Personal Information Protection and Electronic Documents Act

(Statutes of Canada 2000, Chapter 5)

Includes: CSA Model Code for the Protection of Personal Information (CAN/CSA-Q830-96)

The Uniserve Privacy Code has been published to reflect the changes associated with the implementation of the new legislation referred to above.

Table of Contents

Introduction
Summary of Principles
Scope and Application
Principle 1 : Accountability
Principle 2 : Identifying Purposes
Principle 3 : Consent
Principle 4 : Limiting Collection
Principle 5 : Limiting Use, Disclosure, and Retention
Principle 6 : Accuracy
Principle 7 : Safeguards
Principle 8 : Openness
Principle 9 : Customer and Employee Access
Principle 10 : Challenging Compliance

The Uniserve Privacy Code in Detail

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure, and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Customer and Employee Access
  10. Challenging Compliance

Introduction

Uniserve is an Internet Service Provider providing a full range of Internet services primarily to British Columbia and other provinces in Canada. For Uniserve, customer and employee privacy is a high priority. We have a long-standing policy of protecting the privacy of customers in all of our business operations. Federal Government Statute dictates that private sector organizations must follow a standardized code for the protection of personal information. Businesses, consumers, academics and government under the auspices of the Canadian Standards Association developed the code – the Personal Information Protection and Electronic Documents Act (“the Act”). It lists 10 principles of fair information practices, which form ground rules for the collection, use and disclosure of personal information. These principles give individuals control over how their personal information is handled in the private sector. Uniserve is a strong believer in the objectives and goals of the Code and this policy paper sets out how we will adhere to the principles set down in the Code.

We believe that an organization is responsible for the protection of personal information and the fair handling of it at all times, throughout the organization and in dealings with third parties. Care in collecting, using and disclosing personal information is essential to continued employee and consumer confidence and good will.

This website uses Google AdWords

This website uses the Google AdWords remarketing service to advertise on third party websites (including Google) to previous visitors to our site. It could mean that we advertise to previous visitors who haven’t completed a task on our site, for example using the contact form to make an enquiry. This could be in the form of an advertisement on the Google search results page, or a site in the Google Display Network. Third-party vendors, including Google, use cookies to serve ads based on someone’s past visits to the Uniserve Communications website. Of course, any data collected will be used in accordance with our own privacy policy and Google’s privacy policy.

You can set preferences for how Google advertises to you using the Google Ad Preferences page, and if you want to, you can opt out of interest-based advertising entirely through cookie settings, or permanently by using a browser plugin.

The 10 principles that businesses must follow are:

  1. Accountability
  2. Identifying purposes
  3. Consent
  4. Limiting collection
  5. Limiting use, disclosure, and retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Customer and employee access
  10. Challenging compliance

Scope and Application

The ten principles, which form the basis of the Uniserve Privacy Code, are interrelated and Uniserve adheres to the ten principles as a whole. Each principle must be read in conjunction with the accompanying commentary. As permitted by the Act, the commentary in the Uniserve Privacy Code has been tailored to reflect personal information issues specific to Uniserve.

The scope and application of the Uniserve Privacy Code are as follows:

  1. The Code applies to personal information about Uniserve’s customers and employees that is collected, used, or disclosed by Uniserve.
  2. The Code applies to the management of personal information in any form whether oral, electronic or written.
  3. The Code does not impose any limits on the collection, use or disclosure of the following information by Uniserve:
    • a. A customer’s name, address, telephone number and e-mail address, when listed in a directory or available through directory assistance;
    • b. An employee’s name, title, business address (including e-mail address) or business telephone or fax number; or
    • c. Other information about the customer or employee that is publicly available and is specified by regulation pursuant to the Personal Information Protection and Electronic Documents Act.
  4. The Code does not apply to information regarding Uniserve’s corporate customers. However, such information is protected by other Uniserve policies and practices and through contractual arrangements.
  5. The application of the Uniserve Privacy Code is subject to the requirements and provisions of Part 1 of the Act, the regulations enacted thereunder, and any other applicable legislation or regulations, including any applicable regulations of the Canadian Radio-television and Telecommunications Commission.

The Uniserve Privacy Code in Detail

1. Be accountable.

Our responsibilities include:

  1. Complying with all 10 of the above principles.
  2. Appointing an individual (or individuals) to be responsible for our organization’s compliance with the Code.
  3. Protecting all personal information in our possession or transferred to a third party for processing.
  4. Developing and implementing personal information policies and practices.

We will fulfill these responsibilities by:

  • A. Giving our designated privacy official senior management support and the authority to intervene on privacy issues relating to any of our organization’s operations.
  • B. Communicating the name or title of this individual internally and externally (e.g. on our web sites and in our publications).
  • C. Analyzing all personal information handling practices including ongoing activities and new initiatives, using the following checklist to ensure that they meet fair information practices: –
    • (a) What personal information do we collect?
    • (b) Why do we collect it?
    • (c) How do we collect it?
    • (d) What do we use it for?
    • (e) Where do we keep it?
    • (f) How is it secured?
    • (g) Who has access to or uses it?
    • (h) To whom is it disclosed?
    • (i) When is it disposed of?
  • D. Developing and implementing policies and procedures to protect personal information by: –
    • (a) Defining the purposes of its collection,
    • (b) Obtaining consent,
    • (c) Limiting its collection, use and disclosure,
    • (d) Ensuring information is correct, complete and current,
    • (e) Ensuring adequate security measures,
    • (f) Developing and updating retention and destruction timetables,
    • (g) Processing access requests, and
    • (h) Responding to inquiries and complaints.
  • E. Including a privacy protection clause in contracts to guarantee that the third party provides the same level of protection as our organization does.
  • F. Informing and training staff on privacy policies and procedures.
  • G. Making information explaining these policies and procedures available to clients and customers (e.g. in brochures and on web sites).

2. Identify the purpose.

Our responsibilities include:

  1. Before or when any personal information is collected, identifying why it is needed and how it will be used.
  2. Documenting why the information is collected.
  3. Informing the individual from whom the information is collected why it is needed.
  4. Identifying any new purpose for the information and obtaining the individual’s consent before using it.

We will fulfil these responsibilities by:

  • A. Reviewing personal information holdings to ensure they are all required for a specific purpose.
  • B. Notifying the individual, either orally or in writing, of these purposes which could include:
    • (a) Opening an account
    • (b) Verifying creditworthiness
    • (c) Providing benefits to employees
    • (d) Identifying customer preferences
  • C. Establishing customer eligibility for special offers or discounts
  • D. Recording all identified purposes and obtained consents for easy reference in case an individual requests an account of such information.
  • E. Ensuring that these purposes are limited to what a reasonable person would expect under the circumstances.

3. Obtain consent.

Our responsibilities include:

  1. Informing the individual in a meaningful way of the purposes for the collection, use or disclosure of personal data.
  2. Obtaining the individual’s consent before or at the time of collection, as well as when a new use is identified.

We will fulfil these responsibilities by:

  • A. Obtaining consent from the individual whose personal information is collected, used or disclosed.
  • B. Communicating in a manner that is clear and can be reasonably understood.
  • C. Recording the consent received (e.g. note to file, copy of e-mail, copy of check-off box).
  • D. Never obtaining consent by deceptive means.
  • E. Not making consent a condition for supplying a product or a service, unless the information requested is required to fulfil an explicitly specified and legitimate purpose.
  • F. Explaining to individuals the implications of withdrawing their consent.
  • G. Ensuring that employees collecting personal information are able to answer an individual’s questions about the purposes of the collection.

4. Limit collection.

Our responsibilities include:

  1. Not collecting personal information indiscriminately.
  2. Not deceiving or misleading individuals about the reasons for collecting personal information.

We will fulfil these responsibilities by:

  • A. Limiting the amount and type of the information gathered to what is necessary for the identified purposes such as those set out in 2(B) above. Uniserve would ordinarily collect personal information only from its customers or employees, but it may also include other sources such as Credit Bureaus, employers, or personal references.
  • B. Identifying the kind of personal information collected in our information-handling policies and practices.
  • C. Ensuring that staff members can explain why the information is needed.

5. Limit use, disclosure and retention.

Our responsibilities include:

  1. Using or disclosing personal information only for the purpose for which it was collected, unless the individual consents, or the use or disclosure is authorized by the Act. This would include disclosing personal information about employees in the context of providing references in response to requests from prospective employers.
  2. Keeping personal information only as long as necessary to satisfy the purposes.
  3. Putting guidelines and procedures in place for retaining and destroying personal information.
  4. Keeping personal information used to make a decision about a person only for a reasonable time period.
  5. Destroying, erasing, or rendering anonymous information that is no longer required for an identified purpose or a legal requirement.

We will fulfil these responsibilities by:

  • A. Documenting any new purpose for the use of personal information.
  • B. Instituting maximum and minimum retention periods that take into account any legal requirements or restrictions and redress mechanisms.
  • C. Disposing of information that does not have a specific purpose or that no longer fulfils its intended purpose.
  • D. Disposing of personal information in a way that prevents improper access such as shredding paper files or deleting electronic records.
  • E. Establishing policies setting out the types of information that need to be updated such as addresses or telephone numbers.

6. Be accurate.

Our responsibilities include:

  1. Minimizing the possibility of using incorrect information when making a decision about the individual or when disclosing information to third parties.

We will fulfil these responsibilities by:

  • A. Keeping personal information as accurate, complete and up to date as necessary, taking into account its use and the interests of the individual. In most cases there is a reliance on the customer or employee to provide updated personal information.
  • B. Updating personal information only when necessary to fulfil the specified purposes.
  • C. Keeping frequently used information accurate and up to date unless there are clearly set out limits to this requirement.

7. Use appropriate safeguards.

Our responsibilities include:

  1. Protecting personal information against loss or theft regardless of the format in which it is held.
  2. Safeguarding the information from unauthorized access, disclosure, copying, use or modification.

We will fulfil these responsibilities by:

  • A. Developing and implementing a security policy to protect personal information.
  • B. Using appropriate security safeguards to provide necessary protection such as:
    • a. Physical measures (locked filing cabinets, restricting access to offices, alarm systems)
    • b. Technological tools (passwords, encryption, firewalls, anonymizing software)
    • c. Organizational controls (limiting access on a “need-to-know” basis, staff training, confidentiality agreements)
  • C. Making our employees aware of the importance of maintaining the security and confidentiality of personal information.
  • D. Ensuring staff awareness by holding regular staff training on security safeguards.
  • E. Reviewing and updating security measures regularly.

8. Be open.

Our responsibilities include:

  1. Informing customers and employees that we have policies and practices for the management of personal information.
  2. Making these policies and practices understandable and easily available.

We will fulfil these responsibilities by:

  • A. Ensuring front-line staff is familiar with the procedures for responding to individual inquiries.
  • B. Making the following available:
    • a. Name, title, and address of the person who is accountable for our organization’s privacy policies and practices.
    • b. Name, title, and address of the person to whom access requests should be sent.
    • c. Procedures allowing an individual to gain access to his or her personal information.
    • d. Information as to how an individual can complain to our organization.
    • e. Brochures or other information that explain our organization’s policies, standards or codes.
    • f. A description of what personal information is made available to other organizations (including subsidiaries) and why it is disclosed.

9. Give individuals access.

Our responsibilities include:

  1. When requested, informing individuals if we have any personal information about them.
  2. Explaining how it is or has been used and providing a list of the sort of organizations to which it might have been disclosed.
  3. Giving individuals access to their information.
  4. Correcting or amending any personal information if its accuracy and completeness is challenged and found to be deficient.
  5. Providing a copy of the information requested, or reasons for not providing access, including the following exceptions:
    • a. If disclosure would reveal confidential information about a third party.
    • b. If disclosure could reasonably be expected to threaten the life or security of another individual.
    • c. If disclosure would reveal confidential commercial information.
    • d. If the information is protected by solicitor-client privilege.
    • e. If the information was generated in the course of a formal dispute resolution process.
    • f. If the information was collected in relation to an investigation of a breach of an agreement or a contravention of a Federal or Provincial law.

We will fulfil these responsibilities by:

  • A. Providing any help the individual needs to prepare a request for access to personal information.
  • B. Asking the individual to supply enough information to enable us to account for the existence, use and disclosure of personal information.
  • C. Responding to the request as quickly as possible and no later than 30 days after receipt of the request – 60 days under some circumstances including:-
    • a. If responding to the request within the original 30 days would unreasonably interfere with activities of our organization.
    • b. If additional time is necessary to conduct consultations.
    • c. If additional time is necessary to convert personal information to an alternate format.
  • D. Giving access at minimal or no cost to the individual.
  • E. Notifying the individual of the approximate costs before processing the request.
  • F. Making sure the requested information is understandable including an explanation of acronyms, abbreviations and codes.
  • G. Sending any information that has been amended, where appropriate, to any third parties that have access to the information.
  • H. Informing the individual in writing when refusing to give access, setting out the reasons and any recourse available.

10. Challenging compliance.

Our responsibilities include:

  1. Developing simple and easily accessible complaint procedures.
  2. Informing complainants of avenues of recourse. These include our organization’s own complaint procedures, those of industry associations, regulatory bodies, and the Privacy Commissioner of Canada.
  3. Investigating all complaints received.
  4. Taking appropriate measures to correct information handling practices and policies.

We will fulfil these responsibilities by:

  • A. Recording the date a complaint is received and the nature of the complaint including such things as: –
    • a. Delays in responding to a request.
    • b. Incomplete or inaccurate responses, or
    • c. Improper collection, use, disclosure or retention of personal information.
  • B. Acknowledging receipt of a complaint promptly.
  • C. Contacting the individual to clarify the complaint, if necessary.
  • D. Assigning the investigation to a person with the skills necessary to conduct it fairly and impartially.
  • E. Giving the investigator access to all relevant records, employees or others who handled the personal information or access request.
  • F. Notifying customers, employees, and others of the outcome of investigations clearly and promptly, informing them of any relevant steps taken.
  • G. Correcting any inaccurate personal information or modifying policies and procedures based on the outcome of complaints.

For more information on the Uniserve privacy practices contact 1.877.864.7378. For a copy of the Personal Information Protection and Electronic Documents Act, please access the Privacy Commissioner of Canada web site at https://www.priv.gc.ca/en/.