Primary is committed to protecting personal and private information. This policy outlines the principles and practices we will follow in protecting our clients’ and employees’ personal and private information. We will ensure the confidentiality and security of our clients’ and employees’ personal and private information and allow our clients, employees, and customers to request access to and correction of their personal and private information. This policy has been developed to comply with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), which sets out rules for the collection, use and disclosure of personal and private information during commercial activity as defined in the Act.
Personal and Private Information – means information about identifiable individuals, including name, age, home address and phone number, social insurance number, marital status, religion, income, credit history, medical information, education, employment information etc., but it does not include contact information (described below). Private information includes financial data, or other information about our clients’ assets or infrastructure considered confidential by our clients.
Contact information – means information that would enable an individual to be contacted at a place of business and includes name, position name or title, business telephone number, business address, business email or business fax number. Contact information is not covered by this policy or PIPA.
Privacy Officer – means the individual designated responsible for ensuring that Primary complies with this policy and PIPA. At Primary, the company CEO has the obligation to serve as the Privacy Officer. If a situation should arise where the CEO cannot serve as the Privacy Officer, the Board of Directors shall select a person to replace the CEO as the Privacy Officer.
1. Collecting Personal Information
Unless the purposes for collecting personal or private information are obvious and the client or the employee voluntarily provides the personal or private information for those purposes, we will communicate the purposes for which personal or private information is being collected, either orally or in writing, before or at the time of collection.
We will only collect clients’ and employees’ personal or private information that is necessary by law and for us to provide the services requested by the clients and customers. Every attempt will be made to collect and maintain accurate information.
We will obtain the client’s or the employee’s consent to collect, use or disclose personal or private information (except where, as noted below, we are authorized to do so without consent).
Consent can be provided orally, in writing, electronically, or through an authorized representative, or it can be implied where the purpose for collecting, using or disclosing the personal or private information would be considered obvious and the client or employee voluntarily provides personal or private information for that purpose.
Consent may also be implied where a client, an employee, or customer is given notice and a reasonable opportunity to opt-out of sharing the personal or private information being used for mail-outs, the marketing of new services or products etc. and the client or employee does not opt-out.
A client’s or an employee’s decision to withhold or withdraw their consent to certain uses of personal and private information may restrict our ability to provide a particular service or product. If so, we will explain the situation to assist the client or employee in making the decision.
We may collect, use, or disclose personal or private information without the client’s and employee’s knowledge or consent in the following limited circumstances:
- When the collection, use or disclosure of personal information is permitted or required by law.
- In an emergency that threatens an individual’s life, health, or personal security.
- When the personal or private information is available from a public source.
- When we require legal advice from a lawyer.
3. Using and Disclosing Personal and Private Information
We will only use or disclose a client’s or an employee’s personal and private information where necessary to fulfill the purposes identified at the time of collection.
We will not use or disclose a client’s or an employee’s personal and private information for any additional purpose unless we obtain consent to do so.
We will not sell a client’s or an employee’s personal or private information to other parties.
4. Retaining Personal Information
We will retain clients’ personal and private information only if necessary to fulfill the identified business purpose.
We will only keep employees’ personal information if required by law.
5. Securing Personal and Private Information
We are committed to ensuring the security of clients’ and employees’ personal and private information to protect it from unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.
The following security measures will be followed to ensure that clients’ and employees’ personal and private information is appropriately protected:
a) Hard copies of private and personal information, when not in use, will be kept inside locked filing cabinets and the main entrance doors to the office will be secured and locked when no employees are present in the office.
b) Soft copies of private and personal information kept on employee computers or laptops will be protected through password protection.
c) Soft copies of private and personal information kept on central servers or cloud servers will be kept behind firewalls and protected with user IDs and passwords.
d) The access to personal and private information will be restricted to only those employees and contractors who need the information.
e) Access to Primary’s offices is restricted to authorized employees, contractors, and visitors.
f) We will use appropriate security measures when destroying clients’ and employees’ personal and private information, such as shredding and deleting electronically stored personal and private information.
We will continually review and update our security policies and controls as technology changes to ensure the ongoing security of personal and private information.
6. Providing Clients Access to Personal Information
Clients and employees have a right to access their personal information, subject to limited exceptions or where such disclosure would reveal personal or private information about another client or employee.
A request to access personal information must be made in writing and provide sufficient detail to identify the personal and private information being sought. A request to access personal and private information should be forwarded to the Privacy Officer.
Upon request, we will also tell clients and employees how we use their personal and private information and to whom it has been disclosed if applicable.
We will make the requested information available within 30 business days or provide written notice of an extension where additional time is required to fulfill the request.
If a request is refused in full or in part, we will notify the client or employee in writing, providing the reasons for refusal and the recourse available to the client or employee.
7. The Role of the Privacy Officer
The Privacy Officer is responsible for ensuring Primary’s compliance with this policy and the Personal Information Protection Act.
Clients and employees should direct any complaints, concerns or questions regarding Primary’s compliance in writing to the Privacy Officer. If the Privacy Officer is unable to resolve the concern, the client or employee may also write to the Information and Privacy Commissioner of the applicable Province.