1. GENERAL PRINCIPLE
- Definitions and Interpretation
- Collection and Use of Personal Information
- Sharing of Personal Information Collected
- Accessing, Correcting and Deleting Personal Information
- Security Measures Implemented
- Storage of Personal Information
- Third-Party Websites
- Contacting PREHOS
- Application means PREHOS’ mobile application compatible with various electronic devices, such as smartphones and tablets.
- Authorized User means the entities offering prehospital care to Patients and which have concluded a software as a service subscription agreement with PREHOS, including any of their respective directors, officers, employees, agents and other representative having access to the Services such as authorized administrative staff.
- Authorized User Website Access means PREHOS’ web interface available at a specific URL created for and to the exclusive use of any Authorized User and each of its own user.
- Cookies designates the small text files that are placed on the hard disk of devices as applicable when someone uses the Services or accesses the Public Website, which may either be temporary and disappear when such devices are turned off or be permanent and stay even after such devices are turned off.
- De-Identified Information means Personal Information from which the name or other identifier has been removed, so that it can no longer be linked to an individual.
- Other Forms of Technologies means web storage supporting persistent data storage and behaving similarly to persistent cookies and session cookies respectively.
- Patients means the individuals to whom the Authorized User provide prehospital care.
- Personal Information means any information about an identifiable individual, including but not limited to contact information, address, e-mail address, photo or video and Internet Protocol address, as well as Patients’ health information as may be collected by any Authorized User.
- PREHOS designates Prehos inc., a corporation dully constituted under the Business Corporations Act (Quebec), CQLR c. S-31.1.
- PREHOS Partners designates the business partners involved in, collaborating with or otherwise assisting PREHOS in the development or provision of the Services, such as, but not limited to: (i) universities, governments, ambulance services and other businesses in the field of prehospital care, (ii) Google Maps and its road data, which enable PREHOS to offer and optimize its dispatching operations, and (iii) cloud providers such as Google Cloud and Microsoft Azure, providing servers location and cloud computing platforms for the storage of various information (including Personal Information).
- Services means PREHOS’ e-services, namely: (i) the intelligent technological dispatch, fleet and material solutions; (ii) the fleet and material equipment management solutions; (iii) the electronic health record solutions; and (iv) the analytics management solutions, all of which are provided via the Authorized User Website Access or via the Application, both accessible after the conclusion of a software as a service agreement with PREHOS.
- Visitor means any person browsing on the Public Website.
- Public Website means PREHOS’ website available at https://prehos.com/ or any other URL, as may be applicable from time to time.
2.2 Unless the context requires otherwise: (i) grammatical variations of any term defined herein have a similar meaning; and (ii) words importing the singular number shall include the plural and words importing the masculine gender shall include the feminine and neutral genders and vice versa.
3.1 Information obtained directly from the Authorized User
3.1.1 Request a free demo
Should a new Authorized User wish to request a demo of the Services via the Public Website, the designated representative of the Authorized User (the “Super User”) will be required to disclose his/her first and last name, profession, organization, organization address and e-mail address. Such information is required to allow PREHOS to authenticate that Super User and to contact him/her to eventually create temporary accounts accessible via the Authorized User Website Access or the Application and provide the new Authorized User with such demo. The application form also includes a section where the Super User could disclose any additional information as he/she deems desirable.
3.1.2 Purchase of Services
In order to subscribe to the Services online, the Authorized User could:
- contact PREHOS via the Public Website, in which case the Super User will be required to disclose his/her first and last name, profession, organization, organization address, phone number and e-mail address. Such information is required to allow PREHOS to authenticate the Super User, proceed with the registration process and contact the Super User to eventually create accounts accessible via the Authorized User Website Access and provide the Authorized User with the requested Services. During that process, the Super User could also disclose any additional information, including personal information for review by PREHOS, he/she wishes to submit to PREHOS; or
- download the Application via PREHOS mobile device management system in accordance with the instructions given by PREHOS in this regard.
Once the Services are purchased or the Application downloaded, the user accounts of the Authorized User will need to be created.
3.1.3 Creation of online accounts
User accounts will need to be created in order for the Authorized User to use the Services. In this regard, PREHOS will configure and open the number of accounts required by the Super User.
In order to create such user accounts, the Super User will be required to disclose to PREHOS the following Personal Information: name and surname of each user of the Authorized User, their e-mail address and staff unique identifier (such as OASIS unique identifier or certificate number). The foregoing information is required to create users’ unique account and to authenticate such users every time they sign in to the Authorized User Website Access or the Application.
The Super User will also be required to disclose to PREHOS the type of account needed (e.g. administrative, paramedic, etc.) for each user to ensure that such user be provided with the proper rights, levels and types of access to the Services, including as applicable the right to upload, edit, approve or delete files and edit records, or to review and consult information and records created or uploaded. As such, the users of the Authorized User will be given access only to the information including Personal Information they are entitled to consult, all in accordance with the instructions received from the Super User.
Users are responsible for changing their temporary password the first time they login (for another strong password). Note that such Personal Information will be linked to the Authorized User’s business to ensure that such accounts are created properly and interconnected with relevant information.
Should any user of the Authorized User have difficulty logging in or need to reset his/her password, then he/she may either contact PREHOS as provided for below or reset such password online. In both cases, some information will be required to be disclosed (e.g. full name and login name if applicable and different) to ascertain the user’s identity and provide the Authorized User with a new password for this particular user account.
3.1.4 Services Electronic health record features
Various features are available on the Services through the use of PREHOS’ electronic health record, which will give the Authorized User the possibility to collect and store, and to access to some Personal Information (including Patients’ Personal Information) as stated below:
- Patients’ medical health record: In order to use this feature, the Authorized User will first be required to create a specific e-record for each Patient. As such, the Authorized User will need to collect and upload some Patients’ Personal Information, namely: the name, surname, birthday, care center, notice, phone numbers, e-mail, address, living status, marital status, do not resuscitate order if applicable, referral number and reason, identifiers, medical and personal contacts. The Authorized User can then upload or keep on that record any additional information, including Patients’ Personal Information. Such information should be added at the Authorized Users’ discretion in accordance with Patients’ needs and ethical and legal obligations of the Authorized User. Once created, these records could be used to keep track of Patients’ medical history and preconditions, medical issues, medication, and other critical data, and of the urgent medical interventions performed.
Once created, Patients’ medical record can be accessed, completed, updated and reconfigured by the users of the Authorized User. Such records could also be synchronized with or uploaded (in whole or in part) in the records maintained by other medical facilities to share information to healthcare institutions as may be required and in accordance with the legal, ethical and professional obligations of the users.
- Hospital dashboard: This feature sends alerts to emergency departments to enable optimal preparation prior to a Patient’s arrival. Critical data transmitted to emergency departments include Personal Information, such as Patients’ medication list, allergies and medical history, etc., or some of the information downloaded on that record, such as photos or videos taken in the course of prehospital interventions and Patients’ geolocalisation and vital signs.
- Other features: Other features of Patients’ health records as selected or used by the Authorized Users may request or lead to the collection or disclosure of Personal Information. For instance, the “Siri speech to text feature” would record the voice of users such as paramedics when recording information in Patients’ records. Likewise, the “digital signature feature” will record paramedics’ signature on relevant files.
The features and functions to which users have access may vary depending on their type of account. Furthermore, Authorized Users’ administrative staff may have access to some sections of Patients’ medical records: (i) to edit any basic Patients’ Personal Information, (ii) to add information to the record as instructed by paramedics; and (iii) otherwise to use the Services as required and allowed. The triage staff of applicable healthcare institutions may also have access to the information sent to emergency departments to prioritize emergencies.
3.1.5 Intelligent dispatch feature
This feature will allow the collection by the Authorized Users of various information, including some Personal Information (namely, the addresses where medical interventions are required) to enable the Authorized Users to optimize emergency call reception and personnel dispatching while reducing response delays.
3.1.6 Trends features
The following features will either require the collection by the Authorized Users of various information, including some Personal Information or will need to robotically process such information to enable the Authorized User to obtain meaningful data:
- Record details: This feature will allow the Authorized User to compile Patients’ record details, including general information on the ambulance call report and Patients, pickup destination address, details as to any status change and revision and feedback reports. This information is required to provide the Authorized User wishing to use that feature with an overview of each intervention.
- Intervention record listings: In order to use that feature, the Authorized User will be required to sync its interventions records lists to the Services. The information contained in those lists is required to provide the Authorized User with a relevant registry for it to easily retrieve general information about each intervention using the advance search and filtering options.
- Intervention record details: To run properly, this feature will require the compilation and synchronization of all general information on the intervention, audio recording (when allowed under applicable laws), Patients’ lists and other information contained in the record details feature to enable any Authorized User to retrieve detailed information about each intervention using the advance search and filtering options.
- Trend analysis: The Patients’ Personal Information downloaded, obtained or otherwise added to Patients’ records will be analyzed robotically using automated algorithms. Such analysis will only occur after the Authorized User setup specifics data rules; further to that algorithm analysis, the Authorized User will be provided with statistics and other data generated allowing the Authorized User to explore trends and analysis revealed by the De-Identified Information used on an aggregated basis. Note that the purpose of the trends features is not to learn or collect Personal Information about Patients, but rather to allow an Authorized User to learn more about and analyse the use made of its paramedics services and to improve such provision of services.
The features and functions to which users have access may vary depending on the type of account that such users have.
3.1.7 Financial features
This feature will require the use of some information, including some Personal Information, to be able to process payments properly and expeditiously:
- Barre code reader: This feature will read health card barre codes to expedite the collection of Patients’ information required for medical intervention and, as applicable, to expedite the billing process; and
- Automated billing: This feature will allow the Authorized User to invoice relevant persons for each reimbursable service. As such, only the information required to process payment of each reimbursable service, including the information collected by the barre code reader feature will be collected and sent to the relevant governmental body or other relevant entity.
The features and functions to which users have access may vary depending on the type of account that such users have.
3.1.8 Comments, requests for information and referrals
Should any person contact PREHOS to obtain information about the Services or about any other matter, then such person will be required to provide his/her contact information (including names and e-mail address). This information is required by PREHOS in order to communicate with such person, determine whether the Services are available in a geographic area and respond to his/her enquiries, comments or requests for information. Such person may also provide additional Personal Information, including when making comments, enquiries or suggestions.
Furthermore, should any person recommend that PREHOS communicate with any other Authorized Users’ representatives to provide him/her with information about the Services, then PREHOS will need the contact information of that individual for the above-mentioned purpose; such communication will thereafter be made in compliance with applicable laws.
3.1.9 Customer support
Customer support is provided via a service desk application for the regular Authorized Users or is ensured directly by PREHOS’ representatives and employees for Visitors and new Authorized Users that requested a free demo.
PREHOS may wish to provide information about its Services. In this regard, PREHOS may use the e-mail address or other contact information any person may provide from time to time to PREHOS to communicate information about new features or services or to send news and information regarding the Services. Such communications will be sent in accordance with applicable laws, and any recipient may withdraw his/her consent at any time as set forth below.Note that PREHOS does not sell or share Personal Information to third parties for marketing purposes and that no marketing initiative is intended for, concerns or targets Patients.
3.1.11 Social media
Any person shall review the privacy settings applicable to these accounts/pages to see the information to which his/her contacts have access and limit such access if required. Should PREHOS collect information available on social media accounts or pages, it shall do so on an aggregate and de-identified basis and for lawful purposes only. Note that the PREHOS intended use of social media is not to learn, be added by or to follow Patients, but rather to learn more about its current and potential Authorized Users.
3.1.12 Testimonials and promotional materials
Should an Authorized User and/or any other person wish (or agree) to render any testimonial, opinion, photo or any other material available online regarding their appreciation of the Services, then PREHOS will post such promotional materials on its Pubic Website or any other social media, and may include their name or nickname and any other information the they agreed to disclose. The Authorized User and/or such other person can thereafter request, at all times that such materials or other Personal Information be removed from the Public Website and any other social media. PREHOS does not however control the communications – if any – that such Authorized User and/or other person may receive in connection with any promotional materials. Should the Authorized User and/or any person wish to report any communication received regarding such promotional materials or other information, then the Authorized User or such person should contact PREHOS as described below.
3.1.13 Job applications
PREHOS collects Personal Information that is voluntarily provided to it when any person applies for a job position via PREHOS’ Public Website pageJobs. Such application is voluntary, and job applicants choose the information they wish to submit to PREHOS. The Personal Information submitted will be shared only with those people in PREHOS’ organization who need the information: (i) to assess and verify job applicants’ qualifications, knowledge, skills and experience; (ii) to conduct reference and background checks and otherwise to verify the information submitted to PREHOS; (iii) to communicate with job applicants; and (iv) to improve the recruitment process. In addition to the Personal Information obtained from job applications, PREHOS may also conduct its own verification and obtain additional Personal Information.
3.2 Information obtained from PREHOS Partners
Google Analytics can collect data about the interactions of any Visitor with the Public Website. Such information will then be processed and be updated every time a Visitor interacts with the Public Website. order to do so, Google Analytics will place codes on the Public Website, which will allow Google Analytics to see which information was consulted, the browser used, device and operating device. The information so collected may be shared (in whole or in part) with PREHOS in order for PREHOS to update, upgrade or otherwise improve the Public Website, or to develop new services.
3.3 Information collected using Cookies and similar technologies
When the Authorized User uses the Services or any Visitors navigates the Public Website, certain information, including Personal Information (such as general browser information, Internet Protocol addresses, the interactions with the Services and/or Public Website and any other information described below) may be collected by automated means, such as through the following types of Cookies and Other Forms of Technologies:
- Process Cookies: allow the Services and the Public Website to work properly in keeping track of requests, ensuring the integrity of web pages and allowing the Authorized User and Visitors to browse from one page to the other.
- Security Cookies: are used each time Services are purchased or an account is opened. These Cookies contain an encrypted, unique identifier that is tied to each account and placed in the browser, allowing PREHOS to identify the users of the Authorized User when they are logged in to their account.
- Statistical Cookies: collect data, such as the date and time when the Services, and/or the Public Website were last used and the frequency of such uses, the pages or content consulted and the manner the Services and/or the Public Website were used, the information provided and the features of their operating systems and connection information (e.g. Internet Protocol address). This information is collected for analytical and statistical purposes, such as to determine how often the Services, and/or the Public Website or certain specific pages are visited, and what kinds of features and content seem to be most interesting. This information helps PREHOS to improve its Services and/or Public Website, according to the needs and interests identified.
Other Forms of Technologies can also be used for similar purposes. Cookies and Other Forms of Technologies can be blocked unless they are required to allow the Services and/or the Public Website to run properly. For instance, while statistical Cookies can be blocked, the situation is different for process and security Cookies, as they are essential for ensuring that the Services function properly. However, even if they cannot be blocked without affecting one’s ability to use the Services, these Cookies are of a temporary nature and accordingly, they will disappear when the browser software is closed or the device is turned off. Anyone experiencing problems with the functionalities of the Services and/or the Public Website should contact PREHOS.
PREHOS does not sell, trade or rent Personal Information. Furthermore, Personal Information is not shared, used or disclosed to third parties for purposes other than those for which it was collected as described herein, unless required or authorized by law or unless proper consent was obtained, as applicable.
4.1 Personal Information
4.1.1 Sharing made in connection with the provision of Services
Personal Information (other than Patients’ Personal Information) may be disclosed to PREHOS Partners that facilitate the provision of any Service, such as by providing assistance to PREHOS with respect to the maintenance and development of its Services. Disclosure will be made on a “need-to-know” basis, and after ensuring that proper contractual and other measures are in place.
4.1.2 Business transaction
4.1.4 Law enforcement
Personal Information may be used and disclosed if PREHOS, acting reasonably, believes that such use or disclosure is necessary to comply with any applicable laws, legal process or governmental request, or is otherwise required to protect its rights or to fulfil any other purpose set forth in the applicable law allowing or requiring the disclosure of Personal Information.
4.2 De-Identified Information used on an aggregated basis
Once uploaded and saved on the Services, Authorized Users’ data (including any Personal Information uploaded by these Authorized Users) will be accessible to them on the Services. Further to their upload, such data will also be automatically and robotically anonymized and then added to a consolidated dataset. PREHOS may thereafter have access to such dataset and use any De-Identified Information on an aggregated basis: (i) in order to conduct research; (ii) to identify pandemic or other emergency situations; or (iii) to improve the Services, and/or the Public Website. De-Identified Information may also be used for training, promotion and statistical purposes and any other purposes set forth in the software as a service subscription agreement concluded with Authorized Users, as such information does not constitute Personal Information. In any event, note that such information could not and will not be used to re-identify any individual.
5.1 Requests from the Authorized User
In accordance with applicable laws, the Authorized User may make requests for access or for corrections of Personal Information by contacting The Super User and any other users may also update or change the basic information available on their user account by editing their account profile. In order to do so, they will need to sign in to the Application or the Authorized User Website Access and enter the profile section.
Some user accounts are also attributed the right to delete any information uploaded, received, saved or stored on their accounts. Such deletion shall take place via a “soft deletion process” pursuant to which the deleted data will transition to a recoverable state for a certain period of time instead of being permanently erase to allow erroneously modified, deleted or overwritten data to be retrieved. Users may also shut down their accounts in which case all information so uploaded, received or stored (including any Patients’ Personal Information) will only be temporarily deleted, further to said mechanism. Note that a very limited number of PREHOS’ employees may have access to such information when such access is specifically requested and authorized by the Authorized User.
Furthermore, any Super User shall ensure to shut down the account of any other user who left Authorized User’s business or otherwise, stopped being employed by the Authorized User, used his/her account for improper purposes, etc. Each Authorized User is responsible for ensuring that all measures as may be required including to withdraw access to that account, be implemented by its Super User as PREHOS has no right and no access to features allowing the deletion of the information on any user account.
Following the termination of a software as a service agreement with an Authorized User, PREHOS will shut down all user accounts of the Authorized User and all the information stored on user accounts will then be permanently deleted following reasonable transition period. In this regard and as needed, the Authorized User is responsible to ensure that proper copy of Patients’ Personal Information (and any other information as applicable) be saved. PREHOS will, upon request, generate a backup file of the database and provide reasonable assistance to allow the migration of Personal Information to another service provider’s server.
5.2 Requests from Patients
Patients’ e-records are not readily accessible to Patients as they may be governed by and subject to specific set of laws. Should a Patient wish to have access to his/her medical information, then such request for access shall be made in accordance with the laws governing access to that type of records. Patients’ requests shall be solely directed to and dealt by applicable Authorized User. Should any Patients contact PREHOS, PREHOS will categorize the type of communication to redirect that Patient to the Authorized User, as applicable.
6.1 PREHOS uses measures as may be reasonably required to preserve the security and privacy of Personal Information. In this regard, PREHOS has notably put in place or currently implements the following measures:
6.1.1 Authorized User Website Access:
Each Authorized User has its own Authorized User Website Access and encryption key, thereby allowing Personal Information collected by its users to be segregated from Personal Information collected by the users of any other Authorized Users.
6.1.2 Securing data in transit:
Each time the Services are accessed via the Application or the Authorized User Website Access, an HTTPS protocol is used to transit information from servers to mobile devices. Also, every time the Public Website is consulted, Secure Sockets Layer (SSL) technology protects Personal Information by using server authentication and data encryption. No Personal Information will be communicated prior to such technology being activated, which can be confirmed by looking (i) at the address bar which will, depending on the browser, have a lock to the left of the website address (URL), and (ii) at the URL or the address bar of the browser, where the first characters of the address in that line should change from “http” to “https”.
6.1.3 Securing data at rest:
Personal Information is encrypted by Google cloud Engine and Microsoft Azure when at rest. Patient’s Personal Information is also encrypted by PREHOS when at rest.
6.1.4 Role-based security measures:
The Services allow for the creation of various types of accounts each of which has its own access limitations and restrictions. This offers reliable means to ensure that administrative staff, paramedics, etc. only access, review, process, share, edit, etc. the information they are entitled to access, review, process, edit, share, etc.
6.1.5 Limited access:
Access to any Personal Information is granted to PREHOS’ employees, representatives and as applicable sub-contractors on a “need-to-know” basis only, and is given through access credentials which are kept confidential.
6.1.6 Secured datacenters:
6.1.7 Protocol and other security strategies:
PREHOS has a data breach protocol and also implements a disaster recovery strategy which is tested regularly Likewise, PREHOS implements a network security strategy to protect network and servers access by segregating each application of an electronic device within its own network.
6.1.8 Secure authentication process:
A response timeis imposed between each failed login attempt. The authentication process enables real-time monitoring of invalid authentications by PREHOS.
PREHOS’ platform and servers are hosted by cloud providers which use an Internet Protocol-based firewall to control who can connect to these datacenters.
6.1.10 Mobile management:
Personal Information uploaded, stored or saved via the Services is protected by several measures and restrictions imposed to access such Services, such as the attribution of a unique encryption key for each device, the possibility for PREHOS to remotely lock and wiped the mobile device, etc.
6.1.11 Signature of reports:
To preserve data integrity, every report prepared by a user and added to Patients’ e-record needs to be uniquely signed by such user using his/her personal identification number.
6.1.12 Backup strategy:
Information is backed-up automatically by Google on a daily basis and backed up manually by PREHOS prior to any update of the Services and this backup strategy is tested regularly. In addition, Personal Information which has been erroneously modified, deleted or overwritten can be easily retrieved because it cannot be permanently erased by a user of the Authorized User.
6.1.13 Audit trail/logs:
Users’ activities such as: (i) successful and failed login requests; (ii) access to the Services to consult information; and (iii) access to the Services to add or edit information on any user accounts are tracked and logged. If for any reason the secure server cannot be accessed or the use of the Services does not provide the assurance required, the Authorized User or any person shall feel free to contact PREHOS.
6.2 Despite the foregoing, the Authorized User and any other person shall be aware of the following:
6.2.1 GENERAL CONSIDERATIONS:
EVEN IF PREHOS USES TECHNOLOGIES, WHICH ARE OF MERCHANTABLE QUALITY SUITABLE FOR THE PROVISIONS OF SERVICES, ANY ELECTRONIC PLATFORMS AND SERVERS – AS with ANY OTHER FORM OF file – IS NOT INFALLIBLE AND FULLY SHELTERED FROM UNFORESEEABLE OR FORCE MAJEURE EVENTS, CYBERATTACKS OR UNAUTHORIZED USES AND ACCESS, AND the authorized users AND any OTHER PERSON shall BE AWARE THAT THERE IS A RISK IN TRANSMITTING ANY DATA ELECTRONICALLY. THIS RISK IS INHERENT IN ALL ELECTRONIC DEALINGS, AS WELL AS TO ALL OTHER FORMS OF COMMUNICATIONS. CONSEQUENTLY, PREHOS CANNOT GUARANTEE THAT INFORMATION WILL NEVER BE INTERCEPTED OR VIEWED OR SUBJECT TO OTHER INCIDENTS. such events may occur, pursuant to which devices or systems can be accessed or controlled by unauthorized persons, and undesirable COMMUNICATIONS AND invitations may be received. Should the Authorized User or any PERSON receive a communication that looks like it is from PREHOS asking for Personal Information, the Authorized User or such person shall avoid responding to such communications. PREHOS will never request financial and other sensitive information that way. If the Authorized User or any PERSON have communicated Personal Information in response to a suspicious e-mail, pop-up or phony website claiming to be affiliated with PREHOS or if any of the foregoing events takes place, please contact PREHOS immediately.
6.2.2 Measures to be implemented:
The Authorized Users acknowledge and agree in their name and on behalf of their respective users that said Authorized Users and their respective users are responsible for implementing and strictly adhering to all physical, electronic, technological, organizational, contractual and other security measures, process and safeguards to ensure that the confidentiality of the files and information they sent or received is preserved. In this regard, the Authorized Users shall notably ensure that their respective users: (i) choose strong accounts passwords meeting platform’s minimal criteria, (ii) change their passwords regularly; (iii) maintain the security and confidentiality of their usernames/personal identification numbers; and (iv) carefully consider enabling the two-factor authentication process, by which an e-mail or SMS validation code is required in addition to the password to connect to the Services.
9.1 Questions, comments and requests
Requests and demands made will be dealt with as soon as possible.
9.2 Withdrawal of consent
PREHOS may communicate with the Authorized User or with any Visitor for promotional and marketing purposes. PREHOS will generally use the same means of communication the Authorized User or such Visitor chose to contact PREHOS or the preferred means specified by the Authorized User or that Visitor. Should any recipient wish to be removed from one or more of PREHOS’ promotional mailing lists, then such recipient should click on the ready-to-use “unsubscribe” mechanism provided at the bottom of each e-mail or simply reply to that e-mail with the word “STOP” or “Unsubscribe”.