|
PRIVACY POLICY
PREFACE
Inland Metal MFG (1994) Ltd. (Inland) is committed to ensuring and protecting the privacy and confidentiality of its customers' personal information. By implementing recognized fair handling practices for personal information, Inland materially demonstrates its commitment to the protection of personal information.
1. INTRODUCTION
Inland is committed to the protection of personal information of its customers. This Code constitutes a set of principles to assist Inland in developing and implementing policies and practices to be used when managing personal information of customers (as defined in the Code).
The Code addresses two broad issues: the way Inland collects, uses, discloses and protects personal information; and the right of customers to have access to their personal information and, if necessary, to have the information corrected. Ten interrelated principles form the basis of the Code.
This Code describes the minimum requirements for the protection of personal information. Any applicable legislation must be considered in implementing these requirements.
2. PRINCIPLES IN SUMMARY
Ten interrelated principles form the basis of this Code.
• Accountability. Inland is responsible for personal information under its control and shall designate an individual or individuals who are accountable for Inland's compliance with the following principles.
• Identifying Purposes. The purpose(s) for which personal information is collected shall be identified by Inland at or before the time the information is collected.
• Consent. The knowledge and consent of the customer are required for the collection, use, or disclosure of personal information, except for legal or security reasons.
• Limiting Collection. The collection of personal information shall be limited to that which is necessary for the purposes identified by Inland. Information shall be collected by fair and lawful means.
• Limiting Use, Disclosure and Retention. Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the customer or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
• Accuracy. Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
• Safeguards. Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
• Openness. Inland shall make readily available to customers specific information about its policies and practices relating to the management of personal information.
• Customer Access. Upon request, a customer shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. A customer shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
• Challenging Compliance. A customer shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for Inland's compliance.
3. DEFINITIONS
The following definitions apply in this Code:
“business” – means the business of Inland.
“collection” – the act of gathering, acquiring or obtaining personal information from any source, including from third parties, by any means.
“consent” – voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of Inland seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the customer.
“control” – Inland controls personal information if the personal information is in the possession of Inland or a person to whom Inland has disclosed the personal information, excluding a person to whom such disclosure was required by law.
“customer” – persons about whom Inland collects personal information in carrying out its business; and includes persons who have dealt with Inland and any other person who has contracted Inland and provided his or her own personal information to Inland.
“disclosure” – making personal information available to others outside Inland's business, for which the personal information is collected.
“person” – shall be broadly interpreted and includes an individual, corporation, partnership, joint venture, trust, association, unincorporated organization, any governmental authority or any other entity recognized by law.
“personal information” – information about an identifiable customer.
“Inland” – refers to Inland Metal MFG (1994) Ltd. and its divisions.
“use” – treatment and handling of personal information within Inland's business for which the personal information is collected.
4. PRINCIPLES
Principle 1 – Accountability
Inland is responsible for personal information under its control and for establishing and implementing policies and practices for the appropriate collection, retention and use of the personal information.
• Inland shall designate one or more individuals who shall be accountable for Inland's compliance with the principles set out in the Code. The identity of the individual(s) designated by Inland shall be available upon request.
• Inland is responsible for personal information in its possession, custody or control, including information that has been transferred to a third party arising out of Inland's business. Prior to disclosing any personal information to any third party, Inland shall use contractual or other means to provide a comparable level of protection while the personal information is in the possession, custody or control of a third party.
• Inland shall implement policies and practices to give effect to the principles, including:
• implementing procedures to protect personal information;
• establishing procedures to receive and respond to complaints and inquiries;
• training staff and communicating to staff information about Inland's policies and practices; and
• developing information to explain Inland's policies and procedures.
Principle 2 – Identifying Purposes
The purpose(s) for which personal information is collected shall be identified to the client by Inland before or at the time the information is collected.
• Inland shall document the purpose(s) for which personal information is collected in order to comply with the Openness principle (Clause 4.8) and the Client Access Principle (Clause 4.9).
• Identifying the purpose(s) for which personal information is collected at or before the time of collection allows Inland to determine the information it needs to collect and to fulfill these purpose(s). The Limiting Collection principle (Clause 4.4) requires Inland to collect only that information necessary for the purpose(s) that have been identified.
• The identified purpose(s) should be specified at or before the time of collection to the customer from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, pamphlet or other suitable media, for example, may give notice of the purpose(s) for which personal information is being collected.
• When personal information that has been collected is used for a purpose not previously identified, the new purpose shall be identified before use. Unless the new purpose is required by law, the consent of the customer is required before personal information can be used for that purpose.
• Persons collecting personal information should be able to explain to customers or other identifiable individuals, the purpose(s) for which the information is being collected.
Principle 3 – Consent
The knowledge and consent of the customer are required for the collection, use, or disclosure of personal information, except as provided in this principle.
• Consent is not required for the collection, use and disclosure of personal information for legal or security reasons such as the collection of personal information for the collection of personal information for the detection and prevention of fraud or compliance with subpoenas, search warrants and other court, regulatory or government orders, where obtaining consent might defeat the purpose of collecting the information.
• Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Inland must obtain consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when Inland wants to use information for a purpose not previously identified).
• The principle requires “knowledge and consent”. Inland shall make a reasonable effort to ensure that the customer is advised of the purpose(s) for which the personal information will be used. To make the consent meaningful, the purpose(s) must be stated in such a manner that the individual can reasonably understand how the personal information will be used or disclosed. In obtaining consent, the reasonable expectations of the client or other identifiable individual are also relevant.
• Inland shall not, as a condition of the supply of a product or service, require a customer to consent to the collection, use, or disclosure of personal information beyond that required to fulfill the explicitly specified purpose(s). Inland must explain to the customer the personal information requirements that are related to the product or service. In so doing, Inland provides a specified, explicit and legitimate purpose. Inland can then refuse to deal with a customer who will not consent to the collection, use and disclosure of the personal information for the specified, explicit and legitimate purpose. For example, Inland may be required by law to obtain certain personal information so as to carry out its responsibilities to its customers. Consent shall not be obtained through deception.
• The form of the consent sought by Inland may vary, depending upon the circumstances and the type of personal information. In determining the form of consent to use, Inland shall take into account the sensitivity of the personal information.
• Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
• Customers can give consent in many ways. For example:
• an application form may be used to seek consent, collect personal information and inform the customer of the use that will be made of the personal information. Be completing and signing the form, the customer is giving consent to the collection and the specified uses;
• a check-off box may be used to allow customers to request that certain or all personal information not be given to third parties. Customers who do not check the box are assumed to consent to the transfer of this personal information to third parties for specified purposes;
• consent may be given orally when personal information is collected over the telephone, provided that Inland reasonably verifies the identity of the person giving consent over the telephone;
(d) consent may be given at the time that customers request or use a product or service; or
(e) consent may be given electronically over the Internet or by other electronic means, if the customer can be reliably identified as the source of such consent.
• A customer may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Inland shall inform the customer of the implications of such withdrawal. Absent any such withdrawal, consent is valid for the length of time needed to achieve the identified purposes.
Principle 4 – Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purpose(s) identified by Inland. Information shall be collected by fair and lawful means.
• Inland shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purpose(s) identified. Inland may obtain personal information from customers through hard copy, electronic or other means, but also from other sources, including but not limited to credit bureaus, third party websites or other third parties who represent that they have the right to disclose the information. Inland shall collect personal information from third parties only with the consent of the customer or identifiable individual concerned, unless the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way, it is reasonable to expect that the collection with the knowledge of the customer or identifiable individual would compromise the availability or accuracy of the information and the collection is reasonable for purposes relating to investigating a breach of an agreement or a contravention of law, or the information is publicly available and is specified by the regulations to the PIPEDA. Inland shall specify the type of information collected as part of its information-handling policies and practices in accordance with the Openness principle (Clause 4.8).
• The requirement that personal information be collected by fair and lawful means is intended to prevent Inland from collecting information by misleading or deceiving customers about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.
Principle 5 – Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purpose(s) other than those for which the information was collected, except with the consent of the customer or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purpose(s).
• There are situations specific to the Inland business where Inland will disclose personal information that is necessary in the course of providing their services to or on behalf of customers. Only the personal information necessary for these services will be provided by Inland. Every such disclosure shall be made subject to the protection measures specified below in clause 4.7.3 of this Code.
• In suing personal information for a new purpose, Inland shall document this purpose.
• Inland will, as an ongoing process, develop guidelines and implement procedures with respect to the retention of personal information. These guidelines will, if deemed appropriate, include minimum and maximum retention periods. In some instances, Inland may be subject to legislative requirements with respect to retention periods.
• Personal information that is no longer required to fulfill the identified purposes should be destroyed, erased or made anonymous. Inland will, as an ongoing process, develop guidelines and implement procedures to govern the destruction of personal information, subject to legal and practical considerations relating to the destruction of archived information.
Principle 6 – Accuracy
Personal information shall be as accurate, complete and up-to-date as is necessary for the purpose(s) for which it is to be used.
• The extent to which personal information shall be accurate, complete and up-to-date will depend upon the use of information, taking into account the interests of the customer. Information shall be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the customer.
• Inland shall not routinely update personal information, unless such a process is necessary to fulfill the purpose(s) for which it was collected.
• Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirements for accuracy are clearly set out.
Principle 7 – Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
• The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Inland shall protect personal information regardless of the format in which it is held.
• The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution and format of the information and the method of storage. More sensitive information should be safeguarded by a higher level of protection.
• The methods of protection should include:
• physical measures, for example, locked filing cabinets and restricted access to offices;
• organizational measures, for example, security clearances and limiting access on a “need-to-know” basis;
• technological measures, for example, the use of passwords and encryption; and
• contractual measures, for example, the use of non-disclosure agreements with third parties to which Inland discloses personal information.
• Inland shall make the importance of maintaining the confidentiality of personal information known to its agents, employees and any third parties (for example, see clause 4.5.1).
• Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.
Principle 8 – Openness
Inland shall make readily available to customers specific information about its policies and practices relating to the management of personal information.
• Inland shall be open about its policies and practices with respect to the management of personal information. Customers shall be able to acquire information about Inland's policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.
• The information made available shall include:
• the name or title and address of the person who is accountable for Inland's policies and practices and to whom complaints or inquiries can be forwarded;
• the means of gaining access to personal information held by Inland;
• a description of the type of personal information held by Inland, including a general account of its use;
• a cop of any brochures or other information that explains Inland's policies, standards or codes; and
• what specific personal information is made available to organizations related to Inland (e.g. subsidiaries).
• Inland will seek to make information on its policies and practices available in a variety of ways. For example, Inland may mail information to its customers, provide online access or include a statement on documentation executed by customers in the ordinary course of business.
Principle 9 – Customer Access
Upon request, a customer shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. A customer shall be able to assess the accuracy and completeness of the information and have it amended as appropriate.
• Inland responds to a written request for customer access with due diligence and in any case not later than 30 days after receipt of the request or any permitted extension by informing the customer whether or not Inland holds personal information about the customer. Inland will allow the customer access to this information unless to do so would (1) reveal personal information about a third party, or (2) breach a solicitor-client privilege, or (3) potentially threaten the life or security of another individual, or (4) disclose personal information collected to investigate a breach of an agreement or contravention of law, or (5) reveal information generated in the course of a dispute resolution process. If such a request is denied, Inland will provide to the customer the reasons for the denial.
• Before Inland provides an account of the existence, use and disclosure of personal information of a particular customer, the customer may be required to provide sufficient information to permit Inland to provide an account of the existence, use and disclosure of personal information. The information provided shall only be used for this purpose.
• In providing an account of third parties to which it has disclosed personal information about a customer, Inland will attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about a customer, Inland will provide a list of organizations to which it may have disclosed information about the customer.
• Inland shall respond to a customer's request within a reasonable time and not later than 30 days after receipt of the request or any permitted extension and at minimal or no cost to the customer. The requested information is provided or made available in a form that is generally understandable. For example, if Inland uses abbreviations or codes to record information or other industry, or company-specific terminology, an explanation is provided.
• When a customer successfully demonstrates the inaccuracy or incompleteness of personal information, Inland will amend the information as required. Depending on the nature of information challenged, amendment could involve correction, deletion or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
• When a challenge is not resolved to the satisfaction of the customer, the substance of the unresolved challenge shall be recorded by Inland. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.
Principle 10 – Challenging Compliance
A customer shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for Inland's compliance.
• The individual accountable for Inland's compliance is discussed in Clause 4.1.1.
• Inland shall put procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal information. The objective of the complaint procedures is that they be easily accessible and simple to use.
• Inland shall inform customers who make inquiries or lodge complaints of the existence of relevant complaint procedures.
• Inland shall adopt procedures to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal information. The objective of the complaint procedures is that they be easily accessible and simple to use. Those procedures shall include:
(a) receipt of complaints by telephone, mail, in person or by electronic mail;
(b) recording of the complaint;
(c) investigation of the complaint;
(d) recording of interviews, statements, and other details of the incident;
(e) determining a resolution;
(f) implementing a resolution;
(g) advising the complainant of the result of the investigation and resolution.
• Inland shall investigate all complaints. If a complaint is found to be justified through either the internal or external complaint review process, Inland shall take appropriate measures, including amending its policies and practices if necessary.
• In addition to the remedies provided herein, customers have the remedies provided in PIPEDA.
|
