PRIVACY POLICY

Last Updated: 25th May 2021

This Privacy Policy (“Policy”) governs your use of the ARiCa™ web application (the “ARiCa™ Web App”) and the ARiCa™ website www.arica.cancerresearch.my (the “ARiCa™ website”) (collectively, the “ARiCa™”) that is owned and operated by Cancer Research Malaysia (“CRMY” or “we” or “our” or “us”) with respect to the privacy of our users (“user” or “you” or “your”). This Policy applies to all of our Services unless specified otherwise. This Policy explains what information we collect, hold and store, and how we collect, process, use, disclose and safeguard your information when you visit or use our ARiCa™. Please read this Policy carefully. IF YOU DO NOT AGREE WITH THE TERMS OF THIS PRIVACY POLICY, PLEASE DO NOT REGISTER TO USE OR ACCESS THE ARiCa™. 

Please also read the ARiCa™’s Terms and Conditions, which describe the terms under which you use our Services. 

1. Collection of Personal Information

a. We collect Personal Information from you as a Healthcare Specialist when you register an account with us either through the ARiCa™ Web App or through the ARiCa™ website. Registration with us is mandatory in order to be able to access and use the Services of the ARiCa™. The required registration information would include your name, medical qualifications, specialization, medical license number, place of work i.e. profiles of the hospital or clinic that you are attached to, contact details such as telephone number and email address (“Account Information”). 

b. We collect the Personal Information of other individuals that you provide when you use the ARiCa™ and our Services as listed below: 

i. Personal Information that relates directly or indirectly to an individual, who is identified or identifiable from that information, or from that and other information in your possession, such as personal details which include name, date of birth, age, ethnicity, gender; and 
ii. Sensitive personal data which includes the medical history, medical information and medical diagnosis of cancer (breast cancer, ovarian cancer and other cancers) of the individual and the individual’s family member(s), the clinical characteristics of the individual’s breast cancer diagnosis. 
As we collect Personal Information and sensitive personal data of individuals and their family members indirectly from you and not from the individuals themselves, we rely on your representations and warranties set out in our Terms and Conditions that you have procured the necessary written consent, authorization, release, waiver and/or permission of each and every identifiable individual for our collection, use and processing of the Personal Information (inclusive of sensitive personal data) in the manner as set forth herein. 

c. We collect Personal Information when you access the ARiCa™ through the ARiCa™ Web App or ARiCa™ website and use our Services. We may also from time to time request to collect certain other Personal Information which may be relevant for us to operate and provide our Services to you. For instance, we collect personal information when you participate in our surveys, or when you provide feedback to us and /or request for customer support or make enquiries or complaints related to your use of our Services, any performance or other issues through emails, letters, telephone calls and conversations that you have with our staff or through any permitted channels of communication. 

Provision of Personal Information such as your Account Information and other Personal Information indicated as mandatory is required in connection with the purposes in this Privacy Policy in order for us to provide the Services to you. Your failure to provide us with requested information may result in us being unable to carry out the purposes or provide the Services to you. 

2. Automatically Collected Information 

a. Usage and Log Information. We collect service-related, diagnostic, and performance information. This includes information about your activity (such as how you use our Services, how you interact with others using our Services, and the like), log files, diagnostic, crash, website, and performance logs and reports. This information is collected for analysis and evaluation in order to help us to improve the Services we provide. This information will not be used in association with your Account Information and the Personal Information of individuals. 

b. Device and Connection Information. We collect device-specific information when you install, access, or use our Services. This includes information such as hardware model, operating system information, browser information, IP address, mobile network information, and device identifiers. We collect device location information automatically when you register your workplace. You do not have a choice to opt out of the location features as it will be used to generate the identification numbers of your individuals. 

3. Purposes of Processing Personal Information

a. We may process your Personal Information for the following purposes: 


i. Providing the Services 
• To process the registration of your account with us; 
• To facilitate your use of the Services or access to the ARiCa™; 
• To administer your account with us; and 
• To respond to your feedback, enquiries and complaints 

ii. Analytics, Research and Business Development 
• To understand your user experience with the Services and the ARiCa™ by analyzing, evaluating and monitoring how you and other users use our Services and determining activity trends; 
• To help us operate, improve, customize, fix, and support the ARiCa™ and our Services whether in terms of layout, design, content or functionalities; 
• To develop, improve, extend and test the Services by further developing /adding and testing new services and features, and conducting troubleshooting activities; and 
• To evaluate the reliability of the ARiCa™ for stratifying BRCA risks based on patient demographic, histopathological and family history information for analysis and improvement of the ARiCa™. 

iii. Legal, Operational and Management

• To ascertain your identity for fraud detection purposes to prevent fake account creation; 
• To perform due diligence checks as part of our know your customer (KYC) procedures; 
• For the purpose of investigation if issues related to ethics, fraud or misconduct arise and/or if there are any alleged violations or actual or suspected violations of our Terms and Conditions, Privacy Policy and/or any unlawful /illegal activity in violation of any applicable laws and regulations; 
• To improve the security of Account Information and all Personal Information; 
• To store, host and back up all Personal Information; 
• To comply with legal and/or regulatory requirements connected with providing you the Services including any law enforcement requests from regulatory, enforcement and governmental authorities and legal proceedings; 
• To enforce our legal rights and/or to obtain legal and/or professional advice; 
• For any reporting and record-keeping and management requirements; and 
• For auditing and risk management 


iv. Educational, Informational and Training Purposes 

• To conduct research and prepare statistics; however, the resulting research and resulting statistics will be depersonalized and aggregated and shall not be made available in a form which identifies the individual; 
• To publish the resulting research and resulting statistics in studies, reports, conference papers, articles in journals of telemedicine and telecare and other health and scientific journals to raise awareness, improve knowledge and education on the risks of inheriting a BRCA genetic mutation which leads to breast cancer in individuals; 
• To broadcast, publicly disseminate /transmit, disclose, reproduce, distribute, sell, resell, retitle, archive, store, cache, reformat, translate, excerpt (in whole or in part) such publications; and 
• To prepare derivative works of such publications or incorporate such publications into other works 

v. Marketing, Advertising and Funding /Fund Raising Activities 
• To market, advertise or promote any additional products, services or platforms that we may develop in the future (provided you have opted to receive such information); and 
• To receive funding from our business partners and sponsors and for fund raising activities by way of publication of resulting research and resulting statistics. 

vi. Other Purposes

• Any other purpose to which your consent has been obtained; and 
• Any other purpose which is not incompatible with the original purpose for which we obtained it. 

b. Nonetheless, per your representations and warranties set forth in our Terms and Conditions, you have the explicit consent, authorization, release and/or permission of all identifiable individuals for the processing of any sensitive personal data as required under the PDPA. 

c. No Third-Party Banner Ads. We do not allow third-party banner ads on ARiCa™. We have no intention to introduce them, but if we ever do, we will update this policy. 


4. Disclosure of Personal Information

a. In connection with the above purposes for the processing of your Personal Information, we may disclose such Personal Information to the following:

i. Our employees; 
ii. Healthcare professionals and service providers, agents, contractors, partners, third party service providers who provide various services or facilities to us in connection with the ARiCa™, our business or operations or who have contractual arrangements with us; 
iii. Any other person who may be a purchaser, an assignee, transferee or participant in some way in any proposed purchase, merger or acquisition of any part of our business (whether actual or proposed) provided that we satisfy the requirements of applicable data protection law when disclosing your personal data; 
iv. Other parties authorized or consented by you; 
v. Regulatory, enforcement and governmental authorities as permitted or any person as required by law or to comply with the directives of the authorities or any order of court or legal process; 
vi. Any other person to whom disclosure is required in order to protect or defend our rights and/or property; 
vii. Any other person to whom we (and our holding or affiliate companies or representatives) have a duty of disclosure under applicable law, regulations or guidelines; 
viii. Our legal, financial and professional advisors; 
ix. Research organizations, publishers of healthcare, medical, telemedicine and telecare journals, academic institutions. 

b. Third-Parties. We work with other third-parties including but not limited to software developers, persons from academia and any other third-party we may work with in the future to help us operate, provide, improve, understand, customize and support our Services as well as for the aforementioned purposes as stated above. When we share information with third-parties, we require them to use your information in accordance with our instructions and terms and only for the specific purposes as informed to you and for which you have authorized disclosure and/or procured the explicit consent or authorization of individuals for disclosure. For instance, you are required to and would have to procure the individual’s authorization through the individual’s consent /authorization form for the usage of the individual’s information and processing of the individual’s sensitive personal data for the aforementioned purposes and in the manner as communicated /informed to the individual (i.e. in a depersonalized, aggregated, statistical or de-identified form). 

c. Mandatory Disclosure /Legal Requirement. We may be required to disclose Personal Information, such as when there are grounds to believe that the disclosure is necessary to prevent a threat to life or health, or required by law. 

d. Subject to the Assignment, Change of Control and Transfer clause below, we shall not share your information with any other organization other than our organization and those other third parties as set forth in this Policy which are directly related and necessary for the provision of the Services. We are committed to complying with the Personal Data Protection Act 2013 (“PDPA”), in particular, its regulations, policies as well as corresponding guidelines and orders. 

e. No international transfers of Personal Information. At present, our activities and operations are local in nature and we do not need to transfer any Personal Information to any third parties (including but not limited to third party service providers) outside of Malaysia. In the event circumstances change in the future and we need to transfer Personal Information to places outside Malaysia, we will notify you accordingly, update this Privacy Policy and ensure that any such transfers shall be in accordance with this Privacy Policy, the PDPA and all applicable regulations, policies, guidelines and orders. 

5. Security of Personal Information

We ensure that all Personal Information collected will be safely and securely stored to protect the Personal Information from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. We protect your Personal Information and sensitive personal data by: 

a. Verifying accounts and activity such as conducting background checks on information provided i.e. medical licenses at the point of registration and promoting safety and security on and off our Services, such as by investigating suspicious activity or violations of our Terms and Conditions, and to ensure our Services are being used legally; 
b. Allowing access to Personal Information only by passwords; modification of viewing availability of certain information such as identification number, medical license, contact details of Healthcare Specialists by enabling configuration of account settings; 
c. Using a firewall to prevent unauthorized access to Personal Information. 

6. Retention of Personal Information

We will only retain your Personal Information for as long as is necessary to fulfill our obligations in providing our Services and we shall take all reasonable steps to ensure that all Personal Information is destroyed or permanently deleted or removed if it is no longer required for provision of our Services (for example if your participation in the ARiCa™ or account with us has been terminated or suspended for any reason whatsoever in accordance with the Terms and Conditions) and /or for so long as retention of Personal Information is necessary to comply with legal and regulatory requirements on retention periods and internal requirements. If at all we retain and use your Personal Information, we shall do so only in a de-personalized, aggregated, statistical or de-identified form. 

7. Accessing and Requesting Correction of Personal Information

You have the right to request access and to request correction of your Personal Information. You are responsible for informing us if you need any changes to your Personal Information in the event you believe that the Personal Information we have about you is inaccurate, incorrect, incomplete, misleading or not up-to-date so we can make the changes for you. As part of our security procedures, we may request proof of identity before we reveal any information or carry out the requests. This proof of identity may take the form of your username and password submitted upon registration or ARiCa ID and date of birth (so far as applicable). 
In accordance with the PDPA, we may charge a small fee as stipulated in the First Schedule (Regulation 2) of the Personal Data Protection (Fees) Regulations 2013 for processing your request for access depending on the information requested. Subject to the provisions of the PDPA on circumstances permitting refusal to comply, we may also refuse to comply with your request to access or make a correction and shall, by notice in writing, inform you of our refusal and the reasons of our refusal. For example, we may refuse to comply with your request to make corrections to any information processed in relation to the physical or mental health of a data subject if it would likely cause serious harm to the physical or mental health of the data subject or any other individuals. 

8. Limiting and/or Withdrawing Consent for Continued Use, Disclosure, Retention and Processing of Personal Information

You also have the right to contact us to exercise your choice, at any time, to limit or to withdraw your consent to our continued use, disclosure, retention and processing of some or all of your Personal Information, which includes requiring us to close your account, by emailing us directly at arica@cancerresearch.my. However, it will result in us not being able to continuously provide you with the Services through the ARiCa™ which in turn would result in the termination of any contractual relationship with us. Our legal rights and remedies in such event are reserved. 

9. Opting out of Direct Marketing

You have the option of opting out of receiving marketing, advertising or promotional communications from us on any new products and services that we may have. You can do so by contacting us at arica@cancerresearch.my, accessing your account with us or clicking on the “unsubscribe” link in certain electronic communications we may send to you. 

10. Assignment, Change of Control and Transfer

All of our rights and obligations under our Policy are freely assignable by us to any of our affiliates, in connection with a merger, acquisition, restructuring, or sale of assets, or by operation of law or otherwise, and we may transfer your information to any of our affiliates, successor entities, or new owner. In the event of any such assignment or transfer, the affiliate, successor entity or new owner as the case may be, will have all the rights and be subject to all of the obligations of this Privacy Policy and the PDPA including, without limitation, the right to modify or replace this Privacy Policy.

11. Links to Third Party Sites or Providers

The ARiCa™ and/or our Services may from time to time contain links to other third-party websites or services. These third-party websites or services will collect information from you which shall be subject to their own privacy policies/data protection notices and terms of use which you should review. Your access and use of these third-party websites or services is at your own risk and we do not accept any responsibility or liability. 

12. Updates to Our Policy

We may amend or update our Policy. We will provide you with notice of amendments to this Policy, as appropriate, and update the “Last Modified” date at the top of this Policy. You are encouraged to periodically review this Policy to stay informed of the updates. You will be deemed to have been made aware of, will be subject to, and will be deemed to have accepted our Policy, as amended by your continued use of our Services after the date such revised Policy is posted. If you do not agree to our Policy, as amended, you must stop using our Services. Please review our Policy from time to time. 


CONTACT US 
If you have questions about our Privacy Policy or any complaints regarding the ARiCa™, please contact us at: 

Cancer Research Malaysia 
Subang Jaya Medical Centre South Tower, 
No.1, Jalan SS12/1A, 
47500 Subang Jaya, 
Selangor 

Contact:  +603-5650 9795
Email:  arica@cancerresearch.my