Personal and Private Information Protection Policy
This personal and private information protection policy has been developed to comply with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), which sets out rules for the collection, use and disclosure of personal and private information in the course of commercial activity as defined in the Act.
We will inform our clients of why and how we collect, use and disclose their personal and private information, obtain their consent where required, and only handle their personal and private information in a manner that a reasonable person would consider appropriate in the circumstances.
This personal and private information protection policy outlines the principles and practices we will follow in protecting clients’ personal and private information. Our privacy and security commitment includes ensuring the confidentiality and security of our clients’ personal and private information and allowing our clients and customers to request access to and correction of their personal and private information.
Scope of this Policy
Personal and Private Information means information about identifiable individuals, including name, age, home address and phone number, social insurance number, marital status, religion, income, credit history, medical information, education, employment information etc., but it does not include contact information (described below). Private information includes financial data, investment plans or other information about our clients’ assets or infrastructure considered confidential by our clients.
Contact information – means information that would enable an individual to be contacted at a place of business and includes name, position name or title, business telephone number, business address, business email or business fax number. Contact information is not covered by this policy or PIPA.
Privacy Officer – means the individual designated as responsible for ensuring that METSCO complies with this policy and PIPA. At METSCO, the company CEO has the obligation to serve as the Privacy Officer.
Policy 1 – Collecting Personal Information
1.1 Unless the purposes for collecting personal or private information are obvious and the client voluntarily provides the personal or private information for those purposes, we will communicate the purposes for which personal or private information is being collected, either orally or in writing, before or at the time of collection.
1.2 We will only collect clients’ personal or private information that is necessary for us to provide the services requested by the clients and customers, e.g. collection of personal information about our clients’ employees during provision of consulting services for an organization review, customer energy consumption records for small area load forecasts or fixed asset demographic data for asset condition assessment, etc.
Policy 2 – Consent
2.1 We will obtain clients’ consent to collect, use or disclose personal or private information (except where, as noted below, we are authorized to do so without consent).
2.2 Consent can be provided orally, in writing, electronically, through an authorized representative or it can be implied where the purpose for collecting, using or disclosing the personal or private information would be considered obvious and the client or customer voluntarily provides personal or private information for that purpose.
2.3 Consent may also be implied where a client or customer is given notice and a reasonable opportunity to opt-out of sharing the personal or private information being used for mail-outs, the marketing of new services or products etc. and the client does not opt-out.
2.4 Subject to certain exceptions (e.g., the personal or private information is necessary to provide the service or product, or the withdrawal of consent would frustrate the performance of a contractual obligation by METSCO), clients can withhold or withdraw their consent for METSCO to use their personal or private information in certain ways. A client’s decision to withhold or withdraw their consent to certain uses of personal and private information may restrict our ability to provide a particular service or product. If so, we will explain the situation to assist the client in making the decision.
2.5 We may collect, use or disclose personal or private information without the client’s knowledge or consent in the following limited circumstances:
- When the collection, use or disclosure of personal information is permitted or required by
- In an emergency that threatens an individual’s life, health, or personal security;
- When the personal or private information is available from a public source; and
- When we require legal advice from a lawyer.
Policy 3 – Using and Disclosing Personal and Private Information
3.1 We will only use or disclose clients’ personal and private information where necessary to fulfill the purposes identified at the time of collection.
3.2 We will not use or disclose clients’ personal and private information for any additional purpose unless we obtain consent to do so.
3.3 We will not sell clients’ personal or private information to other parties.
Policy 4 – Retaining Personal Information
4.1 If we use clients’ personal and private information to make a decision that directly affects the client, we will retain that personal and private information for at least three months after acceptance of our final deliverables by the client for the consulting assignment.
4.2 Subject to policy 4.1, we will retain clients’ personal and private information only as long as necessary to fulfill the identified business purpose.
Policy 5 – Securing Personal and Private Information
5.1 We are committed to ensuring the security of clients’ personal and private information in order to protect it from unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.
5.2 The following security measures will be followed to ensure that clients’ personal and private information is appropriately protected:
a) Hard copies of private and personal information, when not in use, will be kept inside locked filing cabinets and the main entrance doors to the office will be secured and locked when no employees are present in the office.
b) Soft copies of private and personal information kept on personal computers or laptops will be protected through password protected files.
c) Soft copies of private and personal information kept on central servers or cloud servers will be kept behind firewalls and protected with user IDs and passwords.
d) The access to personal and private information will be restricted to only those employees and contractors who need the information to prepare the deliverables for the client.
e) Access to the premises housing METSCO’s office is restricted to authorized employees, contractors and visitors. The access doors at METSCO office will be protected with automatically operated 24-hour surveillance cameras to detect unauthorized access to the
5.3 We will use appropriate security measures when destroying clients’ personal and private information, such as shredding and deleting electronically stored personal and private information.
5.4 We will continually review and update our security policies and controls as technology changes to ensure ongoing personal and private information security.
Policy 6 – Providing Clients Access to Personal Information
6.1 Clients have a right to access their personal information, subject to limited exceptions where such access would violate solicitor-client privilege, or such disclosure would reveal personal or private information about another client.
6.2 A request to access personal information must be made in writing and provide sufficient detail to identify the personal and private information being sought. A request to access personal and private information should be forwarded to the Privacy Officer.
6.3 Upon request, we will also tell clients how we use their personal and private information and to whom it has been disclosed if applicable.
6.4 We will make the requested information available within 30 business days, or provide written notice of an extension where additional time is required to fulfill the request.
6.5 A fee may be charged for providing access to personal information. Where a fee may apply, we will inform the client of the cost and request further direction from the client on whether we should proceed with the request.
6.6 If a request is refused in full or in part, we will notify the client in writing, providing the reasons for refusal and the recourse available to the client.
Policy 7 – Questions and Complaints: The Role of the Privacy Officer
7.1 The Privacy Officer is responsible for ensuring METSCO’s compliance with this policy and the Personal Information Protection Act.
7.2 Clients should direct any complaints, concerns or questions regarding METSCO’s compliance in writing to the Privacy Officer. If the Privacy Officer is unable to resolve the concern, the client may also write to the Information and Privacy Commissioner of Ontario.
7.3 Contact information for METSCO’s Privacy Officer is provided below:
Telephone: 905 232 7300 Ex 207