Last updated: September, 2024
Purpose and Scope
CDL Laboratoires (“CDL”, the “Enterprise,” “Us,” or “We”), operating under the parent Enterprise ELNA Medical Group Inc. (“ELNA,” the “Enterprise,” “Us,” or “We”) is dedicated to upholding the highest standards of privacy and protection regarding data and Personal Information in our care. We recognize our role as a trusted steward in the collection and management of sensitive information. We value the right to full transparency in how we handle and process data and we are dedicated to building privacy into every aspect of our services and systems.
In this Policy, we explain how we collect, use, disclose, and protect information, ensuring that you are fully informed about your rights and the measures we take to uphold the privacy and security of your information. The principles outlined in this Policy are applicable during your entire relationship with us.
Whether by accessing this Website, using ELNA’s mobile app, submitting Personal Information to us of any kind, discussing your care and treatment with our medical team, or engaging with services provided by CDL, you can be confident that your Personal Information is treated with the adequate protection afforded under Canadian law, provincial legislation, and this Policy. CDL further ensures that all of our business partners, third party affiliates, and subsidiaries are aware when they have an obligation to act in accordance with either this Policy or other relevant CDL policies. CDL encourages the review of the privacy policies, procedures, and website, mobile, or cloud service standards of all CDL’s affiliates and subsidiaries.
By accessing or using the Website or by otherwise giving us your Personal Information or Personal Health Information through our Services, you indicate that you understand, accept, and consent to the privacy practices described in this Policy.
Applicable legislation
This policy is constructed in accordance with the Government of Québec’s Law 25 amendments to the Act Respecting the Protection of Personal Information in the Private Sector, the Act Respecting the Sharing of Certain Health Information, and in expectation of the in-force requirements of Bill 3, An Act Respecting Health and Social Services Information. The language and reporting process, however, have been written with CDL’s national privacy obligations in mind. The legislative authorities for this policy may extend to the Government of Canada’s Personal Information Protection and Electronic Documents Act, 2000, the Government of Ontario’s Personal Health Information Protection Act, 2004, and the Government of Alberta’s Health Information Act, 2000.
Definitions
Personal Information:
Personal Information is any information which relates to a natural person, allowing that person to be identified. All Personal Information is considered confidential information and must be handled in accordance with relevant legislation.
Personal Health Information:
Personal health information is a form of Personal Information and includes all registration, diagnostic, treatment, health service, and care information, obtained in any format (oral or recorded) that allows an individual, living or deceased, to be identified either directly or indirectly. Personal health information is highly confidential information and can include, but is not limited to:
- Any information relating to the physical or mental health of the individual, including the health history of an individual’s family.
- Any Personal Information that is contained in a file with health information is considered personal health information.
- Records of any form pertaining to any aspect of a health service program for the individual.
- Any material, biological or otherwise, taken from the individual.
- Individual identifiers including a health card number, payments coverage, or substitute decision-makers.
Information Life Cycle:
Information life cycle (“life cycle”) refers to any aspect of the collection, use, storage, retention, transfer, disclosure, accuracy, correction, disposal, or destruction of Personal Information and personal health information.
Aggregated / De-Identified / Anonymized Information
“Aggregated” information is when your information is grouped with a collection of other information large enough that it is virtually impossible for you to be identified. Aggregated data is commonly referred to as statistical data.
Information is “de-identified” if it no longer allows the person concerned to be directly identified.
Information is “anonymized” if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly. For both de-identified and anonymized data, best practices must be followed and reasonable steps taken to ensure no re-identification takes place.
Profiling
“Profiling” is the use of technology allowing a person to be identified, located or profiled. “Profiling” means the collection and use of Personal Information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests, or behaviour.
Policy Rules and Guidelines
1. Collection and Consent
CDL may only collect, use, or communicate your Personal Information and Personal Health Information with your consent. CDL must ensure that the consent you provide is clear, free and informed, and given for specific purposes. Specific purposes are purposes necessary for CDL to fulfil its mission, carry out our activities, provide you services, or create new programs. Your consent must be sought for each specific purpose and presented in simple and plain language. Consent is only valid for the time necessary to achieve the purposes for which the consent was requested.
Your consent may be obtained, subject to legislative requirements, either implicitly or expressly. There are exceptions when consent is not required. CDL will be transparent and demonstrate to you why such an exception may be invoked. You may withdraw your consent at any time, subject to legal and contractual restrictions and reasonable notice.
This Policy applies to information we collect, use, or disclose about our clients, visitors, and Website users as follows:
- On the Website, including when you interact with us through opt-in or booking forms, and newsletter sign-up forms;
- Through virtual care services such as those listed under the “Services” tab on the Website;
- On the Patient Portal;
- In email, text and other electronic messages between you and CDL;
- When you choose to participate in activities related to the Website, such as message boards, surveys, subscribing to our newsletter and marketing or promotional materials, you understand that you are under no obligation to provide us with Personal Information; however, that may limit your ability to use certain functions or request certain services or information from us; and
- When you interact with our advertising and applications on third-party websites and services if those applications or advertising include links to this Policy.
For greater certainty, this Policy does not apply in the following circumstances:
- When you use our virtual care services and input Personal Information, including Personal Health Information, we will ask for your express consent for us to collect, use and disclose such information for the purpose of providing you access to such services.
- Your use of our virtual care services is subject to the terms of use and privacy policy of such platform or website to which you may be redirected. We encourage you to carefully read the terms of use and privacy policy of each platform prior to use or registration; and
- When you register for a Patient account under the “Patient portal” tab on our Website, you will be directed to our trusted electronic medical record providers who have privacy policies CDL has vetted to ensure the provider policies you agree to are substantially similar, but not subject to, this Privacy Policy or other CDL policies.
- When you click on an icon or link on our Website such as “ → ”, you will be redirected to external sites. The external sites that are not represented in this Policy’s meaning of our “Website” are responsible for their own privacy policies. When you are redirected from our Website, this Privacy Policy is not in effect.
2. Information We Collect About You
When you use our Services or Website, we may collect Personal Information about you directly from you, including, but not limited to, surveys, search queries, or fillable forms you submit on the Website, or when you communicate with us through any medium.
The Personal Information that may be collected about you includes:
- Identifiers, such as name, initials, and date of birth;
- Contact information, such as your email address, phone number or residential address;
- Demographic information, including your gender and age;
- Payment information, such as bank account numbers, credit cards, etc.;
- Your areas of interest in our activities;
- Publicly available information, including Personal Information that appears in a publication such as a magazine or newspaper, where such collection is permitted by law;
- Personal Health Information, as defined in this policy such as your medical records, personal and family health history, health card information, payment information, health insurance information, records of your visits to the Company and the care that you received; and
- Application information, if you choose to apply for a position at the Company, including the information contained in your resume and cover letter as well as any information you decide to share with us as part of the application process.
Additionally, we obtain certain information about you automatically when you sign up to use our Wi-Fi or use our Website, through automated technologies, including cookies or other tracking technologies deployed by our third party advertisers. This information includes:
- Technical information such as login information, hardware and software you use to interact with our Website, device identifiers, language, your mobile network information, the settings you use on our Website, your network location, and your IP address and location; and
- Website usage information such as searches conducted on the Website, the services you choose, links accessed, referring page, pages visited, and time spent on each page.
When CDL collects your Personal Information, you will be informed of:
- The purposes, means, and right of access or rectification to the information collected; and
- Your rights pertaining to the withdrawal of your Personal Information.
You also have the right to further request:
- The Personal Information we have collected on you; and
- The categories of persons who have access to your Personal Information.
The information we collect automatically is used to help us improve our Website and to deliver better and more personalized services across the ELNA ecosystem. Our technological products are subject to CDL’s Confidentiality Policy and we ensure those product settings provide the highest level of confidentiality by default.
Information collected in the Province of Québec has the possibility of being held, communicated, or used outside of the Province of Québec. The collection of information in Québec that is subsequently held, communicated, or used outside Québec by CDL business partners, third party affiliates, and subsidiaries is subject to mandatory Privacy Impact Assessments (PIA).
Each PIA will assess whether the information will receive “adequate protection” compared with that which it would receive if the data were maintained within Québec. Should such due diligence result in CDL not being satisfied that the adequate protection standard is upheld, we must and will refuse to release the information.
3. How We Use Your Information
We may use your Personal Information for the following purposes:
- Communication. We use your identifiers and contact information to communicate with you, including providing notices for upcoming appointments, providing you with information that you request from us, notifying you of changes to our Website or services, or keeping you informed about Company activities. We also use aggregated demographic information to help us communicate more effectively;
- Payment Processing. We use your payment information to process payment for your treatment and virtual care;
- Delivering the Website. We use technical information to present the Website and its contents to you, including interactive features, questionnaires, social media or similar features of the Website;
- Delivering Care and Services. We use your Personal Information to deliver virtual care and administrative services;
- Improving our Website. We may use your Website usage information to improve our Website or services;
- Improving our Services. We may use your identifiers, demographic information, and areas of interest to improve our marketing, or customer relationships and experiences;
- Analysis. We may use your Personal Information for internal analysis to assist in the execution of ELNA and CDL’s strategic vision of creating a seamlessly integrated care ecosystem for our clients;
- Research purposes. We may use your Personal Information to generate de-identified, aggregated, or anonymized data. The de-identification/anonymization process will be conducted according to industry recognized best practices to minimize any risk of re-identification. We may then use and disclose these de-identified or anonymized data for research purposes, activities to improve the quality of care, or to evaluate our services, to the extent permitted by applicable laws and in compliance with the applicable privacy laws. We may also seek your interest and consent to participate in research projects and activities;
- Strategic Data Utilization. We may use your Personal Information to generate aggregated, de-identified, or anonymized data. The de-identification or anonymization process will be conducted according to industry recognized best practices with the goal of eliminating the risk of re-identification. We may then use, internally or with third parties, these transformed data to support the expansion and improvement of telehealth or digital health initiatives, to refine the services CDL offers to you, or to contribute to the development and expansion of the ethical, responsible, and evidence-based application of artificial intelligence technologies in the healthcare domain.
- Where permitted or required by law. We may use your Personal Information to meet legal requirements, carry out and enforce our rights, or fulfill other purposes permitted or required by law.
CDL shall inform you of any usage of your Personal Information that renders a decision regarding your care or services based exclusively on the automated processing of information. You have the right to submit observations regarding the automated processing decision.
4. Sharing of Your Information
Your Personal Information or Personal Health Information may be disclosed to physicians, health care professionals, and staff directly involved in your health care with your consent. In addition, the Company may disclose your Personal Information under the following circumstances:
- To payment collection service providers, where necessary to establish and collect payment;
- To detect, prevent or otherwise address fraud, security or technical issues;
- To facilitate a merger, acquisition, reorganization or sale of all or a portion of Company assets;
- When you have expressly consented to the disclosure;
- When your Personal Information or Personal Health Information is fully transformed into anonymized data and is no longer considered Personal Information; or
- As required or authorized by law to do so without your consent.
We may also engage certain third-party service providers or agents to provide services to us, including information technology services. To the extent that these service providers have access to your Personal Information, they are obligated by us to protect your Personal Information to a level of security similar to that which we provide.
Québec Residents: Before sharing your Personal Information outside of Québec, CDL is obligated to conduct a privacy impact assessment to ensure your information will receive adequate protection in the province or state in which the information will be shared.
All CDL clients may contact our Privacy Officer at the contact information set out below (10. Contact Us) in order to obtain written information about our policies and practices with respect to service providers and affiliates outside Canada, or to ask questions about the use, disclosure or storage of Personal Information by such service providers and affiliates outside Canada.
5. Securing Your Personal Information
It is CDL’s ethical and legal responsibility to ensure the adequate handling, protection, usage, retention, disposal, and safeguarding of all Personal Information and personal health information in its custody. CDL’s privacy governance program establishes an accountability framework encompassing the entire life cycle of data collected by us.
We have also established appropriate physical, technical, organizational, and administrative safeguards to protect the Personal Information we collect from or about our users, such as facility access control and workstation security. In addition, our patient information system uses passwords and firewalls to protect from inappropriate access, our Patient Portal accounts are password-protected, and sensitive information is secured, whenever possible or practical, through encryption technologies. CDL monitors and logs any suspected or discovered compromise of information, notifies relevant authorities, and makes every effort to rectify it. We conduct privacy impact assessments, when required by law, for new projects and partnerships.
You understand that no method of communication of Personal Information, in-person or technological, can be guaranteed to be 100% secure. CDL’s information system safeguards, however, are structured with privacy by design as a central tenet to ensure we have taken all adequate and reasonable steps to protect your Personal Information.
If you have any questions about security or have reason to believe your interaction with us is no longer secure, we encourage you to notify us immediately at our contact information below.
6. Retention
We will retain your Personal Information to meet our contractual and care obligations to you, while any account you activate on or through the Website is operational, and for the length of time necessary to comply with our legal and ethical obligations, resolve disputes, and enforce our agreements. We retain Personal Health Information for at least the minimum retention period required by applicable provincial medical regulators. When the purposes of collecting your Personal Information are achieved, it will be securely destroyed, permanently anonymized, or de-identified as required or permitted by applicable privacy laws.
7. Exercising Your Data Protection Rights
Access and Rectification Rights
You have the right to know of the existence of the Personal Information we hold about you, the right to have that information communicated to you in a structured and intelligible format, the right to challenge the accuracy of the information about you, and the right to have inaccuracies rectified.
Please contact us at the contact information below (10. Contact Us) to request access to your Personal Information or change your preferences.
We will request documentation to confirm your identity prior to providing access to Personal Information, and we may not grant access in all circumstances (for example, where granting access would likely reveal the Personal Information of another party and the record is not severable). If the Personal Information is of a sensitive medical nature, we may grant access through a medical practitioner. If you have made a request and are not satisfied with our decision, you may submit a formal complaint to your relevant privacy commissioner, who may be able to review our decision.
Withdrawing Consent
Where you have provided your consent to us processing your Personal Information, you may have the legal right to withdraw your consent, subject to reasonable notice and certain restrictions. Certain personal health information cannot be withdrawn as it is essential for the provision of care services to you.
To withdraw your consent, if applicable, contact us at our contact information below. Please note that if you withdraw your consent, we may not be able to provide you with a particular product or service. We will explain the impact to you at the time to help you with your decision.
Do Not Track
Some web browsers have a “Do Not Track” feature. This feature allows you to tell websites you visit that you do not want to have your online activity tracked over time and across websites. These features are not yet uniform across browsers. The Website is not currently set up to respond to those signals.
Other Rights
Depending on your jurisdiction, you may also have other rights, which can be exercised by contacting the relevant contact information set out below. These rights may include:
- The right to make a complaint to us;
- The right to make a complaint to a privacy commissioner;
- The right to request deletion of your Personal Information;
- The right to opt out of marketing communications; and
- The right to request a portable copy of your Personal Information.
8. Links to Other Websites
The Website may include links to third-party websites or resources, or third-party information referencing or linking to third-party websites or resources. Clicking on those links or enabling those connections may allow the third party to collect or share information about you. If you follow a link to a third-party website or engage a third-party plugin, please note that these third parties have their own privacy policies and the Company does not accept any responsibility or liability for these policies. We do not control these third-party websites, and we encourage you to read the privacy policy of every website you visit.
9. Changes to this Privacy Policy
We reserve the right to change this Policy from time to time in our sole discretion. When we do, we will also revise the “last updated” date at the top of this Policy. We encourage you to periodically review this Policy in order to ensure that you are familiar with our data protection practices.
10. Contact Us
If you have questions or concerns about this Policy, our information handling practices, or any other aspect of privacy and security of your Personal Information, or if you would like to make a complaint in relation to the protection of your Personal Information, please contact us at:
ATTN: PRIVACY OFFICER
CDL Laboratoires
5990 Ch. de la Côte-des-Neiges
Montréal, QC H3S 1Z6
[email protected]
For more information on your privacy rights, you may contact the Commission d’accès à l’information du Québec: https://www.cai.gouv.qc.ca/.