CDR ascribes to the following Privacy Principles, that are inline with the Privacy Shield and the General Data Protection Regulation (GDPR).
1) Right to be informed
All people assessed with the CDR DataPool have a right to know that the software holds TCOM assessment data that was administered by a certified rater of the TCOM tool they are administering. This assessment is done as a part of the clinical workflow and is used to help assess your clinical needs, track your clinical progress, and help guide optimal treatment. The DataPool is a communication vehicle for participating providers to collaborate on cases. With your authorization, the data in the DataPool can be shared with another registered provider to communicate about cases.
You have a right to access any of your personal data in the DataPool, by simply emailing firstname.lastname@example.org. This would also be where to contact CDR if you have any complaints about the use of your personal data. CDR does not use personal data in any materially different way than the one described herein. The user should know, however, that it is possible that CDR will have to respond to lawful requests from U.S. public authorities to disclose information about you.
In Italy, the independent dispute resolution body to bring your case if you have concerns on the use of this data ishttps://www.garanteprivacy.it/.
2) Limitations on the use of your data for different purposes
Personal data maintained in the DataPool is only used for the explicit purpose of assessment, treatment planning, referral, and outcomes tracking. Any use of the data that would be materially different would first need direct consent from you to be used in this new way. CDR does not sell your personal data to third party merchants for any reason.
3) Data Minimization and obligation to keep your data only for the time needed
CDR only receives and processes personal data to the extent that it is relevant for the purpose of processing. CDR does its best to ensure it is accurate, reliable, complete and up to date. CDR only keeps personal data for as long as necessary for the purpose of completing its clinical role.
4) Obligation to secure your data
CDR ensures that personal data is kept in a safe environment and secured against loss, misuse, unauthorized access, disclosure, alteration or destruction.
5) Obligation unauthorized to protect your data if transferred to another company
In our regular operations, CDR does not transfer its data to any other entities. CDR data is only transferred to another entity when the person explicitly consents for the data transfer, and as a part of the normal functioning of the CDR application in facilitating treatment communication. Any company to which the data is transferred will have a signed Business Associates Agreement/Contract (BAA/C) with CDR, ensuring the same level of protection of your personal data as guaranteed by CDR.
6) Your right to access and correct your data
You have the right to receive access to your personal data by writing to email@example.com at any time. You may also ask about the purpose for which the data are processed, the categories of personal data concerned and the recipients to whom the data are disclosed. You do not need to ever give any reason for wanting to see the data, just asking is sufficient.
7) Your right to lodge a complaint and obtain a remedy
You have the right to complain and obtain a remedy free of cost, if you feel your data has been mishandled. The first place to lodge a complaint is with CDR itself, through firstname.lastname@example.org. Then, if there is a need to escalate, you can contact the Data Protection Authority in Italy (AKA, Guarantee Privacy) at https://www.garanteprivacy.it/.
8) Redress in case of access by U.S. public authorities
The protection of your personal data may also be affected by US Public authorities when they access your data. CDR ensures this only occurs to the extend necessary for pursuing the public interest objective such as national security or law enforcement.