Personal information must be:
- Collected with consent and for a reasonable purpose,
- Used and disclosed for the limited purpose for which it was collected,
- Accessible for inspection and correction, and stored securely.
Sensitive personal information is obviously protected by this legislation. It includes:
- Health and medical history,
- Racial or ethnic origin,
- Sexual preference,
- Political opinions,
- Religious beliefs,
- Trade union membership,
- Financial information, including personal account information and credit card information, the latter being automatically masked immediately after entry and unavailable to anyone reviewing the customer’s account,
- Subscribers' and users' IP addresses,
- MAC addresses,
- User IDs.
Personal information does not include the name, business title, business address or business telephone of any employee. This is information which would reasonably be expected to appear on a business card or letterhead.
Also, a customer who directly discloses personal information through chat rooms, bulletin boards or other public online forums must take responsibility for reviewing the privacy statements of the Web sites he or she chooses to link to or from Novus’ Internet services.
These Principles are based upon the Model Code for the Protection of Personal Information.
1. Accountability
1.1 Accountability for Novus’ compliance with this Policy rests with the designated individual, even though other individuals within the organization may be responsible for the day-to-day collection and processing of personal information. Other individuals within the organization may be delegated to act on behalf of the designated individual.
1.2 The identity of the individual designated to oversee Novus’ compliance with this Policy shall be made known to employees and shall be made available to customers upon request.
1.3 Novus shall use contractual or other means to provide comparable protection of personal information that has been provided to third parties for processing.
1.4 Novus shall implement policies and practices to give effect to this Policy, including:
- implementing procedures to protect personal information
- establishing procedures to receive and respond to complaints and inquiries
- training staff and providing staff information about Novus’ policies and practices, and
- developing information to explain Novus’ policies and procedures.
2. Identifying the Purposes for Personal Information Collection
The purposes for which personal information is collected shall be identified by Novus at or before the time the information is collected.
2.1 Novus collects personal information only for the following purposes:
- To establish an account and maintain relations with customers in order to provide service to them
- To understand a customer’s needs and determine eligibility for products and services
- To be able to recommend products and services to customers
- To establish creditworthiness of customers
- To develop new products and services or enhance and market available products and services
- To manage and develop Novus’ business and operation, including personnel and employment matters, and
- To meet legal and regulatory requirements.
Personal information of customers and employees will not be used for any other purpose without their consent.
2.2 The purposes for which Novus collects personal information will be specified and Novus will state these purposes in a way to allow an individual to understand how the information will be used or disclosed in order that the consent provided is meaningful.
2.3 Should Novus propose to use personal information for a purpose not previously identified, the new purpose shall be identified and documented prior to the new use. Unless the new purpose is required by law, the consent of the customer or employee is required before the information can be used for that purpose.
2.4 Persons collecting personal information shall, if requested to do so, explain to customers and employees the purposes for which the information is being collected.
3. Consent
The knowledge and consent of customers and employees are required before or when Novus collects, uses or discloses personal information, except where inappropriate. Novus shall make reasonable efforts when obtaining consent to ensure that customers and employees understand how personal information will be used and disclosed by Novus.
3.1 Typically, Novus will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected, but before use.
3.2 Personal information may be collected by Novus without a customer’s or employee’s knowledge or consent in instances where legal, medical or security reasons might make it impossible or impractical to seek consent. For example, when personal information is being collected for the detection or prevention of fraud, seeking consent might defeat the purpose of collecting the information.
3.3 Novus shall ensure that individuals will be advised of the purposes for which the personal information will be used. To make the consent informed, the purposes must be stated so that an individual can reasonably understand how the information will be used or disclosed.
3.4 Novus shall not, as a condition of providing service, require a customer to consent to the collection, use or disclosure of personal information beyond that necessary to provide the service.
3.5 In obtaining consent, the reasonable expectations of the individual are also relevant. Consent can be implied as given at the time customers request services and use products and services or, in the case of employees, by the acceptance of employment or benefits, allowing Novus to collect, use and disclose personal information for all identified purposes.
3.6 The way in which Novus seeks consent may vary, depending upon the circumstances and the type of information. In determining the form of consent required, Novus shall take into account the sensitivity of the information. Novus will generally seek express consent when the information is likely to be considered sensitive. Implied consent is generally appropriate when the information is less sensitive.
3.7 Customers may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, by contacting Novus at email@example.com. Novus shall inform the customer of the implications of such withdrawal.
4. Limiting the Collection of Personal Information
The collection of personal information by Novus shall be limited to that which is necessary for the purposes identified by Novus. Information shall be collected by fair and lawful means.
4.1 Novus shall collect only the amount and type of personal information necessary to fulfill the purposes identified by Novus to customers and employees.
4.2 Novus shall not mislead or deceive customers or employees about the purposes for which personal information is being collected.
5. Limiting Use, Disclosure and Retention of Personal Information
Personal information shall not be used or disclosed by Novus for purposes other than those for which it was collected except with the consent of the customer or employee, or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
5.1 If personal information is to be used for a new purpose, Novus shall document this purpose.
5.2 Novus shall keep personal information only as long as it remains necessary or relevant for the identified purposes or as required by law. Personal information that has been used to make a decision about a customer or an employee shall be retained long enough to allow the individual access to the information after the decision has been made and to permit any recourse under this Policy, applicable privacy legislation and any other legislative requirements with respect to retention periods. Customer and employee information will be retained for at least six years after the parties have ceased to be customers or employees, in order to satisfy legal limitation periods.
5.3 Personal information that is no longer required to fulfill the identified purposes shall be destroyed, erased, or made anonymous. Novus shall develop guidelines and implement procedures to govern the destruction of personal information.
5.4 Novus may disclose a customer’s personal information to:
- Another company or individual for the development, enhancement, marketing or provision of any of Novus’ products or services;
- An agent used by Novus to evaluate the customer’s creditworthiness or to collect the customer’s account;
- A credit reporting agency;
- A public authority or agent of a public authority, if in the reasonable judgment of Novus, it appears that there is imminent danger to life or property which could be avoided or minimized by disclosure of the information; and
- A third party or parties, where the customer consents to such disclosure or disclosure is required by law.
5.5 Novus may disclose personal information about its employees:
- For normal personnel and benefits administration;
- In the context of providing references regarding current or former employees in response to requests from prospective employers; or
- Where disclosure is required by law.
5.6 Only those employees or agents of Novus with a need to know for business purposes, or whose duties reasonably so require, are granted access to personal information about customers and employees.
5.7 Novus is obligated under Canada’s Copyright Modernization Act to accept notice of copyright infringement from a rights holder (for example, a movie studio, a gaming company or a music producer) alleging that the products of the copyright holder have been illegally accessed or downloaded. Novus is then obligated to forward the notice to the Internet address identified on the notice, to confirm to the copyright holder that the notice has been sent to the alleged offender, and to maintain a log or history of these notifications. The identity of the person with the Internet address is not disclosed to the copyright holder when a confirmation is sent, and the Internet service provider is not obligated to terminate its service; however, if a copyright holder believes that one party may be responsible for many infringements, it may take legal action which would require the identity of the infringer to be disclosed. In other words, if Novus is served with a warrant for disclosure of the name of the alleged infringer, Novus will be obligated to disclose the identity of the person with the Internet address which has been connected to the offence. If infringement is proven, the copyright holder may seek damages of up to $5,000.
5.8 Requests from law enforcement agencies for disclosure of identity of the user of an Internet address must be made pursuant to a warrant before Novus will disclose the information. Whether or not the user is informed of such request will depend entirely on the terms of the warrant.
6. Accuracy of Personal Information
Novus shall, to the best of its ability, ensure that personal information in its possession is as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used.
6.1 The extent to which the personal information shall be accurate, complete and up-to-date will depend upon use of the information by Novus, taking into account the interests of the customer or employee. Information shall be sufficiently accurate, complete, and up-to-date so as to minimize the possibility that inappropriate information may be used to make a decision about the customer or employee.
6.2 Novus shall not routinely update personal information where such updated information is not needed to fulfill the purposes for which it is collected.
6.3 Personal information that is used on an on-going basis, including information that is disclosed to third parties, shall be updated by Novus to ensure accuracy unless limits to the requirements for accuracy are clearly set out.
7. Security Safeguards
Novus shall protect personal information with security safeguards appropriate to the sensitivity of the information.
7.1 The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, regardless of the format in which the information is held.
7.2 The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution and format of the information, and the method of storage. More sensitive information will be safeguarded by a higher level of protection.
7.3 The methods of protection include:
- physical measures, for example, locked filing cabinets and restricted access to offices;
- organizational measures, for example, security clearances and limiting access on a “need to know” basis; and
- technological measures, for example, the use of passwords and encryption.
7.4 Novus shall make its employees aware of the importance of maintaining the confidentiality of personal information.
7.5 Novus shall take care in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information.
7.6 All personal information in digital format is stored and/or processed on servers located in Canada and is retained there, and is routed only to those companies and/or institutions that have a legal right to receive such personal information. Examples would be employee health information provided to Novus’ extended health insurance provider, or Internet user identification information provided to a law enforcement agency pursuant to a warrant.
8. Openness about Policies and Practices
Novus shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
8.1 Novus shall be open about its policies and practices with respect to the management of personal information. Customers and employees shall be able to acquire information about Novus’ policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable. This information is available by writing to Novus, to the attention of the Privacy Officer. Contact details are available online at www.novusnow.ca.
8.2 The information made available by Novus shall include:
- the name, title and address of the individual who is accountable for Novus’ policies and practices and to whom complaints or inquiries can be forwarded;
- the means of gaining access to personal information held by Novus;
- a description of the type of personal information held by Novus, including a general account of its use;
- a copy of any documents that describe Novus’ policies, standards or practices; and
- what personal information is made available to related organizations, including subsidiaries, affiliates or agents.
9. Individual Access to Personal Information
Upon request, and unless prohibited by law, Novus shall inform customers and employees of the existence, use and disclosure of their personal information and provide access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
9.1 Upon request, Novus shall inform a customer or employee whether or not the company holds personal information about them, and should indicate the source of this information. Novus shall allow an individual access to this information. Novus may, however, choose to make sensitive medical information available through a medical practitioner. In addition, Novus shall provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed.
9.2 A customer or employee may be required to provide sufficient information to Novus to permit it to provide an account of the existence, use and disclosure of personal information. The information provided to Novus shall only be used for this purpose.
9.3 In providing an account of third parties to which it has disclosed personal information, Novus shall attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has disclosed information, Novus shall provide a list of organizations to which it may have disclosed information.
9.4 Novus shall respond to an individual’s request within a reasonable time and at minimal or no cost. The requested information shall be provided or made available in a form that is generally understandable.
9.5 When a customer or employee successfully demonstrates the inaccuracy or incompleteness of personal information, Novus shall amend the information as required. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
9.6 When a challenge is not resolved to the satisfaction of the customer or employee, Novus shall record the substance of the unresolved challenge in the personal information relating to the customer or employee. Where appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.
10. Challenging Compliance
A Novus customer or employee shall be able to address a challenge concerning compliance with the above principles to the designated individual accountable for Novus’ compliance.
10.1 Novus shall put procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal information. The complaint process should be easily accessible and simple to use.
10.2 Novus shall investigate all complaints. If a complaint is found to be justified, it shall take appropriate measures, including amending its policies and practices, if necessary.
10.3 Complainants also have recourse to the Office of the Privacy Commissioner if they consider Novus has not responded satisfactorily to their complaint or inquiry.
To contact the Office of the Privacy Commissioner of Canada:
Privacy Commissioner of Canada
112 Kent Street
Ottawa, ON K1A 1H3
Updated: February 18, 2015