ASTRAZENECA CANADA’S PERSONAL INFORMATION MANAGEMENT PRACTICES
AstraZeneca Canada Inc. (“AstraZeneca Canada”) is committed to controlling the collection, use and disclosure of personal information.
AstraZeneca Canada collects, uses and discloses various types of personal information in carrying on business, including information about health care professionals (including physicians, pharmacists and other health care workers), patients, participants in clinical studies, customers and employees.
AstraZeneca Canada collects, uses and discloses personal information in accordance with the following ten fair information principles.
Principle 1 – Accountability
1.1 The contact information for AstraZeneca Canada’s Privacy Compliance Officer is:
Privacy Compliance Officer
1004 Middlegate Road
Canada L4Y 1M4
Tel: 905-803-4883 (ext. 4883)
1.2 Accountability for compliance by AstraZeneca Canada with these policies and procedures rests with the Privacy Compliance Officer, even though other individuals within the company may be responsible for the day to day collection and processing of personal information. In addition, the Privacy Compliance Officer may, from time to time, designate one or more other individuals within the company to act on his or her behalf, including representatives from all areas of the business.
1.3 AstraZeneca Canada is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. AstraZeneca Canada transfers personal information to third parties for reasons such as data processing, data warehousing, administrative services, and conducting programs on our behalf, where the third parties do not make any independent use of the personal information. AstraZeneca Canada uses contractual or other means to require third parties to commit to protecting personal information to a level comparable to that provided by AstraZeneca Canada. Some of these third parties may be located outside of Canada and, as such, they are subject to foreign laws including laws that may require disclosure of personal information to foreign government authorities.
- procedures to protect personal information;
- procedures to receive and respond to complaints and inquiries;
- training and information for staff about AstraZeneca Canada’s policies and practices; and
- information and tools to explain AstraZeneca Canada’s policies and procedures.
Principle 2 – Identifying Purposes
2.1 AstraZeneca Canada collects, uses and discloses personal information for a range of purposes.
2.2 AstraZeneca Canada may from time to time collect, use and disclose personal information about health care professionals for legitimate business purposes that include satisfying regulatory requirements, conducting clinical studies in which health care professionals have agreed to participate, establishing and managing a customer relationship profile, marketing AstraZeneca Canada products and services, responding to requests about AstraZeneca Canada products, recommending particular products to meet health care professional needs, providing health care professionals with clinical evaluation packages, and establishing and sponsoring educational or other programs. To carry out these legitimate business purposes, AstraZeneca Canada may from time to time disclose the personal information of health care professionals to regulatory agencies (e.g., Health Canada), companies affiliated with AstraZeneca Canada, and other third parties to perform services on behalf of AstraZeneca Canada for the purposes explained in this section.
2.3 AstraZeneca Canada may from time to time collect, use and disclose personal information about individuals that use or may use AstraZeneca Canada products for legitimate business purposes that include receiving and/or responding to requests, complaints or adverse event reports about AstraZeneca Canada products or services, administering health condition awareness/management or similar programs sponsored by AstraZeneca Canada, satisfying regulatory requirements, notifying individuals about product-related matters where prudent to do so, and marketing AstraZeneca products and services. To carry out these legitimate business purposes, AstraZeneca Canada may from time to time disclose the personal information of these individuals to regulatory agencies (e.g., Health Canada), companies affiliated with AstraZeneca Canada, and other third parties to perform services on behalf of AstraZeneca Canada for the purposes explained in this section.
2.4 AstraZeneca Canada may from time to time collect, use and disclose personal information about individuals that participate in clinical studies sponsored by AstraZeneca Canada for legitimate research and business purposes that include research and development, satisfying regulatory requirements, notifying individuals about research-related matters where prudent to do so, and receiving and/or responding to requests, complaints or adverse event reports about AstraZeneca Canada products. To carry out these legitimate research and business purposes, AstraZeneca Canada may from time to time disclose the personal information of these individuals to regulatory agencies (e.g., Health Canada), companies affiliated with AstraZeneca Canada, and other third parties to perform services on behalf of AstraZeneca Canada for the purposes explained in this section.
2.5 AstraZeneca Canada may from time to time collect, use and disclose personal information about employees and potential employees for legitimate business purposes that include evaluating employment applications, hiring, evaluating and managing performance and administering employment-related services such as payroll, benefits, making travel arrangements, satisfying regulatory requirements (including compliance with Health Canada Regulations on Good Manufacturing Practices (GMP)) and corporate compliance to policies. To carry out these legitimate business purposes, AstraZeneca Canada may from time to time disclose employees’ personal information to benefits providers, regulatory agencies (e.g., Canada Revenue Agency), companies affiliated with AstraZeneca Canada, and other third parties to perform services on behalf of AstraZeneca Canada for the purposes explained in this section.
2.6 AstraZeneca Canada will make reasonable efforts to identify the purposes for which personal information is collected to the individual from whom the personal information is collected at or before the time of collection. Depending upon the way in which the information is collected, AstraZeneca Canada will identify these purposes verbally or in writing. For example, subjects participating in studies sponsored by AstraZeneca Canada are presented with written consents specifying that their doctor will collect their personal information such as date of birth and gender for purposes relating to administering and conducting the study, research and statistical analysis.
2.7 When AstraZeneca Canada uses or discloses personal information that has been collected for a purpose not previously identified, it will identify and obtain consent to the new purpose prior to use or disclosure, except as permitted or required by law.
2.8 People collecting personal information will explain to individuals the purposes for which the information is being collected, including any purposes that may not be immediately obvious to the individual. For example, AstraZeneca Canada will make clear to individuals who provide testimonials regarding AstraZeneca Canada products for distribution to the public that their personal information may be shared with other companies affiliated with AstraZeneca Canada.
Principle 3 – Consent
3.1 Generally, AstraZeneca Canada will seek consent for the collection, use or disclosure of personal information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when AstraZeneca Canada wants to use information for a purpose not previously identified).
3.2 The form of the consent sought by AstraZeneca Canada, including whether this consent is express or implied, may vary depending upon the circumstances and the type of information. In determining the form of consent to use, AstraZeneca Canada will take into account the sensitivity of the information and the reasonable expectations of the individual. For example:
- An employee filing an application for AstraZeneca Canada’s dental, health, life insurance and long-term disability coverage plan would reasonably expect that the relevant information (employee identification number, name, date of birth) would be collected, used and communicated to third parties in accordance with the dental, health, life insurance, long-term disability coverage, and for as long as the coverage was in effect.
- When submitting a resume or application for employment with AstraZeneca Canada, an individual may implicitly be consenting to the collection of the information he or she discloses on the form. AstraZeneca Canada may also bring to the applicant’s attention the use that will be made of the information on the form. Consent in such cases is indicated by the applicant completing and signing the relevant forms.
3.3 An individual may withdraw consent at any time, subject to legal or other contractual obligations and restrictions. AstraZeneca Canada must also be provided with reasonable notice that an individual wishes to withdraw consent. The period of reasonable notice will vary depending on the nature of the information and the uses to which it is being put by AstraZeneca Canada. AstraZeneca Canada will inform the individual of the implications of withdrawing consent.
3.4 AstraZeneca Canada will not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes. For example, employee contact information is required for employment purposes, AstraZeneca Canada’s customers’ contact information is required for billing purposes and consent to the collection, use and disclosure of certain information will be required from participants in clinical studies in order to facilitate the research purposes for which the study is being conducted.
3.5 There may be some circumstances where AstraZeneca Canada will collect, use or disclose personal information without consent where permitted or required by law. For example, when information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill or mentally incapacitated, in which case consent must be obtained from parents, guardians or legal representatives of such individuals.
Principle 4 – Limiting Collection
4.1 AstraZeneca Canada will limit the amount and the type of information it collects to that which is necessary to fulfill the purposes identified.
4.2 When possible, AstraZeneca will collect personal information from the individual directly. However, with your consent or where permitted or required by law, AstraZeneca Canada may also collect personal information from outside sources such as companies that sell health care professionals’ personal information, credit bureaux, professional references, marketing agencies and public relations agencies.
Principle 5 – Limiting Use, Disclosure and Retention
5.1 AstraZeneca Canada limits the use and disclosure of personal information to what is necessary for the identified purposes or as required or permitted by law.
5.2 AstraZeneca Canada will retain information, including personal information that has been used to make a decision about an individual long enough to allow the individual access to the information after the decision has been made.
5.3 AstraZeneca Canada will destroy, erase or make anonymous personal information that is no longer required to fulfill the identified purposes, legislative requirements or legitimate business purposes.
Principle 6 – Accuracy
6.1 AstraZeneca Canada will take reasonable steps to ensure the accuracy and completeness of the personal information it uses or discloses. Please make a written request to the AstraZeneca Canada Privacy Compliance Officer if you wish to request correction of any of your personal information.
Principle 7 – Safeguards
7.1 AstraZeneca Canada has security safeguards to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, regardless of the format in which the information is held.
7.2 The nature of these safeguards vary depending on the sensitivity of the information that has been collected; the amount, distribution and format of the information; and the method of storage. More sensitive information is safeguarded by a higher level of protection.
7.3 The methods of protection include
- physical measures (e.g., locked filing cabinets and restricted access to desks);
- organizational measures (e.g., security clearances and limiting access on a “need to know” basis); and
- technological measures (e.g., the use of passwords and encryption).
7.4 AstraZeneca Canada has made its employees aware of the importance of maintaining the confidentiality of personal information.
Principle 8 – Openness
8.2 Individuals are able to acquire further information about AstraZeneca Canada’s policies and practices without unreasonable effort by contacting AstraZeneca Canada’s Privacy Compliance Officer. The information that AstraZeneca Canada will make available upon request includes:
- the name or title and the address of the Privacy Compliance Officer;
- the means of gaining access to personal information held by AstraZeneca Canada;
- a description of the type of personal information held by AstraZeneca Canada, including a general account of its use;
- a description of what personal information is made available to related organizations (e.g., subsidiaries) or other third parties.
Principle 9 – Individual Access
9.1 AstraZeneca Canada may establish a file of personal information for individuals, for the purposes described above, which will be accessible at 1004 Middlegate Road, Mississauga, Ontario, Canada L4Y 1M4. If an individual wishes to request access to, or correction of, his/her personal information in our custody or control, he/she must write to the above address, attention: Privacy Compliance Officer. We will provide an individual with access to his/her personal information in accordance with applicable law, except where permitted or required by law not to disclose personal information to the individual.
Principle 10 – Challenging Compliance
10.1 AstraZeneca Canada has put simple and easily accessible procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal information.
10.2 AstraZeneca Canada will inform individuals who make inquiries or lodge complaints about its complaint procedures.
10.3 AstraZeneca Canada will investigate all complaints. If a complaint is found to be justified, AstraZeneca Canada will take appropriate measures, including, if necessary, amending its policies and practices.
10.4 If an individual is not satisfied with the response from the Privacy Compliance Officer, he or she may have recourse to the Office of the Privacy Commissioner at:
Federal Privacy Commissioner
112 Kent Street
Phone: (613) 995-8210
Toll-Free: (800) 282-1376
Fax: (613) 947-6850