Personal Information Protection and Electronic Documents Act (PIPEDA)
Author: Direct Focus (August 16, 2019)
Document version 2.0
Purpose of the Policy
The Ten Principles of PIPEDA
Here is a summary of the ten principles of PIPEDA that form the basis of this Policy.
- Accountability: Organizations are accountable for the personal information they collect, use, retain and disclose in the course of their commercial activities. This includes but isn’t limited to the appointment of a Chief Privacy Officer.
- Identifying Purposes: Organizations must explain how and why information will be used at the time it is collected. Collected information may be used for only those purposes.
- Consent: Organizations must obtain the Individual’s express or implied consent when they collect, use or disclose that Individual’s personal information.
- Limiting Collection: The personal information collected must be limited to only the amount and type that is reasonably necessary for the purposes identified.
- Limiting Use, Disclosure and Retention: Personal information may be used only for the purposes identified and must not be disclosed to third parties unless the Individual consents to the alternative use or disclosure.
- Accuracy: Organizations are required to keep personal information in active files that are accurate and up to date.
- Safeguards: Organizations must use physical, organizational and technological safeguards to protect personal information from unauthorized access or disclosure.
- Openness: Organizations must inform users about their privacy policies and procedures.
- Individual Access: An Individual has a right to access personal information held by an organization and to challenge its accuracy if necessary.
- Challenging Compliance: The Principle of Challenging Compliance states that Individuals are able to challenge an organization’s compliance on any of the Privacy Principles of PIPEDA. This means organizations must have simple, easy-to-use procedures in place to receive and respond to complaints and inquiries.
The following is a list of basic terms used in this Policy and the PIPEDA definitions of them.
Any information about an identifiable Individual, including without limitation information relating to identity, nationality, age, gender, address, telephone number, e-mail address, Social Insurance Number, date of birth, marital status, education, employment health history, assets, liabilities, payment records, credit records, loan records, income and information relating to financial transactions as well as certain personal opinions or views.
The business name, business address, business telephone number, name(s) of owner(s), officer(s) and director(s), job titles, business registration numbers (GST, RST, source deductions) and financial status. Although business information is not subject to PIPEDA, confidentiality of business information is treated with the same security measures by Direct Focus staff, users, management and the Board of Directors as for the personal information of Individuals under PIPEDA.
The business that is considering or already receiving services from Direct Focus, including sole proprietorships and individuals carrying on business in a partnership.
The client’s owner(s) or shareholders, co-signors, and/or any guarantor associated with a client and/or site user.
The list of names, addresses and telephone numbers of site users, clients, and individuals held by Direct Focus in computer files, paper files, computer hard drives, tablets, devices, etc.
Any information collected/updated to service/maintain site users or clients.
An assumption by the organization that the Individual consents to the information being used, retained and disclosed for the original purposes stated, unless notified by the Individual.
A person or company who provides services to Direct Focus, to support services already offered by Direct Focus, with whom an Individual does business.
Why Collect Personal Information?
Personal information is collected to assess the needs and requirements of clients and site users in order to service them properly. The clients and site users are the main source of information, but Direct Focus will also ask to obtain information directly from a third source where the individual does not have the required information.
Limiting Use, Disclosure and Retention
Use of Personal Information
Personal information will only be used for the purposes to which you have given consent, with the following exceptions as permitted under PIPEDA:
Direct Focus may use personal information without your consent when:
- We have reasonable grounds to believe the information could be useful when investigating the contravention of a federal, provincial or foreign law and the information is used for that investigation
- An emergency exists that threatens an individual’s life, health or security
- The information is for statistical study or research
- The information is publicly available
- The use is clearly in the individual’s interest, and consent is not available in a timely manner
- Knowledge and consent would compromise the availability or accuracy of the information, and collection is required to investigate a breach of an agreement.
Disclosure and Transfer of Personal Information
Personal information will be disclosed only to Direct Focus for work-related purposes. Personal information will be disclosed to third parties only with the Individual’s knowledge and consent.
PIPEDA permits Direct Focus to disclose personal information to third parties without an individual’s knowledge and consent for specific reasons:
- If requested by a lawyer representing Direct Focus
- To collect a debt owed to Direct Focus by the Individual or Client
- To comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction
- If requested by a law enforcement agency during a civil or criminal investigation
- If requested by a government agency or department
- When required by law
PIPEDA permits Direct Focus to transfer personal information to a third party, without the Individual’s knowledge or consent, if the transfer is simply for processing purposes and the third party uses the information only for the purposes for which it was transferred. Direct Focus ensures, by contractual or other means, that the third party will protect the information and use it only for the purposes for which it was transferred.
Retention of Personal Information
Personal information will be retained as long as the individual is active and for such periods of time as may be prescribed by applicable laws and regulations. Information contained in an inactive file will be retained for a period of ten (10) years.
Definitions – Direct Focus
We endeavor to ensure that any personal information provided by the Individual is accurate, current and as complete as necessary to fulfill the purposes for which the information has been collected, used, retained and disclosed. If there is a change to an individual’s personal or business Information, please notify Direct Focus immediately. We will not update information contained in inactive files.
Direct Focus’s internal firewall has protection sufficient to protect personal and confidential business information against virus attacks and “sniffer” software arising from Internet activity.
If you wish to learn to whom your information has been disclosed (as permitted by PIPEDA), you may make a request for access in writing to our Chief Privacy Officer. Once we’ve verified your identity, the Chief Privacy Officer will respond within 60 days. If you find that the information held by Direct Focus is inaccurate or incomplete and can provide documentary evidence to verify correct information, we will make the required changes to your active file(s) promptly.
Complaints & Recourse:
If you have a concern about any of our personal information handling practices, you may make a complaint in writing to the attention of our Chief Privacy Officer. Once we’ve verified your identity, the Chief Privacy Officer will act promptly to investigate your complaint and provide a written report of the investigation’s findings to you. If our Chief Privacy Officer determines that your complaint is well founded, he or she will take the necessary steps to correct the offending information handling practice and/or revise our privacy policies and procedures. If our Chief Privacy Officer determines that your complaint is not well founded, you will be notified in writing. If you are dissatisfied with the decision and action taken by the Chief Privacy Officer, you may send a complaint to the Federal Privacy Commissioner at this address:
The Privacy Commissioner of Canada
112 Kent Street, Ottawa,
Ontario K1A 1H3
E-mail address: www.privcom.gc.ca
Questions, Access Request & Complaint:
Chief Privacy Officer
Direct Focus Marketing Communications
315 Pacific Avenue
E-mail address: email@example.com