Why do we have such a policy?
The Personal Information and Electronic Documents Act (PIPEDA) regulates all organizations that collect, use or disclose personal information. In essence, this federal act (along with "substantially similar" legislation in some provinces) stipulates that no collection, use or disclosure of personal information be done without consent.
Personal information is defined as information about an identifiable individual, but does not include the name, title, business address or business telephone number of an employee of an organization.
How is DATA accountable?
We are responsible for the personal information in our possession or custody, including personal information that has been transferred to, or received from, a customer or third party in the course of commercial activities for processing or other purposes for which they have consented. We are responsible for ensuring that the information we receive is secured and protected, correctly utilized, and disposed of properly.
Consent
DATA does not collect or use personal information for its own purposes. We are a third-party service provider that uses personal information provided to us by a customer for the sole purpose of producing and mailing specific documents such as invoices, statements or direct marketing pieces, and various other communications, electronic, printed or otherwise. It is the customer's sole responsibility to ensure that the personal information provided is accurate and that they have appropriate consent to use it. By supplying this information to DATA, the customer authorizes us to use it to accomplish a specific mandate on their behalf, but the customer retains full liability for the accuracy of the information provided and for individual consent.
What are the specific measures within the Information Security and Privacy Policy that support this new legislation?
1 - Identifying purposes
The purpose for which the information will be used will be clearly identified before it arrives. Specific protocols are defined for transmission and handling of this information and communicated to all relevant internal and external parties. Specific project identification and individual access codes are assigned.
2 - Limiting collection
When a customer requires that DATA collect third-party personal data on their behalf, it will be the customer's responsibility to ensure that the information collected is limited to what is necessary for the specific purposes identified for each project.
3 - Limited use, disclosure and retention
Personal information will not be used or disclosed for purposes other than those for which it was received. It will be retained only as long as necessary for the fulfillment of those purposes, unless special arrangements have been agreed upon or as required by law.
4 - Confidentiality
Privacy legislation and our policy prohibit unauthorized persons from viewing, copying, forwarding, altering or destroying information or data without explicit authorization. All employees must sign confidentiality agreements, and contractors must sign a non-disclosure agreement along with proof of compliance with PIPEDA. Information classification guidelines have been given to all personnel. Specific processes and procedures have been established, and proper training is supplied to support this policy. All personal information is protected by security safeguards appropriate to the sensitivity of the information.
5 - Data/file transfers
Data transfers between DATA and its customers can be done using one or more of the following methods: FTP, EDI, XML, dedicated lines, VPN, email, and magnetic/optical media shipped via a transportation company. Specific protocols have been established for each method and must be strictly applied.
6 - Access
Information access is controlled in a number of ways including hardware, software, password protection and restricted physical access. Only those employees directly involved are granted access to customer data. Information storage facilities, computing installations and supporting facilities are controlled with restricted physical access.
7 - Data protection
All personal information is stored on servers within restricted physical access areas. Only authorized IT personnel can install hardware and software. Data to be transferred is encrypted and password protected. Once information has been used, it is destroyed according to a special protocol. Obsolete computer equipment and software are destroyed on site, regardless of data content, by a specialized team following a specific protocol.
8 - Reporting incidents
Every employee and contractor has specific responsibilities with regard to the information they access or use. Should an incident occur, they are obliged to report it to their immediate superior and to the Information Security and Privacy Officer so that the situation is properly contained and corrective measures can be taken if required.
9 - Information accuracy
DATA will take appropriate measures to produce documents with accurate personal information.
The DATA Information Security and Privacy Policy is available on request. If you have any questions or comments, or wish to file a complaint regarding our policy, please contact our Chief Privacy Officer:
Mrs. Genevieve Goldie Pagnotta
Tel: (905) 791-3151
Fax: (905) 791-3277
Email: gpagnotta@datagroup.ca