Scope
The present document presents Canadadirect Database Marketing Privacy policy which applies to all personal and operational information and data held on Canadadirect employees, clients and sub-contractors.
Personal information includes information about an identifiable individual, presented in any form, such as: age, name, ID number(s), income, ethnic origin, opinions, evaluations, social status, disciplinary actions, credit records, loan records, medical records.
All Canadadirect employees must read, understand and apply it.
Purpose
While exercising its right to collect, use and disclose personal information or data for legitimate business purposes, Canadadirect is committed to protect, in all Canada provinces and countries where it does business, the personal and operational information and data concerning
- Canadadirect employees
- Canadadirect clients and their operations
- Sub-contractors
in order to maintain strict rules of conduct to lower the risk of:
- Confidentiality breaches
- Loss of privacy
- Loss of trust
- Legal liability
Overview
Canadadirect principles for information handling practices are based on the Personal Information Protection and Electronic Documents Act (PIPEDA) and are the following:
Accountability
Canadadirect is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles. Identifying Purposes.Canadadirect shall identify the purposes for which personal information is collected at or before the time the information is collected.
Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by Canadadirect. Information shall be collected by fair and lawful means.Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information must be retained only as long as necessary for the fulfillment of those purposes.Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.Openness
Canadadirect shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
1. Accountability
1.1 The IT director and the managers responsible for each division of Canadadirect oversee the application of this policy and take corrective action on violations and on non-compliance. The IT director is responsible of the development and implementation of specific privacy policies and procedures.
1.2 Canadadirect employees who have concerns regarding the privacy of their own, sub-contractor or client should report their concerns as well as any weakness in the measures protecting such information.
Divisions who manage client personal or operational information and data, as a result of providing services to these clients, must protect such information and data. Any violation of client personal or operational information or data, in the context of providing services to these clients, should be reported directly to the IT director or division manager.
Attention: Privacy Officer
Canadadirect Database Marketing Inc.
743 Renaud, QC, H9P 2N1
Fax: (514) 422 8835
Email : privacyofficer@canadadirect.ca1.3 Contracts or other means must be used to ensure that when third parties process personal information on the behalf of CanadaDirect, they maintain a comparable level of privacy protection.
1.4 Canadadirect will implement policies and practices to give effect to the privacy principles, including:
- Implementing procedures to protect personal information
- Establishing procedures to receive and respond to complaints and inquiries
- Training staff and communicating information about Canadadirect policies and practices
- Developing information to explain Canadadirect policies and procedures
2 Identifying Purpose of Collection
2.1 CanadaDirect must identify the purposes for which personal information is collected at or before the time of collection. This will allow CanadaDirect to determine the information it needs to collect to fulfill these purposes. CanadaDirect shall examine opportunities for using non-identifiable information (i.e., coded or anonymous data) rather that personal information to meet the purposes.
2.2 CanadaDirect shall document the purposes for which personal information is collected in order to comply with the Openness principle and the Individual Access principle.
2.3 When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose.
2.4 Persons collecting personal information should be able to explain to individuals the purposes for which the information is being collected.
3 Consent
3.1 CanadaDirect must obtain consent for the collection, use and disclosure of personal information, at or before the time of collection, except where not appropriate (e.g., exchange of information with credit agency for a loan).
3.2 CanadaDirect should seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Individuals can give consent in many ways. For example:
- An application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
- A check-off box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
- Consent may be given orally when information is collected over the telephone; or
- Consent may be given at the time that individuals use a product or service.
3.3 CanadaDirect shall make reasonable efforts to advise the individual of the purposes for which the information will be used.
3.4 CanadaDirect must inform individuals that they may withdraw consent at any time, and explain the implications of their withdrawal to them.
4 Limiting Collection
4.1 CanadaDirect shall collect only the type and amount of personal information necessary for the identified purpose. This has to be done in a fair and lawful way, and not deceive or mislead individuals.
4.2 CanadaDirect shall specify the type of information collected as part of its information-handling policies and practices.
5 Limiting Use, Disclosure, and Retention
5.1 CanadaDirect must use and disclose personal information in its control only for the purpose for which it was collected unless consent is obtained, or the use or disclosure are required by law.
5.2 Certain CanadaDirect employees may be given access to customer and/or employee information in so far as their duties require access for business purposes. CanadaDirect employees are governed by a confidentiality agreement prohibiting disclosure or use of any confidential or personal information for any purposes other than the stated business purposes.
5.3 CanadaDirect shall document the use of personal information for any new purpose not initially communicated to customers when receiving their consent.
5.4 CanadaDirect must retain information only as long as necessary and dispose of all sensitive information in a secure manner according to the CanadaDirect Data Security Policy and Procedures.
5.5 Personal information used to make a decision about an individual should be retained long enough to allow the individual to access that data and challenge its accuracy.
6 Accuracy
6.1 The extent to which personal information will be accurate, complete, and up-to-date depends upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.
6.2 CanadaDirect shall not routinely update personal information, unless such a process is necessary to fulfill the purposes for which the information was collected.
6.3 Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
7 Safeguards
7.1 Canadadirect will implement security safeguards to protect personal information in its control against loss or theft, and unauthorized access, disclosure, copying, use, or modification.
7.2 The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection.
7.3 Canadadirect protects all personal information regardless of the format in which it is held. The methods of protection include:
- Physical measures, such as locked filing cabinets and restricted access to offices;
- Organizational measures, such as security clearances and limiting access on a “need to know” basis;
- Technological measures, such as the use of passwords and encryption.
7.4 CanadaDirect makes their employees aware of the importance of maintaining the confidentiality of personal information. CanadaDirect employees are governed by a confidential agreement prohibiting disclosure or use of any confidential or personal information for any purposes other than the stated business purposes.
7.5 CanadaDirect will use care in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information.
8 Openness
8.1 CanadaDirect will make its policies and practices with respect to the management of personal information easily comprehensible and accessible, by providing upon request:
- The name, title, and address of the Privacy Officer accountable for CanadaDirect’s policies and practices and to whom complaints or inquiries can be forwarded;
- The means of gaining access to personal information held by CanadaDirect
- A description of the type of information held by CanadaDirect and/or its subsidiaries, including a general account of its use.
8.2 CanadaDirect will make this Privacy Policy available online or by mail.
9 Individual Access
9.1 Upon request, CanadaDirect will inform individuals whether or not the organization holds personal information about them and provide access to that data in a reasonable time, and at minimal, or preferably no cost. The requested information will be provided or made available in a form that is generally understandable.
9.2 CanadaDirect will allow an individual access to his or her personal information once the individual has provided CanadaDirect with a written request. The request will include sufficient information to permit CanadaDirect to provide an account of the existence, use, and disclosure to any third parties of this personal information.
9.3 When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, CanadaDirect will amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
9.4 When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge will be recorded. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.
10 Challenging Compliance
10.1 CanadaDirect will maintain procedures to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal information.
10.2 CanadaDirect will make every effort to explain its inquiry and complaint procedures to individuals.
10.3 CanadaDirect will investigate all complaints. If a complaint is found to be justified, CanadaDirect will take appropriate measures, including, if necessary, amending its policies and practices.