Safe Harbor Policy

Sunquest Information Systems, Inc. and our wholly-owned subsidiaries (“Sunquest”) are dedicated to safeguarding the personal and private information of our clients, clients’ patients, partners and employees.

In association with these practices, Sunquest complies with the U.S. – EU Safe Harbor Framework and Safe Harbor Privacy Principles established by The United States Department of Commerce, in agreement with the European Commission, for the treatment and care of personal data transferred from the European Union (EU) to the United States (http://export.gov/safeharbor/).

In providing a variety of services under contract to our clients including application support, system implementation and consultation, Sunquest acts as a data processor on behalf of our client (the data controller).  In operating as a data processor, Sunquest does not own or control personal data, rather such responsibility lies with the data controller.  As a data processor, Sunquest is required to provide services to our clients in accordance with our contractual arrangement with our client and any requirements, instructions or provisions regarding data handling or privacy within such contracts.

In the limited circumstances where Sunquest acts as a data controller (i.e., personal data collected for Sunquest employment matters or in collection of data from Sunquest website visitors), Sunquest is subject to and complies with the Safe Harbor Privacy Principles.  

This Safe Harbor Policy (“Policy”) is to be read subject to the above distinction.


The following definitions will apply to the Policy:

“Agent” means any third party that collects or uses personal data under the instructions of, and solely for, Sunquest or to which Sunquest discloses personal data for use on our behalf.

“Data controller” means the person or body who determines the purposes and means of processing and retains responsibility for the data.

“Data processor” means the person or body which processes personal data on behalf of the data controller.

“Personal data” means information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.  Personal data does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public personal information.

“Sensitive personal data” means information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex of individuals.


When acting as a data processor, Sunquest may receive, hold and process personal data (including sensitive personal data) from our EU clients.  Where such personal data is collected by the data controller, Sunquest requires the data controller to comply with the Safe Harbor Privacy Principles and any other laws, regulations or standards applicable to the client.

Where Sunquest directly collects personal data from individuals in the EU it is acting in the role of data controller.  As data controller, Sunquest will inform individuals about the type of personal data collected, the purposes for which it collects and uses the personal data, the types of non-agent third parties to which Sunquest may disclose personal data, and the choices and means Sunquest offers individuals for limiting the use and disclosure of their personal data.


Where Sunquest acts as data controller, Sunquest will offer  individuals the opportunity to choose (opt out) whether their personal data will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual.  Where Sunquest acts as a data controller of  sensitive personal data, Sunquest will require individuals to provide affirmative or explicit (opt in) choice if such sensitive personal data is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.

Sunquest will provide individuals with reasonable mechanisms to exercise their choices.

Onward Transfer (Transfers to Third Parties)

Sunquest will obtain assurances from its agents to safeguard personal data in conformance with this Policy.  Such assurances may be in the form of the agent’s certification to the Safe Harbor Privacy Principles or a written agreement between Sunquest and the agent requiring that the third party provide at least the same level of privacy protection as is required by the Safe Harbor Privacy Principles.


Where Sunquest acts as data controller, Sunquest will grant individuals reasonable access to the personal data that we hold about them, and Sunquest will take reasonable steps to permit individuals to correct, amend, and/or delete personal data that is demonstrated to be inaccurate, except where the rights of persons other than the individual would be violated.


Sunquest will take reasonable precautions to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction where any such precautions are within Sunquest’s control.

Data integrity

Regardless whether Sunquest acts as data processor or data controller, Sunquest will use personal data only for the purposes compatible with its original collection or as subsequently authorized for use by the individual. When specifically acting as data controller, Sunquest will take reasonable steps to ensure that personal data is pertinent to its intended use, accurate, complete, and current.


Sunquest will conduct audits of our relevant privacy practices to verify adherence to this Policy.  Any Sunquest employee found to be in violation of this Policy will be subject to disciplinary action as determined by Sunquest, up to and including termination of employment.


Questions, comments or complaints regarding this Policy may be directed to:

Privacy Officer                                      
Sunquest Information Systems, Inc.                                 
3300 E Sunrise Dr                                                     
Tucson, Arizona 85718 USA                                             
e-mail: privacy@sunquestinfo.com  


Privacy Officer
Sunquest Information Systems (Europe) Ltd
Parkview House
82 Oxford Road
United Kingdom
e-mail: privacy@sunquestinfo.com
Dispute Resolution

Sunquest will refer unresolved privacy complaints under this Policy to an independent dispute resolution mechanism, the Direct Marketing Association.  If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily  addressed by Sunquest, please visit the Direct Marketing Association website at http://www.dmaresponsibility.org/SafeHarbor/consumers.shtml for more information and to file a complaint.  The Direct Marketing Association may also be contacted as follows:

Direct Marketing Association
Attn: Safe Harbor Program
1615 L St, NW Ste 1100
Washington, DC  20036-5624