OUR PRIVACY AGREEMENT
The Company has a reputation for – and a commitment to – superlative service to its customers and to integrity in everything we do. As part of this commitment, we respect the privacy of our customers by meeting or exceeding the standards set by law. Our privacy commitment is based on the ten principles of the Canadian Standards Association Model Code for the Protection of Personal Information, all of which are enshrined in law in the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
- Identifying purposes
- Limiting collection
- Limiting use, disclosure and retention
- Individual access
- Challenging compliance
This privacy commitment adopts the definition of personal information from PIPEDA:
“personal information” means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.
Principle 1 – Accountability
The Company is responsible for personal information under its control. As part of this accountability, the Company has designated an individual who is responsible for the Company’s compliance with this policy and applicable legislation. Any inquiry related to our privacy practices may be directed to any of our customer service representatives, or escalated to Amy Webber [firstname.lastname@example.org], Executive Assistant.
The Company is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. We seldom transfer personal information to third parties for processing, but when we do we obtain assurances from the third party that the personal information will be protected in the same manner as if the information was being processed by the Company directly and we also require that the third party abide by this policy.
Principle 2 – Identifying Purposes
At the time that any personal information is collected, the Company will take reasonable steps to inform the individual concerned of the purposes for which the information is being collected. In some cases, the purposes will be obvious from the circumstances. Individuals will be informed of the purposes in a manner that is clear, concise and comprehensible. Our employees are able to provide any further information on the purposes of collection, if such information is required. Depending upon the circumstances of the collection, this information may be provided orally or in writing.
The Company does not use any personal information for marketing purposes except with consent and will not sell, transfer or barter any customer personal information to any third parties, except in the event of a sale of all or substantially all of the business of the Company or as legally required.
At any time when it is proposed to use any personal information for a purpose that was not originally identified, the new purpose shall be identified prior to use and the consent of the individual will be obtained, unless such new consent is not required under law.
Principle 3 – Consent
The Company will obtain the informed consent of an individual for the collection, use, or disclosure of that individual’s personal information, except as may be allowed or required by law. The Company will try to obtain consent for all anticipated purposes at the time of the collection of the personal information. In some circumstances this may not be possible, so the Company will obtain the informed consent of the individual before using the personal information. Also, if the Company proposes to use an individual’s personal information for a purpose for which consent was not initially obtained, additional consent shall be required.
For all purposes, consent means informed consent, either expressed or implied. At the time that consent is sought, the Company will make reasonable efforts to bring to the attention of the individual all the purposes for which the personal information is being sought.
The Company shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the specified or obvious purposes. This means that where consent is being sought for information that is not essential to the provision of the service, providing that information will be voluntary.
There may be circumstances where the consent of an individual may be implied by the circumstances. In such cases, the purposes for the collection and use of personal information will be obvious and the Company may only use the personal information for the obvious purpose.
In general, where the information being collected would reasonably be considered sensitive, the Company will attempt to obtain written consent. Where the information is less sensitive, written consent will not be required, but is generally preferred. If the Company is seeking consent to acquire personal information from a third party (seeking a credit reference, for example), consent in writing will be required so that we can prove the consent of the individual when asked by the third-party information provider.
Despite the general presumption of this policy regarding consent, there are circumstances where the Company may collect, use and disclose personal information without consent, as allowed by law. For example, an organization may collect and use personal information in circumstances where the collection and/or use of such information is clearly in the interests of the individual and consent cannot be obtained in a timely way. Similarly, personal information may be collected and used without the consent of the individual if the information is reasonably required to investigate a breach of an agreement or a violation of the law and there is reason to believe that obtaining consent may compromise the availability or accuracy of such information. Front-line employees of the Company will not be given discretion to dispense with consent.
Principle 4 – Limiting Collection
The Company will not collect any personal information that is not reasonably necessary for the legitimate purposes identified and for which consent has been obtained. In addition, personal information shall be collected by fair and lawful means.
Principle 5 – Limiting Use, Disclosure, and Retention
The Company will only use, disclose or retain personal information for the legitimate purposes identified to the individual concerned (or which are obvious from the circumstances) and for which consent has been obtained. Personal information shall be retained only as long as necessary for the fulfillment of those purposes, except where a longer retention period is required by law.
If the Company uses personal information to make a decision about an individual (for example, whether to grant credit), the Company will retain that information for a reasonable period of time to allow that individual access to the information.
Personal information that is no longer required to fulfil the identified purposes shall be destroyed, erased, or made anonymous.
Some personal information may be retained incidentally as a result of routine computer backup operations. When this is the case, the personal information is not available for routine use by the Company.
Principle 6 – Accuracy
Personal information collected, used and disclosed by the Company shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. Information that will be used to make a decision about an individual should be as accurate as reasonably possible. If the Company does not have confidence in the accuracy of particular information, it shall not be used to make any decisions about the individual.
Nevertheless, the Company shall not routinely update personal information, unless the information needs updating to fulfil the purposes for which it was initially collected. Updating or confirming the reliability of personal information shall be done by communicating with the individual concerned, unless it is inappropriate in the circumstances.
Principle 7 – Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. All personal information shall be maintained on a “need to know” basis. All information shall be secured by physical, technical and policy measures as is prudent given the sensitivity of the personal information concerned, including secure destruction when the information is no longer needed.
Principle 8 – Openness
As part of the Company’s commitment to openness, it has made available resources such as this privacy statement. The Company’s privacy statement is made widely available and shall be provided to anybody upon request.
Principle 9 – Individual Access
Upon written request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended or annotated as appropriate.
An individual requesting access to his or her personal information, or who is inquiring whether the Company holds any personal information related to him or her, shall be required to provide sufficient identifying information and identification to allow the Company to search for his or her personal information and to confirm his or her identity. Such personal information provided to facilitate a search shall only be used for the purposes of a search and shall be destroyed as soon as practicable after conducting the search. The Company may charge a reasonable fee for photocopying costs, but will inform the individual of the fee, if any, soon after the request is made.
The Company shall respond to an individual’s request within a reasonable time and at no cost. The requested information, if available, shall be provided or made available in a form that is generally understandable.
When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the Company shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question. When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by the Company. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.
Principle 10 – Challenging Compliance
Any individual with concerns related to the Company’s personal information handling practices or the manner in which his or her personal information has been collected, used or disclosed, shall be able to address those concerns to a customer service representative. If the concerns are not promptly resolved to the satisfaction of the individual, they will be referred to the designated privacy officer for the Company. The privacy officer shall investigate the individual’s concerns and shall attempt to resolve any complaint as expeditiously and as fairly as possible. If a complaint is found to be justified, the Company shall take appropriate measures, including, if necessary, amending its policies and practices. If a complaint is not found to be justified, the individual will be informed of this conclusion and of his or her right to seek redress with the Office of the Privacy Commissioner.
The complaint procedure shall be made known to any individual expressing concerns and shall be personally explained to the individual if circumstances warrant.