The Atlantis Healthcare Group Privacy Policy

Updated January 2012

Data protection policy

Given the significant sensitivities of the information Atlantis Healthcare Group (AHG) hold as an organisation, this Data Protection Policy has been developed to ensure our commitment to information privacy is maintained to an extremely high standard, and that both national and international requirements for the privacy of information are met. Additionally, AHG has appointed Privacy Officers globally to ensure our ongoing commitment to data protection and privacy compliance issues.

AHG designs and manages patient support programmes and delivers healthcare communication services for the world’s leading pharmaceutical and wellness companies, and government public health agencies. The main business purposes for the collection of personal data in line with healthcare data protection policies include research, care and treatment, and administration. AHG’s proprietary framework for delivering patient support programmes uncovers the drivers behind compliance and loyalty and tailors support programmes to suit different patient needs.

The service begins with patient research and encompasses all aspects of programme creation and fulfilment. Given that the information held is of a sensitive nature, AHG has committed to an internal programme of data protection compliance audits combined with external audits by independent data privacy specialists. AHG are deemed to be a “health service/health agency/data controller” and are as such bound by the EU Data Protection Directive 95/46/EC and the privacy legislation of the countries in which Atlantis Healthcare operates, specifically as they relate to health or sensitive information. AHG data processing takes into consideration the rights of all data subjects (individuals concerned) managed by the organisation as data controller.

The rights of data subjects are managed to prevent damage or distress, to prevent processing for purposes of direct marketing upon the data subject's request, to prevent automated decision making where the decision significantly affects the individual, and to ensure the data subject has the ability to rectify, block, erase or destroy personal data held. The requirements of all relevant pieces of legislation and best practice guidelines have been referenced in formulating this Data Protection Policy.

Collection, Source, Manner, Fairness and Lawful Processing

Three key categories and sources of personal information exist within AHG. The first is a database of the names and contact details of the medical/health professionals working within the markets in which we operate. This information is collected for the purpose of government agency, pharmaceutical or wellness product communication and research.

This information is sourced either through publicly available sources or directly from the individual concerned.

The second category is patient and/or other consumer information collected for the purpose of enrolment in a particular patient support or loyalty programme; personal data related to a contracted service for healthcare companies; or information collected for the purpose of carrying out research studies by AHG Health Psychologists. In these cases the information is collected directly from the patient or consumer by way of completion of a detailed opt-in patient support or enrolment/loyalty application form, or over the phone, whereby scripting follows privacy collection legislation. All research conducted follows the appropriate guidelines and approval processes developed for health and medical research in New Zealand, Australia or the United Kingdom.

The third category is employee information collected from the employee over the course of their employment with AHG.

AHG policies ensure all information is collected lawfully, professionally and as unobtrusively as possible.

Use and Disclosure

All information held by AHG is collected for the purpose disclosed at the time of collection.

It is used solely for that purpose and is not disclosed to anyone externally except in the restricted circumstances covered by the relevant legislation in each specific country.

Accuracy – Data Quality and Integrity

All AHG offices are required to implement Data Quality Assurance Programmes which have a cross check measure in place to validate accuracy. Quality Assurance reports detailing any discrepancies and/or error rates are reported on monthly by each applicable business unit.

Access, Correction and Deletion

Any individual included on an AHG or AHG client hosted database has the right to access, correct, and suppress any information that is included on the database.

To ensure that individuals have access to information hosted, AHG provides communication channels to a senior team member via telephony, post or email services to confirm whether details are included on a database, request copies of the information held, or request that the information be corrected or suppressed.

Information disclosed to the data subject is in accordance with the EU Data Protection Directive 95/46/EC and the relevant country privacy legislation, whichever is applicable.

AHG as an organisation is committed to ensuring that data subject queries are responded to in a prompt and efficient manner. AHG target a maximum of 5 working days turnaround. Where a response is not readily available, an AHG representative will inform the inquirer of its availability.

Storage, Security and Retention

Technology and operational security is in place to protect personally identifiable information from loss, misuse, alteration, or destruction. Access to the servers hosting the sensitive information is restricted from external tampering through a firewall application provided by an external supplier.


Internal access to the AHG computer network is restricted to those employees and/or contractors who require access for the information’s intended purpose through logon and password access. Access is monitored through AHG’s software and access register.

Full information security procedures are documented in AHG's Information Security Policy.

Physical access to the premises where the databases are hosted is restricted via measures such as swipe key entry where applicable, visitor badges, and tightly managed approved and authorised access levels to the AHG computer network.

To secure and maintain internal commitment to the data protection policy, all employees are required to complete the AHG internal privacy training programme, and all Employment and Independent Contractor Agreements include a mandatory clause specifying an obligatory and contractual understanding of and adherence to the requirements of the relevant privacy legislation.

Retention

Information no longer required for its original purpose is managed in line with internal procedures and as contractually specified by our clients. Storage requirements vary from three months to seven years depending on the classification of the information and the requirements of our clients. Confidential information specialists handle information requiring destruction. Further details are outlined in AHG’s Information Security Policy.

Openness

The law requires health service providers to be open about how they handle health information. However, unique identifiers are only assigned to an individual if absolutely necessary in fulfilment of AHG's functions. AHG’s Data Protection Policy is readily and openly available, its purpose being to provide a clear explanation as to how the organisation collects and processes health information.

Unique Identifiers

AHG may use unique identifiers to assist in the management and maintenance of the databases held. Under no circumstances is one unique identifier assigned across multiple databases allowing a comprehensive and sensitive data profile to be built.

Anonymity

Where privacy law states that it is lawful and practicable, consumers must be given the option to use health services without identifying themselves. Where possible AHG has systems allowing for patients to enrol into a patient support programme anonymously.

Transborder Data Flows

In some circumstances patient information is transferred between AHG offices to effectively utilize the available skills and expertise of the global team. International data transfer policy is engaged in each country of operation to ensure adherence to data protection legislation.

Where necessary the specifics of the data transfer process are discussed with and approved by the client organisation and / or the Information Asset owner. AHNZ as a data processor holds the legal data transfer agreement to be compliant with international policy whenever necessary.

Any AHG data transferred externally between offices must follow the strict data transmission procedures detailed in the group’s Information Security Policy.

Notifications of data controllers

Any AHG data transferred externally between offices must follow the strict data transmission procedures detailed in the group’s Information Security Policy.



Privacy Statement

This Privacy Policy has been developed by AHG in consultation with external consultants, and in adherence to the requirements of the EU Data Protection Directive 95/46/EC and the privacy legislation of the countries in which Atlantis Healthcare operates.

Where there is a conflict between this Privacy Policy and the applicable legislation then the applicable legislation shall prevail.

It has been developed to assist the organisation in ensuring that full and auditable processes are in place to comply with privacy requirements. As part of the organisation’s on-going commitment to the privacy of information, AHG reserves the right to modify or amend this Privacy Policy at any time.

This Privacy Policy is not intended to create a contract or agreement between AHG and any client, individual, or organisation.



Technology Statement

Atlantis Healthcare utilises a range of enterprise class security systems and policies to protect the company’s information, computing assets and its customers.

Our data and web-based systems are hosted on secure server environments that include advanced technologies to prevent interference or access from outside intruders.

These security systems are supported by comprehensive policies and procedures to produce an infrastructure that complies with the EU Data Protection Directive 95/46/EC and the specific country privacy legislation. These enterprise level security principles safeguard the following:

  • Availability; to ensure that the information and related computing assets are available to users when required.
  • Integrity; to safeguard the accuracy and completeness of authorised information and computer software.
  • Confidentiality; to prevent the unauthorised disclosure or distribution of sensitive information.

Atlantis Healthcare implements a comprehensive set of “data transmission” policies and infrastructure.

To prevent the risk of intercepted data being compromised, to remove the risk of unauthorised modification of data, and to ensure access to information, we have put in place appropriate physical, electronic, and managerial procedures to protect the information we transmit online.

Our policies and technologies cover the secure transmission of data via:

  • Email
  • 3rd party integration with Atlantis Healthcare system
  • Online data storage
  • Global transmission between Atlantis Healthcare offices.



Privacy Contacts

AHG has appointed Privacy Officers/Officials in each location to ensure that all relevant privacy requirements, for example, the EU Data Protection Directive 95/46/EC, the NZ Privacy Act 1993 and Health Information Privacy Code 1994, the Australian Federal Privacy Act 1988, the UK Data Protection Act 1998, the German Bundesdatenschutzgesetz (BDSG), Spanish Law 15/1999 on the Protection of Personal Data (LOPD: Ley Organica 15/99 de 13 de Diciembre 1999 de Proteccion de Datos de Caracter Personal), and the US Health Insurance Portability and Accountability Act of 1996 (HIPAA) are met. Requests for information should be sent to the following contacts:

New Zealand

Rowhan Kelly
The Privacy Officer
Atlantis Healthcare
7 St Benedicts Street
Newton
Auckland 1001
New Zealand
Telephone +64 9 363 4838
Facsimile +64 9 363 4898

Australia

Paul Harris
The Privacy Officer
Atlantis Healthcare Australia Pty Ltd
A10/20 McEvoy Street
Waterloo
Sydney NSW 2017
Australia
Telephone +61 2 8396 9200
Facsimile +61 2 8396 9201

United Kingdom

Andrew Clement
The Privacy Officer
Atlantis Healthcare UK Limited
2nd Floor Building 5 Chiswick Park
556 Chiswick High Road
London W4 5YA
United Kingdom
Telephone + 44 208 7476761
Facsimile + 44 207 1173827

United States

Anna Calvert
The Privacy Official
Atlantis Healthcare US
15 Maple Street
Summit
NJ 07901
United States
Telephone + 01 877 859 2515

Germany

Marianne Gries
The Privacy Officer
Atlantis Healthcare Deutschland GmbH
Liebigstrasse 53
60323 Frankfurt-Main
Germany
Telephone +49 69 2197 660

Spain

Ana Maria Arboleda
The Privacy Officer
Atlantis Healthcare ES
Calle Musgo 2 
28230 Aravaca, Madrid
Spain

Group Privacy Officer

Dirk Henning Lenz
Atlantis Healthcare Deutschland GmbH
Liebigstrasse 53
60323 Frankfurt-Main
Germany

Telephone +49 69 2197 66350

To contact the relevant Information Privacy Authority, the details are:

New Zealand

The Privacy Commissioner
PO Box 10-094
The Terrace
Wellington 6143

Enquiries:
+64 4 474 7595 or 0800 803 909

Australia

Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001

OR

GPO Box 2999
Canberra ACT 2601

Enquiries:
+61 1300 363992

United Kingdom

The Information Commissioner’s Office
Wycliffe House
Water Lane Wilmslow
Cheshire SK9 5AF

Enquiries:
+44 303 123 1113 or +44 1625 54 57 45

Spain

Agencia Espanola de Proteccion de Datos
C/ Jorge Juan, 6
28001-Madrid

Enquiries:
+34 901 100 099 or +34 91.266.35.17

United States

Headquarters 
Leon Rodriguez, Director 
Office for Civil Rights (OCR)
U.S. Department of Health and Human Services

200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201

[Please select one of the 10 responsible Regional Offices under http://www.hhs.gov/ocr/office/about/rgn-hqaddresses.html]


Germany

Datenschutzbeauftragter
Datenschutz und IT-Sicherheit
Lutherstrasse 36
63329 Egelsbach

Enquiries:
Herr Michael Stalla
+49 6103 733 4417, Mobile + 49 178 693 2351
www.stalla-datenshutz.de


AHG’s policy states that a privacy-related information inquiry must be actioned within five days. This is extended for requests across regional boundaries. Should there be delays in the request being processed, AHG will notify the inquirer (via email) of the request status, action taken and expected time delay.

Individual Details Amendment/ Suppression Request

1. Ask individual to confirm identity by asking for a minimum of four identifying details, e.g. Name, Address, Date of Birth and a contact number.
2. Capture individual information on Customer Database Details Amendment / Suppression Request Form.
3. Read this information back to individual to get verbal confirmation that details are correct.
4. These details must match information held on Connect to proceed.
5. Pass individual request form to appropriate internal resource for identification and amendment or suppression.
6. Archive individual request form for a 12-month period.
7. Send confirmation of action letter to customer.

Individual Information Only Request

1. Ask individual to confirm identity by asking for a minimum of four identifying details, e.g. Name, Address, Date of Birth and a contact number.
2. Read this information back to individual to get verbal confirmation that details are correct.
3. These details must match information held on Connect to proceed.
4. Pass individual request form to appropriate internal resource to access customer file.
5. Produce report on requested information details held by Atlantis Healthcare.
6. Send confirmation of action letter to individual with copy of personal information report.