Privacy of Personal Information
Policy and Procedures
Privacy is the ability of an individual to exercise a substantial degree of control over the collection, use and disclosure of their personal information. Good Driver respects individual’s rights to privacy, and has adopted the following standards to ensure that our policy and procedure practises are complied with.
Good Driver is committed to ensuring that personal information about clients, employees and business partners is collected, stored, retained and disclosed in a way that allows people to be informed about the use of their information and have confidence in the processes we employ to safeguard the confidentiality of that information.
Good Driver’s policy reflects the 10 principles of privacy set out in the federal Personal Information Protection and Electronic Documents Act (PIPEDA). While other jurisdictions have privacy legislation, the principles set out in the federal act are ones that cover all aspects of privacy, and are the underlying principles of legislation currently used in many jurisdictions.
These principles are:
- Identifying purpose
- Limiting collection
- Limiting use, disclosure and retention
- Individual access
- Challenging compliance
Principle 1 – Accountability
Accountability for compliance with the principles outlined in this document rests with the Director of Compliance.
- The individual appointed to be accountable for each location’s compliance will be known as the VP of Compliance. This individual shall have sufficient authority within the organization to ensure compliance.
- Our commitment is to:
- protect personal information;
- allow individuals to request information, seek amendments to their personal information;
- train and educate staff; and
- develop information that explains those procedures to clients and staff.
- We will use reasonable means to ensure that personal information is given a comparable level of protection while being processed by a third party.
Principle 2 – Identifying Purpose
We will identify the purposes for which we collect personal information at or before the time the information is collected.
- We will identify the purposes for which we collect personal information to affected individuals at or before the time of collection.
- We may choose to identify such purposes orally or in writing. Written notification will be used whenever practical to do so.
- We will identify any new purposes that arise during the course of dealing with personal information – and obtain prior consent for this new use – even if we have already identified certain initial purposes. However, we will only do this when the intended new purpose truly constitutes a “new” use, i.e. when the purpose now being proposed is sufficiently different from the purpose initially identified.
Principle 3 – Consent
We will obtain the appropriate consent from individuals for the collection, use and disclosure of their personal information, except where the law provides an exception.
- We may obtain express consent for the collection, use or disclosure of personal information or we may determine that consent has been implied by the circumstances.
- Express consent is a specific authorization given by the individual to Good Driver, either orally or in writing. Implied consent is one in which Good Driver has not received a specific authorization but the circumstances allow us to collect, use or disclose personal information.
- Express oral consent can be given in person or over the telephone. If we obtain an express oral consent, we will make a note of that consent in the file.
- Consent may be withdrawn at any time.
- Exceptions: there are circumstances in which we are not required to obtain an individual’s consent or explain purposes for the collection, use or disclosure of their personal information. This includes, but is not limited to:
- Collection: we may collect personal information without consent where it is in the individual’s interest and timely consent is unavailable, or to investigate a breach of an agreement or a contravention of law.
- Use: we may use personal information without consent for similar reasons to those listed beside “collection” above, and also in an emergency situation in which an individual’s life, health or security is threatened.
- Disclosure: we may disclose personal information without consent for law enforcement and national security purposes, for debt collection, to a lawyer representing our organization, and in an emergency situation in which an individual’s life, health or security is threatened.
Principle 4 – Limiting Collection
The personal information we collect will be limited to what is necessary for the purposes we have identified.
- We will only collect personal information for specific, legitimate purposes. We will not collect personal information indiscriminately.
- We will only collect information by fair and lawful means and not by misleading or deceiving individuals about the purposes for which the information is being collected.
- Our policies and procedures relating to the limitation on collection of personal information will be regularly communicated to our staff members who deal with personal information.
- Staff may need to obtain personal information about clients from third parties, for example, those parties identified in the Personal Information Consent.
Principle 5 – Limiting Use, Disclosure and Retention
Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. We will only retain personal information as long as necessary for the fulfillment of those purposes.
- We will only use or disclose personal information for legitimate, identified purposes.
- We will retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected. We will abide by applicable legislation in the province(s) in which we operate regarding retention periods of personal information.
- Personal information that has been used to make a decision about an individual will only be retained long enough to allow the individual access to the information after the decision has been made. This period will not exceed applicable legislated retention periods.
- Personal information that is no longer required to fulfill identified purposes will be destroyed, erased or made anonymous.
Principle 6 – Accuracy
The personal information we collect will be as accurate and up-to-date as necessary for the purposes for which it is collected.
- Our organization will, on an on-going basis, ensure the accuracy and completeness of personal information under our care and control.
- Individuals who provide their personal information to us are expected to do so in an accurate and complete manner.
- As more particularly described in Principle 9 – Individual Access, we will provide recourse to individuals who appear to have legitimate corrections to make to their information on file. Once significant errors or omissions have been identified, we will correct or amend the information to third parties who have had access to the information in question (such as insurance carriers).
Principle 7 – Safeguards
We will safeguard the security of personal information under our control in a manner that is appropriate with the sensitivity of the information.
- We will protect the security of personal information, regardless of the format in which it is held, against loss or theft, and against unauthorized access, disclosure, copying, use or modification.
- A higher level of protection will safeguard more sensitive information. However, we will generally seek to achieve the highest level of security.
- In determining what safeguards are appropriate, we will consider the following factors:
- the sensitivity of the information;
- the amount of information held;
- the parties to whom information will be disclosed;
- the format in which the information is held; and
- the way in which the information is physically stored.
- Our methods of protection include:
- physical measures, such as locked filing cabinets and restricted areas;
- technological measures, such as the use of passwords and encryption.
- We will ensure that our policies and procedures on safeguarding personal information are clearly communicated and accessible to our employees by:
- training staff on the subject of personal information protection, and
- having regular staff meetings in which we will review our procedures and revise when appropriate.
- We will take precautions in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information. These measures include:
- ensuring that no one may retrieve personal information after it has been disposed of;
- shredding documents before recycling them; and
- deleting electronically stored information.
Principle 8 – Openness
We will make readily available to individuals specific information about our policies and procedures relating to the management of personal information under our control.
- Individuals will be able to inquire about our policies and procedures without unreasonable effort.
- We will tell our receptionist and other staff members who our Privacy Officer is so that members of the public can easily be informed.
- We may choose to make information about our policies and procedures available in a variety of ways, including putting the information on our website
- The information will make publicly available will include:
- the name, title and address of our Privacy Officer;
- means of gaining access to personal information held by the organization; and
- the description of the type of information held by the organization and a general description of its use
Principle 9 – Individual Access
Upon request, an individual will be informed of the existence, use, and disclosure of his or her personal information which is under our control, and may be given access to, and challenge the accuracy and completeness of that information.
- Upon written request, an individual will be informed as to whether or not we hold personal information about him or her. If we do hold such personal information, upon written request, we will provide access to the information, as well as a general account of its use.
- The manner in which access will be given may vary, depending on the format in which the information is held (i.e. hard copy or electronic), the amount of information held and other factors.
- Upon written request, we will provide a list of third parties to whom we may have disclosed an individual’s personal information. If we are unsure exactly which third parties may have received the information, we will provide a list of third parties likely to have received the information.
- The procedure for making a request is as follows:
- All requests must be made in writing, stating as specifically as possible which personal information you are requesting.
- We will respond to a request within 30 days of receipt of the request, unless we first advise you that we need a longer period to respond.
- Reasons – if we refuse a request, we will inform the individual in writing of the refusal, explaining the reasons and any recourse the individual may have, including the possibility that they may file a complaint with the Privacy Commissioner of their respective jurisdiction.
- Deemed refusal – notwithstanding sub-paragraphs (b) and (c), if we do not respond within the above time limit, we will be deemed to have refused the request.
- There are also exceptions which will prevent us from providing access, including where:
- personal information about another person might be revealed;
- commercially confidential information might be revealed;
- someone’s life or security might be threatened
- the information was collected with consent for the purposes related to an investigation of a breach of an agreement or a contravention of the law; or
- the information was generated during the course of a formal dispute resolution process.
Principle 10 – Challenging Compliance
An individual may address a challenge concerning compliance with the above policies and procedures to our VP of Compliance.
- Upon request, individuals who wish to inquire or file a complaint about the manner in which we handled their personal information – or about our personal information policies and procedures – will be informed of our applicable complaint procedure.
- To file a complaint, an individual must submit a written request outlining the basic information and a description of the nature of the complaint.
- The procedure for filing a complaint about our organization is as follows:
- a written request must be made to the VP of Compliance;
- we will acknowledge the complaint right away;
- we will assign someone to investigate;
- we will give the investigator unfettered access to files and personnel;
- we will clarify facts directly with the complainant, where appropriate; and
- we will advise the complainant in writing of the outcome of the investigation, including any steps taken to rectify the problem, if applicable.
- We will document any complaints made by clients, as well as our actions in response to complaints, by noting these details in the individual’s file and also in a master privacy file.
Our VP of Compliance can be contacted at:
NAL Administrative Services
2-361 Dufferin Ave.
London, ON N6B 1Z5
Toll Free: 1-800-265-1657