Scope & Interpretation
This policy applies to QHR and its affiliates and subsidiaries. It also applies to websites operated by QHR and such affiliates and subsidiaries.
All references in this policy to “QHR” and to “us”, “we”, or “our” refer to all or any of the foregoing. This policy does not apply to certain related companies of QHR, such as Shoppers Drug Mart Inc. and Loblaw Companies Limited, Personal Information held by them is governed by separate privacy policies.
In this policy, we explain what Personal Information we collect, and how we use, share and manage it.
Please note that when you visit one of our websites, sign up for, participate in or purchase a specific product, service, program, contest, promotion or event available through QHR, additional terms and conditions may be provided regarding the collection, use or sharing of Personal Information in connection with that product, service, program, contest, promotion or event. Those terms and conditions will apply together with this policy.
Personal Information and Personal Health Information
"Personal Information" as used in this policy means information about an identifiable individual, such as the name and date of birth of that individual and includes non-personal information that we link to Personal Information.
"Personal Health Information" is information relating to the state of a person’s health (e.g. your health and prescription history including diagnostic, health history and treatment information, as well as, drug benefit and provincial health card numbers, etc.).
What Personal Information is Not
This policy does not cover non-personal information, which is information that does not identify you. However, as stated above, when we collect non-personal information and link that non-personal information to an identifiable individual, then that information will become Personal Information and become subject to this policy.
Unless permitted or required by law, QHR will not collect, use or share Personal Information without first obtaining consent. We will obtain consent when we want to use Personal Information for a new purpose or for a purpose other than those stated at the time of collection, in this policy or in the terms and conditions of a specific product, service, program, contest, promotion or event you signed up for, participated in or purchased.
Consent can be “express” through words or by specific acts or “implied” by the conduct of the individual whose Personal Information is being collected, used or shared. By agreeing to this policy, you agree and consent that as a provider of Personal Information, we may collect, use, share or otherwise process your Personal Information in accordance with this policy. We may require an additional consent for specific products, services, programs, contests, promotions or events in the future.
You may withdraw your consent for certain purposes. For example, you may choose not to receive:
However, because of legal or regulatory requirements that we have or contractual obligations you have with us, there are limited circumstances where you may not withdraw your consent to the collection, use or sharing of your Personal Information. If you choose not to provide us with certain Personal Information or if you withdraw your consent, where such withdrawal is available, we may not be able to offer you the products, services, programs, contests, promotions, events or information that you requested or that could be offered to you.
Please also be aware that, even if you have withdrawn your consent to receive marketing communications from us, we may continue to contact you for certain non-marketing purposes necessary for the management of our businesses, as required by law or related to products, services, programs, contests, promotions or events that you had signed up for, agreed to participate in or purchased.
To withdraw or limit your consent, you can contact us as described below in “Answering Your Privacy Questions”. If you have a product, service, program, or are participating in a contest, promotion, or event that is offered by a third party together with QHR or under a QHR brand, you may also have to provide your consent preferences or withdraw your consent with that third party separately.
Please note that it may take some time for all of our records to reflect changes in your preferences. For example, if you request that you not receive personalized marketing communications from QHR, your preference may not be captured for a promotion already in progress.
How We Collect Personal Information
QHR collects Personal Information in a variety of ways such as during the course of your purchase of, or application or request for a quote for, our products and services or your participation in or use of one or more of our products, programs, contests, promotions or events. QHR limits the collection of Personal Information to what is reasonably required.
QHR collects Personal Information in the following ways:
Directly From You. You may provide Personal Information to us in person, by mail, over the telephone, through our websites or in any other direct manner. For example, Personal Information may be collected through our monitoring and recording of communications, such as telephone calls to our call centres.
From Third Parties. Occasionally, we may receive Personal Information from other sources if we have obtained your consent to do so or if the law permits us to do so.
Through Technology. We may collect Personal Information and non-personal information through various technologies directly from you or from third parties.
Websites, Social Media, Applications and other electronic means: We may collect Personal Information and non-personal information electronically, directly from you or through third parties. For instance, we may access Personal Information about you when you share information about yourself on social media networks and also when you interact with us electronically such as through our information technology systems, websites, email, mobile applications, social media properties or online advertising. For example, when you visit one of our social media sites, we may collect Personal Information that you choose to submit to us such as your name, contact information, opinions or any other information you choose to provide for the purposes of responding to an enquiry you have made, or for any other purpose disclosed to you at the time of the collection. Third parties may provide information about you to us, such as search terms you used, or refer you to us as a result of a search you conducted.
When you interact with us, such as when you visit our websites or click on our ads, we may use, and send to your device or computer, cookies, web beacons, single-pixel gifs and other technologies to help us collect and store Personal Information or non-personal information about you or to enable us to present offers to you, including interest-based ads. These technologies are used to help us understand what actions you take on our own and on third parties’ websites and applications. For instance, we may store Personal Information and non-personal information, such as your name, email address, province and language preference, on one of these technologies to enable us to populate entry fields that you have previously completed or present you with content specific to your region and language preference.
We may also collect, or allow authorized third parties to collect, information about users’ web browsers to monitor the security of our products, including to help you detect fraudulent authentications, and to ensure that our products function properly and securely.
We may also record user and usage data, such as where users click on a page, the internet protocol (“IP”) address, operating system, which website or ad the user clicked on to reach our website and which search terms were used, to help us optimize our websites, generate reports, display interest-based advertisements, or understand which key words result in visits to our websites. You may delete or disable certain of these technologies, such as cookies, at any time via your browser. However, if you do so, you may not be able to use some of the features of our websites.
When you visit our websites, we may place, or we may allow third party companies (such as advertising networks) to place cookies or web beacons on your computer or device to collect information (not including your name, address, email address or telephone number) about your visits to our websites, as well as your other online activity, which may be tracked and used, in combination with other information about you, by us or these third party companies to provide advertisements on our websites and other websites about goods or services that may be of interest to you. You may delete or disable certain of these technologies, such as cookies, at any time via your browser.
If you choose to download or use a mobile or location-based application (“app”) created by or for QHR, we may receive Personal Information and non-personal information about your current location and about your mobile device, tablet, or browser, such as a unique identifier for your device. Most devices, tablets and browsers allow you to turn off the tracking of your location. However, if you do so, you may not be able to use some or all of our apps.
How We Use Personal Information - Purposes
We identify the purpose for which Personal Information will be used typically at or before the time the Personal Information is collected. Our use of Personal Information is limited to the purposes described in this policy, the purposes set out in the terms and conditions of any product, service, program, contest, promotion or event in connection with which Personal Information was collected, purposes required by law and purposes consistent with any of those purposes. As new purposes may develop over time, we may update this policy so we encourage, you to review this policy periodically online.
QHR collects, uses and shares Personal Information for the following purposes, which involve, among other things, the activities described for each:
Provision of Products, Services, Programs, Contests, Promotions or Events
To provide products, services, programs, contests, promotions or events, which includes:
In order to manage our businesses, which includes:
In order to communicate with you, which includes:
Unless you tell us otherwise or consent is required by law, we may contact you by any means for which you have provided contact information.
If you no longer wish to receive commercial electronic messages from us please follow the unsubscribe directions provided in every commercial electronic message we send, or you can send an email to email@example.com for assistance.
In order to understand current and future consumer interests, which includes:
Please note that Personal Health Information, as that term is defined in law, such as medical or prescription information, is not shared for market research purposes among QHR, its affiliates, subsidiaries or related companies.
How We Share Personal Information
Where permitted by law, we share Personal Information within QHR for the purposes described in this policy. Please note, however, that Personal Health Information or financial information is only shared within QHR on a limited basis, such as to provide support, process a claim or a credit card transaction and is not shared for marketing purposes (although may be used by the company to which it was provided for some marketing purposes).
Subject to the provisions of this policy, we may also share Personal Information and non-personal information, for the purposes described in this statement, with related companies. These related companies are not governed by this policy, but have in place their own policy or policies as well as appropriate safeguards for the protection of Personal Information. For example, we may share your purchase history and other information about you with Loblaw Companies Limited and its affiliates and subsidiaries, current and future, and our other affiliates to help improve our respective products and services, better understand your information needs and communicate with you.
We may also share Personal Information about you with other organizations outside of QHR that help QHR provide products, services, programs, promotions, contests or events or help us with our business operations. These other organizations may include sub-contractors, third party service providers, third parties that offer products, services, programs, promotions, contests or events under one of our brands, or organizations that help us improve our products, services, programs, promotions, contests or events as well as our business and technology systems, procedures and infrastructure. When QHR shares Personal Information with any such party, we limit the use of such Personal Information to those purposes requested by us and we require the party to have appropriate safeguards for the protection of that Personal Information.
Other sharing. Canadian law permits or requires the use or sharing of Personal Information without consent in specific circumstances. These circumstances include situations when permitted or required by law or when necessary to protect QHR, employees, customers, or others. Should this occur, QHR will not share more Personal Information than is required to fulfill that particular purpose.
Sale or transfer of business. From time to time, we may decide to sell or transfer all or part of our business to a related company or to a third party, to merge with another entity, to insure or securitize its assets, or to engage in another form of corporate or financing transaction (including transfers made as part of insolvency or bankruptcy proceedings or as part of a corporate reorganization or stock sale or other change in corporate control). In addition, the manner in which products, services, programs, contests, promotions and events are provided to you, and the organization providing those products, services, programs, contests, promotions or events, may also change. If your Personal Information is required in connection with any such transactions, we will require that the parties involved, including affiliates, advisors or other service providers, agree to protect your Personal Information with policies meeting standards equivalent to those set out in this policy both during and after completion of the transaction.
Other than as stated in this policy or as stated in terms and conditions or as part of a consent in relation to a product, service, program, contest, promotion or event, QHR does not sell, trade or share for financial or other benefit any Personal Information with third parties.
How We Protect Personal Information
QHR strives to maintain appropriate physical, procedural and technical safeguards with respect to the offices, websites and information storage facilities so as to prevent loss, misuse, unauthorized access, disclosure, or modification of Personal Information. These safeguards also apply to the disposal or destruction of Personal Information.
QHR has taken steps to ensure that everyone who works for QHR, and the third parties with which we contract, understand the sensitivity of Personal Information and are required to adhere to the protection of Personal Information as set out in this Policy. We educate and train our staff on the importance of protecting Personal Information and ensure that access is provided only on a “need-to-know” basis. We use roles-based access to ensure that only those who are authorized to access your Personal Information can access it.
We also seek to ensure that any Personal Information in our custody is as accurate, current and complete as necessary for the purposes for which we use that Personal Information.
QHR uses various security safeguards to protect Personal Information, which include but are not limited to multi-factor authentication, proactive penetration tests, encryption of data in transit and at rest, active logging, intrusion detection and prevention systems, unique user accounts, role-based access based on need to know policies and ensuring that third parties have similar or better privacy practices than QHR. QHR applies a risk-based approach to determining which controls are required for each instance of Personal Information.
In addition to the safeguards, we regularly monitor our systems for possible vulnerabilities and attacks.
Storage, Use And Disposal Of Personal Information
How Long We Keep Personal Information
We actively retain Personal Information only as long as it is required for our relationship and a certain period of time afterwards to respond to queries or as required by federal and provincial laws. When this period ends, Personal Information is scheduled for destruction according to our record retention policies. Depending on the nature of the Personal Information and the purpose for which it was collected, this schedule may vary.
Where We Keep, Use Personal Information
In general, we store, access and use Personal Information in Canada. Unless there is a legal or regulatory requirement to keep such information in Canada, Personal Information may also be stored, accessed, or used outside of Canada. For instance, when we engage a service provider outside of Canada, Personal Information may be stored, accessed or used in any country where the service provider is located, or from which it provides services, including the United States. Personal Health Information that is stored within our products and hosted by us is stored within Canada. We may engage service providers outside of Canada to process Personal Health Information for the purposes of improving data security, connecting peer-to-peer connections, or streaming video. Peer-to-peer connections and video streaming are supported from within Canada, with fail-over servers located in the United States. The contents of video streams cannot be viewed by service providers. Where Personal Information is located outside of Canada, it is subject to the laws of that jurisdiction.
How We Dispose of Personal Information
Once Personal Information is no longer required for the purposes it was collected or to meet other regulatory requirements it will be scheduled for deletion. Where the Personal Information is stored in an electronic format, it will be deleted from the application or systems which it is retained. Any backups of the Personal Information will exist until rotated out of the backup archives. Physical storage which is retired is put through a deep data wipe, degaussing and/or physical destruction to ensure there is no risk of Personal Information being recovered. Personal Information which is recorded on paper is shredded to ensure that the Personal Information cannot be recovered.
Access And Dispute Resolution
QHR provides a right of access and review of your Personal Information in accordance with applicable laws and will endeavor to provide the Personal Information in question within a reasonable time. You will be asked for identification so that we may verify your identity before providing you with your Personal Information. If you require the documents in an alternative format, we will make reasonable efforts to provide you with your Personal Information in that format. If there will be charges for us to retrieve or provide you with specific information that you have requested, we will advise you of the charges that you would be responsible for and obtain your authorization before proceeding.
Our policy is to respond to access requests as required by applicable laws. QHR may decline access to Personal Information in certain circumstances. These include where the information requested would reveal confidential information or Personal Information about someone else, or if legal or regulatory requirements prohibit providing access or permit not providing access to such information. To access your Personal Health Information, a written request should be sent to the Provider from which you received Services.
If you are concerned about how we treat your Personal Information, please contact the Privacy Officer using the contact information set out below in “Answering Your Privacy Questions”.
If the Privacy Officer is unable to address your concern to your satisfaction, arbitration may be an option recommended to you to settle the dispute. Arbitration is a form of dispute resolution. If the parties decide to pursue arbitration, then the parties would refer the dispute to an arbitrator who would take into account the evidence of each of the parties and render a decision.
Answering Your Privacy Questions
QHR encourages you to review this policy periodically. If you have any questions about how we treat your Personal Information or wish to know what information we have in our files about you, ask a question about the information in your file or request a change to the information in your file, please contact the Privacy Officer at firstname.lastname@example.org.
For inquiries that relate to personal health information, please contact the Provider from which you received Services.
If you have a product, service, program, or are participating in a promotion, contest or event that is offered by a third party under a QHR brand, the third party may hold certain of your Personal Information. Should you have any questions or concerns, we will direct you to the appropriate contact so that you may make enquiries as to that party’s privacy policies and practices.
At QHR, we understand the responsibility that comes along with collecting, using and sharing Personal Information. In adopting and adhering to this policy, we assure you that the Personal Information we collect will be used in an appropriate and responsible manner.
LAST UPDATED: 13 SEPTEMBER 2019