EFFECTIVE DATE: December 20th 2023

1.    Background

2.    Definitions

3.    Scope and Services

4.    Accountability

5.    Limiting Collection: What Information Do We Collect?

6.    Limiting Use: How Do We Use Your Information?

7.    Disclosure: When Do We Disclose Your Information to Others?

8.    Consent

9.    Safeguards: How Do We Protect Your Information?

10.  Data Breach

11.  Data Storage and Transfer

12.  Data Retention: How Long Do We Keep your PI and PHI?

13.  Accounts and Credentials

14.  Accuracy: How Do You Modify Your Information?

15.  Access: Right to your data

16.  Account Closure: Data Deletion.

17.  Governing Law.

18.  Third-Party Services and Links.

19.  Challenge Compliance.

20.  Changes to This Privacy Notice.

1.  Background

By Using the I’m Ready to Know website at http://www.readytoknow.ca (the “Site”), the I’m Ready, Test mobile app and web app at imready.ca (the “I’m Ready, Test Apps”) and the I’m Ready, Talk telehealth services platform at https://www.readytoknow.ca/testing-support/connect-with-peer-navigators/ or mobile app (the “I’m Ready, Talk App”), (together the “Apps”), you agree to be bound by the terms of this Privacy and Data Security Notice (“Privacy Notice”).

This Privacy Notice helps Users of our Site and Apps to better understand how we collect, use, and store Personal Information (“PI”) and Personal Health Information (“PHI”) in providing the Services offered through the Apps, and is part of the Terms and Conditions and End User License Agreement (the “Terms”).

The Site, the I’m Ready, Test Apps and their associated Services, are owned and operated by St. Michael’s Hospital, Unity Health Toronto (“UNITY”). UNITY licenses the I’m Ready, Talk app from OnCall.

2.  Definitions

Capitalized words used in this Privacy Notice are defined in Section 1, this Section 2, elsewhere in this Privacy Notice, or in the Terms.

“Account” means an account created by a User to Use the Platform and includes the Account Record.

“Account Record” means Information associated with your Account profile that is needed to provide the Services and includes your year of birth, your province, the first three letters of your postal code, unique participant ID, and your Test Results (for the I’m Ready, Test Apps) and a name and a valid email address (for the I’m Ready, Talk Apps). If you use the I’m Ready, Talk Services, your account record will include any notes from your Peer Navigator.

“Information” means PI we collect or receive from you and includes the PI and PHI that you enter into the Site to receive information or into the Apps to Use the Services.

“Personal Information” or “PI” means information that identifies you or could be combined with other information to identify you and includes home mailing address, home telephone number, personal cellphone number, personal e-mail address, internet provider (IP) address, date of birth, the number of any government issued identification and may also include information about how you use the Site, the Apps, and the Services if we can associate that PI with you.

“Personal Health Information” or “PHI” means information about you that relates to physical or mental health and includes Samples and Test Results.

“Samples” means pseudonymized blood samples you collected from yourself using the testing kit(s) you ordered through the I’m Ready, Test Apps to self-test for HIV.

“Test Results” means HIV testing results from your Sample(s).

“we”, “us” or “our” means UNITY and any of our Affiliates.

“you” or “your” mean UNITY and the terms “you” and “your” mean Users of the Site, the Apps, and the Services.

3.  Accountability

We take the privacy of your Information seriously and are committed to safeguarding it. We developed and implemented policies, practices, and procedures to protect your Information and we train our staff in our Information handling practices.  

  1. We comply with privacy and data security legislation including the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the Personal Health Information Protection Act (Ontario) (“PHIPA”) and are compliant with ISO/IEC 27002:2013 Code of practice for information security controls: 15.1: Information security in supplier relationships.
  • We have appointed a Chief Privacy and Security Officer (“CPSO”) who is responsible for enforcing compliance with our privacy program including by adopting new policies and procedures or amending existing policies and procedures.
  • If you have a question or complaint about our information handling practices, please contact us at reachnexus@unityhealth.to.

4.  Limiting Collection: What Information Do We Collect?

It is our policy to collect only Information necessary to allow Users to interact with us and to receive the Services.

The ways we collect Information can be broadly categorized into:

  1. Information you provide to us directly: When you Use parts of our Site or our Apps we might ask you to provide your PI. For example, we may ask for a name and a functioning email address to schedule an appointment with a peer navigator on the I’m Ready, Talk App. We may also receive your contact information when you contact us directly at the contact email provided on the Site. If you order test kits and wish to have them delivered to you, we will ask you for a mailing address. Your Peer Navigator may make general notes during your appointment in the I’m Ready, Talk Apps to help them remember what you talked about to support your ongoing conversations if you connect with a different Peer Navigator later. When you participate in in-App surveys, we collect information about how we can improve our Apps and Services.
  • Information from other Sources: We may receive your Information from other sources, such as sources you authorized to provide such information to us. The unique participant ID on the I’m Ready, Test Apps will be associated with your survey and test results conducted by our service providers.
  • Information we collect automatically: We may automatically collect some technical information when you visit our Site or Use the Apps that platforms like Google Analytics may collect about your interactions with the Site and the Apps. This includes the geographic location of your IP address, the IP address itself, device type, what pages you looked at, what links you clicked on, your browser type and configuration, the date and time of use, and language preferences. Other than the IP address, this type of information does not give us access to any information that can identify you. We use this information to detect problems, improve the navigation of our Site and Apps so they are easier to use and to see what features of our Services may interest you.

If you consented to receive these types of communications from us, we may track whether you opened certain types of promotional e-mails, whether you looked for information about a particular topic or service, or to consider other products and services that may be useful for you.

5.  Limiting Use: How Do We Use Your Information?

We use Information and non-personal information for the following purposes:

  1. To communicate with you. This may include: (i) providing you with information you requested from us or information we must send to you; (ii) operational communications, like information regarding your Account, or our Services; (iii) changes to our Site or Apps, or changes to this Privacy Notice, or our Terms; (iv) any questions, reminders, notifications related to your Account or your use of your Account or addressing customer service issues and troubleshooting problems with your Account; (v) to notify and alert you about data breaches, actual or potential fraud, identity theft and other fraud or security-related activities; and (vi) legal disclosures, communications about and related to any legal action, or otherwise required under our legal obligations; and any other reason notifications and alerts may be required by law.
  • To provide Services. We use Information to deliver the Services, manage our business operations such as to register your Account, to authenticate you when you log into your Account. The I’m Ready, Test Apps use push notifications to remind you to order and use your kit, connect with a Peer Navigator, and complete surveys. You may disable push notifications through the Apps in your device settings, but note that keeping your notifications on will help you to get the most out of the Services. We use the name and the functional email address you provided to schedule appointments, share appointment information, and connect you with our peer navigators on the I’m Ready, Talk App.
  • To improve our Site, Apps, and Service and develop new ones: We monitor how you Use the Site, the Apps, and the Services, and we may use information you provide to us through our surveys to improve our offerings, user experience, and design new features.
  • To detect and prevent any fraudulent or malicious activity and to make sure that our Site, Apps, Content, and Services are Used according to our Terms and to protect the security or integrity of our Site, Apps, our Services, and our business.
  • With your consent, to send you targeted advertisement such as general or personalized notices and promotional messages, or to send news about us; and
  • To comply with any laws and regulations.

6.  Disclosure: When Do We Disclose Your Information to Others?

We do not disclose or share your Information except as allowed by law and as outlined in this Privacy Notice.

  1. The information related to ordering your kit is not stored in the I’m Ready, Test Apps. UNITY securely collects and stores your name, user ID, delivery address, and number of kits ordered on its restricted access server. We securely provide this information to our service provider who fulfills the order and ships the kits.   
  • The Information on the I’m Ready, Test Apps remains in those Apps until you click on the “remove data from this device” tab in the menu page of the App and delete the Apps from your device or close your web app account. You can manage any Information you provide through the I’m Ready, Talk Apps to make appointments with Peer Navigators through the emails you receive to confirm your appointments. Your appointment confirmation email includes a link through which you can create a password and login for I’m Ready, Talk.
  • Messages and Peer Navigator notes in the I’m Ready, Talk App are not shared with us and will be deleted from OnCall’s secure system every 8 months. OnCall shares basic information with us about your use of the I’m Ready, Talk App, such as frequency, type, and length of appointments. This information will help us improve our Services.
  • If you mention causing harm to yourself or others, the Peer Navigators will use your ID to do what they can to ensure that you or others receive help and are safe.  
  • By giving an email address to access the I’m Ready, Talk App you may receive emails that identify you as a user of the app. Anyone who sees these emails could know that you are a client of the I’m Ready program because emails are not secure in the way a phone call or regular mail would be. Copies of an email may continue to exist, even after efforts to delete the email have been made. Please note: you must not use email for medical emergencies. If you require immediate help, call your clinic or care provider or seek emergency services.
  • We run the Apps and provide our Services with the assistance of third-party service providers who assist us with business operations, marketing, and promotional services. We engage our service providers on separate terms, either their own terms of service or separate agreements, as explained in Section 9. Those terms ensure the security of your Information that we share and limit the service providers’ use and disclosure of that Information to the strict purpose for which we engaged each service provider. If we or our service providers need to use your Information for any unrelated purposes, we or they must ask you for your consent.

If you consented to receive marketing and promotional emails from us, we may share select PI with service providers who help us with marketing and promotional services.

  • We will not rent the Information we collect directly from you or as part of our Services. Other than as identified in this Privacy Notice, we will not disclose, transfer, or sell your Information; however, you acknowledge and agree that we may disclose, transfer, or sell (as applicable) your Information and your Account Record, without your explicit consent under the following limited circumstances:

i) Transfer and/or disclose relevant pieces of your Information that our service providers need to assist us to provide the Services and run our business;

ii) Disclose your necessary Information to prevent or investigate fraudulent or illegal activity on your Account;

iii) Disclose your necessary Information to comply with an order, subpoena, warrant or other legal requirement issued by a court, tribunal, regulator or government body with competent jurisdiction that requires disclosure of Information, including to meet national security or law enforcement requirements, to prevent, investigate, or take action against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms, this Privacy Notice, to protect the security of the Site, the Apps, our Services, and the security of your Account, or as otherwise required by law.

iv) Disclose your necessary Information to establish or defend our legal rights. Where possible and appropriate, we will notify you.

v) Disclose and transfer your Information to an actual or potential buyer of UNITY (and its agents and advisers) in connection with an actual or proposed corporate reorganization, assignment, merger, or sale of any part of our business, including as part of insolvency or bankruptcy proceedings. In such case, the Information will be disclosed solely for the purposes related to the transaction, including during due diligence or to fulfill any audit requirements, and will be protected by security safeguards appropriate to the sensitivity of the Information and contractual confidentiality obligations, including the return or destruction of confidential information (including PI and PHI) if the transaction fails to close. Your Account record may be transferred upon a change of corporate control.

If you do not wish to continue to receive services through the entity that acquires or with whom we may merge our business, you may click on the “remove data from this device” tab in the menu page of the I’m Ready, Test Apps and I’m Ready, Talk web-App to close your Account.

7.  Consent

  1. When you provide Information to open an Account and receive Services you consent to our collecting your Information required to complete these activities only.
  • You acknowledge and agree that by Using the Apps we may contact you through the Apps by email without your explicit consent for any purpose directly related to our legal rights, our obligations, and our ability to provide our Service to you such as: (i) providing you with information you requested from us or information we must send to you; (ii) operational communications about your Account or the Service; (iii) changes to our Site, Apps, changes to this Privacy Notice or the Terms; (iv) matters related to your Account; (v) to notify and alert you about data breaches, and other fraud or security-related activities; and (vi) legal disclosures, communications about and arising from any manner of legal action; and any other reason notifications and alerts may be required by law.
  • YOU CAN WITHDRAW YOUR CONSENT FOR OUR USE OF YOUR INFORMATION IN FUTURE USES WITHIN THE SCOPE OF YOUR CONSENT BUT YOU CANNOT WITHDRAW YOUR CONSENT FOR OUR USE OF YOUR INFORMATION FOR USES THAT BEGAN BEFORE THE DATE ON WHICH YOU WITHDREW YOUR CONSENT. YOU WILL ALSO NOT BE ABLE TO WITHDRAW YOUR CONSENT WHERE OUR USE OR DISCLOSURE OF YOUR INFORMATION IS AUTHORIZED OR REQUIRED BY LAW.

8.  Safeguards: How Do We Protect Your Information?

We are committed to protecting your Information. Our staff understand the importance of keeping your Information confidential and are expected to maintain the confidentiality of your Information.

  1. We take reasonable administrative, technical and physical measures to safeguard your Information against unauthorized access or disclosure, theft, and misuse. This includes limiting access to your Information by our staff with passwords and graduated levels of clearance. We do not publish all of our security measures online because this may reduce their effectiveness. We take reasonable precautions against breaches of our security systems; however, no company can fully eliminate the risks of unauthorized access to your Information and no website or app is completely secure.
  2. Although we cannot guarantee that unauthorized access, hacking, data loss or breaches of our security systems will never occur, we try to minimize these risks by: (1) active monitoring: monitoring Account activity and our system activity through activity logs and regular audits to ensure that no unauthorized access attempts have been made, (2) secure storage: we store your Information over which we have custody and control in Canada in reputable data centers that are ISO 27001 and ISO Standard 27018:2019 (Code of Practice for personal identifiable information (PI) protection in public clouds acting as PI processors) certified and adhere to global privacy and data protection best practices, (3) network security: we implemented controls to protect against unauthorized access, including segregating our internal systems from our publicly-accessible systems, (4) end-to-end encryption: we encrypt all data transmissions and communications on the Site, Apps, and as part of our Services from end-to-end using industry-standard transport layer security (“TLS”) or secure socket layer (“SSL”) encryption technology, and (5) training: we implemented policies, procedures, and training for our staff that address the handling of PI and PHI. All our staff members and service providers are legally bound to confidentiality obligations.
  3. We expect our service providers to protect your Information that they collect from you directly as well as the portion of your Information we provide to them so we can receive the service for which we engaged them. If our service provider’s data collection and security practices are inferior to ours, we may enter into separate Data Protection Agreements to ensure that any Information we may need to share with them is protected.

9.  Data Breach

  1. We take precautions against breaches of our security systems, but you acknowledge and agree that no company can eliminate the risks of unauthorized access to data or your Information and no transmission over the internet is 100% secure. Therefore, you provide data and your Information to us at your own risk.
  • Despite our rigorous precautions against data breaches, the risk of a data breach remains. In the event of a data breach, we will comply with the breach notification requirements outlined in PIPEDA.

10.  Data Storage and Transfer

  1. While, as custodians, we remain responsible for the security and privacy of your Information at all times, our service providers may use or store the portion of your Information that they require to provide their services to us outside of Canada. In that case your Information will be subject to the laws of the country in which the Information is used or stored. The rigor of those laws may differ from Canadian laws.
  • We expect our third-party service providers who are not bound by the same laws we are to provide comparable levels of data protection and security. We may enter into Data Protection Agreements with service providers whose data protection and security practices are inferior to those we outlined in this Privacy Notice.

11.  Data Retention: How Long Do We Keep your PI and PHI?

We collect only Information that we need to allow you to Use the Site and the Apps and to provide the Services.

  1. We maintain a records retention and destruction policy to destroy your Information when we no longer have a need for it and are not required by law to keep it. Information collected with your consent directly by our service providers and that is under their custody and control is subject to their data destruction policies and the data retention laws applicable in that provider’s jurisdiction.
  • We retain your Account Record in active use until you close your Account. We employ an automatic data backup and archiving system and a data retention and destruction schedule to ensure data security.

Once you close your Account, your Information and Account Record in active use will be deleted within 30 days but Information automatically saved as part of rolling backups will be stored until it is overwritten in accordance with our data retention and destruction schedule. We will keep limited pieces of your Information for as long as we have a legal or legitimate need to keep it, such as to comply with data retention laws, enforce our Terms, comply with audit requirements, and take other actions permitted by law.

12.  Accounts and Credentials

The security of your Account depends on you keeping your Account login credentials safe and not sharing them with anyone else. If you believe that any of your login credentials have been compromised or misused, you must contact us immediately at reachnexus@unityhealth.to.

13.  Accuracy: How Do You Modify Your Information?

We want to ensure that the Information you provide to us is accurate, complete, and up-to-date for the purpose of providing the Services. Be sure to enter accurate Information in the Apps and update any inaccurate or outdated information as soon as possible.

14.  Access: Right to Your Information

We maintain anonymity for our Users. The Information required to provide the Services is limited and is available in your Account Record of your I’m Ready, Test Apps, together with your Test Results, if you choose to upload them.

Survey results are not part of your Account Record. If you wish to gain access to your survey results, you must provide your unique participant ID so we can identify and retrieve your surveys.  

15.  Account Closure: Data Deletion

To close your Account, you may delete your Account Record by clicking on the “remove data from this device” tab in the menu page of the Apps. Once you remove your Information from your Account Record, delete or log out of the Apps, the Information is no longer available to us. If you use the I’m Ready, Test Apps and the I’m Ready, Talk web app, we store a copy of your unique participant ID (which is not connected to your name or any of your PI so we cannot identify you), your year of birth, home province, the first three letters of your postal code and anonymized test results on secure cloud servers. If you wish to have this information deleted, you can contact us at reachnexus@unityhealth.to and we will delete it within 30 days of your written request, but we will continue to keep some Information, as described in Section 12.

16.  Third-Party Services and Links

We may provide links to third-party websites on our Site or the Apps. These links are provided for convenience only. We do not have control over those third-party websites, and they are not subject to this Privacy Notice or our Terms. Your use of hyperlinked websites is at your own risk and subject to the privacy notices of those websites. You acknowledge that these links may lead you to third-parties that may operate in a different jurisdiction than either yours or ours. If you provide Information to these entities, then your information may become subject to the laws of the jurisdiction(s) in which that site operates or where its facilities are located.

17.  Challenge Compliance

If you believe that we have not adhered to this Privacy Notice you may challenge our compliance with this Privacy Notice and our compliance with applicable privacy laws.

Please notify our Chief Privacy and Security Officer of your complaint by email at Paula.Kocsis@unityhealth.to. You can also reach us at:

UNITY HEALTH TORONTO

30 Bond St. Toronto, ON M5B 1W8

We pledge to address your complaint promptly. If you are dissatisfied with the response you receive from us, we hope you would contact us to resolve the issue. If we cannot resolve your complaint to your satisfaction you can file a complaint with the Office of the Privacy Commissioner of Ontario.

18.  Changes to This Privacy Notice

We reserve the right to update or change this Privacy Notice. All updates to this Privacy Notice will be highlighted in the Change Log below. A banner on the Site and Apps will notify Users of updates or changes to the Privacy Notice.

Changes to the Privacy Notice take effect on the date on which they were made or on the effective date indicated in the notice we post about such changes.

By continuing to use the Site, the Apps, and the Service after you receive the notice you IMPLICITLY CONSENT TO BE BOUND BY THE PRIVACY NOTICE TERMS IN EFFECT ON THE DATE ON WHICH YOU VISIT THE SITE OR USE THE APPS AND THE SERVICES (as listed at the top of this Privacy Notice).