DrLui.ca Privacy Policy

PRIVACY AND ANTI-SPAM CODE FOR OUR DENTAL OFFICE

Please refer to Appendix A for a glossary of defined terms.

INTRODUCTION

The Health Information Act (HIA) came into effect on April 25, 2001, and governs the
collection, use, and disclosure of Health Information within Alberta’s health care system.
The Personal Information Protection Act (PIPA) came into effect on January 1, 2004, and
governs the collection, use and disclosure of Personal Information, other than Health
Information, within Alberta’s private sector, including dental practices. Federally, the Personal
Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use
and disclosure of Personal Information. In addition, Canada’s anti-spam legislation (CASL)
came into effect on July 1, 2014. Canada’s anti-spam legislation regulates how businesses
and individuals communicate electronically.

This Office collects Personal Information about our patients directly from the patient or from
the person acting on their behalf. Occasionally, we collect Personal Information about a
patient from other sources if we have obtained the patient’s consent to do so or if the law
permits.

Privacy of Personal Information is an important principle in the provision of quality care to
our patients. We understand the importance of protecting your Personal Information. We
are committed to collecting, using and disclosing your Personal Information responsibly and
in accordance with the law. We also try to be as open and transparent as possible about
the way we handle your Personal Information.

This Office has developed this Privacy and Anti-Spam Code (this “Code”) to provide a
general description of our information and communication practices, how to obtain access
to your Personal Information, how to amend incorrect information, and how to make a
complaint to our Office or the Information and Privacy Commissioner. As the rules
governing the collection, use, and disclosure of Personal Information may change, our
practices will evolve and adapt in response to such changes and this Code may be
amended from time to time as a result thereof.

We ask that you contact our Privacy Officer in the event you have any questions or
concerns regarding this Code or its implementation.

ANTI-SPAM POLICY OVERVIEW

When we communicate with you, we may communicate via electronic means, such as
e-mail. We strive to ensure that our Commercial Electronic Messages (“CEMs”) are sent
with consent, identifying information and unsubscribe mechanisms. We require all CEMs
from our Office to be in compliance with the Privacy Laws. If and when we communicate
with you using CEMs, you can opt out of receiving such messages by following the
“Unsubscribe” link included at the bottom of such messages or by contacting Dr. Lui &
Associates (403 263-1346). Any questions or concerns with respect to CEMs from our
Office may be addressed to Dr. Lui & Associates (403 263-1346). In the event that our
Office inadvertently sends out a CEM without consent, we commit to investigating every
such instance and assisting the employee(s) or manager(s) involved with renewing their
understanding and awareness of our compliance responsibilities.

PERSONAL INFORMATION HANDLING PRINCIPLES

Accountability

Accountability for this Office’s compliance with Privacy Laws rests with our Privacy Officer
even though others in the Office may be responsible for the day-to-day collection and
processing of Personal Information.

Our staff are briefed on the importance of your privacy and receive training on the handling
of your Personal Information.

Our Office is comprised of many persons working together to ensure that our patients and
clients receive proper care. Some of our team members are Health Information Custodians
and some are not. We take this opportunity to describe the structure of our Office so that
you understand who may be handling your Personal Information and in what manner.

At our Office, professional dental or orthodontic services are performed by Service
Providers. All professionals performing these services at the Office are Members of the
College and are considered Health Information Custodians. All institutional health care
services performed at the Office are provided by our Affiliate. The individuals providing the
institutional health care services for our Affiliate may be Health Information Custodians
whereas our Affiliate may not. We have appointed our Affiliate as our “contact person”
pursuant to the Privacy Laws. To facilitate the ability of our Affiliate to carry out its
responsibilities to us, your Personal Information may be disclosed to, used by, and
collected by our Affiliate. All actions by our Affiliate in respect of your Personal Information
shall be in compliance with this Code and Privacy Laws.

Your Personal Information may also be disclosed to, used by or collected by the following
independent third parties for the purposes as described below:

– our third party contractors (who may be located outside Canada) for purposes related to
supporting our Office’s business (e.g., call centre activities, technical solutions and
support), in which case we will require such third parties to agree to treat your Personal
Information in accordance with this Code;

– third parties in connection with a sale, assignment, merger, amalgamation, plan of
arrangement or other transfer of the business of our Office or Affiliate, (including but not
limited to all pre-sale, assignment, merger, amalgamation, plan of arrangement or transfer
activities and all transaction negotiations and due diligence activities) to which the
information relates, in which case we will require any such buyer, assignee, successor
party, transferee or other party related to the transaction to agree to treat the information in
accordance with this Privacy Statement; and

– any governmental, administrative, judicial or regulatory authority for the purpose of
co-operating in proceedings, inquiries and investigations requested by such authorities or to
comply with any legal or regulatory requirements or to protect our rights, property or
interests, including to enforce this Code.

In addition, aggregated and anonymized information, which does not allow you to be
personally identified to third parties, may be disclosed to, used by or collected by third
parties.

By providing your Personal Information to this Office or by using our services, you are
consenting to its use by us, the third parties listed above, the Service Providers and our
Affiliate, as set out in this Code. We have permitted our Affiliate to collect, use, disclose,
retain, or dispose of our patients’ Personal Information which we ourselves may collect,
use, disclose, retain, or dispose of, provided that its actions are not contrary to the limits
imposed by Privacy Laws or such other applicable law. We have informed our Affiliate of its
duties under Privacy Laws and other applicable law.

This Office is responsible for Personal Information in our possession or custody, including
Personal Information that has been transferred to a third party for processing.

Our Office will implement policies and practices to give effect to the principles regarding the
collection, use and disclosure of Personal Information, including:

– implementing policies to protect Personal Information;

– training staff about this Code and our practices;

– establishing procedures to receive and respond to complaints and inquiries regarding
Personal Information; and

– developing information to explain this Code and privacy procedures.

We have also appointed our Affiliate as our Information Manager pursuant to Section 66 of
HIA. Our Office has entered into a written agreement with our Affiliate as information
manager in accordance with the HIA and its regulations, for the provision of any or all of the
services in Subsection 66(1) under HIA.

Our Office will implement policies and practices to give effect to the principles of HIA and
PIPA and its regulations, and PIPEDA, when applicable.

Identifying Purposes for Collecting Information

The purposes for which Personal Information is collected in this Office will be identified
before or at the time it is collected.

When this Office collects Personal Information we will only collect Personal Information
necessary for the purpose we identify to you before or at the time of collection.

This Office collects Personal Information that is reasonably appropriate in the
circumstances in order to fulfill the purposes disclosed by our Office and those that are
otherwise permitted under applicable laws, including for the following purposes:

– to deliver safe and efficient patient care;

– to identify and to ensure continuous high quality service;

– to assess your health needs;

– to advise you of treatment options;

– to enable us to contact you;

– to provide health care;

– to establish and maintain communication with you, including to distribute health care
information and to book and confirm appointments;

– to offer and provide treatment, care and services in relationship to the oral and
maxillofacial complex and dental care generally;

– to communicate with other treating health care providers, including specialists and general
dentists, who are the referring dentists and/or peripheral dentists;

– for teaching and demonstrating purposes on an anonymous basis;

– to allow us to efficiently follow up for treatment, care and billing;

– to complete and submit dental and health services claims for third party adjudication and
payment;

– to comply with agreements/undertakings entered into voluntarily by this Office or a Service
Provider with the College for regulatory and monitoring purposes;

– to conduct investigations, discipline proceedings, practice reviews or inspections relating
to the members of a health profession or health discipline;

– to permit potential purchasers, practice brokers or advisors to evaluate this Office,
including an audit, on a confidential basis;

– to conduct research or perform data matching or other services to facilitate another
person’s research in certain instances outlined in the HIA;

– to contact you regarding surveys relating to our business and services;

– to deliver your charts and records to insurance carriers to enable them to assess liability
and quantify damages;

– to manage patient and clients’ accounts, including invoicing, processing credit card
payments and collecting unpaid accounts;

– to communicate with insurance companies and to otherwise process requests by you;

– for internal management purposes, including planning, resource allocation, policy
development, quality improvement, monitoring, audit, evaluation, reporting, obtaining or
processing payment for health services and human resource management; and

– to comply generally with Privacy Laws and all other applicable regulatory requirements.

When Personal Information has been collected and is to be used or disclosed for a purpose
not previously identified, the new purpose will be identified prior to its use or disclosure.
Your consent will be obtained before the Personal Information will be used or disclosed for
any such new purpose.

When you sign the Patient Consent Form, you will be deemed to understand and accept
this Office’s collection, use and disclosure of your Personal Information for the specified
purposes, in each case subject to this Code and Privacy Laws.

Consent

Unless specifically permitted under the Privacy Laws, Consent is required when we are
disclosing your Personal Information to someone other than you.

Except as otherwise permitted at law, the Consent to disclose your Personal Information
must be either electronic or in writing, and must include:

– an authorization for the Custodian to disclose the Personal Information specified in the
Consent;

– the purpose for which the Personal Information may be disclosed;

– the identity of the person to whom the Personal Information may be disclosed;

– an acknowledgement that the individual providing the Consent has been made aware of
the reasons why the Personal Information is needed and the risks and benefits to the
individual of consenting or refusing to consent;

– the date the Consent is effective and the date, if any, on which the Consent expires; and

– a statement that the Consent may be revoked at any time by the individual providing it.

You may withdraw your consent upon reasonable notice to our Office.

A Consent or revocation of a Consent that is in writing must be signed by the person
providing the Consent.

A Consent or revocation of a Consent that is electronic is valid only if it is completed with
the requirements set out in the applicable Privacy Laws.

When our Office needs consent for the collection, use or disclosure of Personal Information
about a child less than 18 years of age, we may either obtain it from that child if capable, or
the parent or other lawful guardian (but not the access parent, unless such a parent has
been lawfully authorized in place of the custodial parent to make information decisions). If
there is a conflict in consent between the child, having capacity, and the parent, the capable
child’s decision prevails with respect to the consent.

Google Analytics

We use Google Analytics’ 3rd-party audience data such as age, gender, and interests to
better understand the behaviour of our customers and work with companies that collect
information about your online activities to provide advertising targeted to suit your interests
and preferences.

For example, you may see certain ads on this website or other websites because we
contract with Google and other similar companies to target our ads based on
information we or they have collected, including information that was collected through
automated means (such as cookies and web beacons).

These companies also use automated technologies to collect information when you click
on our ads, which helps track and manage the effectiveness of our marketing efforts.

You may opt out of the automated collection of information by third-party ad networks for
the purpose of delivering advertisements tailored to your interests by visiting the consumer
opt-out page for the Self-Regulatory Principles for Online Behavioural Advertising at
http://www.aboutads.info/choices/, and you may edit or opt out of your Google Display
Network ad preferences at http://www.google.com/ads/preferences/.

Remarketing

We use Remarketing to advertise our practice across the Internet.

Remarketing will display ads to you based on what parts of our website you have viewed by
placing a cookie on your web browser.

This cookie does not in any way identify you or give access to your computer or mobile
device.

The cookie is used to indicate to other websites that “This person visited a particular page,
so show them ads relating to that page.”

Remarketing allows us to tailor our marketing to better suit your needs and only display ads
that are relevant to you.

If you do not wish to see ads from us, you can opt out in several ways:

1. Opt out of Google’s use of cookies by visiting Google’s Ads Settings.

2. Opt out of a third-party vendor’s use of cookies by visiting the Network Advertising
Initiative opt-out page.

3. For opt-out information for Facebook ads, visit:
https://www.facebook.com/help/568137493302217

Limiting Use, Disclosure and Retention

Personal Information shall not be used or disclosed for purposes other than those for which
the information is collected, except with your Consent, or as required or permitted by law.

Our Office may disclose certain Personal Information in accordance with Privacy Laws.

This Office and our Affiliates may perform activities in other provinces and territories, and
outside of Canada through third party agents. You acknowledge and agree that as a result,
your Personal Information may be transferred to, processed, used, stored or accessed in
other provinces and territories, and in other countries and may be subject to the laws of
those jurisdictions. For example, Personal Information may be disclosed in response to
valid demands or requests from government authorities, courts, or law enforcement in other
countries.

We will use contractual and/or other means to provide a comparable level of protection over
your Personal Information while it is being accessed and/or processed by any such third
party. However, contractual or other measures we may use to protect your Personal
Information are subject to the legal requirements of foreign jurisdictions where your
Personal Information may be transferred, processed, used, stored or accessed.

Our Office keeps Personal Information only as long as necessary to satisfy the purposes for
which it was collected; however, some Personal Information is kept for a number of years to
comply with legal requirements. Our Office has protocols in place for the retention of
Personal Information in accordance with applicable law and with the College’s guidelines on
dental recordkeeping.

In destroying Personal Information, our Office has developed guidelines to ensure its
secure destruction in accordance with applicable law and the College’s guidelines on dental
recordkeeping.

As discussed in this Code, Personal Information may be transferred and stored outside of
Canada. We encourage you to contact the Privacy Officer should you require further
information.

Accuracy of Personal Information

This Office endeavors to ensure that your Personal Information is as accurate, complete,
and as up-to-date as necessary for the purposes that it is to be used.

The extent to which your Personal Information is accurate, complete and up-to-date will
depend upon the use of the Personal Information, while at all times taking into account the
interest of our patients.

Your Personal Information needs to be sufficiently accurate, complete and up-to-date to
minimize the possibility that inaccurate, incomplete or out-of-date Personal Information is
used to make a decision about you as our patient.

If your Personal Information changes, or if you believe the Personal Information maintained
by our Office is inaccurate, we ask that you contact our Office to have the information
updated or corrected.

Safeguards for Personal Information

Our Office staff are aware of the importance of maintaining the security and confidentiality
of your Personal Information and we have taken appropriate measures to safeguard your
Personal Information.

These safeguards are in place to protect your Personal Information against loss or theft, as
well as unauthorized access, disclosure, copying, use or modification.

Your Personal Information is protected, whether recorded on paper or electronically, and
care is used in its retention and destruction to prevent unauthorized access at all times
while in our care and control.

Safeguards are in place for the proper disposal of records to prevent any reasonably
anticipated unauthorized use or disclosure of your Personal Information or unauthorized
access to your Health Information following its disposal.

Openness about Privacy

Our Office will make readily available to you specific information about our Office policies
and practices relating to the management of Personal Information.

This information includes:

– the individuals at this Office and the Privacy Officer to whom you can direct any questions
or complaints regarding your Personal Information;

– a copy of our Patient Consent Form that explains how this Office collects, uses and
discloses your Personal Information; and

– this Code.

Patient Access to Personal Information

You have a right of access to your Personal Information, subject to specific and limited
exceptions, and a right of correction or accurate amendment of your Personal Information.
Upon written request and with reasonable notice, our Office will make every reasonable
effort to assist you and to respond to you openly, accurately and completely. In accordance
with HIA and other applicable law, our Office may refuse to disclose Personal Information to
you in certain instances.

Within 30 days of your request for a record containing health information, our Office will
make every reasonable effort to advise you whether access to your record or part of it is
granted or refused.

If access to the record or part of it is granted, our Office will advise you of where, when and
how access will be given.

If your request is refused, our Office will advise you of the reasons for refusal and the
provisions of the applicable law on which the refusal is based and the contact information of
an Affiliate who can answer your questions about the refusal. You are free to ask for a
review of our decision by the Commissioner.

Challenging Compliance

You shall be able to challenge compliance with these principles with the Office’s Privacy
Officer who is accountable within the Office for the compliance with Privacy Laws, including
HIA and PIPA by each of our Custodians.

Our Office has in place procedures to receive and respond to your complaints or inquiries.
The procedures are easily accessible and simple to use.

The Privacy Officer in our Office will investigate each and every complaint made to the
Office in writing.

If a complaint is found to be justified, the Privacy Officer will take appropriate measures,
including, if necessary, amending any office policies and practices.

Updating this Privacy and Anti-Spam Code

Any changes to our privacy standards and information handling practices will be reflected in
this Code in a timely manner. Our Office reserves the right to change, modify, add, or
remove portions of this Code at any time.

Please check this page periodically for any modifications. To determine when this Code
was last updated, please refer to the modification date at the bottom of this Code. By
providing Personal Information to this Office and/or by using our services after changes to
this Code have been made, you accept and consent to those changes.

Last revised: March, 2018

APPENDIX A
DEFINITIONS

Collection – The act of gathering, acquiring, receiving or obtaining personal information
from any source, including third party sources, by any means.

College – Alberta Dental Association and College

Commercial Electronic Message or CEM – is a message sent directly to an electronic
address (such as an email address, a phone number, an instant messaging account, or
social media account) with the purpose, or one of its purposes, of encouraging participation
in a commercial activity.

Commissioner – The Information and Privacy Commissioner of Alberta, or the Privacy
Commissioner of Canada, if applicable.

Consent – A voluntary agreement with what is being done or is being proposed to be done.
Consent can either be express or implied. Express consent may be given explicitly, either
orally or in writing.

Custodians – means a person or organization as listed in HIA that has custody or control
of Health Information.

Disclosure – Making Personal Information available to other health information custodians
or other persons.

Health Information – Identifying information about an individual, that has been written,
photographed, recorded or stored in some manner in a record, if the information relates to
diagnostic treatment and care, registration information, the physical or mental health of the
individual, a health service provided to the individual including information respecting a
health care services provider who provides a health care service to that individual, the
provisions of health care to the individual, the donation made by the individual of a body
part or bodily substance, a drug provided to the individual, a health care aid, device,
product, equipment or other item provided to the individual pursuant to a prescription or
other authorization or the amount of any benefit paid or payable in respect of a health
services provided to the individual. Included in the definition of Health Information is
personal information such as demographic information, including the individual’s personal
health number, location information, telecommunications information, residency information,
health services eligibility information and billing information.

Information Manager – means a person or body that processes, stores, retrieves or
disposes of Health Information; in accordance with the HIA regulations, strips, encodes or
otherwise transforms Health Information to create non-identifying health information; or
provides information management or information technologies services.

Member – A member of the College and includes a health professional corporation
registered with the College to practice dentistry in Alberta.

Office – The dental office operated by A. Lui Professional Corporation which
provides professional dental services comprising diagnosis, the interpretation of x-ray
radiographs produced by the Affiliate, treatment planning and intra-oral professional
services at Suite 200, 407 2nd St. SW, 2nd floor
Unit 200, Calgary, AB, T2P 2Y3

Patient – An individual about whom our Office collects Personal Information in order to
carry out prognosis, diagnosis, and treatment, including controlled acts.

Personal Information – Identifying information about an individual, and includes Health
Information. Personal Information excludes an individual’s business contact information
where the collection, use or disclosure is for the purposes of enabling the individual to be
contacted in relation to the individual’s business responsibilities and for no other purpose.

Privacy Laws – All applicable laws governing the collection, use, storage or disclosure of
personal information, including the Health Professions Act, Government Organization Act,
Regulations made under these Acts, and By-laws of the College, the Health Information Act
(HIA), the Personal Information Protection and Electronic Documents Act (if applicable), the
Personal Information Protection Act (PIPA) and An Act to promote the efficiency and
adaptability of the Canadian economy by regulating certain activities that discourage
reliance on electronic means of carrying out commercial activities, and to amend the
Canadian Radio-television and Telecommunications Commission Act, the Competition Act,
the Personal Information Protection and Electronic Documents Act and the
Telecommunications Act (CASL).

Privacy Officer – means the contact person designated in this Privacy and Anti-Spam
Code as the agent of our Office authorized on our behalf to, among other things, facilitate
our compliance with the Privacy Laws.

Service Providers – means dentists and dental professional corporations providing professional services at the Office.