1. AURUM GROUP
The Aurum Group of Companies is committed to protecting your right to privacy. The following describes how the personal information, which we collect from you in connection with our business relationship, will be handled and your rights to limit use of that information.
2. PIPEDA AND WHAT IT MEANS TO US AND YOU
3. PERSONAL INFORMATION
The Government of Canada has announced its Digital Charter, and launched its National Digital and Data consultations by publishing an accompanying paper entitled Strengthening Privacy for the Digital Age, which included numerous recommendations for amending PIPEDA.
In its Digital Charter, the Government of Canada tackles digital and data transformation, setting out its ten principles to guide amendments to PIPEDA. The proposed amendments include:
a) Enhancing the control and transparency that individuals have over their personal information by requiring specific standardized plain language information on its use;
b) Providing data mobility opportunities to support greater individual control over data and promotion of consumer choice; and
c) Strengthening enforcement mechanisms, including enhanced penalties for non-compliance.
The Prime Minister’s Office has delivered a mandate letter to the Minister of Innovation, Science and Industry, outlining a number of data protection initiatives for the Ministry, to potentially include:
a) advancing Canada’s Digital Charter;
b) enhancing the power of the Office of the Privacy Commissioner of Canada, such as adding the ability to award administrative monetary penalties, creating new offences, or providing additional oversight by the Federal Court of Canada to incentivize compliance;
c) establishing a new set of rights for individuals online, including:
i. data portability/privacy; and
ii. the right to be forgotten.
d) enhancing knowledge of how personal data is being used; and
e) creating new regulations for large digital companies to protect personal data and to encourage greater competition in the digital space.
Each of these amendments, if implemented, has the potential to effect a fundamental change in the way we would be able to collect, use, and disclose personal information. These amendments would serve to better align us with the data protection regime in the European Union under the General Data Protection Regulation (GDPR), and to better allow for free data exchanges between the EU and Canada, with the exception of employee data and under certain conditions.
4. Health Insurance Portability and Accountability Act (HIPAA)
The Privacy Rules in the USA under HIPAA address patient privacy issues and regulate how private health information can be used and disclosed. This private health information includes all personal medical records and any other health information that is created or received by a health care provider. As we work closely with dentists to treat their patients, we may come into contact with some of this health information, and as such we have a duty to protect patient privacy. We have implemented policies and procedures for ensuring proper protection of privacy and data security.
However, the Privacy Rules under HIPAA do not require that we establish a Business Associate Agreement with our Dentist customers regarding the protected health information, as dental laboratories are defined as “Health Care Providers” under HIPAA, and the “laboratory services” being rendered by us are for “treatment” purposes only and do not include any other administrative services provided on behalf of the dentist. Moreover, the Aurum Group does not receive the following patient information:
a) patients’ telephone numbers;
b) patients’ addresses;
c) patients’ medical records;
d) patients’ personal family information; or
e) any other personal information belonging to the patient not required for treatment purposes.
The information that we receive from the dentist is limited to the patient’s name, sometimes gender, and if required, the patient’s health issues, used to identify their case and in its treatment. We do not receive, collect, or maintain patients’ telephone numbers, addresses, birth dates, social security numbers, medical records or data directly identifying individuals’ relatives, employers or household members; such information being defined as the “Protected Health Information”.
Health care providers are allowed under the HIPAA privacy rule to disclose individually identifiable health information to another health care provider as necessary for patient treatment. In the case of a dental laboratory, such treatment includes the actions of the laboratory in providing the prosthetic, the communication between the dentist and the laboratory, and supplying prosthesis to the patient.
Furthermore, the NADL, the ADA, and the Office of Civil Rights (the Health and Human Services agency charged with HIPAA Privacy Rule enforcement provisions) reinforce the belief that dental laboratories are health care providers, and as such no Business Associate Agreement is required to share protected health information for treatment purposes.
Concerned dentists can access the American Dental Association’s HIPAA Hotline at 312-440-2899, ext.3, for a recorded message explaining that dental laboratories are not business associates and thus no business associate agreements are required. Although a business associate agreement is not required between us and the dentist, we are dedicated to preserving the confidentiality of all of our customers, and no privileged doctor-patient confidential information we receive from you will be released without the dentists’ specific permission.
5. Personal Information
The Aurum Group collects personal information by reasonable, lawfully permitted means and thus we limit the collection, use and disclosure of personal information to that which is reasonably necessary to administer our dental laboratory business. Thus, this may include collection in order to understand your specific needs, in order to meet legal, regulatory and contractual requirements, to facilitate the delivery of products and services to you, to maintain your contact information, and to provide information to you. We will identify the reasons for which we collect your personal information, either before or at the time of collection. We will only collect, use and disclose your personal information with your knowledge and consent, except where otherwise permitted or required by law. Our collection of your personal information will be restricted to what is reasonable and necessary for the reasons identified to you, and shall only be collected by reasonable and lawful means. Your personal information will only be used, disclosed or retained for the purposes for which it was originally collected, unless you have permitted otherwise, or when required or permitted by law. We will only retain your personal information for the period of time necessary to fulfill the purposes for which it was collected. Lastly, information about our policies and practices at Aurum Group will be made readily available to you upon request.
5.2 Personal Information Defined
“Personal Information” includes all the information provided to us by our customers, employees, suppliers, contractors, and consultants, and may also include, but is not limited to, customer account information, dentist’s patient health information if required for the treatment of that patient’s case, and information customers provide to us during the normal course of communication between dentists and Aurum Group staff.
More specifically, the information that we may collect is dependent upon the party from whom the information is being collected and the reason for its collection.
5.3 Forms of Collection
Depending on the relationship you have with us, we may collect your personal information through various forms including, but not limited to, Aurum Group prescription pads, email, the Brightsquid Dental platform, employment forms, insurance forms, our website, etc.
5.3 (a) Email and Email Campaigns:
If you are a customer, prior to marketing to you through email, we will confirm with you that we have your permission to do so. Any and all email campaigns will be compliant with HIPAA and PIPEDA guidelines, will comply with CASL, as well as any other USA legislation applicable to email use, and specifically will include the following:
• a double opt-in where permission to send the email is received both at the time of sign-up with us, and upon receipt of the first message;
• identification of the message source, and if to US recipients, a postal address for the message origin;
• an “unsubscribe” function; and
• a contact email address for questions and concerns
5.3 (b) The Aurum Group Website:
Prior to collecting any of your personal information through our website, we will explain to you what we intend to do with that information.
5.4 Employees, Suppliers, Consultants, & Contractors
If you are, or are potentially, an employee or contractor/consultant, we collect your name, address, telephone number, and other relevant personal information including emergency contacts, family and health benefit information, past employment, educational experience and evaluative information.
We use your personal information for lawfully authorized purposes relevant to our employment/contracting relationship including:
• Administration of benefits and payroll
• Entitlement for benefits, raises, bonuses and/or promotions
• Business development and marketing
If you are a customer, we may collect personal information that we require in order to complete your project satisfactorily. We may collect information about you, and, if applicable, your employees, and/or others associated with your organization (such as contractors or consultants). These requests may include name, telephone, fax, email address, job title, and any other information that may be required as your project progresses. This information is used for:
• Confirming your business identity
• Entering into a service contract with us
• Development of plans and documents necessary to the satisfactory completion of your project
Providing ongoing service in doing a project for you, we may require your patient information, including:
• the name of your patient
• your patient’s health information provided solely for the purpose of completing the project
Consent is defined as the “voluntary agreement with what is being done or proposed”. Consent can be explicit or implied, or by not opting out. Express consent is given explicitly, either orally or in writing. Express consent is undisputable and does not necessitate any presumption on the part of Aurum Group when seeking the consent. Implied consent occurs where consent may logically be understood from the action or inaction of the individual.
Consistent with privacy principles and applicable legislation, and where reasonably possible, the Aurum Group only collects, uses or discloses personal information with the consent of the individual. The Aurum Group is careful to select a fair and reasonable form for the consent required in the circumstances.
If you are an employee or contractor/consultant, you are hereby notified that your personal information will be collected, used and disclosed to establish and generally to manage our employee or contractor/consultant relationship and facilitate the completion of projects with third parties. In certain limited circumstances consistent with law and regulation (e.g., legal, medical, or security reasons) personal information can be collected, used or disclosed without your knowledge or consent.
If you are a customer, you consent to supply certain pertinent personal information. You consent to the use of that personal information to administer, implement and perform our services as they relate to your project. You also represent that you have obtained the consent required by applicable laws and policies to the disclosure of that personal information. In certain limited circumstances consistent with law and regulation (e.g., legal, medical, or security reasons) the personal information can be collected, used, or disclosed without your knowledge or consent.
7. Use & Disclosure of Personal Information
The Aurum Group will not use or disclose Personal Information for purposes other than those for which it was collected, except with your consent or as required by law. Your Personal Information shall be disclosed only to those who have a “need to know” and the specific information shall be restricted to only that information relevant to the recipients’ need to know. Those who need to know may include employees, contractors, consultants, and dental and other health benefit providers. Also, the Personal Information disclosed is limited to only that Personal Information required for the purpose. You may specify restrictions on the parties to which we disclose your Personal Information, or restrict the content.
WE WILL NOT SELL YOUR PERSONAL INFORMATION. We will not use or disclose it to third parties without your knowledge or permission, except in special circumstances, where consent is not required under legislation.
7.1 When we may use your information without your consent
The Aurum Group may use your Personal Information without your consent or knowledge only where:
• We have reasonable grounds to believe that the Personal Information could be useful when investigating a contravention of a federal, State, provincial or foreign law and the information is used for that investigation;
• for an emergency that threatens an individual’s life, health, or security;
• for statistical or scholarly study or research (in such case the Aurum Group must notify the Privacy Commissioner of Canada before using the information);
• if it is publicly available as specified in the applicable legislation;
• if the use is clearly in the individual’s interest and consent is not available in a timely way; or
• if knowledge and consent would compromise the availability or accuracy of the information and collection was required to investigate a breach of an agreement or contravention of federal, State, or provincial law.
7.2 When we may disclose your information without your consent
The Aurum Group may disclose your Personal Information without your consent or knowledge only:
• to a lawyer representing the Aurum Group;
• to collect a debt you may owe to the Aurum Group;
• to comply with a subpoena, a warrant or an order made by the court or other body with appropriate jurisdiction;
• to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, or any other applicable anti-money laundering Act;
• to a government institution that has requested the information, identified its lawful authority to obtain the information, and indicates that disclosure is for the purpose of enforcing, carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law, or suspects that the information relates to national security, the defence of Canada or the conduct of international affairs; or is for the purpose of administering any federal, state, or provincial law;
• to an investigative body named in the Regulations of the Act or government institution on the Aurum Group’s initiative where the Aurum Group has reasonable grounds to believe that the Personal Information concerns a breach of an agreement, or a contravention of a federal, State, provincial, or foreign law, or suspects the information relates to national security, the defence of Canada or the USA, or the conduct of international affairs;
• if made by an investigative body for the purposes related to the investigation of a breach of an agreement or a contravention of a federal, State, or provincial law;
• in an emergency threatening an individual’s life, health, or security (the organization must inform the individual of the disclosure);
• for statistical or scholarly study or research (Aurum Group must notify the Privacy Commissioner before disclosing the Personal Information);
• to an archival institution;
• 20 years after the individual’s death or 100 years after the record was created if in Canada;
• if it is publicly available as specified in the applicable legislation; or
• if required by law.
We may disclose your personal information as follows:
• To someone authorized to collect it on your behalf
• To others within Aurum Group for management and administration of our business relationship
• For benefits, raises and payroll purposes
For business development and marketing we may disclose the information we collect to certain third parties including:
• Third parties such as contractors, suppliers and consultants, as required to satisfactorily complete their contractual obligations with you
• Other business units of Aurum Group to help serve you better
Any information shared will be done so with the condition that they will only use and retain such Personal Information for the specific purpose for which they are engaged by Aurum Group. Any third party to which Aurum Group discloses your Personal Information is required to protect the confidentiality of your Personal Information in a manner consistent with our own internal process, or as required by law.
8. Third Party Transfers
As specified in Section 6 above, from time to time the Aurum Group may retain third parties to help us promote, implement and administer our services. As such, the Aurum Group may need to transfer to these third parties the personal information they need to perform their obligations. “Transfer” is a “use” by an organization and is not to be confused with disclosure. In such cases, the Aurum Group must take all reasonable steps to protect the personal information from unauthorized uses and disclosures while in the hands of the third party. The Aurum Group will thus take all reasonable contractual steps to ensure that a comparable level of personal information protection is provided by these third parties, including restricting their use of the information for any other purpose.
When we disclose or provide your personal information to a third party as permitted by these principles, the Aurum Group will require them, by agreement, instruction or otherwise, to comply with the requirements that are embodied in these principles. We will also ensure that we are satisfied that the third party has similar policies and processes in place, including training of the staff and other effective security measures to ensure that the information in its care is properly safeguarded at all times. The Aurum Group will also retain the right to audit and inspect how the third party handles and stores the information transferred to them, and we will, if needed, exercise our right to audit and inspect the information.
The Aurum Group will make every reasonable effort to ensure that the personal information we obtain from you will be maintained as accurately and completely as necessary for its purpose. Your personal information will be verified in our records and updated if necessary each time you notify us of a change, and as practical during the course of our business relationship with you. It is your responsibility to notify us immediately of any change in personal information which you have previously supplied to us. For more information on accuracy of your information, please see Section 10 below.
10. Retention and Security of Your Information:
We will only retain your personal information for the period of time required to fulfill the purposes for which it was collected, or as required by law. We will protect the personal information we collect with security safeguards appropriate to the sensitivity of the information.
The Aurum Group maintains complete records of the storage locations of personal information, both paper and electronic.
The Aurum Group will take appropriate security measures to protect your personal information against loss, theft, unauthorized access or disclosure, improper use, alteration or destruction. We currently employ physical safeguards such as security systems, locked storage on and off-site, locked storage access limited to restricted personnel only, offsite backup, etc.
We also have technological safeguards in place such as network security, firewalls, antivirus, encryption, etc. The administrative safeguards we have in place include employee training in privacy issues, and circulation of and mandatory compliance with Privacy Policies and Privacy Code.
If you are a customer, upon your written and reasonable request, your personal information will be erased from our records, though removal of your personal information from our records may affect our ability to provide you with our services or products.
If you are an employee or contractor/consultant, personal information that is no longer necessary or relevant for the identified purposes or required to be retained by law will be destroyed, erased or made anonymous or unidentifiable. We may retain your personal information for up to seven (7) years.
If you are a customer, personal information that is no longer necessary or relevant for the identified purposes or required to be retained by law will be destroyed, erased or made anonymous or unidentifiable. When seven (7) years have elapsed after the substantial completion of your last contract, all personal information pertaining to you and your employees will be permanently destroyed and erased from our records.
You have the right to ask whether we hold any personal information about you, what kind of information we are holding, and what we use and disclose your information for. You can request access to your personal information maintained by Aurum Group at any time. We will respond to your request within 45 days. There may be a small charge for each request. If charges apply, we will notify you in writing and seek your approval of the charges prior to processing your request. If you believe any of the information we have collected from you is incorrect or incomplete, you have the right to request us to change it. Where we have obtained medical information about you from a dentist, we will only release this information to you and/or back to the dentist.
You may submit your request in writing to the Aurum Group’s Privacy Officer:
115-17th Avenue S.W.
Calgary, AB T2S 0A1
Attn: Rita Schlegel
Chief Privacy Officer
Please specify as much as possible which personal information you are requesting. We will respond as quickly as possible, and we will inform you if for some reason we are unable to respond within the 45 day time frame. In certain specific circumstances, we have the legal right to refuse your request for access.
We reserve the right to revise this policy from time to time, as privacy laws and practices evolve and will publish revisions at our earliest reasonable convenience.
Aurum Group © (2020). Reproduction of this work in whole or in part by any means whatsoever is strictly prohibited without the express written consent of Aurum Ceramic Dental Laboratories Co. All rights reserved.