Background and policy
The Ten Principles of PIPEDA Summarized
- Accountability: organizations are accountable for the personal information they collect, use, retain and disclose in the course of their commercial activities, including, but not limited to, the appointment of a Chief Privacy Officer;
- Identifying Purposes: organizations are to explain the purposes for which the information is being used at the time of collection and can only be used for those purposes;
- Consent: organizations must obtain an Individual’s express or implied consent when they collect, use, or disclose the individual’s personal information;
- Limiting Collection: the collection of personal information must be limited to only the amount and type that is reasonably necessary for the identified purposes;
- Limiting Use, Disclosure and Retention: personal information must be used for only the identified purposes, and must not be disclosed to third parties unless the individual consents to the alternative use or disclosure;
- Accuracy: organizations are required to keep personal information in active files accurate and up-to-date;
- Safeguards: organizations are to use physical, organizational, and technological safeguards to protect personal information from unauthorized access or disclosure;
- Openness: organizations must inform their clients and train their employees about their privacy policies and procedures;
- Individual Access: an individual has a right to access personal information held by an organization and to challenge its accuracy if need be; and
- Provide Recourse: organizations are to inform clients and employees of how to bring a request for access, or complaint, to the Chief Privacy Officer, and respond promptly to a request or complaint by the individual.
“Business contact information” means information that would enable an individual to be contacted at a place of business and includes name, position name or title, business telephone number, business address, business email or business fax number. Business contact information is not covered by this policy or PIPEDA.
“Chief Privacy Officer” means the individual designated as responsible for ensuring that GPC complies with this Policy and PIPEDA. This person is the CCO, Marc-Antoine Caya-Bissonnette.
“Database” means the list of names, addresses and telephone numbers of clients and individuals held by GPC in the forms of, but not limited to, computer files, paper files, and files on computer hard-drives.
“Express consent” means the individual signs the contract, or other forms containing personal information, authorizing GPC to collect, use, and disclose the individual’s personal information for the purposes set out in the contract.
“Implied Consent” means the organization may assume that the individual consents to the information being used, retained and disclosed for the original purposes, unless notified by the individual.
“Personal Information” means information about an identifiable individual including name, age, home address and phone number, social insurance number, marital status, religion, income, credit history, medical information, education, and employment information. Personal information does not include business contact information (defined above).
“Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
“Third Party” means a person or company that provides services to GPC in support of the programs, benefits, and other services offered by GPC.
Purposes of collecting personal information
Unless the purposes for collecting personal information are obvious and the client voluntarily provides his or her personal information for those purposes, we will communicate the purposes for which personal information is being collected, either orally or in writing, before or at the time of collection.
We will only collect client, customer, member information that is necessary to fulfill the following purposes:
- To verify identity;
- To identify client preferences;
- To understand the financial needs of our clients;
- To open and manage an account;
- To deliver requested products and services;
- To deliver a high standard of service to our clients; and
- To meet regulatory requirements.
GPC will obtain client consent to collect, use or disclose personal information (except where, as noted below, we are authorized to do so without consent).
Consent can be provided orally, in writing, electronically, or through an authorized representative, or it can be implied where the purpose for collecting, using or disclosing the personal information would be considered obvious and the client voluntarily provides personal information for that purpose.
Subject to certain exceptions (e.g., the personal information is necessary to provide the service or product, or the withdrawal of consent would frustrate the performance of a legal obligation), clients can withhold or withdraw their consent for GPC to use their personal information in certain ways. A client’s decision to withhold or withdraw their consent to certain uses of personal information may restrict our ability to provide our services. If so, we will explain the situation to assist the client in making the decision.
Use of Personal Information
Personal information will be used for only those purposes to which the individual has consented with the following exceptions, as permitted under PIPEDA:
- the organization has reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
- an emergency exists that threatens an individual’s life, health or security;
- the information is for statistical study or research;
- the information is publicly available;
- the use is clearly in the individual’s interest, and consent is not available in a timely way;
- knowledge and consent would compromise the availability or accuracy of the information, and
- collection is required to investigate a breach of an agreement.
Disclosure and transfer of personal information
We will only use or disclose client personal information where necessary to fulfill the purposes identified at the time of collection (or for a purpose reasonably related to those purposes such as to contact our clients directly about products and services that may be of interest).
We will not use or disclose client, customer, member personal information for any additional purpose unless we obtain consent to do so.
We will not sell client, customer, member lists or personal information to other parties.
PIPEDA permits GPC to disclose personal information to third parties, without an individual’s knowledge and consent, in the following circumstances:
- to a lawyer representing GPC;
- to collect a debt owed to GPC by the individual or client;
- to comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction;
- to a law enforcement agency in the process of a civil or criminal investigation;
- to a government agency or department requesting the information; or
- as required by law.
PIPEDA permits GPC to transfer personal information to a third party, without the individual’s knowledge or consent, if the transfer is simply for processing purposes and the third party only uses the information for the purposes for which it was transferred. GPC will take measures to provide, by contractual or other means, that the third party protects the information and uses it only for the purposes for which it was transferred.
Retention of personal information
If we use client, customer, member personal information to make a decision that directly affects the client, customer, member, we will retain that personal information for at least one year so that the client, customer, member has a reasonable opportunity to request access to it.
We will retain client, customer, member personal information only as long as necessary to fulfill the identified purposes or a legal or business purpose.
We will make reasonable efforts to ensure that client personal information is accurate and complete where it may be used to make a decision about the client or disclosed to another organization.
Clients may request corrections to their personal information to ensure its accuracy and completeness. A request to correct personal information must be made in writing and provide sufficient detail to identify the personal information and the correction being sought.
If the personal information is demonstrated to be inaccurate or incomplete, we will correct the information as required and send the corrected information to any organization to which we disclosed the personal information in the previous year. If the correction is not made, we will note the client’s correction request in the file.
Use of safeguards
We are committed to ensuring the security of client personal information in order to protect it from unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.
The following security measures will be followed so that client personal information is appropriately protected:
- the use of locked filing cabinets;
- physically securing offices where personal information is held;
- the use of user IDs, passwords, encryption, firewalls;
- restricting employee access to personal information as appropriate (i.e. only those who need to know will have access);
- contractually requiring any service providers to provide comparable security measures; and
- requiring employees and/or members of the Board of Directors to sign a confidentiality agreement binding them to maintain the confidentiality of all personal information to which they have access.
We will use appropriate security measures when destroying clients’ personal information, such as shredding documents and deleting electronically stored information. We will continually review and update our security policies and controls as technology changes in order to maintain ongoing personal information security.
Breaches of security safeguards
Under PIPEDA, GPC is required to report to the Office of the Privacy Commissioner (“OPC”) and the individual whose information has been breached, any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. The report is accessible here:
The individual’s notification will be conspicuous and shall contain sufficient information to allow the individual to understand the significance of the breach and any steps they can take to mitigate or reduce harm, among other prescribed information. The notification shall be given directly to the individual as soon as feasible.
In determining the real risk of significant harm, GPC will consider:
- the sensitivity of the personal information involved in the breach;
- the probability that the personal information has been, is being or will be misused; and
- any other prescribed factor.
See Appendix 1 for further detail.
If a breach occurs, GPC will also notify any other organization or government institution of the breach if GPC believes that the other party may be able to reduce the risk of harm that could result from it.
Record keeping of breaches
GPC will keep and maintain a record of every breach involving personal information under its control, even if there is no obligation to report or give notice of the breach (i.e. the breach does not create a “real risk of significant harm” to an individual).
The record will contain any information that enables the Commissioner to verify the firm’s compliance with the breach reporting and notification obligations. The firm will maintain the record for 24 months after the day on which it determines that the breach has occurred (and may retain it longer to comply with other legal requirements) and will provide the record to the Commissioner on request.
Records must contain any information that enables the OPC to verify compliance with breach of security safeguards reporting and notification requirements in sections 10.1(1) and (3) of PIPEDA, including requirements to assess real risk of significant harm.
Records, at minimum, will include:
- date or estimated date of the breach;
- general description of the circumstances of the breach;
- nature of information involved in the breach;
- whether or not the breach was reported to the Privacy Commissioner of Canada/individuals were notified; and
- sufficient details for the OPC to assess whether the firm has correctly applied the real risk of significant harm standard and otherwise met its obligations to report and notify in respect of breaches that pose a real risk of significant harm.
Individual access to personal information
Clients have a right to access their personal information, subject to limited exceptions. Exceptions to access that might apply include:
- information that is prohibitively costly to provide;
- information that contains references to other individuals;
- information that cannot be disclosed for legal, security, or commercial proprietary reasons; and
- information that is subject to solicitor-client or litigation privilege.
A request to access personal information must be made in writing and provide sufficient detail to identify the personal information being sought. A request to access personal information should be forwarded to the Chief Privacy Officer.
Upon request, we will also tell clients how we use their personal information and to whom it has been disclosed if applicable.
We will make the requested information available within 30 business days or provide written notice of an extension where additional time is required to fulfill the request.
A minimal fee may be charged for providing access to personal information. Where a fee may apply, we will inform the client of the cost and request further direction from the client on whether or not we should proceed with the request.
If a request is refused in full or in part, we will notify the client in writing, providing the reasons for refusal and the recourse available to the client.
Complaints and recourse
If an individual has a concern about GPC’s personal information handling practices, a complaint, in writing, may be directed to the Chief Privacy Officer.
Upon verification of the individual’s identity, the Chief Privacy Officer will act promptly to investigate the complaint and provide a written report of the investigation’s findings to the individual. Where the Chief Privacy Officer determines that the individual’s complaint is well founded, the Chief Privacy Officer will take the necessary steps to correct the offending information handling practice and/or revise GPC’s privacy policies and procedures. Where the Chief Privacy Officer determines that the individual’s complaint is not well founded, the individual will be notified in writing.
If the individual is dissatisfied with the finding and corresponding action taken by GPC’s Chief Privacy Officer, the individual may bring a complaint to the Office of the Privacy Commissioner.