Last updated October 19, 2023
Think Research Corporation and its subsidiaries (“TRC”, “Think Research”, “us”, “we” or “our”), provide knowledge-based digital health software solutions which support clinical decision-making processes, standardize care, and facilitate better health care outcomes. Our customers typically include enterprise clients, hospitals, regional health agencies, healthcare professionals, and/or governments. Primary care, acute care, and long-term care doctors, nurses and pharmacists rely on our solutions to support their practices.
In offering these various products and services to clients and end users in dozens of countries around the world, Think Research Collects, Uses, and Discloses Personally Identifiable Information (PII) through a variety of channels, and our conduct is governed by Privacy and/or data protection legislation in each of those regions. This is a complex set of obligations and Think Research takes individuals’ Privacy and the Security of their PII very seriously.
This policy establishes Think Research’s core commitments around the Collection, Use and Disclosure of PII, regardless of line of business or jurisdiction. Specific offerings or services may have additional requirements that apply in a particular context, but this policy establishes our baseline position. All Think Research employees, contractors and suppliers must comply with this policy. If this policy conflicts with another policy in the organization, this policy will prevail. If this policy conflicts with Applicable Legislation in a given circumstance, the legislation will prevail.
Anyone having questions or concerns about this policy or the compliance of our practices, is encouraged to contact us using the details provided in Section 4 below.
For the purposes of this policy, and the Privacy Program at Think Research, the following will be the standard definitions for the listed terms. Where defined terms are used in this policy, they are capitalized.
Applicable Legislation – means (all) Privacy and/or data protection legislation that may apply in a particular circumstance (e.g. PIPEDA within Canada, HIPAA within the United States, the GDPR within the UK/EU, etc.)
Collect – in this context, means to request and/or receive PII (whether from the data subject or a third party), other than as may be excepted under Applicable Legislation.
Confidential Information (CI) – means information that must be protected from unauthorized access, for any of a variety of reasons (e.g. trade secrets), and includes PII.
Consent – refers to an individual’s agreement (or that of their substitute decision-maker, if any) to a proposed course of action concerning the handling of their PII. Note that Consent may be explicit or implied, depending on the circumstance.
Controller – is an entity that has legal control (if not custody) of a quantity of PII, and determines the Purposes and means of its Processing.
Disclose – in this context, means to provide a quantity of PII to a third party (i.e. other than the data subject), other than as may be excepted under Applicable Legislation.
Employee Personal Information (EPI) – means employment-related information about an identifiable individual (e.g. a staff member’s salary).
Personal Health Information (PHI) – means healthcare-related information about an identifiable individual (e.g. a patient’s or study participant’s blood type).
Personally Identifiable Information (PII) – means information about an identifiable individual (e.g. a customer), and includes PHI, SPI and EPI.
(Data) Privacy – refers to an individual’s control over how PII about them may be Collected, Used, Disclosed, or otherwise handled.
Process(ing) – refers to the Collection, Use, Disclosure, and/or general handling of PII, whether by a Controller or a Processor.
Processor – a contracted third party, who Processes PII on behalf of, and in accordance with, the instructions of another party, whether that party is a Controller, or a Processor themselves.
Purposes – in this context, means the identified reasons for which some quantity of PII is being requested/Collected, including its intended Use(s); which inform an individual’s Consent decision(s).
Security – with regard to protecting valuable assets like electronic information systems or data, is the means of achieving an acceptable level of residual risk to those assets.
Sensitive Personal Information (SPI) – means information about an identifiable individual that is of an especially sensitive nature (e.g. PII relating to children, gender identity, sexuality, religious or philosophical beliefs, ethnicity, political affiliation, etc.), as may be defined in Applicable Legislation.
Sub-processor – see Processor.
Use – in this context, means to Process PII for some Purpose, other than as may be excepted under Applicable Legislation.
As a Canadian company, Think Research’s Privacy compliance practices are based on the Canadian Standards Association’s “ten fair information principles” (CAN/CSA-Q830-96). However, with operations, clients and end users in over fifty countries around the world, our framework has necessarily expanded to account for additional obligations in those other jurisdictions (e.g. under the General Data Protection Regulations [GDPR] of the European Union and the United Kingdom, or the Health Insurance Portability and Accountability Act [HIPAA] of the United States, etc.) as follows…
Think Research is accountable for the PII in its custody and/or control. It has appointed a Privacy Officer, who is accountable for the corporate compliance program and its alignment with all sources of Privacy-related obligations (e.g. legislation, business agreements, or applicable Consents).
Note that in providing its services and products, Think Research’s roles and obligations with respect to any involved PII may vary:
- In offering some of our services (e.g. MDBriefcase), where we may have a direct relationship with individuals, Think Research is directly accountable for the PII in our care. (i.e. we may be a Custodian, Trustee, Controller or Covered Entity, as those terms are defined in various laws); or
- In other circumstances (e.g. our Digital Front Door offering), Think Research may be responsible for Processing PII on behalf of, and at the direction of, a client organization (i.e. we may be the client’s Agent, Processor, Sub-processor, or Business Associate, as those terms are defined in various laws); and
- In some very specific circumstances, we may have additional roles and responsibilities under Applicable Legislation, given the nature of a service or product being offered (e.g. as an Electronic Service Provider, or Health Information Network Provider, as those terms are defined in various laws).
In Collecting, Using or Disclosing PII, Think Research does so under one or more legal bases, depending on the services, circumstances, and Applicable Legislation:
- Most often with the Consent of the individual, whether explicit or implied. Note that in some circumstances, where Think Research operates as a Sub-processor on behalf of our clients’ interests, the client may have Collected any required Consents;
- We may handle PII further to the terms of a business agreement with a client, who may have provided the PII, or authorized us to Collect it on their behalf;
- In some circumstances, we may have a legal obligation to Process PII in a particular way, including Disclosure to third parties (e.g. mandatory reporting of some diseases to public health authorities);
- In rare circumstances, to protect the vital interests of an individual or group of individuals (i.e. to mitigate a reasonable risk of harm);
- Further to our organization’s legitimate interests, related to our business and the Purposes for which PII was Collected, or for a consistent Purpose.
Data Collection Purposes and Limits
As mentioned above, Think Research offers several products and services to clients and individuals around the world. As a result, there are a variety of data flows, by which we acquire custody and/or control of PII:
- In some of our service facilities, we provide healthcare directly to patients, and so Collect or produce health-related details related to those individuals;
- During research studies, from the involved subjects/volunteers/participants;
- Several of our offerings are delivered via the Internet, so PII is regularly Collected via websites, and web or cloud-based platforms in various business units;
- Via similar web and software components that we run on behalf of our clients;
- Via e-mail, the telephone, secure document sharing, and during live video chats;
- In common circumstances, directly from our business clients.
Where Think Research Collects PII directly from individuals, it identifies the Purposes for the Collection, at or before the time of Collection, it does so by fair and lawful means, and limits the Collection to that data which is required for the Purposes identified by the organization or the involved client. In other circumstances, where we are acting on behalf of a client organization, the identification of Purposes for Collection, and the gathering of any required Consents, may be handled by the client.
In the course of providing our services (note: specific practices may vary by service and/or region), we may Collect and/or Use the following types of information for the following Purposes:
|A name, username, employee number or similar identifier, marital status, date of birth, race/ethnicity and gender.
|Billing addresses, postal addresses, email addresses and telephone numbers.
|Job Applicant Information
|Résumés, cover letters, reference letters, employment history and interests.
|Employee Personal Information
|Job title, place of work, hire date, employment history, salary, work address, SIN/SSN, family details, benefits-related information.
|Personal Interaction Information
|Telephone recordings and transcripts, records of communications (such as emails, letters, online chat, etc.).
|Digital Interaction Information
|Geolocation data, IP address, login data, platform access credentials (e.g. user ID’s, passwords, PIN’s), browser type and version, time zone setting and location, browser plug-in types and versions, operating system, type of device used and other technologies related to the devices used to access our websites and/or our apps.
|Banking information, email addresses linked to electronic transfers, employee salary and payment information.
|Details about payments to and from individuals, and other details of products and services that they have purchased from us, including customer account numbers.
|Details about completed online courses or test scores.
|Personal Health Information
Details about: patient demographics; health history; risk factors; medications and treatments; medication error data; laboratory results; health card number; health insurance information; clinical notes; care elements; photographs and other images; family history; problem lists; allergies and adverse reactions; immunizations; appointments; reports received; research study data; alerts and/or special needs; prescriptions.
Note that the list above is not exhaustive, but generally describes the sorts of Personal Health Information that we might Collect across our various service offerings.
Note: Personal Health Information (PHI) Collected for the Purpose of providing one service will not be Used or Disclosed for the Purpose of providing any other service. Although some PHI may be Used by Think Research in data analytics, it will not be Disclosed in a way that allows identification of any individual.
|Weight, height, body mass index, waist circumference, cholesterol, lipoprotein, triglycerides, glucose and blood pressure readings, sleep patterns or other similar information provided through connected devices or through completed assessments.
Note that Think Research operates several services and solutions that are typically integrated within a client’s web-based platform or program. In these cases, Think Research takes on the role of Processor to the clients’ Controller role (or equivalent terms, under the governing legislation), in which case, all Collection, Use or Disclosure of PII by Think Research is on behalf of, and at the direction of, the client, for their Purposes.
Limiting Use, Disclosure, and Retention
Unless an individual Consents otherwise, or as may be permitted or required by law, Think Research will only Use and Disclose PII for the Purposes for which it was Collected, and will only retain it for as long as required to serve those Purposes.
The specifics of any Collection and Use of individuals’ PII will vary somewhat, depending on which Think Research products or services are involved, and which details of PII are provided to us. In any case, we may Use PII in the following ways:
- For the Purposes that are identified to the individual before or at the time the information is Collected (e.g. as on a related Consent form);
- To provide services, whether directly to individuals or on behalf of a client;
- To verify or authenticate an individual’s identity (e.g. when visiting one of our websites);
- To manage accounts and provide support when an individual contacts our Service Centres;
- To plan, evaluate and monitor the services we provide;
- For research and quality improvement activities (such as sending patient satisfaction surveys), or statistical analysis;
- To generate de-identified, aggregated, or anonymized information that does not reveal anyone’s identity. Think Research Uses this information to conduct research, compile aggregate data sets, statistics, and reports, and to perform analytics on our services, service standards, business operations, and trends;
- To improve customer service – Information provided to us by individuals helps us respond to customer service requests and support their needs more efficiently;
- To personalize user experiences – We may Use aggregate information to better understand how our users as a group use the services and resources provided on our sites;
- To improve our websites – We may Use customer feedback to improve our products and services;
- As may be otherwise permitted or required by law.
Think Research may share PII:
- With other Think Research entities in order to effectively provide our services, including for internal management and administrative Purposes;
- With third party service providers who are required (by agreement) to keep PII confidential and secure, and are restricted from Using or Disclosing the information for reasons other than performing services on our behalf or to comply with legal requirements;
- With third parties and partners in the event of a potential merger or acquisition, transfer of assets, reorganization, or bankruptcy. These parties are also required to keep PII confidential and secure and are restricted in their Use of information to this Purpose;
- With government, regulatory and law enforcement agencies to meet our compliance, regulatory, and risk management obligations;
- With the general public and/or other users when an individual posts or shares comments, blog postings, testimonials, or other similar information in public or user discussion forums on our technology platforms;
- With sponsoring organizations, with express or implied Consent (where this is permitted by law) or if we are required to do so by law;
- With other parties to reduce or eliminate a reasonable risk of significant harm to a person or group of persons;
- For the Purpose of carrying out an investigation, or as a result of a court order, warrant, subpoena or summons; and/or
- As may be permitted or required by law.
Think Research does not sell, trade, lease or rent individuals’ PII to others. We may share aggregated information regarding visitors and users with our business partners, trusted affiliates and advertisers for the Purposes outlined above. We may use third party service providers to help us operate our business and our sites, or administer activities on our behalf, such as sending out newsletters or surveys. We may share PII with these third parties for those limited Purposes.
We may share de-identified and/or aggregated information with our clients for reporting Purposes, including usage of our services, and with third party service providers for use in creating marketing materials, case studies and statistical analyses. This allows Think Research, its clients and our respective third party service providers to understand how we are performing, or develop relevant products, services or offers.
Think Research only retains PII for as long as may be reasonably necessary to provide our services, meet our contractual obligations with clients, comply with legal requirements, and/or resolve disputes.
To determine the appropriate retention period for PII, we consider the amount, nature, and sensitivity of the PII, the Purposes for which it was Collected, whether we can achieve those Purposes through other means, and the applicable contractual, legal and/or regulatory requirements.
When we, or a client organization, no longer require a quantity of PII, it is either securely destroyed, deleted, or de-identified.
Think Research strives to keep PII in its custody and/or control as accurate, complete, and up-to-date as is necessary, in order to fulfill the Purposes for which it was originally Collected, and is to be Used.
Data Security and Safeguards
Think Research has implemented physical, technological, organizational, and contractual safeguards, appropriate to the sensitivity of PII in our custody and/or control, to protect it from unauthorized access, Use or Disclosure.
We employ industry-standard controls to protect PII, including physical access controls, internet firewalls, intrusion detection and network monitoring.
Think Research accepts and responds to questions, concerns or challenges about its policies and practices relating to the handling of PII. To submit a question or concern, please contact the Privacy Office using the details in Section 4 below.
Data Subject Rights
Upon request, an individual may exercise any of a number of “rights” regarding the existence, Use, and Disclosure of their PII. Individuals can gain access to records, challenge the accuracy and completeness of their information, have it amended as appropriate, and other options, as described below. Note that specific rights may vary from region to region, under Applicable Legislation.
Individuals seeking to exercise these rights should contact the program or service of interest, to initiate their request via the applicable process. If they cannot find the appropriate contact information for the program or service, they may contact the corporate Privacy Office using the details in Section 4 (below) to facilitate or redirect their request.
Accessing Your Information
When requested in writing, Think Research will inform individuals of the existence, Uses, and any Disclosures of records of their PII, that we maintain, and provide access to copies of the information, and/or disclose it in common, machine-readable formats. In some rare cases, Think Research may not be able to provide individuals with all of the information that they request, depending on prescribed circumstances. In producing copies of records for requesting individuals, some business units may charge a nominal fee.
Correcting Your Information
Think Research will make reasonable efforts to keep PII accurate and up to date. If a change or correction is required (e.g. a change of address), individuals should let us know right away. We will make appropriate updates needed to keep records accurate and individuals can review their PII by looking at the correspondence we send to them, through their online accounts with us, or by requesting access to their PII, as described above.
Note that the right to correction is not absolute, and practices will vary somewhat by context and business unit. Where a correction cannot be fully accommodated (e.g. changes to clinical notes), individuals can have a statement of disagreement about the data included in their files.
Other Data Subject Rights
Depending on the country or jurisdiction in which they live, individuals may have additional rights in relation to their PII, including:
- Right to delete. Individuals may have the right to request the deletion of their PII upon the withdrawal of their Consent for us to Process such information, or other circumstances provided under Applicable Legislation, provided that such data no longer needs to be Processed by us to fulfil our legal and regulatory obligations. Note that this “right to be forgotten”, is not absolute, as in some circumstances the retention of PII (particularly in a clinical context) is a legal requirement.
- Right to restrict, object to, or opt out of Processing. Individuals may have the right to specify that we restrict the Processing of their PII in various ways, or object to what may be seen as an excessive Collection of PII.
- Right to data portability. Individuals may have the right to request that we provide them with copies of their PII in a structured, commonly used, and machine-readable format and a right to request that we transfer such information to another party.
- Right to be free from automated decision-making or profiling. Individuals may have the right to request that we process their information manually, without any decision-making or profiling being conducted by automated, digital solutions.
- Right to lodge a complaint. Individuals may have the right to lodge a complaint with the relevant regulatory authority about the way that we have handled their PII (see Section 3.9 below).
Note for data subjects in France: under French law, individuals also have a right to define guidelines relating to the fate of their personal data in the event of their death.
Note for data subjects in the United States: under some states’ consumer privacy laws, individuals also have a private right of action and/or a right to opt in for sensitive data processing.
An individual is free to challenge Think Research’s compliance with these principles. Their challenge should be in writing, and addressed to our Privacy Office (see contact details in Section 4 below).
Please note that in responding to such communications, we may need to confirm the individual’s identity, request additional details about them, and/or work with other Think Research departments to respond to them fully, or to properly investigate their concern or complaint.
If our response to a challenge is not satisfactory, individuals in most jurisdictions have the option of escalating their concern to the local regulatory authority. If assistance is needed in identifying the correct oversight body, please send a request to our Privacy Office (see Section 4 below) and they will provide assistance.
Think Research is a global organization with affiliates, partners and subcontractors located in several countries around the world. To provide our services, Think Research may transfer PII across national or regional borders to other Think Research entities, affiliates or service providers working on our behalf in compliance with Applicable Legislation. For some services or platforms, we are able to accommodate client organizations’ data residency preferences, in that in-scope PII will not leave the country of origin, or be accessed from outside of that region.
Examples of countries that we may transfer PII to and/or exchange PII with, include, but are not limited to: Australia, Canada, New Zealand, the Republic of Ireland, the United Kingdom and the United States of America. When PII is transferred outside of a country, we take appropriate measures to ensure an equivalent standard of protection under Applicable Legislation. We will also obtain an individual’s Consent where this is required under Applicable Legislation, before such transfers occur.
In particular, for transfers of PII from the European Union (EU) or the United Kingdom (UK), we rely on adequacy decisions from the EU Commission, UK adequacy regulations, the use of standard contractual clauses approved by applicable supervisory bodies, or other appropriate transfer mechanisms.
Individuals that may have questions or concerns about this policy or Think Research’s handling of their PII, should contact our Privacy Office using the following details…
Contact us by regular mail at:
Think Research Corporation
Attn: Privacy Office
199 Bay Street, Suite 4000
Toronto, Ontario, Canada
or by electronic mail at:
With respect to the General Data Protection Regulations of the EU and the UK:
- Our Data Protection Officer is Patrick Kenny, in Toronto, Ontario, Canada, who can be reached using the contact details above;
- Our EU Representative is Chris Collenette, in Ireland, who can be reached by e-mail at the address above, or by regular mail at:
5th Floor Rear, Connaught House, 1 Burlington Road, Dublin 4
- Our UK Representative is Dr. Christine Smith, in England, who can be reached by e-mail at the address above, or by regular mail at:
Department 849, 196 High Road
London, England, N22 8HH
Please note that in responding to such communications, we may need to confirm the individual’s identity, request additional details about them, and/or work with other Think Research departments to respond to them fully, or to properly investigate their concern or complaint.
This Policy is subject to change, for example to comply with evolving legal requirements or to meet changing business needs. If we make any updates, we will post them on this page and revise the ‘Effective Date’. We encourage individuals to check this page from time to time, for any changes to our policy, so that they may stay informed about how we protect their Privacy and the PII in our custody and/or control.
Version Control Log
|Privacy, Security & Risk Committee
|May 15, 2023
|Updates and edits, to incorporate new regions and subsidiaries.
|Privacy, Security & Risk Committee
|October 19, 2023
BioPharma Cookies Policy
This Cookies Policy describes the different types of cookies and similar technologies that may be applied by BioPharma Services Inc. (BPSI).
We may change this Cookies Policy at any time in order to reflect, for example, changes to the cookies we use or for other operational, legal or regulatory reasons. If you have questions regarding this Cookies Policy should be sent by email or by writing to us using the contact details set out at the end of this policy.
What is a Cookie?
Cookies are a standard feature of websites that allow us to store small amounts of data on your computer about your visit to a Site. Cookies help us to learn which areas of a Site are useful and which areas need improvement. Cookies also improve your experience by, for example, remembering your preferences.
You can choose whether to accept cookies by changing the settings on your browser. However, if you disable this function, your experience on the site may be diminished and some features will not work as intended depending upon which cookies are disabled.
Our Sites uses both 1st party cookies (which are set by the Site being visited) and 3rd party cookies (which are set by a server located outside the domain of a Site). We use 1st party and 3rd party cookies for several reasons. Some cookies are required for technical reasons in order for the Sites to operate, and we refer to these as “strictly necessary” cookies. Some cookies allow us to count visits and traffic sources so we can measure and improve the performance of our Sites, and we refer to these as “Performance” cookies. Some cookies enable us to provide enhanced functionality and personalization on the Sites and we refer to these as “Functional” cookies. Finally, some cookies enable us and our partners to serve targeted advertisements and we refer to these as “Targeting” cookies.
What Cookies Do We Use?
Strictly Necessary Cookies.
These cookies enable you to navigate the Sites and to use their services and features. These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not work. These cookies do not store any personally identifiable information.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our Sites. They help us to know which pages are popular and see how visitors move around the Sites. If you do not allow these cookies, we will be less able to optimize the Sites’ performance. All information these cookies collect is aggregated and anonymous.
These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies some services may not function properly. These cookies do not directly store personal information, but are based on uniquely identifying your browser and internet device.
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant advertisements on other sites. If you do not allow these cookies, you will experience less targeted advertising. These cookies do not directly store personal information, but are based on uniquely identifying your browser and internet device.
Cookies are not the only way to recognize or track visitors to a website. We may use other, similar technologies from time to time, like web beacons (sometimes called “tracking pixels” or “clear gifs”). These are tiny graphics files that contain a unique identifier that enable us to recognize when someone has visited our Sites or opened an e-mail that we have sent them. This allows us, for example, to monitor the traffic patterns of users from one page within our Sites to another, to deliver or communicate with cookies, to understand whether you have come to our Sites from an online advertisement displayed on a third-party website, to improve site performance, and to measure the success of e-mail marketing campaigns. In many instances, these technologies are reliant on cookies to function properly, and so declining cookies will impair their functioning.
Social Media Features
Targeted Online and Mobile Advertising
How Do I Manage Cookies?
In addition to the options provided above, you have the right to refuse or accept cookies from the Sites at any time by activating settings on your browser. Information about the procedure to follow in order to enable or disable cookies can be found on your Internet browser provider’s website via your help screen. You may wish to refer to http://www.allaboutcookies.org/manage-cookies/index.html for information on commonly used browsers. Please be aware that if cookies are disabled, not all features of the Sites may operate as intended.
If you want to clear all cookies left behind by the websites you have visited, here are links where you can download three programs that clean out tracking cookies: