Last Updated: June 27, 2023
Collection and Use of Personal Information
The following table describes the personal information we collect, the purpose and lawful basis for processing it, and whether you can opt out of its processing.
Type of information
Lawful basis for processing
Can you opt out?
Enable you to create a Portal account and access the Portal
Email address and password or authentication via existing platform
This information is collected when you create a Portal account and when you log in.
If the user leverages an existing single sign on account, the originating site will log the user’s initial account activity but cannot view or track information entered into the Portal.
You can opt out of these activities, although You will have access to the areas of the Portal that do not require an account. Without an account, you cannot complete self-assessments and track your progress, or access self-directed courses.
Report and optimize user experience based on demographic data
Province/territory of residence, age range, ethnicity and gender. This information is optional.
This information is only collected if you choose to provide it to POP.
You are not required to provide age category, ethnicity, gender province/territory of residence, and can opt out of this activity.
Enable you to track your pain, mood, well-being, functioning and substance use through self-assessment.
Self-assessment responses and scores
Your consent. This information is only collected if you decide to complete the self-assessment and is only collected and maintained on the Portal for your own use. POP does not use or disclose this information for any other purpose.
You are not required to complete the self-assessment and can opt out of this activity.
Your email address is collected when you create a Portal account.
You may opt out of most communications by configuring the preferences in your account. You cannot opt out of communications we are obligated to send.
Send you reminders to complete self-assessments.
Your consent. Your email is only collected if you choose to provide so that you can receive self-assessment reminders by email.
You may opt out of receiving reminders by email.
Administer and protect POP and the Portal, including troubleshooting, data analysis and system testing
IP address, device information.
This information is necessary to protect and ensure the Portal operates as intended.
This information is collected when you access the Portal.
You cannot opt out of these activities, otherwise we will be unable to provide the services to you.
Analyze Website and Portal usage to identify trends, identify location of users, troubleshoot issues and make improvements.
IP address, device and browser type, referring website, website activity such as click rate and bounce rate
Adresse IP, type d'appareil et de navigateur, site Web de référence, activité du site Web telle que le taux de clics et le taux de rebond
This information is automatically collected when you use the Portal.
You cannot opt out of the collection of web log files.
Quality improvements and for any Research Ethics Board (“REB”) approved studies
Any personal information provided for the purposes identified above.
REB-approval is required for any REB-approved studies
You cannot opt out of these activities.
In accordance with the principle of data minimization, we only collect the personal information we actually need. We will only use your personal information for the purpose(s) for which it was originally collected unless we reasonably believe that another purpose is compatible with that or those original purpose(s) and need to use your personal information for that purpose. We will inform you and obtain your express consent for any changes in the processing of your personal information if required.
We may also collect, use and share “Aggregated Data” such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal information but is not itself considered personal information if it is not reasonable to expect that you could be identified using that information alone or in combination with other available information. For example, we are required to provide reports to Health Canada about how the Portal used to maintain our funding for the Portal. However, these reports only include only Aggregated Data that is not used to identify people. Identifiable information about individual users is not shared in the report.
In some circumstances, where permitted or required by law, we may process your personal information without your knowledge or consent. For example, we may be required to use your personal information to protect the security or availability of POP, to protect or enforce our legal rights, or to protect the health and safety of individuals.
In the case that your personal information is used for an REB-approved research study, the study will first have to be approved by a duly authorized REB in accordance with Ontario laws. Any personal information shared with third parties for the purposes of such a research study will only be shared with external parties exclusively as permitted by the REB, and all direct identifiers (such as your name and email address) will be removed. In no case will POP attempt to link your information with any other information in an attempt to re-identify you.
Disclosures of Personal Information
We keep your personal information confidential, unless you have asked us to share it, or we are required to by law, including the following circumstances:
- If you choose to use the POP ‘single sign-on’ to access services from a service provider. We will share your email address only;
- A lawful court demand or other legally binding demand has been made for details related to your use of the Portal;
- To protect the security of the Portal; or
- To protect the health or safety of individuals.
In each instance we will share the minimum amount of personal information required for the purpose.
As explained above, we are required to provide certain Aggregated Data to Health Canada. However, we do not share personal information with Health Canada.
POP Service Providers
We use service providers to assist in delivering and supporting the Portal. There are also several service providers who provide pain management, mental health and substance use support services accessible through the Portal.
Mental Health and Substance Use Support Providers
The Portal provides access to self-guided tools, peer-to-peer support and coaching, and one-to-one counselling to provide pain management, promote and support mental health and substance use. The Portal is not a health care provider. Some of the providers of self-guided tools, peer-to-peer support and coaching, and one-to-one counselling available through the Portal may need to collect and use your personal information to provide services. For example, some providers may require you to create an account on their website. Other services, such as coaching, counselling, and crisis support require you to share more information about yourself.
Ottawa Hospital Research Institute ("OHRI")
OHRI provides the technology that powers the Portal. OHRI collects, manages, and protects personal information of Portal users on behalf of POP, and OHRI is only legally authorized to process your personal information as authorized herein and as required to operate the Portal.
OHRI has arrangements with certain technology-related service providers who may process personal information on behalf of TOH in order to help deliver the Portal. These service providers are given access to the least amount of information they need solely for the purpose of performing their designated functions and are not authorized to use or disclose personal information for their own marketing or other purposes. For example, OHRI may use service providers to host its Portal, operate certain Portal features, send email or other communications, and manage and analyze data.
Single Sign On Providers
Certain providers, such as Thinkific, Pain+, may allow you to log on to their website using your Portal log on credentials to provide for a simpler, “single sign-on” experience. If you choose to use your Portal log on credentials to access those sites, The Portal will share your email address with the provider. The Portal does not share any other personal information with any of the service providers accessible through the Portal.
Other Service Providers
The Portal uses other service providers who may also require access to your personal information. These providers may assist with such things as conducting surveys and research on how the Portal is used, communicating with Portal users, and providing guidance on how to improve the services.
Analytics and Other Technologies
Web log files, analytics tools, web beacons and similar technologies are used to deliver the Portal, remember user preferences and obtain information about how the Portal is used.
Web Log Files
Log files are automatically generated records of all visits to the Website that are used report on website trends and identify and troubleshoot issues. Log files include the following information:
- The user’s operating system (example: iOS 12),
- IP address,
- The date and time,
- Length of the website visit,
- The pages and documents accessed, and
- Previous site accessed (for example, the search engine that referred the user to the Website).
We use analytics tools, which means we use programs to help us identify patterns and make the Website better and troubleshoot technical issues if necessary. Some of the tools we use include Google Analytics and Microsoft Clarity. These tools help us to learn about how the Website are used in order to improve the website. These tools use similar technologies to collect certain information, which are listed below:
- IP address,
- Device or browser type, and
- Activity on the Website such as click rates and bounce rates
This information is used to measure and report statistics about how users interact with the Website. The tools allow us to make reports and identify trends. We do not use this information to identify you.
Find out more information about analytic tools at the links below.
We may run ads on services such as Facebook and additional social media platforms in order to expose the application to more people. By clicking on the ads within the social media platforms, you will be bound by their privacy policies. The Portal does not share usage or personal information with these platforms once the user.
We also use pixel tags, web beacons, clear GIFs or similar tools to run or manage some of our Website pages and HTML-formatted email messages. These tools do the following:
- Track the actions of users and email recipients,
- Measure the success of marketing campaigns, and
- Compile statistics about Website usage and email response rates.
We use reasonable administrative, technical and physical safeguards to protect personal information against theft, loss, and unauthorized access, use, modification and disclosure in accordance with our institutional policies. This includes the following measures:
- Data is encrypted at rest and in transit with at least AES 256-bit encryption. Transport Layer Security (TLS) 1.2 or higher is used for information transmitted over the internet;
- Employee access to data is logged and restricted on a need-to-know basis; and
- Network monitoring and intrusion detection are used to prevent unauthorized access to systems containing personal information.
- TFA verification is enforced by default for all accounts.
Despite our efforts, no safeguards can eliminate all security risks. Please take the following steps to help secure your personal information:
- Install the latest security updates and anti-virus software on your device to help prevent malware and viruses;
- Make sure your browser is up to date;
- Use complex passwords to lock your device and mobile applications;
- Do not use the same password for multiple sites; and
- Never share your password with others
In case there is a privacy or security breach, we will address the breach in accordance with our internal procedures and we will inform you of such breach as required under Ontario law.
We will retain your personal information for only as long as necessary to fulfil the purposes for which it was collected, and as may be required to comply with applicable law. When your personal information is no longer required, we will make reasonable efforts to ensure all electronic and hard copies of such information are securely destroyed and irreversibly deleted from our systems in accordance with industry standards. However, if your information has been disclosed to third parties for the purposes described above, they may retain the information according to their own retention policies.
If your personal information is used in an REB-approved research project, then your personal information will be kept for the retention period required by the REB.
Storage of Personal Information
Most of the information processed on the Portal is stored on secure servers in Canada provided by Amazon Web Services (AWS). Most of your personal information, including your profile and self-assessment results, is therefore stored in Canada. However, some service providers who assist in providing the Portal may process certain personal information, but never information related to the state of your mental health and personal quality of life, outside of Canada, and, as a result, your personal information may be subject to the laws of those jurisdictions and could be accessible without notice to you by the courts, law enforcement and national security authorities of those jurisdictions.
Accessing Your Personal Information
Most of the personal information we have about you can be accessed in your Portal account on the Website. You also have the ability to edit personal information in your account. However, if you believe we have personal information not available in your account, and would like to request access or make corrections to that personal information please contact the POP Personnel.
Deleting Your Account
You may delete your Portal account at any time. To delete your account please contact the POP Personnel.
- We may ask for personal information to verify who you are before deleting an account.
- We will make sure that all electronic and hard copies of your information are securely destroyed. This means your personal information is permanently deleted from our live systems as soon as possible. Any back-up copies of your personal information will be deleted within 90 days in accordance with our retention policies.
Sometimes we have legal obligations that require us to keep some of your personal information, such as if your personal information has been previously used in an REB-approved study. In such a case, we would only keep your personal information for as long as necessary. Note that the Portal does not manage any personal information collected by pain management, mental health or substance use service providers. If you want to delete all your information you will have to connect with each service provider, you have used.
For Further Information
If you have any complaints or questions about this Privacy Statement or our personal information handling practices, please contact the POP Personnel.