Purpose:
The purpose of this policy is to ensure that all associates, partner organizations, consultants and suppliers recognize that AmerisourceBergen Canada company information and its clients' information is held in the strictest of confidence.
Procedure:
Commitment to Privacy: AmerisourceBergen Canada (“ABCC”) is a leading supplier of premier health service delivery in Canada. Core services include pharmaceutical distribution and wholesale, pharmaceutical technology products and services, specialty business services that are focused on various pharmaceutical and pharmacy supply specialties such as specialty programs, clinic & nursing services, specialty pharmacy, specialty distribution, & 3PL, strategic consulting, market access and reimbursement.
In providing these services, ABCC is responsible for protecting the privacy, confidentiality and security of personal information in its custody and control. ABCC is committed to a high standard of privacy for its information practices and complies with all applicable privacy legislation. The company adopts the 10 privacy principles set out in the National Standard of Canada Model Code for the Protection of Personal Information, which is Schedule 1 of the Protection of Personal Information and Electronic Documents Act (Canada) (PIPEDA).
These principles include:
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
Compliance with Federal and Provincial Privacy Laws: In addition to complying with PIPEDA, where applicable, AmerisourceBergen Canada will ensure that its information practices comply with any relevant provincial privacy legislation.
Scope:
- This policy applies to personal information and the personal health information of individuals, patients and associates that is collected, used or disclosed by ABCC and its associates, contractors and agents during the course of providing services. This privacy policy is the foundation for the company’s information practices and sets out the principles upon which ABCC collects, uses and discloses personal information and personal health information.
Definitions:
- Agent is any person who acts, with the authorization of the organization, for or on behalf of the organization in exercising powers or performing duties with respect to personal information for the purposes of the organization, and not the agent’s own purposes, whether or not employed by the organization or remunerated. Agents may include volunteers, students, consultants, associates, vendors and contractors.
- Collection involves the act of gathering, acquiring or obtaining personal information from any source, including from third parties, by any means.
- Consent means the voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the persons seeking the consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
- Disclose is to release or make personal information available to another person, organization or information custodian; it does not mean to use the information. Disclosure is to be distinguished from the “transfer” of information to agents or third parties who are simply processing the information on the organization’s behalf.
- Information practices refers to an information custodian’s policies concerning when, how, and why the custodian routinely collects, uses, modifies, discloses, retains or disposes of personal information, and the administrative, technological and physical safeguards and practices maintained to protect personal information.
- Personal health information means any factual or subjective information, recorded or not, with respect to an individual, whether living or deceased, concerning the physical or mental health of the individual, any health service provided to the individual or information collected in the course of or incidentally for the provision of health services to that individual. Personal health information is a sub-set of personal information. All references to personal information include personal health information.
- Personal information means any factual or subjective information, recorded or not, about an identifiable individual, but does not include the name, title or business address or telephone number of an associate of an organization. Personal information includes, but is not limited to: age, name, address, date of birth, social insurance number, ID numbers, income, gender, ethnic origin, personal health information, opinions, evaluations, comments, social status, medical records, credit records, property ownership information, income records and debt load information.
- Record is an information record in any form or media, including written, printed, photographic or electronic form, but excluding computer programs and other mechanisms that produce a record.
- Security is the physical, technological and administrative protective measures and techniques that are designed to ensure that personal information remains confidential, available and uncompromised. This includes measures such as encryption, passwords, and firewalls designed to prevent unauthorized access to information, to protect the integrity of computing resources and to limit the potential damage that can be caused by unauthorized access.
- Use is to handle or deal with personal information within AmerisourceBergen Canada or by its agents, but does not mean to disclose personal information.
Privacy principles:
AmerisourceBergen Canada has implemented a privacy program to meet the following privacy goals:
Principle 1—Accountability for Personal Information
ABCC is responsible for protecting personal information in its custody or under its control and has designated a primary Privacy Officer and secondary Privacy Officer to be responsible for implementing ABCC’s privacy program. The Privacy Officers are accountable for facilitating compliance with applicable federal and provincial legislation and the 10 privacy principles set out in this document.
- The company is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. ABCC will use contractual or other means to provide at least an equal level of protection while the information is being processed by a third party.
- The name and contact information for the Privacy Officers will be made publicly available, upon request. The name and contact information for the Privacy Officers is as follows:
The Privacy Officers acting for AmerisourceBergen Canada Corporation and its Canadian affiliates (including but without limitation to ABCC, ABSGC, Innomar Strategies Inc.) are:
Primary Privacy Officer is: Cynthia Siksay, Director Corporate Services
Secondary Privacy Officer is: Amélie Basque-Chapman, Senior Manager, Internal Operations
The contact information for these individuals is as follows:
3450 Harvester Road, Burlington, Ontario L7N 3M7, Canada
Tel: 905-681-6551
Fax: 905-681-6090
Toll free: 1-888-420-5457
Email: privacy@amerisourcebergen.ca
- The Privacy Officer is responsible for:
  - Implementing information practices to protect personal information, including information relating to individuals, patients, associates and agents;
  - Identifying and addressing any potential privacy compliance issues;
  - Establishing policies and procedures to receive and respond to complaints, privacy breaches, including loss of personal information or inappropriate use of personal information and inquiries;
  - Training and communicating to staff and agents information about ABCC's information practices; and
  - Developing plans and communicating to the public and key stakeholders information to explain ABCC’s information practices.
- ABCC’s senior management is ultimately responsible for privacy compliance on behalf of the organization. In the implementation of the services, initiatives, patient programs, compliance programs, market research initiatives or any other type of program, the company must at all times ensure that its privacy policies are understood, known, updated, communicated and implemented by all ABCC personnel and in the implementation of all ABCC projects or associated undertakings.
- All ABCC associates and agents are responsible for individual compliance with ABCC’s information practices for personal information that they collect, use and disclose in the course of their duties.
- All ongoing projects or programs must have a project protocol or Standard Operating Procedure (SOP) that addresses the handling of personal information. The Director and Senior Manager overseeing the project or activity are responsible for ensuring that:
  - the project/program privacy SOP has been developed;
  - a copy of the project/program privacy SOP has been submitted to, and approved by, the Privacy Officer; and
  - ongoing monitoring, at a minimum of once per quarter, will be undertaken and documented on a General Privacy Compliance Monitoring Form. The completed General Privacy Compliance Monitoring Form should be filed in the project/program protocol binder and the summary General Privacy Compliance Monitoring Form should be submitted to the Privacy Officer.
- In the event of a conflict with a project/program specific protocol or standard operating procedure, the project/program specific protocol or standard operating procedure takes precedence over a general protocol or procedure.
- The Privacy Officer is responsible for reviewing and updating the Privacy Policy as required to ensure compliance with PIPEDA and good privacy management policies.
Principle 2—Identifying Purposes for the Collection of Personal Information
At or before the time personal information is collected, ABCC will identify and inform individuals of the purposes for which the personal information is being collected. The least amount of information is collected, with the highest degree of anonymity to fulfill the specified purpose.
- Identifying the purposes for which personal information is collected at or before the time of collection allows the company to determine the information it needs to collect to fulfill these purposes.
- Personal information may be used in a variety of initiatives, programs or projects. The method of collection must be specified in the individual project protocol. Personal information may only be used for the expressed purposes (i.e., specific program or initiative) for which it was collected. Depending upon the way in which the information is collected, an explanation of the purposes can be given orally or in writing to the individual whose personal information is being collected. ABCC will also provide the position, name or title of the person who is able to answer on behalf of ABCC the individual’s questions about the collection.
- When personal information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use. New purposes will be reviewed by the Privacy Officers to determine if they are appropriate and to consider and mitigate any potential privacy risks stemming from the new uses. Consent from the individual is required before personal information can be used for a new purpose, unless not required by law.
- Unless the individual has consented to the collection of his/her personal information from third parties or as permitted by law, all personal information will be collected directly from the individual to whom the information pertains.
- If information is provided to an ABCC associate by a third party, the source of the information must be identified in the record. The associate must confirm that he or she has the individual’s consent in order to collect the information and where possible, confirmation or proof of consent should be requested. Health care professionals must use their professional discretion in determining if an emergency or clinical situation warrants action to be taken without proof or notification of consent.
- All communication in which personal information is collected, used or disclosed must be recorded in accordance with professional standards.
- Records must indicate why and when the information was collected, by whom, from whom and the date, time and method of information exchange.
Principle 3—Consent for the Collection, Use, and Disclosure of Personal Information
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except as permitted by law. ABCC will make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. The purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. When it may be appropriate or required by applicable privacy legislation, the written consent of the individual shall be obtained. Sometimes, an individual’s consent may be obtained verbally or implied through his/her conduct with ABCC.
- Prior to the collection, use and disclosure of personal information, individuals will be informed of the type of information that will be collected, the intended purposes of the collection, uses or disclosures for the information, the categories of persons who will have access to the information, the place where the information will be stored, the rights of access and correction to the information, and that the individual may give or withhold consent. Consent is required from the individual providing the personal information and will be documented.
- ABCC will identify the potential for further use or disclosure of personal information and will obtain consent at the time of collection, where possible. The steps for obtaining consent are:
  - identify the individual or authorized representative (such as a legal guardian or a person having power of attorney where the individual is incapable of giving consent);
  - identify the information to be collected, used or disclosed;
  - identify the purposes for the collection, use or disclosure;
  - if the information given is not required in order to provide required services, the individual will be informed that he/she is not obliged to provide the personal information and the information will not be collected;
  - if the information is required, the individual will be informed that he/she is not obliged to provide the personal information, or may give consent subject to any reasonable terms, conditions or qualifications established, set, approved by or otherwise acceptable to the individual, however, an explanation will be provided about the risks and consequences of consenting or not consenting.
- ABCC will not collect, use or disclose personal health information about an individual for the purpose of market research unless the individual expressly consents and ABCC will only collect, use or disclose the information as permitted by law.
- Where it is inappropriate to obtain consent (e.g., legal, medical or security reasons), the rationale for such an exception will be documented.
- Personal information will not be disclosed to a third party without the express consent of the individual, unless permitted by law. Without limiting the generality of the foregoing, at the time personal information is obtained, ABCC will obtain the consent of the individual to disclose such personal information to purchasers of the assets or shares of ABCC.
- If ABCC will disclose or transfer personal information outside of Canada, it will obtain consent to do so, and will advise individuals that the laws of those countries with respect to personal information may be less stringent than the laws of Canada and its provinces. Furthermore, individuals will be advised that personal information disclosed or transferred outside of Canada may be subject to foreign laws, regulations and/or court orders and may be disclosed to third parties or foreign authorities in compliance with foreign laws, regulations and/or court orders.
- ABCC will document the consent process. ABCC will use its General Consent Form if no formal project specific database or electronic or paper consent form has been developed. Project-specific protocols and forms shall be used where applicable.
- An individual can withdraw his/her consent at any time, with certain exceptions noted herein. ABCC can, however, collect, use or disclose personal information without the individual’s knowledge or consent in exceptional circumstances where such collection, use or disclosure is permitted or required by law. Subject to legal and contractual requirements, an individual may withdraw his/her consent to ABCC's further collection, use or disclosure of personal information at any time in the future by giving ABCC reasonable notice, unless the consent is otherwise required by law or the use or disclosure is permitted by law. If an individual refuses or withdraws his/her consent, ABCC may not be able to provide the individual or continue to provide the individual with certain products, services or information which may be of value to the individual.
- Before or at the time any individual requests withdrawal of consent, ABCC will inform the individual of the implications of such withdrawal. Withdrawal of consent for secondary purposes should not entail serious implications relating to the provision of products or services.
Principle 4—Limiting Collection of Personal Information
The collection of personal information will be limited to that which is necessary for the purposes identified by ABCC. Information will be collected by fair, open and lawful means.
- ABCC will not collect personal information indiscriminately. Both the amount and the type of information collected will be limited to that which is necessary to fulfill the purposes identified.
- The requirement that personal information should be collected by fair and lawful means is intended to prevent ABCC from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.
- For any information collected solely for secondary purposes (i.e., that cannot be reasonably considered strictly necessary for fulfilling a certain purpose), ABCC will notify individuals at the time of collection that the information is optional.
Principle 5—Limiting Use, Disclosure, and Retention of Personal Information
Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as permitted or required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes. ABCC will not disclose personal information to third parties unless specifically authorized by the individual or where such disclosure is permitted by law.
- If using personal information for a new purpose, ABCC will document this purpose and obtain the individual’s consent.
- ABCC has developed guidelines and implemented procedures with respect to the retention of personal information. These guidelines include minimum retention periods. Personal information that has been used to make a decision about an individual will be retained long enough to allow the individual access to the information after the decision has been made. The minimum retention period for personal information that has been used to make a decision directly affecting an individual is at least one (1) year after using the information.
- Where the retention of personal information is no longer required to fulfill the identified purposes and is no longer necessary for legal or business purposes, the personal information will be destroyed, erased, or made anonymous, as permitted by law. ABCC has developed guidelines and implemented procedures to govern the destruction of personal information.
Principle 6—Ensuring Accuracy of Personal Information
ABCC will make all reasonable efforts to ensure that personal information collected, used or disclosed by or on its behalf is accurate, complete and up to date as is necessary for the purposes for which it is to be used. If an individual has questions about the accuracy of the factual information that ABCC has collected about that individual, he/she may access that information in order to verify and update it, subject to specified exceptions.
- The extent to which personal information will be accurate, complete and up to date will depend upon the use of the information, taking into account the interests of the individual. Information will be sufficiently accurate, complete and up to date to minimize the possibility that inappropriate information may be used to make a decision about the individual.
- ABCC will not routinely update personal information, unless this process is necessary to fulfill the purposes for which the information was collected.
- Personal information that is used on an ongoing basis, including information that is disclosed to third parties, will generally be accurate and up to date, unless there are clearly established limits to the requirement for accuracy.
- For call centre programs, personal information is only collected in order to provide assistance and report to ABCC’s client(s) on the use of the program. As such, personal information must only be kept up to date until no longer needed for its intended use. Individuals who require ongoing follow-up and medical information, or who subsequently call for additional assistance will need to confirm the accuracy of the information in their file.
- For programs involving ongoing clinical follow-up and support: At each contact with an ABCC health care professional, the health care professional will ask a list of questions designed specifically to ensure the accuracy of information necessary for the program. This process will be program-specific.
- Any information which an individual, authorized representative or healthcare professional provides to ABCC in order to update his/her file must be entered in all appropriate files.
Principle 7—Ensuring Safeguards for Personal Information
ABCC has developed security safeguards and information practices appropriate to the sensitivity of the information in order to protect personal information.
- The security safeguards protect personal information against loss, theft, unauthorized access, disclosure, copying, use or modification. ABCC protects personal information regardless of the format in which it is stored. ABCC will make associates aware of the importance of maintaining the confidentiality of personal information. ABCC will make sure to prevent unauthorized access when destroying or disposing of personal information.
- The nature of the safeguards varies depending on the sensitivity of the information that has been collected, the amount, distribution and format of the information, and the method of storage. A higher level of protection safeguards more sensitive information, such as records of personal health information.
- The methods of protection include:
  - Physical measures, for example, safe storage of records, locked filing cabinets and restricted access to offices;
  - Organizational measures, for example, limiting access on a “need-to-know” basis; and
  - Technological measures, for example, the use of passwords, encryption and audits.
- All personal information held by ABCC is stored in one of two formats:
  - electronic databases or spreadsheets located on servers with restricted access and password protection; or
  - hardcopy records that are kept in locked filing cabinets.
- In the event that personal information about an individual is stolen, lost or accessed by unauthorized persons, ABCC will notify the individual at the first reasonable opportunity and without unreasonable delay send a notice to the office of the Privacy Commissioner indicating any incident involving the loss of or unauthorized access to or disclosure of the personal information where a reasonable person would consider that there is a real existing risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.
Principle 8—Openness about Personal Information Policies and Practices
ABCC will make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- ABCC will provide information about its information practices with respect to the management of personal information without unreasonable effort and in a form that is generally understandable.
- The information made available includes:
  - The contact information to reach the Privacy Officers and to whom complaints or inquiries can be forwarded;
  - The means of gaining access and how to request the correction of personal information held by ABCC;
  - A description of the type of personal information held by ABCC, including a general account of its use; and
  - What personal information is made available to related organizations.
Principle 9—Individual Access to Personal Information
Upon request, an individual will be informed of the existence, use and disclosure of his/her personal information and will be given access to that information. ABCC will seek to identify the source of this information and will allow the individual access to this information subject to specified exceptions. An individual will be able to challenge the accuracy and completeness of the information and have it amended, as appropriate. If an individual has questions about whether ABCC has his/her personal information on file or about the use or disclosure of such personal information by ABCC, he/she may contact the Privacy Officers. ABCC reserves the right to confirm the identity of the person seeking access to personal information before complying with any access requests.
- All requests for access to personal information shall be made in writing and shall be processed in accordance with ABCC’s information practices relating to access to personal information.
- ABCC will respond to an individual's request within a reasonable period or as otherwise required by law, and at minimal or no cost to the individual. Where a fee is charged for the cost of producing a copy of the record, as permitted by law, ABCC will provide the individual with a written estimate of the total fee before ABCC processes the request for access. The requested information will be provided or made available in a form that is generally understandable. Where information cannot be provided within 30 days, ABCC will send a notice of extension of the time limit, the new time limit, the reasons for the extension and the right of the individual to complain to the office of the Privacy Commissioner.
- In certain situations, ABCC may not be able to provide access to all of the personal information it holds about an individual. Exceptions to the access requirement will be limited and specific. The reasons for denying access to all or part of the record will be provided to the individual in writing. Exceptions may include information that contains references to other individuals, information that cannot be disclosed for legal, security or proprietary reasons, or information that is subject to solicitor-client or litigation privilege.
- Where ABCC receives a request to access personal information that is maintained by a third party or the third party was the first to collect the personal information, ABCC should seek the consent of the individual making the request to transfer the request to the third party.
- If a request for access to all or part of the individual’s record is refused, ABCC will inform the individual in writing, along with the reasons for the refusal, the section of the relevant legislation on which the refusal is based (where required by law), the name of someone who can answer on behalf of ABCC the individual’s questions about the refusal and any recourse available to the individual under PIPEDA or any other relevant privacy legislation.
- When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, ABCC will amend the information as required, in accordance with professional standards of practice for correcting records of personal information.
- Within 30 days after receiving a request for correction, ABCC will, by written notice to the individual requesting the correction, grant or refuse the individual’s request. Where a reply to the request for a correction cannot be provided within 30 days, ABCC will send the individual a notice of extension of the time limit, the new time limit, the reasons for the extension, and the right of the individual to complain to the Office of the Privacy Commissioner.
- Depending upon the nature of the information challenged, an amendment may involve the correction, deletion or addition of information. Information contained within records of personal health information will not be deleted, but rather, the original must be maintained, with any amendments or corrections made in a transparent manner. Where appropriate, the amended information will be transmitted to third parties having access to the information in question or to whom that information has been disclosed.
- When a challenge is not resolved to the satisfaction of the individual, ABCC will record the substance of the unresolved challenge. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.
- Where ABCC itself receives notification of corrected personal information from another organization, ABCC will correct the personal information in its custody or under its control within 30 days.
- If ABCC makes a determination not to make a requested correction, ABCC will annotate the personal information under its control with the correction that was requested but not made and inform the individual of the individual’s right to submit a statement of disagreement to be attached to their record and the individual’s right to complain to the Office of the Privacy Commissioner.
Principle 10—Challenging Compliance with ABCC's Privacy Policies and Practices
An individual may bring a challenge concerning compliance with this policy to either of the Privacy Officers.
- ABCC has procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information.
- ABCC informs individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures, including complaints to federal or provincial privacy oversight bodies.
- ABCC investigates all complaints. If a complaint is found to be justified, ABCC will take appropriate measures, including, if necessary, amending its policies and practices.
- ABCC interprets this policy and may amend or update any or all parts as necessary to meet the changing needs of ABCC and/or applicable legislation. ABCC will notify individuals of significant changes in the way it treats personal information by sending a notice to the contact information provided or by placing a prominent notice on ABCC’s website.
Storage of Personal Information
ABCC will inform individuals of the location where an individual’s personal information will be stored at the time of collection and that this location may change from time to time. Upon request in writing to the Privacy Officer, an individual can request up-to-date information regarding the location of the storage of personal information.
Related Documents:
- Protection of Personal Information and Electronic Documents Act (Canada) (PIPEDA)