Wesley Jackson Professional Corporation
Privacy Policy
Introduction
In 2000, the federal government of Canada enacted The Protection of Personal Information and Electronic Documents Act (“PIPEDA”). Effective January 1, 2004, all organizations that collect, use or disclose personal information in the course of their commercial activities will be subject to PIPEDA or substantially similar provincial legislation (collectively, “privacy legislation”). Briefly stated, privacy legislation requires that the consent of an individual be obtained for the collection and use of his or her personal information, that steps be taken to protect personal information and that one or more individuals be appointed to monitor compliance with the provisions of applicable privacy legislation.
The term “personal information” means information about an identifiable individual recorded in any form and includes, but is not limited to, such things as race, ethnic origin, nationality, colour, age, gender, marital status, religion, education, medical information, criminal information, performance reviews, trade union membership, employment and financial history, income, address and telephone number, e-mail address, numerical identifiers such as Social Insurance Number, and views and personal opinions. In the case of a customer, personal information also includes information about a customer’s purchasing history, credit information, billing records, service and any recorded complaints and, in the case of an employee, includes information found in personnel files, employment history, performance reviews and medical and benefits information. Publicly available information, such as a public directory listing of names, addresses, telephone numbers and electronic addresses, however, is not considered personal information.
Application
This Privacy Policy applies to personal information which the Company collects, uses or discloses in respect of any of its customers or employees in the course of its commercial activities. The application of this Privacy Policy is subject to the requirements or provisions of any applicable legislation, regulations, tariffs or agreements (such as collective agreements), or the order of any court or other lawful authority. Various legal criteria independent of this Privacy Policy will determine whether federal or provincial privacy legislation applies to the personal information that the Company collects, uses or discloses in respect of its customers or employees. This Privacy Policy does not replace those criteria and nothing in this Privacy Policy should be construed as indicating which privacy legislation, if any, applies to the collection, use and disclosure of personal information.
The Ten Privacy Principles
This Privacy Policy has been developed in accordance with the standards set out in PIPEDA and is modeled after the Canadian Standards Association Model Code for the Protection of Personal Information (the “CSA Code”). Accordingly, the ten principles of fair information practices, as identified by the CSA, have been adopted by the Company and represent a formal statement of the minimum requirements to be adhered to for the protection of personal information collected from the customers and employees of the Company.
Principle 1. Accountability
The Company is responsible for the personal information under its control and shall designate one or more individuals who shall be accountable for the Company’s compliance with the procedures and principles set out in this Privacy Policy.
1.1 Accountability for the Company’s compliance with the principles rests with the Privacy Compliance Officer even though other individuals may be responsible for the day-to-day collection and processing of personal information. The Privacy Compliance Officer may from time to time designate one or more individuals within the Company to act on his or her behalf.
1.2 The name and contact information of the Privacy Compliance Officer shall be made available upon request.
1.3 The Company is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The Company shall use contractual or other appropriate means to provide a comparable level of protection while the information is being processed by a third party.
1.4 All personal information collected by the Company or by its agents, contractors, partners, or affiliates shall be protected through physical or electronic measures in order to reduce the risk of its unauthorized collection, use, disclosure, or destruction. Such protections shall be appropriate to the sensitivity of the information and may include, by way of example:
- passwords;
- locked cabinets;
- restricted access;
- file write-protection;
- encryption.
1.5 All complaints or inquiries should be directed to:
Wesley Jackson Professional Corporation
12 Rutherford Road South, Unit 8
Brampton, Ontario, L6W 3J1
ATTENTION: Wesley Jackson
Fax No.: 905-487-4825
The Privacy Compliance Officer shall respond in a timely manner to the individual making the complaint or inquiry in compliance with all applicable privacy legislation.
1.6 The Company shall incorporate materials outlining and explaining this Policy and its related procedures into its existing employee training, communications, and resource programs. Such materials may include but shall not be limited to:
- provision of this Policy to the employee at time of hire
- ongoing review of this Policy in customer service training programs
- awareness of the policy’s posting to company websites
- invitation of ongoing employee comment and review of this Policy
- applicable signage in employee rest areas
- regular summaries of this Policy and location of further resources in Company newsletters; and
- ongoing employee information seminars.
Principle 2. Identifying Purposes
The Company will identify the purpose for which personal information is collected at or before the time the information is collected. The purposes for which information is collected, used or disclosed by the Company must be those that a reasonable person would consider are appropriate in the circumstances.
2.1 The Company shall document the purposes for which personal information is collected in order to comply with the Openness and Individual Access Principles (Principles 8 and 9, respectively).
2.2 Identifying the purposes for which personal information is collected at or before the time of collection allows the Company to determine the information it needs to collect to fulfill these purposes. The Limiting Collection Principle (Principle 4) requires the Company to collect only that information necessary for the purposes identified.
2.3 The Company shall identify purposes at or before the time of collection to the individual from whom the personal information is collected. The Company will endeavour to identify purposes in writing wherever possible. In certain circumstances identification may also be provided orally. For example, forms may provide information on purposes in writing. Collection of personal information through personal interviews or surveys may be better suited to identifying purposes orally.
2.4 When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use of such information. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose. For an elaboration on consent, please refer to the Consent Principle (Principle 3).
2.5 Company employees collecting personal information from customers or other employees will accurately explain to such individuals the purposes for which the information is being collected, including any purposes that may not be immediately obvious to the individual.
2.6 The purposes for which the personal information of employees is collected may include, but are not limited to:
- administering payroll and employee benefit programs;
- conducting performance evaluations and discipline;
- effecting employee training;
- conducting internal reviews, investigations and complaint resolution processes;
- participating in union negotiations and labour arbitrations;
- facilitating transactional due diligence reviews;
- complying with legal and regulatory obligations.
2.7 The purposes for which the personal information of customers is collected may include, but are not limited to:
- processing commercial transactions;
- communicating with customers;
- establishing and maintaining commercial relations;
- developing, marketing or providing products and services;
- recommending particular products and services;
- conducting market research and surveys;
- managing and developing business opportunities;
- conducting investigations and complaint resolution processes;
- facilitating transactional due diligence reviews;
- complying with legal and regulatory obligations.
2.8 Anonymous or “non-personal” information gathered by the Company through its website may be used for technical, research and analytical purposes. Information collected through surveys, existing files and public archives may be used by the Company to analyze its markets and to develop or enhance service offerings.
Principle 3. Consent
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where consent is not required by privacy legislation.
3.1 Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Generally, the Company will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when the Company wants to use information for a purpose not previously identified).
3.2 The Consent Principle requires “knowledge and consent”. The Company shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
3.3 In certain circumstances personal information may be collected, used or disclosed without the knowledge and consent of the individual. For example, the Company may collect or use personal information without the knowledge or consent of its employees and/or customers if the collection or use of personal information is clearly in the interests of the individual and consent cannot be obtained in a timely way, such as when the individual is a minor, seriously ill or mentally incapacitated or if seeking the consent of the individual might defeat the purpose of collecting the information such as in the investigation of a breach of an agreement or a contravention of a federal or provincial law. Personal information may also be used or disclosed without the knowledge or consent of the individual in the case of an emergency where the life, health or security of an individual is threatened. The Company may disclose personal information without knowledge or consent to a lawyer representing the Company, to collect a debt, to comply with a subpoena, warrant or other court order, or as may be otherwise required by law.
3.4 The Company will not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
3.5 In obtaining consent, the Company will take into account the sensitivity of the personal information and the reasonable expectations of its customers and employees. Consent will not be obtained through deception. For example, an individual filing an application for employment with the Company would reasonably expect that his or her age and marital status would be used for the purposes of administering benefit plans. As a further example, an individual requesting to join a Company mailing list should reasonably expect that the Company, in addition to using the individual’s name and address for a single mailing, would also use that information to send subsequent mailings to the person. In this case, the Company can assume that the individual’s request constitutes consent for the specific purposes of sending out a series of mailings. On the other hand, an individual would not reasonably expect that personal information given to the Company for a mailing list would be used for any other purpose or given to a company selling merchandise or services unless further consent were obtained.
3.6 The manner in which the Company seeks consent may vary, depending on the circumstances and the type of information collected. The Company will generally seek express written consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive, or in the case where collection and use of the personal information is directly related to a transaction or exchange of information in which the individual is directly participating. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
3.7 Individuals can give consent in many ways. For example:
- an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
- a check box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
- consent may be given orally when information is collected over the telephone; or
- consent may be given at the time that individuals use a product or service.
3.8 Generally, the use of products and services by a customer, or the acceptance of employment or benefits by an employee, constitutes implied consent for the Company to collect, use and disclose personal information for all identified purposes.
3.9 An individual may withdraw consent at any time, subject to legal or contractual restrictions and with reasonable notice. At the time that an individual requests withdrawal, the Company shall inform the individual of the implications of such withdrawal.
Principle 4. Limiting Collection
The Company shall limit the collection of personal information to that which is necessary for the purposes identified by the Company. Personal information shall be collected by fair and lawful means.
4.1 The Company shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes identified. The Company shall specify the type of information collected as part of its information-handling policies and practices, in accordance with the Openness principle (Principle 8).
4.2 The Company shall collect personal information only by fair and lawful means and shall not collect information by misleading or deceiving individuals about the purpose for which information is being collected. Consent to the collection of personal information must not be obtained through deception.
Principle 5. Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of the purposes for which it was collected.
5.1 In the case where the Company intends to use personal information for a purpose not previously identified, the Company shall document this purpose and shall obtain the consent of the individual prior to using the information for a new purpose.
5.2 The Company may disclose the personal information of its employees:
- to human resources, payroll, benefits, information management, medical and security personnel;
- to third party service providers for the purposes of administering payroll and benefits programs;
- to union representatives and labour arbitrators;
- to the Company’s affiliates and/or subsidiaries;
- to internal or external legal counsel and auditors;
- to the Privacy Compliance Officer;
- to the management personnel of the Company;
- in the context of providing references regarding current or former employees in response to requests from prospective employers and/or financial institutions;
- to prospective parties in the context of a transactional due diligence review; and
- whenever disclosure is required by law.
5.3 The Company may disclose the personal information of its customers:
- to third party service providers;
- to the Company’s affiliates and/or subsidiaries;
- to internal or external legal counsel and auditors;
- to the Privacy Compliance Officer;
- to the management personnel of the Company;
- to third parties for the development, enhancement or marketing of Company products or services;
- to an agent retained by the Company in connection with the collection of the customer’s account;
- to credit grantors and reporting agencies;
- to a third party or parties, where the customer consents to such disclosure;
- to prospective parties in the context of a transactional due diligence review; and
- where disclosure is required by law.
5.4 Except as required or permitted by law, when disclosure is made to a party other than the Company or a third party provider of services, the consent of the individual shall be obtained and reasonable steps shall be taken to ensure that any such third party has personal information privacy procedures and policies in place that are at least comparable to those implemented by the Company.
5.5 Unless authorized by the customer, the Company will not sell, lease or trade the personal information of its employees or customers to other parties.
5.6 The Company shall develop guidelines and implement procedures with respect to the retention of personal information. These guidelines shall include both minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. The Company may be subject to legislative requirements with respect to retention periods and shall recognize the development and implementation of sound records management practices.
5.7 Personal information that is no longer relevant or required to fulfill the identified purposes shall be destroyed, erased, or made anonymous. The Company shall develop guidelines and implement procedures to govern the destruction of personal information.
Principle 6. Accuracy
Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
6.1 Personal information used by the Company shall be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual customer or employee. The extent to which personal information will be accurate, complete and up-to-date will depend upon the use of the information, taking into account the interests of the individual.
6.2 The Company will not, however, routinely update personal information, unless such a process is necessary to fulfill the purposes for which the information was collected. Personal information about customers and employees shall be updated only as and when necessary to fulfill the identified purposes or upon notification by the individual.
6.3 The Company shall ensure that personal information that is used on an ongoing basis, including information that is disclosed to third parties, is generally accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
Principle 7. Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
7.1 The Company [has implemented / will implement] security safeguards to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. The Company shall protect personal information regardless of the format or storage media in which it is held.
7.2 The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution and format of the information, and the method of storage. More sensitive information shall be safeguarded by a higher level of protection.
7.3 The methods of protection should include:
- physical measures, such as locked filing cabinets and restricted access to offices;
- organizational measures, such as security clearances and limiting access on a “need-to-know” basis; and
- technological measures, such as the use of passwords and encryption.
7.4 The Company shall make its employees aware of the importance of maintaining the confidentiality of personal information.
7.5 Personal information disclosed to third parties shall be protected by contractual agreement stipulating the confidentiality of the information and the purposes for which it is to be used.
7.6 The Company shall employ due care and diligence in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information. Disposal or destruction of personal information shall not be undertaken by any employee without the prior written authorization of the Privacy Compliance Officer outlining the preferred method of destruction, the specific information authorized for destruction, and date of destruction. Upon destruction of personal information, the employee(s) who carried out the destruction shall complete a Certificate of Destruction and return same to the Privacy Compliance Officer.
Principle 8. Openness
The Company shall make readily available to its customers and employees specific information about its policies and practices relating to the management of personal information.
8.1 The Company shall be open about its policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about the Company’s policies and practices without unreasonable effort. This information shall be made available in a form that is easily understandable.
8.2 The information made available shall include:
- the name, title, and address of the Privacy Compliance Officer who is accountable for the Company’s policies and practices and to whom complaints or inquiries can be forwarded;
- the means of gaining access to personal information held by the Company;
- a description of the type of personal information held by the Company, including a general account of its use;
- a copy of brochures or other information that explain the Company’s policies, standards and/or codes with respect to personal information; and
- a description of the type of personal information made available to related organizations, such as subsidiaries or affiliates of the Company.
8.3 The Company shall make information on its policies and practices available in a variety of ways, such as brochures, a toll-free telephone number, emails, newsletters, and information posted on the Company’s website.
Principle 9. Individual Access
Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information except where the Company is permitted or required by law not to disclose personal information to the individual customer or employee. An individual customer or employee shall be able to challenge the accuracy and completeness of the information disclosed to him or her and have it amended as appropriate.
9.1 Upon request, the Company shall inform an individual whether or not the Company has in its possession personal information about the individual (except where permitted or required by law not to disclose personal information) and shall afford the individual a reasonable opportunity to review the personal information in his or her file at minimal or no cost to the individual. In addition, the Company shall provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed. Where reasonably possible, the Company shall indicate the source of the personal information.
9.2 In order to safeguard personal information, a customer or employee may be required to provide sufficient identification information to permit the Company to account for the existence, use and disclosure of personal information and to authorize access to the individual’s file. Any such information shall be used only for this purpose.
9.3 In certain situations, the Company may not be able to provide access to all of the personal information that it holds about a customer or employee. For example, the Company is not required to provide access to information if doing so would likely reveal personal information about a third party or could reasonably be expected to threaten the life or security of another individual. Similarly, the Company may not be required to provide access to information if disclosure would reveal confidential commercial information, if the information is protected by solicitor-client privilege, if the information was generated in the course of a formal dispute resolution process, or if the information was collected in relation to the investigation of a breach of an agreement or a contravention of a federal or provincial law. If access to personal information cannot be provided, the Company shall provide the reasons for denying access upon request.
9.4 In providing an account of third parties to which it has disclosed personal information about an individual, the Company shall attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the Company shall provide a list of organizations to which it may have disclosed information about the individual.
9.5 The Company will respond to an individual’s request within a reasonable time and in any event within thirty (30) days of the request. The time for responding to a request may be extended for up to an additional thirty (30) days if meeting the time limit would unreasonably interfere with the activities of the Company, or if the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet. The Company may also extend the time for responding for such period of time as is necessary to be able to convert the personal information into an alternative format. The Company will provide notice to the individual of any extension taken within thirty (30) days of the individual’s request and will advise the individual of the right to make a complaint to the Privacy Commissioner about the extension. The Company will provide the requested information or make it available in a form that is generally understandable. For example, if abbreviations or codes are used to record information, the Company will provide a corresponding explanation.
9.6 Upon request by an individual with sensory disabilities, the Company will give access to personal information about the individual in an alternative format if a version of the information already exists in that format or if its conversion to an alternative format is necessary to allow the individual to exercise rights to request correction, challenge compliance of the Company under Principle 10 or file a formal complaint pursuant to applicable privacy legislation.
9.7 When an individual informs the Company of the inaccuracy or incompleteness of personal information, the Company shall amend the information as required or may delete the record of personal information in its entirety but only with the prior written authorization of the Privacy Compliance Officer. Depending upon the nature of the information challenged, amendment may involve the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
9.8 A customer can obtain information or seek access to his or her individual file by contacting the Privacy Compliance Officer. An employee can obtain information or seek access to his or her individual file by contacting his or her immediate supervisor within the Company.
Principle 10. Challenging Compliance
An individual customer or employee shall be able to address a challenge concerning compliance with the principles in this Privacy Policy to the Privacy Compliance Officer.
10.1 The Company shall maintain procedures for addressing and responding to all inquiries or complaints from its customers and employees about the Company’s handling of personal information.
10.2 The Company will inform its customers and employees about the existence of these procedures as well as the availability of complaint procedures.
10.3 The Company shall investigate all complaints concerning compliance with this Privacy Policy. If a complaint is found to be justified, the Company shall take appropriate measures to resolve the complaint including, if necessary, amending its policies and procedures. A customer or employee shall be informed of the outcome of the investigation regarding his or her complaint.
10.4 If an individual is not satisfied with the response from the Privacy Compliance Officer, he or she may have recourse to additional remedies under applicable privacy legislation. For further information, contact the applicable governmental agency listed in the attached Schedule A.
Effective Date
This policy is effective as of January 1, 2004.
SCHEDULE A
FEDERAL
Federal Privacy Commissioner
112 Kent Street
Ottawa, ON K1A 1H3
Phone: (613) 995-8210
Toll Free: (800) 282-1376
Fax: (613) 947-6850
Website: www.privcom.gc.ca
ALBERTA
Information Management, Access and Privacy Division
Alberta Government Services
16th Floor, 10155 – 102 Street
Edmonton, AB T5J 4L4
Office Phone: (780) 422-2657
Help Desk Phone: (780) 427-5848
Fax: (780) 427-1120
Website: www.gov.ab.ca/foip/
BRITISH COLUMBIA
Corporate Privacy and Information Access Branch
Information, Science and Technology Agency
Government of British Columbia
Victoria, BC
Phone: (604) 660-2421
Website: www.mser.gov.bc.ca/FOI_POP/
MANITOBA
Minister of Culture, Heritage and Tourism
Information Resources Division
3 – 200 Vaughan Street
Winnipeg, MB R3C 1T5
Phone: (204) 945-2142
Fax: (204) 948-2008
Website: www.gov.mb.ca/chc/fippa/index.html
NEW BRUNSWICK
Ombudsman
Province of New Brunswick
767 Brunswick Street
P.O. Box 6000
Fredericton, NB E3B 5H1
Phone: (506) 453-2789
Fax: (506) 453-5599
NEWFOUNDLAND
Director of Legal Services
Department of Justice of Newfoundland
Confederation Building
P.O. Box 8700
St. John’s, NL A1B 4J6
Phone: (709) 729-2893
Fax: (709) 729-2129
Website: www.gov.nf.ca/just/
NORTHWEST TERRITORIES
Department of Justice
Policy and Planning Division
Government of Northwest Territories
P.O. Box 1320
Yellowknife, NT X1A 2L9
Phone: (867) 873-7015
Fax: (867) 873-0307
Website: www.justice.gov.nt.ca/publicservices/atipp.htm
NOVA SCOTIA
Nova Scotia Department of Justice
General Information
5151 Terminal Road
P.O. Box 7
Halifax, NS B3J 2L6
Phone: (902) 424-4030
Website: www.gov.ns.ca/just/foi/foisvcs.htm
NUNAVUT
Information and Privacy Commissioner of Nunavut
5018, 47th Street
Yellowknife, NT X1A 2N2
Phone: (867) 669-0976
Fax: (867) 920-2511
ONTARIO
Information and Privacy Office
Office of the Corporate Chief Strategist
Management Board Secretariat
8th Floor, Ferguson Block
77 Wellesley Street West
Toronto, ON M7A 1N3
Phone: (416) 327-2187
Fax: (416) 327-2190
Website: www.gov.on.ca/mbs/english/fip
PRINCE EDWARD ISLAND
Office of the Attorney General
Fourth Floor, Shaw Building
95 Rochford Street
P.O. Box 2000
Charlottetown, PE C1A 7N8
Phone: (902) 368-4550
Fax: (902) 368-5283
Website: www.gov.pe.ca/foipp/index.php3
QUEBEC
Ministère des relations avec les citoyens et de l’immigration
Director of Communications
Gérald-Godin Building
360, rue McGill, 2nd Floor
Montréal, QC H2Y 2E9
Phone: (514) 873-4546
Fax: (514) 873-7349
SASKATCHEWAN
Saskatchewan Justice
11th Floor, 1874 Scarth Street
Regina, SK S4P 3V7
Phone: (306) 787-5473
Fax: (306) 787-5830
Website: www.saskjustice.gov.sk.ca/legislation/summaries/freedomofinfoact.shtml
YUKON
ATIPP Office
Information & Communications Technology Division
Department of Infrastructure
Government of Yukon
2071 – 2nd Avenue
Box 2703
Whitehorse, YT Y1A 2C6
Phone: (867) 393-7048
Fax: (867) 393-6916
Website: www.atipp.gov.yk.ca