{"id":23408,"date":"2021-11-18T12:16:34","date_gmt":"2021-11-18T16:16:34","guid":{"rendered":"https:\/\/www.thinkresearch.com\/ca\/?page_id=23408"},"modified":"2026-05-12T15:47:52","modified_gmt":"2026-05-12T19:47:52","slug":"privacy-and-security-practices","status":"publish","type":"page","link":"https:\/\/www.thinkresearch.com\/ca\/privacy-policy\/privacy-and-security-practices\/","title":{"rendered":"Privacy and Security Practices Schedule"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Privacy and Security Practices Schedule<\/b><\/span><\/p>

The following terms outline the privacy and security practices that support Think Research\u2019s privacy and security policies. Think Research reserves the right to modify and\/or update these terms from time to time.<\/span><\/p>

The terms \u201cagent\u201d, \u201ccollect\u201d, \u201cdisclose\u201d, \u201cde-identify\u201d \u201chealth information custodian\u201d, \u201cpersonal health information\u201d, \u201cuse\u201d, \u201chealth care\u201d, \u201cindividual\u201d, \u201cinformation practices\u201d and \u201crecord\u201d shall have the respective meanings ascribed thereto by PHIPA.<\/span><\/p>

\u201cApplicable Privacy Laws\u201d \u00a0<\/b>means\u00a0 Canada\u2019s Personal Information Protection and Electronic Documents Act (\u201cPIPEDA\u201d) and substantially similar provincial legislation, provincial health information legislation and the directives in Canada, U.S. Health Insurance Portability and Accountability Act of 1996 and codified at 45 C.F.R. Parts 160 & 164, (\u201cHIPAA\u201d), European Union\u2019s General Data Protection Regulation 2016\/679 (\u201cGDPR\u201d) as it relates to the processing of personal data of citizens of the European Union, as the same may be amended, reenacted, consolidated and\/or replaced, from time to time, and any successor to any of the foregoing.<\/span><\/p>

\u201cAuthorized User\u201d means any employee, agent or Representative of Customer who accesses or uses the Services.<\/span><\/p>

\u201cBusiness Day\u201d means Monday to Friday from 9:00 a.m. to 5:00 p.m. exclusive of statutory holidays in Ontario.<\/span><\/p>

\u201cESP\u201d means a person who supplies services for the purpose of enabling a Customer to use electronic means to collect, use, modify, disclose, retain or dispose of PHI, and to the extent that the services are provided to a Customer that is a HIC, who is not an Agent of the Customer.<\/span><\/p>

\u201cGDPR\u201d means the European Union\u2019s General Data Protection Regulation 2016\/679 as it relates to the processing of personal data of citizens of the European Union.<\/span><\/p>

\u201cHIA\u201d means the Health Information Protection Act, 2000 (Alberta) and the regulations made under HIA<\/span><\/p>

\u201cHIC\u201d has the same meaning as \u201cHealth Information Custodian\u201d in PHIPA.<\/span><\/p>

\u201cHINP\u201d has the same meaning as \u201chealth information network provider\u201d in the regulations made under PHIPA.<\/span><\/p>

\u201cPatients\u201d means the individuals to whom Customer provides health care.<\/span><\/p>

\u201cPHI\u201d means information that is defined as \u201cpersonal health information\u201d in PHIPA that is processed, transferred and\/or stored by means of the Services.<\/span><\/p>

\u201cPHIPA\u201d means the Personal Health Information Protection Act, 2004 (Ontario) and the regulations made under PHIPA.<\/span><\/p>

\u201cRepresentative(s)\u201d means an individual or individuals with adequate authority and appropriate qualifications, skills and competence, designated by a Party, to manage matters relating to the Services, on behalf of the Party.<\/span><\/p>

\u201cThird Party Providers\u201d means vendors that provide and\/or license hardware, software and services to Think Research to support the provision of Services.\u00a0<\/span><\/p>

    1. <\/b>Privacy and Security<\/b>. Think Research and Customer have designated a person responsible for the protection of PHI and for coordinating and overseeing timely compliance with these requirements (\u201cPrivacy Representative<\/b>\u201d). Either Party may at any time change its designated Privacy Representative upon written notice in accordance with the terms of this Schedule. \u00a0<\/b>The Parties will comply with the privacy and information security provisions herein.<\/span><\/li>
    2. <\/b>Roles of the Parties. <\/b>Customer may be a HIC or a recipient of PHI from a HIC, required to manage PHI in compliance with PHIPA or not a HIC. Notwithstanding whether Customer is a HIC, Customer will comply with the provisions of PHIPA applicable to HICs. In regard to the Services and regardless of whether Customer is a HIC, Think Research and\/or its Third Party Providers will be:<\/span>
      1. an ESP where the Services enable Customer to use electronic means to collect, use and disclose PHI (\u201cESP Services<\/b>\u201d);<\/span><\/li>
      2. a HINP where the Services enable Customer and one or more other Customers to disclose PHI to one another (\u201cHINP Services<\/b>\u201d); and<\/span><\/li>
      3. an Agent on behalf of the Customer where it collects, uses or discloses PHI to: undertake activities requiring the collection, use or disclosure of PHI on behalf of Customer\u00a0 including auditing and managing actual or suspected contraventions of PHIPA, if any (collectively, \u201cPrivacy\u00a0 Operations<\/b>\u201d).<\/span><\/li><\/ol><\/li>
      4. The role of Customer and of Think Research under PHIPA may change depending on the Service or product being provided.<\/span><\/span>Think Research Obligations as ESP or HINP. <\/b>Regardless of whether it is providing ESP Services or HINP Services, or is acting as an Agent, Think Research will:
        1. not use any PHI to which it has access in the course of providing specific Services except as necessary in the course of providing those Services or directed by Customer where Think Research is acting as an Agent;<\/span><\/li>
        2. not disclose any PHI to which it has access in the course of providing ESP Services or HINP Services;<\/span><\/li>
        3. not permit Think Research Personnel to be able to have access to PHI, or collect, use or disclose the PHI, unless Think Research Personnel agrees to comply with the restrictions that apply to Think Research under this Schedule, and such access is necessary to fulfill Think Research\u2019s obligations under this Schedule ; and<\/span><\/li>
        4. implement administrative, technical and physical safeguards, practices and procedures to protect the privacy of the individuals whose PHI it uses to provide the Services.<\/span><\/li><\/ol><\/li>
        5. <\/b>Think Research Obligations as HINP.<\/b> When providing HINP Services, Think Research will:<\/span>
          1. upon becoming aware of, notify the Customer at the first reasonable opportunity, if Think Research Personnel accessed, used, disclosed or disposed of PHI other than in accordance with this Schedule or an unauthorized person accessed PHI;<\/span><\/li>
          2. provide Customer with a plain language description of the HINP Services that is appropriate for sharing with Patients, including a general description of the safeguards in place to protect against unauthorized use and disclosure, and to protect the integrity of PHI;<\/span>
            1. make available to the public, the description referred to in paragraph (b) above;<\/span><\/li>
            2. any Think Research guidelines\/or and policies that apply to the HINP Services to the extent that these do not reveal a trade secret or confidential scientific, technical, commercial or labour relations information, and<\/span><\/li>
            3. a general description of the safeguards implemented by Think Research in relation to the security and confidentiality of PHI;<\/span><\/li><\/ol><\/li>
            4. to the extent reasonably practical, and in a manner that is reasonably practical, keep and make available to a Customer on its request, an electronic record of,<\/span>
              1. accesses to PHI associated with the Customer being held in the Services controlled by Think Research, which record shall identify the person(s) who accessed the PHI and the date and time of the access, and<\/span><\/li>
              2. transfers of PHI associated with the Customer by means of the Services controlled by Think Research, which record shall identify the person who transferred the PHI and the person or address to whom it was sent, and the date and time it was sent;<\/span><\/li><\/ol><\/li>
              3. perform, and provide to Customer a written summary copy of the results of, an assessment of the HINP Services, with respect to, threats, vulnerabilities and risks to the security and integrity of PHI, and how the HINP Services may affect the privacy of the individuals to whom PHI being disclosed through the HINP Services relates;<\/span><\/li>
              4. ensure that any subcontractor or Third Party Provider it retains to provide the HINP Services agrees to comply with the restrictions and conditions that are necessary to enable Think Research to comply with this Section 4; and<\/span><\/li>
              5. comply with the applicable provisions of PHIPA and the regulations made under PHIPA.<\/span><\/li><\/ol><\/li>
              6. <\/b>Think Research Obligations as Agent. <\/b>Think Research, as Customer\u2019s Agent, may: use, disclose or de-identify PHI as required for privacy operations.<\/span><\/li>
              7. <\/b>Disclaimer. <\/b>\u00a0\u00a0The use of the Services is at the sole risk of Customer. Customer is required to apply the same scrutiny to PHI as Customer would to PHI received in another format or through other means, including paper records.\u00a0 Think Research is not responsible or liable for:<\/span>