Description

 This privacy policy has been developed to comply with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA sets out rules for the collection, use and disclosure of personal information in the course of commercial activity as defined in the Act.

 

1.     Revision History

Rev | Revised By | Date       | Section(s) | Nature of Revision
01  | A Haines   | 11/5/2012  | 11         | Updated email address for sending in privacy concerns
02  | A Haines   | 11/30/2012 | 8          | Updated section on safeguards
02  | A Haines   | 11/30/2012 | 10         | Updated formatting, minor spelling corrections

 

2.     Overview

 

2.1.   Purpose

Industrial Audit (“IA”) provides computer devices, networks, and other electronic information systems to meet missions, goals, and initiatives and must manage them responsibly to maintain the confidentiality, integrity, and availability of its information assets.

2.2.   Ten Principles of PIPEDA

The ten principles of PIPEDA that form the basis of this Privacy Policy are as follows:

  1. Accountability: organizations are accountable for the personal information they collect, use, retain and disclose in the course of their commercial activities, including, but not limited to, the appointment of a Chief Privacy Officer;
  2. Identifying Purposes: organizations are to explain the purposes for which the information is being used at the time of collection, and the information can only be used for those purposes;
  3. Consent: organizations must obtain an individual’s express or implied consent when they collect, use, or disclose the individual’s personal information;
  4. Limiting Collection: the collection of personal information must be limited to only the amount and type that is reasonably necessary for the identified purposes;
  5. Limiting Use, Disclosure and Retention: personal information must be used for only the identified purposes, and must not be disclosed to third parties unless the Individual consents to the alternative use or disclosure;
  6. Accuracy: organizations are required to keep personal information in active files accurate and up-to-date;
  7. Safeguards: organizations are to use physical, organizational, and technological safeguards to protect personal information from unauthorized access or disclosure;
  8. Openness: organizations must inform their clients and train their employees about their privacy policies and procedures;
  9. Individual Access: an individual has a right to access personal information held by an organization and to challenge its accuracy if need be; and
  10. Provide Recourse: organizations are to inform clients and employees of how to bring a request for access, or complaint, to the Chief Privacy Officer, and respond promptly to a request or complaint by the individual.

2.3.   Definitions


“Personal information” means any information about an identifiable individual. It includes, without limitation, information relating to identity, nationality, age, gender, address, telephone number, e-mail address, Social Insurance Number, date of birth, marital status, education, employment health history, assets, liabilities, payment records, credit records, loan records, income and information relating to financial transactions as well as certain personal opinions or views of an Individual.

“Business information” means business name, business address, business telephone number, name(s) of owner(s), officer(s) and director(s), job titles, business registration numbers (GST, RST, source deductions), financial status. Although business information is not subject to PIPEDA, confidentiality of business information will be treated with the same security measures by IA staff, members and Board members, as is required for individual personal information under PIPEDA.

“Data base” means the list of names, addresses and telephone numbers of clients and individuals held by IA in the forms of, but not limited to, computer files, paper files, and files on computer hard-drives.

“File” means the information collected in the course of processing an application, as well as information collected/updated to maintain/service the account.

“Express consent” means the individual signs the application, or other forms containing personal information, authorizing IA to collect, use, and disclose the individual’s personal information for the purposes set out in the application and/or forms.

“Implied Consent” means the organization may assume that the individual consents to the information being used, retained and disclosed for the original purposes, unless notified by the individual.

“Third Party” means a person or company that provides services to IA in support of the services offered by IA.


3.     Purpose of Collecting Personal Information

 

IA collects personal information about clients to enable us to serve them better and to develop our business and operations. More specifically, we collect, use and disclose personal information for the following purposes:

  • To establish, maintain and manage our client relationships in order to provide products and services that have been requested
  • To be able to inform clients of our products other than those that have been specifically requested, including sending information promoting other Industrial Audit services.
  • To be able to comply with client requests or inquiries
  • To establish and maintain commercial relationships including to issue invoices, administer accounts, collect and process payments, and to fulfill contractual obligations
  • To understand and respond to client needs and preferences, including to contact and communicate with clients and to conduct surveys, research and evaluations
  • To monitor quality control and respond to questions and concerns through correspondence with clients
  • As permitted by and to comply with any legal or regulatory requirements or provisions, including in relation to adverse event reporting
  • For any other purpose to which clients give consent

 

4.     Consent

 

It is important that where we collect, use or disclose your personal information we have your consent to do so. In general, we seek to obtain your express informed consent before collecting your information.

Express consent can be given orally, electronically or in writing.

Subject to legal or contractual restrictions and reasonable notice, you may change or withdraw your consent at any time by contacting us at the address indicated below.

In some circumstances, a change in or withdrawal of consent may severely limit our ability to provide products, services or information that you requested or that could be offered to you. All communications with respect to such withdrawal or variation of consent should be in writing and addressed to us.

This Privacy Policy does not cover statistical data from which the identity of individuals cannot be determined. IA retains the right to use and disclose statistical data as it determines appropriate.

5.     Limited Collection of Personal Information

 

Personal information collected will be limited to the purposes set out in this Privacy Policy, IA applications, and/or other forms.

6.     Limiting Use, Disclosure and Retention

6.1.   Use of Personal Information

Personal information will be used for only those purposes to which the individual has consented with the following exceptions, as permitted under PIPEDA:

  • The organization has reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
  • An emergency exists that threatens an individual’s life, health or security;
  • The information is for statistical study or research;
  • The information is publicly available;
  • The use is clearly in the individual’s interest, and consent is not available in a timely way;
  • Knowledge and consent would compromise the availability or accuracy of the information; and
  • Collection is required to investigate a breach of an agreement.

6.2.   Disclosure of Personal Information

From time to time, we may use and disclose your personal information for the purposes described in this Policy or for any additional purposes for which we have obtained your consent. We may share your personal information with our employees, contractors, consultants and other parties who require such information to assist us with establishing, maintaining and managing our relationship with you. We will never disclose your personal information for third-party purposes.

In particular, we may disclose your personal information to:

  • Service providers, including an organization or individual retained by Industrial Audit to perform functions on its behalf, such as marketing, data processing, document management and office services

IA will ensure, by contractual or other means, that the third party protects the information and uses it only for the purposes for which it was transferred.

6.3.   Retention of Personal Information

Personal information will be retained in client files as long as the file is active and for such periods of time as may be prescribed by applicable laws and regulations.

7.     Accuracy

 

IA endeavours to ensure that any personal information provided by the individual in his or her active file(s) is accurate, current and complete as is necessary to fulfill the purposes for which the information has been collected, used, retained and disclosed.

Individuals are requested to notify IA of any change in personal or business information.

Information contained in inactive files is not updated.

8.     Safeguards

 

IA will use physical, organizational, and technological measures to safeguard personal information and to restrict access to only those IA employees, volunteers, or third parties who need to know this information for the purposes set out in this Privacy Policy.

Physical Safeguards: All personnel handling personal information will take reasonable steps to ensure the confidentiality and privilege of the physical information being handled.

Organizational Safeguards: Access to personal information will be limited to approved personnel. Members of IA are not permitted to copy or retain any personal information on individuals or clients and must return for destruction all such information given to them to review once the purpose for being provided with this information has been fulfilled.

All employee contracts contain confidentiality clauses binding them to maintaining the confidentiality of all personal information to which they have access.

Technological Safeguards: Personal information contained in IA computers and electronic databases is password protected in accordance with IA’s Information Security Policy. Information sent to Industrial Audit via email is considered unsecure and the individual sending the information should take proper precautions to protect the data prior to sending. Any information sent in error will be destroyed or deleted at the request of the sender. Access to any of IA’s computers is also password protected. IA’s Internet router or server has firewall protection sufficient to protect personal and confidential business information against virus attacks and “sniffer” software arising from Internet activity.

9.     Individual Access

 

Upon written request, subject to certain exceptions, IA will inform our clients of the existence, use, and disclosure of their personal information and will give clients access to that information.

Access requests should be sent to IA, using the contact information in the “Contact us” section of this Policy.

When a client requests access to personal information, we will request specific information from the client to enable us to confirm their identity and right to access, as well as to search for and provide the personal information that we hold about the client.

IA reserves the right to charge a fee to access a client’s personal information to cover IA’s costs; we will advise clients of this fee in advance.

A client’s right to access personal information is not absolute. Applicable law or regulatory requirements may allow or require IA to deny a client access where access would inhibit the ability of Industrial Audit to comply with a legal obligation; where the information has already been destroyed due to legal requirements or because we no longer need it for our business purposes; and where access would reveal personal information about a third party.

In the event that IA cannot provide a client with access to their personal information, the client will be informed of the reasons, subject to any legal or regulatory restrictions.

 

10.  Complaints / Recourse

 

Clients are to advise Industrial Audit if they believe that their personal information is inaccurate. Clients have the right to ask for it to be corrected or updated. IA will ask clients to provide documentation to support their request for correction or updating.

An individual who has a concern about IA’s personal information handling practices may issue a complaint, in writing, directed to IA’s Security & Privacy Officer.

Upon verification of the individual’s identity, IA’s Security & Privacy Officer will act promptly to investigate the complaint and provide a written report of the investigation’s findings to the individual.

Where IA’s Security & Privacy Officer makes a determination that the individual’s complaint is well founded, IA’s Security & Privacy Officer will take the necessary steps to correct the offending information handling practice and/or revise IA’s privacy policies and procedures.

Where IA’s Security & Privacy Officer determines that the individual’s complaint is not well founded, the individual will be notified in writing.


11.  Changes to This Policy; Interpretations

 

Industrial Audit reserves the right to modify or supplement this Policy at any time.

If any changes are made to Industrial Audit’s use, collection or disclosure of your personal information that require your consent, we will not implement such changes until your consent has been obtained. This Policy does not create or confer upon any individual any rights, or impose upon Industrial Audit any rights or obligations outside of, or in addition to, any rights or obligations imposed by Canada’s federal and provincial privacy laws, as applicable.

Should there be, in a specific case, any inconsistency between this Policy and Canada’s federal and provincial privacy laws, as applicable, this Policy shall be interpreted, in respect of that case, to give effect to, and comply with, such privacy laws.

12.  Contact Us

 

Industrial Audit is responsible for compliance with this Policy. Should you have questions about this Policy or the collection, use and disclosure practices of IA, you may contact:

Industrial Audit

Att: Privacy Officer

Address:

2100 Bloor Street West, Suite 6114

Toronto, ON

M6S 5A5

Canada

ia-privacy@industrialaudit.com