General
Personal Health Information Data Protection Agreement
DATA PROTECTION AGREEMENT
Last Updated: September 8, 2022
This Data Protection Agreement is applicable to healthcare providers operating in all provinces and territories, excluding Alberta and the Yukon Territories. For healthcare providers residing in Alberta or the Yukon Territories, please refer to the Information Manager Agreement below.
This Data Protection Agreement (“DPA”) is a binding legal agreement between Block, Inc. and its affiliates (“Square”) and you, the Square customer, (“Customer”) for the purpose of implementing the requirements of PIPEDA and any similar law of any Canadian province governing the collection, use, disclosure or protection of Protected Health Information (“PHI,” defined below), as applicable. Together with the General Terms of Service entered into between you and Square governing your use of Square’s mobile applications, websites, software, hardware, and other products and services this DPA will govern each party’s respective obligations regarding PHI.
You represent and warrant that: (i) you have full legal authority to enter into this DPA, (ii) you have read and understand this DPA, and (iii) you agree to the terms of this DPA.
1. DEFINITIONS
“Applicable Privacy Laws” means the Personal Information Protection and Electronic Documents Act (Canada) and any similar law of any Canadian province governing the collection, use, disclosure or protection of PHI.
“PHI” means information about an identifiable individual, including any such information that relates to an individual’s health or receipt of or payment for health care services.
2. PROTECTION OF PHI
Square agrees that in respect of the PHI, it shall:
-
Not use the PHI for any purpose other than as necessary to perform the Services except that Square may de-identify the PHI (such that there is no serious possibility that the patient could be identified from the information alone or in combination with other information) and may use and disclose the deidentified information for any lawful purpose; for the avoidance of doubt, de-identified information does not constitute PHI within the meaning of this DPA or the Agreement;
-
Not disclose the PHI to any person except:
- as expressly permitted or instructed by Customer; or
- as required to comply with applicable laws or regulations;
- use reasonable physical, organizational and technological security measures that are appropriate having regard to the sensitivity of the information, and that meet requirements of Applicable Privacy Laws, to protect such PHI against loss, theft and unauthorized access, disclosure, copying, use, modification or disposal;
- restrict access to PHI to only those authorized employees and permitted agents and subcontractors that require access to such information to fulfil their job requirements and that are subject to obligations of confidentiality and data protection consistent with those of this DPA; and
- inform Customer at the first reasonable opportunity after becoming aware of any unauthorized access to, use, disclosure, destruction or alteration of PHI (“Incident”).
3. DATA SUBJECT REQUESTS AND INQUIRIES
If Square receives a request from a patient of the Customer for access to their PHI, or to make corrections or amendments to their PHI, or if Square receives an express wish from a patient of Customer relating to disclosure of their PHI, Square shall inform the patient that they must make such request or express wish to the Customer and shall provide the patient with contact information for the Customer that the patient may use to make such request or express wish. Square and Customer shall work together to respond to such request or express wish in accordance with the requirements of privacy laws.
4. GENERAL
Customer acknowledges and agrees that Square and its subcontractors may process and store PHI outside of Canada, including in the United States.
Square will retain PHI in accordance with its record retention policies and procedures. Once PHI is no longer required, it will be securely erased or destroyed. Square shall comply with Applicable Privacy Laws in providing the Services.
INFORMATION MANAGER AGREEMENT
This Information Manager Agreement is applicable to healthcare providers operating in Alberta or the Yukon Territories.
This Information Manager Agreement (“IMA”) is a binding legal agreement between Block, Inc. and its affiliates (“Square”) and you, the Square customer, (“Customer”) for the purpose of implementing the requirements of PIPEDA, the Alberta Health Information Act, and/or the Yukon Health Information Privacy and Management Act, as applicable. Together with the General Terms of Service entered into between you and Square governing your use of Square’s mobile applications, websites, software, hardware, and other products and services this IMA will govern each party’s respective obligations regarding Protected Health Information (defined below).
You represent and warrant that: (i) you have full legal authority to enter into this IMA, (ii) you have read and understand this IMA, and (iii) you agree to the terms of this IMA.
1. DEFINITIONS
“Applicable Privacy Laws” means the Personal Information Protection and Electronic Documents Act (Canada) and the Health Information Act (Alberta), or the Health Information Privacy and Management Act (Yukon), as applicable.
“PHI” means information about an identifiable individual, including any such information that relates to an individual’s health or receipt of or payment for health care services.
2. OBJECTIVES AND GUIDING PRINCIPLES
The objective of this IMA is to set out Square’s obligations with respect to the processing of PHI on behalf of the Customer in the course of performing the services described in the Agreement (“Services”). The guiding principles of this IMA are those found in Applicable Privacy Laws including the collection, use and disclosure of the least amount of PHI necessary to achieve the purposes set out in the Agreement.
3. APPOINTMENT AND DUTIES OF SQUARE
The Customer hereby appoints Square as its information manager for the purposes of providing the Customer with the Services in accordance with the Agreement and this IMA, and Square hereby accepts such appointment.
Square may collect PHI from Customer’s employees and independent contractors, and may use, store and disclose such PHI as necessary for the purposes of providing the Services in accordance with the Agreement and this IMA, as otherwise instructed by the Customer, or as required by law.
Customer acknowledges and agrees that Square and its subcontractors may process and store PHI outside of Canada, including in the United States. Square acknowledges and agrees that PHI shall at all times remain in the control of Customer and that Square acquires no independent right to the PHI except with respect to PHI that has been de-identified in accordance with section 4 of this IMA.
Subject to any service levels set out in the Agreement, Square agrees to provide Customer with unfettered access to PHI.
4. PROTECTION OF PHI
Square agrees that in respect of the PHI, it shall:
- not use the PHI for any purpose other than as necessary to perform the Services except that Square may de-identify the PHI (such that there is no serious possibility that the patient could be identified from the information alone or in combination with other information) and may use and disclose the deidentified information for any lawful purpose; for the avoidance of doubt, de-identified information does not constitute PHI within the meaning of this IMA or the Agreement;
- not disclose the PHI to any person except:
- as expressly permitted or instructed by Customer; or
- as required to comply with applicable laws or regulations or a valid court order or other binding requirement of a competent governmental authority provided that in any such case:
(i) Square notifies Customer without delay in writing of any such
requirement (and in any event prior to disclosure of the PHI); and
(ii) Square provides all reasonable assistance to Customer in any attempt by Customer to limit or prevent the disclosure of the PHI;
- use reasonable physical, organizational and technological security measures that are appropriate having regard to the sensitivity of the information, and that meet requirements of Applicable Privacy Laws, to protect such PHI against loss, theft and unauthorized access, disclosure, copying, use, modification or disposal;
- restrict access to PHI to only those authorized employees and permitted agents and subcontractors that require access to such information to fulfil their job requirements and that are subject to obligations of confidentiality and data protection consistent with those of this DPA;
- not subcontract any of the services to which the agreement relates without the written consent of the Customer; and
- inform Customer at the first reasonable opportunity after becoming aware of any unauthorized access to, use, disclosure, destruction or alteration of PHI (“Incident”).
5. DATA SUBJECT REQUESTS AND INQUIRIES
If Square receives a request from a patient of the Customer for access to their PHI, or to make corrections or amendments to their PHI, or if Square receives an express wish from a patient of Customer relating to disclosure of their PHI, Square shall inform the patient that they must make such request or express wish to the Customer and shall provide the patient with contact information for the Customer that the patient may use to make such request or express wish. Square and Customer shall work together to respond to such request or express wish in accordance with the requirements of privacy laws.
6. GENERAL
Square will retain PHI in accordance with its record retention policies and procedures. Once PHI is no longer required, it will be securely erased or destroyed. Square shall make available reasonable and necessary information and documentation to Customer to allow Customer to verify Square’s compliance with this IMA. Square shall comply with Applicable Privacy Laws in providing the Services. Customer may terminate the Agreement if the Customer determines that Square has breached a material term of this IMA. This IMA shall terminate upon termination of the Agreement.