Privacy policy.
Ontario does not have its own privacy legislation (other than for health care information) and therefore defaults to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to the commercial information of an Ontario firm, but not to personal employee information unless the employee works for a federally governed organization (banks, railroads, etc.).
Protecting the privacy and confidentiality of personal information is an important aspect of the way the firm conducts its business. Collecting, using, and disclosing personal information in an appropriate, responsible, and ethical manner is fundamental to the firm’s daily operations.
The firm strives to protect and respect the personal information of its customers, employees, business partners, and so on in accordance with all applicable provincial and federal laws. Each staff member of the firm must abide by this organization's procedures and practices when handling personal information.
This Privacy Policy informs everyone of the firm’s commitment to privacy and establishes the methods by which privacy is ensured. This Privacy Policy applies to all personal information within the firm’s possession and control.
Personal information is defined as any identifying information about an individual or group of individuals, including name, date of birth, address, phone number, e-mail address, social insurance/security number, nationality, gender, health history, financial data, credit card numbers, bank account numbers, assets, debts, liabilities, payment records, credit records, loan records, opinions, and personal views.
Business information is defined as the firm’s business address, business telephone number, name(s) of the owner, executive officer(s), and Partner(s), job titles, business registration numbers, and financial status. Business information is treated and handled with the same level of confidentiality, privacy, and respect as personal information.
Consent occurs and is obtained when an individual signs an application or other form containing personal information, thereby authorizing the firm to collect, use, and disclose the individual's personal information for the purposes stated on the form or in the Appropriate Use section of this policy.
Implied consent is granted by the individual when he/she signs the application or form. This allows the firm to obtain or verify information from third parties (such as banks, credit bureaus, lenders, or insurance companies) in the process of assessing the eligibility of an individual, customer, client, job applicant, or business partner.
Appropriate Use
The firm collects and uses personal information solely for the purpose of conducting business and developing an understanding of its customers.
The firm gathers and records employee information required for "legitimate purposes" (that is, "purposes that a reasonable person would consider are appropriate in the circumstances"). Employees must give informed consent to the use of such information where the need for employee information is not driven by a legal requirement (e.g., the SIN number for statutory deduction of income at source). "Informed consent" means employees must be told the purpose for which the employer is recording, using, and distributing the information. Employees have a right of access to the personal information in their files.
The firm assumes full accountability for the personal information within its possession and control. The Chief Operating Officer, Firas Jundi, is the custodian of all privacy matters and legal compliance with privacy laws.
The firm obtains personal information directly from the individual to whom the information belongs. Individuals are entitled to know how the firm uses personal information, and this organization will limit the use of any personal information collected only to what is needed for those stated purposes. The firm will obtain individual consent if personal information is to be used for any other purpose. The firm will not use that information without the consent of the individual.
Under no circumstances will the firm sell, distribute, or otherwise disclose personal information or contact lists to third parties. However, limited disclosure may be required as part of the firm fulfilling its stated business duties and day-to-day operations. This may include consultants, suppliers, or business partners of the firm, but only with the understanding that these parties obey and abide by this Privacy Policy, to the extent necessary for fulfilling their own business duties and day-to-day operations.
The firm will retain personal information only for the duration it is needed for conducting business. Once personal information is no longer required, it will be destroyed in a safe and secure manner. However, certain laws may require that certain personal information be kept for a specified amount of time. Where this is the case, the law will supersede this policy.
The firm vows to protect personal information with the appropriate security measures, physical safeguards, and electronic precautions. The firm maintains personal information through a combination of paper and electronic files. Where required by law or disaster recovery/business continuity policies, older records may be stored in a secure, offsite location.
Access to personal information will be authorized only for the employees and other agents of the firm who require the information to perform their job duties, and to those otherwise authorized by law.
The firm’s computer and network systems are secured by complex passwords. Only authorized individuals may access secure systems and databases.
Active files are kept in locked filing cabinets.
Routers and servers connected to the Internet are protected by a firewall and are further protected against virus attacks or "snooping" by sufficient software solutions.
Personal information is not transferred to volunteers, summer students, interns, or other non-paid staff by e-mail or any other electronic format.
In most instances, the firm will grant individuals access to their personal information upon presentation of a written request and satisfactory identification. If an individual finds errors of fact in his/her personal information, the individual should notify the firm as soon as possible so that the appropriate corrections can be made. Should the firm deny an individual's request for access to his/her personal information, the firm will advise in writing of the reason for such a refusal. The individual may then challenge the decision.
The firm may use personal information without the individual's consent under particular circumstances. These situations include, but are not limited to:
The firm is under obligation by law to disclose personal information in order to adhere to the requirements of an investigation of the contravention of a regional or federal law, under the purview of the appropriate authorities.
An emergency exists that threatens an individual's life, health, or personal security.
The personal information is for in-house statistical study or research.
The personal information is already publicly available.
Disclosure is required to investigate a breach of contract.
The Office Manager can address any questions or concerns regarding this Privacy Policy. The firm will investigate and respond to concerns about any aspect of the handling of personal information. The firm will address concerns to the best of its abilities.