal Information Protection and Electronic Documents Act.
PSP: Patient Support Program.
SOPSHS: Standard Operating Procedure Sentrex Health Solutions.
4.2 The Fair Information Principles
Principle 1: Accountability
What is the principle of ‘Accountability’?
The principle of accountability is ‘An organization is responsible for the PI/PHI under its control. It must appoint someone to be accountable for its compliance with the fair information principles’.
How do we meet this principle?
Sentrex has appointed a CPO who oversees the privacy program. The CPO is responsible for ensuring the privacy program is designed, delivered, and monitored appropriately. This includes, but is not limited to, managing privacy risks, complaints, incidents, and inquiries; managing patient access requests; reporting to regulatory authorities as needed; updating privacy policies and training as required; and performing any privacy audits.
How are third-party service providers held accountable?
We remain responsible for the protection of all PI and PHI that is collected, received, viewed, used, disclosed, handled, or otherwise dealt with by our employees and other Sentrex Agents, including third-party service providers who are allowed to handle the PI or PHI on our behalf. We use contracts or other means to ensure that these providers follow the same principles as outlined in this policy for the protection of the PI and PHI.
Principle 2: Identifying Purposes
What is the principle of ‘Identifying Purposes’?
The principle of identifying purposes is ‘the purposes for which the PI/PHI is being collected must be identified by the organization before or at the time of collection’.
When do we collect the PI/PHI data?
The information we collect depends on what products or services the customer is using. We identify the types of information as part of the consent process.
We can collect information from customers when they,
What is the purpose for collecting the information?
Our employees will process the PI or PHI (which includes creating, collecting, procuring, obtaining, accessing, recording, organizing, storing, adapting, altering, retrieving, consulting, using, disclosing, or destroying the data) on behalf of us, and for the purposes of performing functions, activities, or services on behalf of us, required in the service being accessed. Specifically, we collect, use, and disclose PI/PHI for the following reasons,
Principle 3: Consent
What is the principle of ‘Consent’?
The principle of consent is ‘the knowledge and consent of the individual are required for the collection, use, or disclosure of PI/PHI, except where inappropriate’, as defined in PIPEDA.
How do we meet this principle?
All PI/PHI collected and maintained by us will be subject to consent in the following ways,
All Patient Support Programs (PSPs) which are run on behalf of manufacturers at Sentrex have expressed consent to participate. Customers are required to sign (either at the physician’s office during the initial enrolment or as part of the PSP enrolment process at Sentrex). Other services such as pharmacy services will share privacy information with customers and ensure customers are informed but can rely on implied consent. By sharing prescriptions with the pharmacy, the patient is agreeing to the privacy use terms and conditions.
What happens if a customer does not consent?
If a patient does not consent to the privacy terms and conditions within a particular PSP or pharmacy service, the services cannot be provided. Data previously collected will still be retained as per data retention requirements, but additional information will not be collected.
How can consent be withdrawn?
The customer may withdraw consent to our collection, use and disclosure of their PI and PHI at any time, subject to legal restrictions and upon reasonable notice, by contacting our CPO.
Consent and electronic messages
We are committed to reducing the harmful effects of spam and related threats to electronic commerce and are working towards a safer and more secure online marketplace. CASL regulates certain forms of electronic contact, consisting of the sending of commercial electronic messages, the alteration of transmission data in electronic messages, and the installation of computer programs on a person’s computer system during a commercial activity. The key principle of CASL is that such activities may only be carried out with a customer’s consent. We comply with CASL and work with all our affiliates, customers, and partners to seek consent before communicating any commercial electronic messages. We have an unsubscribe mechanism on our websites and electronic correspondence.
Principle 4: Limiting Collection
What is the principle of ‘Limiting Collection’?
The principle of limiting collection is ‘the collection of PI/PHI must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means’.
How do we meet this principle?
Sentrex only collects PI and PHI necessary to meet the specific need for which it is being collected. We may collect PI and PHI provided by customers voluntarily, such as information entered in forms or data fields on our website, interactions through our PSP or Pharmacy services, or by other means. Different functions within Sentrex businesses have different data collection needs and thus, the data collected in one department may vary from another (e.g., PSP versus Pharmacy services).
Employee data collection is limited to the necessary information to perform the employer function related to payroll, taxes, contact information etc.
Principle 5: Limiting Use, Disclosure and Retention
What is the principle of ‘Limiting use, disclosure and retention’?
The principle of limiting use, disclosure and retention is ‘Unless the individual consents or it is required by law, PI/PHI can only be used or disclosed for the purposes for which it was collected. PI/PHI must only be kept as long as required to serve those purposes’.
How do we limit the use and disclosure of the PI and PHI?
Access to PI and PHI will be limited to those with a legitimate business need to use the PI or PHI, and it will only be used for the purposes for which it was originally obtained. PI/PHI contained in our files, whether physical or electronic, will not be disclosed to any individual by any employee until proper authorization for such disclosure has been obtained. Expressed consent will be obtained before there is any external disclosure, unless required by law.
Sentrex employees will maintain confidentiality in connection with PI or PHI entrusted to them, except when disclosure is authorized by our CPO or required by law. Whenever feasible, our employees will consult our CPO if the employee believes that there is a legal obligation to disclose PI or PHI.
We may notify external individuals and organizations if we become aware of any non-compliance with any privacy laws. This includes, but is not limited to,
Who do we share PI and PHI with?
We share data for the following reasons:
How long is the PI and PHI retained?
To comply with federal and provincial legislation, and to ensure that we can refer to the PI and PHI, when necessary, we keep records of all prescription medications dispensed. This information will be physically secured and protected. Personal and sensitive information will never be sent over public networks by e-mail unless secured by encryption and authorized by us. PI and PHI are retained by us for minimum time periods required by law. When PI and PHI are no longer required to be maintained, we will delete it, or remove personal identifying data from such information.
Principle 6: Accuracy
What is the principle of ‘Accuracy’?
The principle of accuracy is ‘PI/PHI must be as accurate, complete, and as up to date as possible in order to properly satisfy the purposes for which it is to be used’.
How do we meet this principle?
If PI or PHI is needed, wherever possible, it will be obtained directly from the person concerned. We will take reasonable steps to ensure that the PI and PHI collected is reliable, accurate, complete, and current for its intended use.
Principle 7: Safeguards
What is the principle of ‘Safeguards’?
The principle of safeguards is ‘PI/PHI must be protected by appropriate security relative to the sensitivity of the information’.
How do we meet this principle?
Our security policies and practices are designed to protect the confidentiality and integrity of the PI and PHI. We employ physical, administrative, and technological security safeguards appropriate to the sensitivity of the information. With respect to PI/PHI collected, we act as custodian of the data and take all precautions required by PHIPA and other relevant legislation to protect against any anticipated, suspected, or actual threats relating to the unauthorized access, disclosure, alteration, or destruction of the data. Specifically, we,
In certain limited circumstances, we may be required to release or provide access to PI or PHI in response to a subpoena, search warrant, court order, law, or regulation. In such cases, we will take all appropriate measures to ensure that the PI and PHI are protected to the greatest extent possible while cooperating fully with court and law enforcement authorities.
Principle 8: Openness
What is the principle of ‘Openness’?
The principle of openness is ‘An organization must make detailed information about its policies and practices relating to the management of PI/PHI publicly and readily available’.
How do we meet this principle?
To ensure we are open and transparent about how we manage and protect PI and PHI and to inform customers of their privacy rights, we post this policy on our website. If customers would like additional information about our policies and practices relating to the management and handling of PI and PHI, they can contact our CPO via,
Principle 9: Individual Access
What is the principle of ‘Individual Access’?
The principle of individual access is ‘Upon request, an individual must be informed of the existence, use, and disclosure of their PI/PHI and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate’.
How do we meet this principle?
Customers may access, update, and correct PI/PHI in our possession, subject to certain legal exceptions. Upon written request (see mailing address below), Sentrex will provide them with their PI and PHI in our possession to the extent required by law. If customers would like to access any of their PI and PHI or believe that any of their PI and PHI collected by us is incorrect or incomplete, they can send an email to our CPO at privacy@sentrex.com.
Mailing address:
Attn: Chief Privacy Officer
120 Valleywood Drive
Markham, ON L3R 6A7
Principle 10: Challenging Compliance
What is the principle of ‘Challenging Compliance’?
The principle of challenging compliance is ‘An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA and other provincial legislations, usually their CPO’.
How do we meet this principle?
If customers have any questions or complaints about this policy, or about our privacy practices in general, they can contact us via,
For more information on privacy rights or to submit a complaint regarding our privacy practices please contact the Information and Privacy Commissioner of Ontario (IPC) at,
Office of the Privacy Commissioner of Canada
112 Kent Street Place de Ville Tower B, 3rd Floor Ottawa, Ontario K1A 1H3.