GE HEALTHCARE’S Ecommerce Privacy Statement
This Privacy Statement is specific to the Ecommerce offering of the GE Healthcare VSCAN product and related services and is in addition to all other GE Healthcare privacy policies and procedures.
Policy Statement
As a major supplier of diagnostics, equipment, information technology and service solutions to the Canadian healthcare marketplace, General Electric Canada, operating as GE Healthcare, (“GE Healthcare”) is committed to handling Personal Information and Personal Health Information responsibly and in compliance with applicable privacy laws and regulations and to working with our customers to facilitate adherence to all such laws and regulations. For purposes of this Statement, “Personal Information” and “Personal Health Information” have the meanings given to such terms in the Personal Information Protection and Electronic Documents Act and the Personal Health Information Protection Act, 2004 (Ontario) and other similar provincial privacy legislation, as applicable, (hereinafter collectively referred to as “Personal Information”).
The Spirit & The Letter
GE Healthcare’s commitment to privacy starts with General Electric’s statement of integrity, known as “The Spirit & The Letter”, which includes Privacy among its policies. All GE Healthcare employees are required to acknowledge, on an annual basis, their understanding and personal adherence to The Spirit & The Letter. Any GE Healthcare representative, including but not limited to officers, employees, sub-contractors, agents, etc., who suspects any violation of The Spirit & The Letter must report their concerns to the Manager Risk & Compliance and General Counsel of GE Healthcare immediately. GE Healthcare acknowledges that it will not dismiss, suspend, demote, discipline, harass or otherwise disadvantage a representative who reports a concern.
1. Privacy Obligations
1.1 Privacy Agreement
Where appropriate, GE Healthcare is committed to entering into good faith negotiations with any customer wishing to execute a mutually acceptable privacy agreement. All such agreements will be executed between GE Healthcare, as an entity, and the customer and not between any one representative of GE Healthcare and the customer.
1.2 Collection
GE Healthcare may collect Personal Information (such as a customer’s name, telephone number, address, physician number, health related data, email address and credit card information) when an Ecommerce customer orders products or services from GE Healthcare or if GE Healthcare is providing products or services to a customer. GE Healthcare will only request or collect Personal Information to the extent required to fulfill a customer’s online order, to support GE Healthcare’s products and/or to communicate with its customers.
Except as otherwise set forth herein, as a service provider, GE Healthcare does not collect Personal Information nor will GE Healthcare correct, change or modify such information that it may have in its possession. If requested in writing by the customer, GE Healthcare will return the Personal Information to the customer for the required corrections and/or modifications.
1.3 Limited Access and Use
GE Healthcare will generally use Personal Information for the purposes of performing its contractual commitments (including fulfillment of customers’ orders), managing, administering and collecting customer accounts, providing product support, communicating with customers regarding use of GE Healthcare products and any product-related notices and announcements, and generally managing and administering its business and meeting all applicable regulatory, legal, insurance, audit, security and processing requirements.
GE Healthcare will only request access to data containing Personal Health Information to the extent required to fulfill the obligations it has been contracted by the customer to provide, such as product support and service. This information will only be kept for as long as it is reasonably needed to fulfill the contracted obligations.
In addition, GE Healthcare may require remote access to Personal Information in order to provide the contracted obligations it has with the customer. In such cases access will be done through GE Healthcare’s Virtual Private Network (“VPN”) connection only. This VPN is based on a static IP connection from the customer’s firewall to GE Healthcare’s firewall. The VPN tunnel is encrypted. Furthermore, GE Healthcare will authorize access to Personal Information only to those representatives who require access for a legitimate business purpose.
1.4 Disclosures
Personal Information may be processed, used, retained, disclosed, and stored outside of the province or territory in which the customer resides and/or in the United States by GE Healthcare, an affiliate and/or their third party service providers for the purposes set out in this Statement. Under the laws of these other jurisdictions, in certain circumstances foreign courts, law enforcement agencies or regulatory agencies may be entitled to access Personal Information. Customers who have questions about GE Healthcare’s practices should contact the Manager Risk & Compliance or General Counsel for GE Healthcare at the contact details given below.
GE Healthcare does not sell Personal Information. GE Healthcare does not disclose Personal Information, except as described in this Statement. GE Healthcare may share Personal Information with service providers GE Healthcare has retained to perform services on its behalf. These service providers are contractually restricted from using or disclosing the information except as necessary to perform services on GE Healthcare’s behalf or to comply with legal requirements. In addition, GE Healthcare may disclose Personal Information (i) if it is required to do so by law or legal process, (ii) to law enforcement authorities or other government officials, or (iii) when it believes disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity. GE Healthcare reserves the right to transfer any Personal Information in the event it sells or transfers all or a portion of its business or assets. Should such a sale or transfer occur, GE Healthcare will use reasonable efforts to direct the transferee to use the Personal Information in a manner that is consistent with this Statement.
1.5 Return or Destruction
Personal Information will only be kept by GE Healthcare for as long as it is reasonably needed to fulfill the contracted obligations or legitimate business purposes, or to comply with applicable laws and regulations.
GE Healthcare acknowledges that all Personal Health Information that may be in its possession remains the sole property of the customer. Subject to applicable laws, upon written direction from the customer, GE Healthcare will use commercially reasonable efforts to either a) return the Personal Health Information to the customer or b) destroy it as per the customer’s written instructions. If requested to destroy the Personal Health Information, upon written request from the customer, GE Healthcare will notify the customer in writing when the destruction is completed.
1.6 Safeguards
GE Healthcare maintains administrative, technical and physical safeguards to protect against unauthorized access to, loss of or destruction of Personal Information in its possession.
The Manager Risk & Compliance and/or General Counsel of GE Healthcare or their designate will promptly notify the customer of any known unauthorized access to, loss of or destruction of Personal Information in its possession.
1.7 Request for Access or Disclosure
Requests for access to or disclosure of your Personal Information should be sent to the Manager Risk & Compliance or General Counsel for GE Healthcare.
2. Questions or Concerns
All questions or concerns about this policy Statement should be directed to either the Manager Risk & Compliance (Ed Rowland, (905) 567-2148 or email ed.rowland@med.ge.com) or the General Counsel for GE Healthcare (Kristen Rogers, (905) 934-3462 or email KristenRogers@ge.com).