Last updated October 19, 2023
Introduction
Think Research Corporation and its subsidiaries (“TRC”, “Think Research”, “us”, “we” or “our”), provide knowledge-based digital health software solutions which support clinical decision-making processes, standardize care, and facilitate better health care outcomes. Our customers typically include enterprise clients, hospitals, regional health agencies, healthcare professionals, and/or governments. Primary care, acute care, and long-term care doctors, nurses and pharmacists rely on our solutions to support their practices.
In offering these various products and services to clients and end users in dozens of countries around the world, Think Research Collects, Uses, and Discloses Personally Identifiable Information (PII) through a variety of channels, and our conduct is governed by Privacy and/or data protection legislation in each of those regions. This is a complex set of obligations and Think Research takes individuals’ Privacy and the Security of their PII very seriously.
This policy establishes Think Research’s core commitments around the Collection, Use and Disclosure of PII, regardless of line of business or jurisdiction. Specific offerings or services may have additional requirements that apply in a particular context, but this policy establishes our baseline position. All Think Research employees, contractors and suppliers must comply with this policy. If this policy conflicts with another policy in the organization, this policy will prevail. If this policy conflicts with Applicable Legislation in a given circumstance, the legislation will prevail.
Anyone with questions or concerns about this policy, or about whether our practices comply with it, is encouraged to contact us using the details provided in Section 4 below.
Definitions
For the purposes of this policy, and the Privacy Program at Think Research, the following will be the standard definitions for the listed terms. Where defined terms are used in this policy, they are capitalized.
Applicable Legislation – means (all) Privacy and/or data protection legislation that may apply in a particular circumstance (e.g. PIPEDA within Canada, HIPAA within the United States, the GDPR within the UK/EU, etc.)
Collect – in this context, means to request and/or receive PII (whether from the data subject or a third party), other than as may be excepted under Applicable Legislation.
Confidential Information (CI) – means information that must be protected from unauthorized access, for any of a variety of reasons (e.g. trade secrets), and includes PII.
Consent – refers to an individual’s agreement (or that of their substitute decision-maker, if any) to a proposed course of action concerning the handling of their PII. Note that Consent may be explicit or implied, depending on the circumstance.
Controller – is an entity that has legal control (if not custody) of a quantity of PII, and determines the Purposes and means of its Processing.
Disclose – in this context, means to provide a quantity of PII to a third party (i.e. other than the data subject), other than as may be excepted under Applicable Legislation.
Employee Personal Information (EPI) – means employment-related information about an identifiable individual (e.g. a staff member’s salary).
Personal Health Information (PHI) – means healthcare-related information about an identifiable individual (e.g. a patient’s or study participant’s blood type).
Personally Identifiable Information (PII) – means information about an identifiable individual (e.g. a customer), and includes PHI, SPI and EPI.
(Data) Privacy – refers to an individual’s control over how PII about them may be Collected, Used, Disclosed, or otherwise handled.
Process(ing) – refers to the Collection, Use, Disclosure, and/or general handling of PII, whether by a Controller or a Processor.
Processor – a contracted third party, who Processes PII on behalf of, and in accordance with, the instructions of another party, whether that party is a Controller, or a Processor themselves.
Purposes – in this context, means the identified reasons for which some quantity of PII is being requested/Collected, including its intended Use(s); which inform an individual’s Consent decision(s).
Security – with regard to protecting valuable assets like electronic information systems or data, is the means of achieving an acceptable level of residual risk to those assets.
Sensitive Personal Information (SPI) – means information about an identifiable individual that is of an especially sensitive nature (e.g. PII relating to children, gender identity, sexuality, religious or philosophical beliefs, ethnicity, political affiliation, etc.), as may be defined in Applicable Legislation.
Sub-processor – see Processor.
Use – in this context, means to Process PII for some Purpose, other than as may be excepted under Applicable Legislation.
Core Principles
As a Canadian company, Think Research’s Privacy compliance practices are based on the Canadian Standards Association’s “ten fair information principles” (CAN/CSA-Q830-96). However, with operations, clients and end users in over fifty countries around the world, our framework has necessarily expanded to account for additional obligations in those other jurisdictions (e.g. under the General Data Protection Regulations [GDPR] of the European Union and the United Kingdom, or the Health Insurance Portability and Accountability Act [HIPAA] of the United States, etc.) as follows…
Accountability
Think Research is accountable for the PII in its custody and/or control. It has appointed a Privacy Officer, who is accountable for the corporate compliance program and its alignment with all sources of Privacy-related obligations (e.g. legislation, business agreements, or applicable Consents).
Note that in providing its services and products, Think Research’s roles and obligations with respect to any involved PII may vary:
- In offering some of our services (e.g. MDBriefcase), where we may have a direct relationship with individuals, Think Research is directly accountable for the PII in our care. (i.e. we may be a Custodian, Trustee, Controller or Covered Entity, as those terms are defined in various laws); or
- In other circumstances (e.g. our Digital Front Door offering), Think Research may be responsible for Processing PII on behalf of, and at the direction of, a client organization (i.e. we may be the client’s Agent, Processor, Sub-processor, or Business Associate, as those terms are defined in various laws); and
- In some very specific circumstances, we may have additional roles and responsibilities under Applicable Legislation, given the nature of a service or product being offered (e.g. as an Electronic Service Provider, or Health Information Network Provider, as those terms are defined in various laws).
Legal Bases
In Collecting, Using or Disclosing PII, Think Research does so under one or more legal bases, depending on the services, circumstances, and Applicable Legislation:
- Most often with the Consent of the individual, whether explicit or implied. Note that in some circumstances, where Think Research operates as a Sub-processor on behalf of our clients’ interests, the client may have Collected any required Consents;
- We may handle PII further to the terms of a business agreement with a client, who may have provided the PII, or authorized us to Collect it on their behalf;
- In some circumstances, we may have a legal obligation to Process PII in a particular way, including Disclosure to third parties (e.g. mandatory reporting of some diseases to public health authorities);
- In rare circumstances, to protect the vital interests of an individual or group of individuals (i.e. to mitigate a reasonable risk of harm);
- Further to our organization’s legitimate interests, related to our business and the Purposes for which PII was Collected, or for a consistent Purpose.
Data Collection Purposes and Limits
As mentioned above, Think Research offers several products and services to clients and individuals around the world. As a result, there are a variety of data flows, by which we acquire custody and/or control of PII:
- In some of our service facilities, we provide healthcare directly to patients, and so Collect or produce health-related details related to those individuals;
- During research studies, from the involved subjects/volunteers/participants;
- Several of our offerings are delivered via the Internet, so PII is regularly Collected via websites, and web or cloud-based platforms in various business units;
- Via similar web and software components that we run on behalf of our clients;
- Via e-mail, the telephone, secure document sharing, and during live video chats;
- Commonly, directly from our business clients.
Where Think Research Collects PII directly from individuals, it identifies the Purposes for the Collection, at or before the time of Collection, it does so by fair and lawful means, and limits the Collection to that data which is required for the Purposes identified by the organization or the involved client. In other circumstances, where we are acting on behalf of a client organization, the identification of Purposes for Collection, and the gathering of any required Consents, may be handled by the client.
In the course of providing our services (note: specific practices may vary by service and/or region), we may Collect and/or Use the following types of information for the following Purposes:
Category | Examples | Purposes |
Identity Information | A name, username, employee number or similar identifier, marital status, date of birth, race/ethnicity and gender. | |
Contact Information | Billing addresses, postal addresses, email addresses and telephone numbers. | |
Job Applicant Information | Résumés, cover letters, reference letters, employment history and interests. | |
Employee Personal Information | Job title, place of work, hire date, employment history, salary, work address, SIN/SSN, family details, benefits-related information. | |
Personal Interaction Information | Telephone recordings and transcripts, records of communications (such as emails, letters, online chat, etc.). | |
Digital Interaction Information | Geolocation data, IP address, login data, platform access credentials (e.g. user IDs, passwords, PINs), browser type and version, time zone setting and location, browser plug-in types and versions, operating system, type of device used and other technologies related to the devices used to access our websites and/or our apps. | |
Note: For more information relating to our use of cookies, Google Analytics, and related technologies, please refer to this webpage's Cookies Policy.
Financial Information | Banking information, email addresses linked to electronic transfers, employee salary and payment information. | |
Transaction Information | Details about payments to and from individuals, and other details of products and services that they have purchased from us, including customer account numbers. | |
Training Information | Details about completed online courses or test scores. | |
Personal Health Information | Details about: patient demographics; health history; risk factors; medications and treatments; medication error data; laboratory results; health card number; health insurance information; clinical notes; care elements; photographs and other images; family history; problem lists; allergies and adverse reactions; immunizations; appointments; reports received; research study data; alerts and/or special needs; prescriptions. Note that the list above is not exhaustive, but generally describes the sorts of Personal Health Information that we might Collect across our various service offerings. | |
Note: Personal Health Information (PHI) Collected for the Purpose of providing one service will not be Used or Disclosed for the Purpose of providing any other service. Although some PHI may be Used by Think Research in data analytics, it will not be Disclosed in a way that allows identification of any individual.
Biometric Information | Weight, height, body mass index, waist circumference, cholesterol, lipoprotein, triglycerides, glucose and blood pressure readings, sleep patterns or other similar information provided through connected devices or through completed assessments. | |
Note that Think Research operates several services and solutions that are typically integrated within a client’s web-based platform or program. In these cases, Think Research takes on the role of Processor to the clients’ Controller role (or equivalent terms, under the governing legislation), in which case, all Collection, Use or Disclosure of PII by Think Research is on behalf of, and at the direction of, the client, for their Purposes.
Limiting Use, Disclosure, and Retention
Unless an individual Consents otherwise, or as may be permitted or required by law, Think Research will only Use and Disclose PII for the Purposes for which it was Collected, and will only retain it for as long as required to serve those Purposes.
Use
The specifics of any Collection and Use of individuals’ PII will vary somewhat, depending on which Think Research products or services are involved, and which details of PII are provided to us. In any case, we may Use PII in the following ways:
- As explained in this policy, or as further explained in our platforms’ Terms of Use, Consent statements, and/or Notices of Privacy Practices;
- For the Purposes that are identified to the individual before or at the time the information is Collected (e.g. as on a related Consent form);
- To provide services, whether directly to individuals or on behalf of a client;
- To verify or authenticate an individual’s identity (e.g. when visiting one of our websites);
- To manage accounts and provide support when an individual contacts our Service Centres;
- To plan, evaluate and monitor the services we provide;
- For research and quality improvement activities (such as sending patient satisfaction surveys), or statistical analysis;
- To generate de-identified, aggregated, or anonymized information that does not reveal anyone’s identity. Think Research Uses this information to conduct research, compile aggregate data sets, statistics, and reports, and to perform analytics on our services, service standards, business operations, and trends;
- To improve customer service – Information provided to us by individuals helps us respond to customer service requests and support their needs more efficiently;
- To personalize user experiences – We may Use aggregate information to better understand how our users as a group use the services and resources provided on our sites;
- To improve our websites – We may Use customer feedback to improve our products and services;
- As may be otherwise permitted or required by law.
Disclosure
Think Research may share PII:
- With other Think Research entities in order to effectively provide our services, including for internal management and administrative Purposes;
- With third party service providers who are required (by agreement) to keep PII confidential and secure, and are restricted from Using or Disclosing the information for reasons other than performing services on our behalf or to comply with legal requirements;
- With third parties and partners in the event of a potential merger or acquisition, transfer of assets, reorganization, or bankruptcy. These parties are also required to keep PII confidential and secure and are restricted in their Use of information to this Purpose;
- With government, regulatory and law enforcement agencies to meet our compliance, regulatory, and risk management obligations;
- With the general public and/or other users when an individual posts or shares comments, blog postings, testimonials, or other similar information in public or user discussion forums on our technology platforms;
- With sponsoring organizations, with express or implied Consent (where this is permitted by law) or if we are required to do so by law;
- With other parties to reduce or eliminate a reasonable risk of significant harm to a person or group of persons;
- For the Purpose of carrying out an investigation, or as a result of a court order, warrant, subpoena or summons; and/or
- As may be permitted or required by law.
Think Research does not sell, trade, lease or rent individuals’ PII to others. We may share aggregated information regarding visitors and users with our business partners, trusted affiliates and advertisers for the Purposes outlined above. We may use third party service providers to help us operate our business and our sites, or administer activities on our behalf, such as sending out newsletters or surveys. We may share PII with these third parties for those limited Purposes.
We may share de-identified and/or aggregated information with our clients for reporting Purposes, including usage of our services, and with third party service providers for use in creating marketing materials, case studies and statistical analyses. This allows Think Research, its clients and our respective third party service providers to understand how we are performing, or develop relevant products, services or offers.
Retention
Think Research only retains PII for as long as may be reasonably necessary to provide our services, meet our contractual obligations with clients, comply with legal requirements, and/or resolve disputes.
To determine the appropriate retention period for PII, we consider the amount, nature, and sensitivity of the PII, the Purposes for which it was Collected, whether we can achieve those Purposes through other means, and the applicable contractual, legal and/or regulatory requirements.
When we, or a client organization, no longer require a quantity of PII, it is either securely destroyed, deleted, or de-identified.
Data Accuracy
Think Research strives to keep PII in its custody and/or control as accurate, complete, and up-to-date as is necessary, in order to fulfill the Purposes for which it was originally Collected, and is to be Used.
Data Security and Safeguards
Think Research has implemented physical, technological, organizational, and contractual safeguards, appropriate to the sensitivity of PII in our custody and/or control, to protect it from unauthorized access, Use or Disclosure.
We employ industry-standard controls to protect PII, including physical access controls, internet firewalls, intrusion detection and network monitoring.
Openness
Think Research accepts and responds to questions, concerns or challenges about its policies and practices relating to the handling of PII. To submit a question or concern, please contact the Privacy Office using the details in Section 4 below.
Data Subject Rights
Upon request, an individual may exercise any of a number of “rights” regarding the existence, Use, and Disclosure of their PII. Individuals can gain access to records, challenge the accuracy and completeness of their information, have it amended as appropriate, and other options, as described below. Note that specific rights may vary from region to region, under Applicable Legislation.
Individuals seeking to exercise these rights should contact the program or service of interest, to initiate their request via the applicable process. If they cannot find the appropriate contact information for the program or service, they may contact the corporate Privacy Office using the details in Section 4 (below) to facilitate or redirect their request.
Accessing Your Information
When requested in writing, Think Research will inform individuals of the existence, Uses, and any Disclosures of records of their PII, that we maintain, and provide access to copies of the information, and/or disclose it in common, machine-readable formats. In some rare cases, Think Research may not be able to provide individuals with all of the information that they request, depending on prescribed circumstances. In producing copies of records for requesting individuals, some business units may charge a nominal fee.
Correcting Your Information
Think Research will make reasonable efforts to keep PII accurate and up to date. If a change or correction is required (e.g. a change of address), individuals should let us know right away. We will make appropriate updates needed to keep records accurate and individuals can review their PII by looking at the correspondence we send to them, through their online accounts with us, or by requesting access to their PII, as described above.
Note that the right to correction is not absolute, and practices will vary somewhat by context and business unit. Where a correction cannot be fully accommodated (e.g. changes to clinical notes), individuals can have a statement of disagreement about the data included in their files.
Other Data Subject Rights
Depending on the country or jurisdiction in which they live, individuals may have additional rights in relation to their PII, including:
- Right to delete. Individuals may have the right to request the deletion of their PII upon the withdrawal of their Consent for us to Process such information, or other circumstances provided under Applicable Legislation, provided that such data no longer needs to be Processed by us to fulfil our legal and regulatory obligations. Note that this “right to be forgotten”, is not absolute, as in some circumstances the retention of PII (particularly in a clinical context) is a legal requirement.
- Right to restrict, object to, or opt out of Processing. Individuals may have the right to specify that we restrict the Processing of their PII in various ways, or object to what may be seen as an excessive Collection of PII.
- Right to data portability. Individuals may have the right to request that we provide them with copies of their PII in a structured, commonly used, and machine-readable format and a right to request that we transfer such information to another party.
- Right to be free from automated decision-making or profiling. Individuals may have the right to request that we process their information manually, without any decision-making or profiling being conducted by automated, digital solutions.
- Right to lodge a complaint. Individuals may have the right to lodge a complaint with the relevant regulatory authority about the way that we have handled their PII (see Section 3.9 below).
Note for data subjects in France: under French law, individuals also have a right to define guidelines relating to the fate of their personal data in the event of their death.
Note for data subjects in the United States: under some states’ consumer privacy laws, individuals also have a private right of action and/or a right to opt in for sensitive data processing.
Challenging Compliance
An individual is free to challenge Think Research’s compliance with these principles. Their challenge should be in writing, and addressed to our Privacy Office (see contact details in Section 4 below).
Please note that in responding to such communications, we may need to confirm the individual’s identity, request additional details about them, and/or work with other Think Research departments to respond to them fully, or to properly investigate their concern or complaint.
If our response to a challenge is not satisfactory, individuals in most jurisdictions have the option of escalating their concern to the local regulatory authority. If assistance is needed in identifying the correct oversight body, please send a request to our Privacy Office (see Section 4 below) and they will provide assistance.
Data Residency
Think Research is a global organization with affiliates, partners and subcontractors located in several countries around the world. To provide our services, Think Research may transfer PII across national or regional borders to other Think Research entities, affiliates or service providers working on our behalf in compliance with Applicable Legislation. For some services or platforms, we are able to accommodate client organizations’ data residency preferences, in that in-scope PII will not leave the country of origin, or be accessed from outside of that region.
Examples of countries that we may transfer PII to and/or exchange PII with, include, but are not limited to: Australia, Canada, New Zealand, the Republic of Ireland, the United Kingdom and the United States of America. When PII is transferred outside of a country, we take appropriate measures to ensure an equivalent standard of protection under Applicable Legislation. We will also obtain an individual’s Consent where this is required under Applicable Legislation, before such transfers occur.
In particular, for transfers of PII from the European Union (EU) or the United Kingdom (UK), we rely on adequacy decisions of the European Commission, UK adequacy regulations, standard contractual clauses approved by the applicable authorities, or other appropriate transfer mechanisms.
Contact Us
Individuals that may have questions or concerns about this policy or Think Research’s handling of their PII, should contact our Privacy Office using the following details…
Contact us by regular mail at:
Think Research Corporation
Attn: Privacy Office
199 Bay Street, Suite 4000
Toronto, Ontario, Canada
M5L 1A9
or by electronic mail at:
privacy@thinkresearch.com
With respect to the General Data Protection Regulations of the EU and the UK:
- Our Data Protection Officer is Patrick Kenny, in Toronto, Ontario, Canada, who can be reached using the contact details above;
- Our EU Representative is Chris Collenette, in Ireland, who can be reached by e-mail at the address above, or by regular mail at:
5th Floor Rear, Connaught House, 1 Burlington Road, Dublin 4
Dublin, Ireland
D04 C5Y6
- Our UK Representative is Dr. Christine Smith, in England, who can be reached by e-mail at the address above, or by regular mail at:
Department 849, 196 High Road
Wood Green
London, England, N22 8HH
Please note that in responding to such communications, we may need to confirm the individual’s identity, request additional details about them, and/or work with other Think Research departments to respond to them fully, or to properly investigate their concern or complaint.
Revision History
This Policy is subject to change, for example to comply with evolving legal requirements or to meet changing business needs. If we make any updates, we will post them on this page and revise the ‘Effective Date’. We encourage individuals to check this page from time to time, for any changes to our policy, so that they may stay informed about how we protect their Privacy and the PII in our custody and/or control.
Version Control Log
Effective Date | Change History | Approved by… | Version |
September 2020 | Original TRC Privacy Policy, for US/CAN, posted to website. | Privacy, Security & Risk Committee | n/a |
May 15, 2023 | Updates and edits, to incorporate new regions and subsidiaries. | Privacy, Security & Risk Committee | 1.3 |
October 19, 2023 | Consolidated corporate privacy policy for all regions and all subsidiaries. | Patrick Kenny, Privacy Officer | 2.0 |
Annual Review
This policy will be reviewed on an (at least) annual basis, to help ensure that it remains valid, effective, and relevant.