In accordance with PIPEDA & https://www.priv.gc.ca/en/privacy-topics/business-privacy/gd_phl_201106/
In carrying out our business under both the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), we (TSF Law) collect personal information as defined by section 3 of the Privacy Act. As the guardian of Canadians’ privacy rights, we are committed to respecting the privacy rights of everyone whose personal information we have collected. Please also see our Website terms and conditions of use to see how this policy applies to our website. This Policy does not apply to our employees’ personal information.
This Policy is designed to comply with the Privacy Act and the principles of natural justice.
Why we collect personal information
We collect personal information for various reasons. Usually, it relates to the investigations that we conduct or the enquiries that we receive. We may also collect personal information for administrative reasons such as providing individuals with publications or other information that they ask for. We may also, for example, collect it for the purposes of holding a public consultation.
We can only use your personal information for the purpose for which it was obtained or for a use consistent with that purpose, or for a purpose listed in Section 8 of the Privacy Act.
What personal information do we collect?
We only collect personal information that is directly related to one of our programs or activities. Wherever possible, such information will be collected directly from the individual about whom it pertains. The amount and the type of the information collected will be limited to that which is needed to fulfil the identified purpose(s). We only collect what we need.
We may for example, collect your name, contact information, and views in connection with an investigation or a consultation. We may also collect your IP address if you visit our website.
Sometimes we receive more personal information than is needed. For example, we sometimes receive a social insurance number on someone’s general information enquiry. We strongly encourage you not to provide us with information beyond that which is necessary.
We may also collect personal information from other sources, as appropriate, including witnesses, employers, government, or corporate files and records.
Who sees your personal information?
We will not disclose your personal information without your consent unless it is allowed under section 8(2) of the Privacy Act. In this case, we will aim to disclose only the specific information that is needed under the circumstances and, wherever possible, will inform you about the disclosure.
Access to personal information within our organization will be restricted to those staff members who need the information in order to carry out their job duties. Those employees will maintain the information in the strictest of confidence and will not provide access to the information to anyone who is not authorized. The level of staff access to personal information will be granted on a need-to-know basis.
All individuals we hire under contract or other means to conduct business on our behalf will be required to respect the provisions of the Privacy Act as well as this Policy and related internal procedures. Violations of any part of the contractual agreement may result in termination of the contract.
How we protect your personal information
In any organization, failure to protect personal information can increase the risk of a privacy breach. These privacy breaches can lead to things such as reputational harm, fraud or identity theft.
We will protect personal information from loss or theft, unauthorized access, use or disclosure, modification or destruction through appropriate administrative, technical and physical security measures and safeguards.
The level of safeguards used to protect personal information will depend on the:
- sensitivity of the personal information;
- amount, distribution and format of the information;
- method of storage.
We follow direction or guidance on information technology security received from the relevant federal agencies.
Wherever possible, we seek a person’s consent before we collect their personal information. The form of consent may vary depending on the circumstances and the type of information being requested. Consent can be express or implied, and can be provided directly by the individual or by an authorized representative.
Express consent is preferred. Express consent can be given orally, electronically or in writing. Implied consent may be reasonably inferred from a person’s action or inaction. For example, providing a name and address to receive a publication or providing a name and telephone number to receive a response to a question. When determining the appropriate form of consent, we take into account the sensitivity of the personal information, the reasons we are collecting it, and the reasonable expectations of the person. When using personal information for a new purpose, we will document that new purpose and ask for consent again.
During our investigations, it may not always be possible to obtain a person’s consent to collect, use, or disclose their personal information. Both the Privacy Actand PIPEDA allow for the disclosure of personal information during the course of an investigation if it is necessary to carry out that investigation.
We will not use your personal information without your consent unless it is either:
- for the same purpose for which the information was originally collected or compiled,
- consistent with that purpose,
- for a purpose that may be disclosed under section 8(2) of the Privacy Act.
Retention and destruction of personal information
We are responsible for ensuring that all personal information is managed within a set life cycle. According to the Privacy Act, the Privacy Regulations and the Library and Archives of Canada Act, personal information we use to make a decision about an individual may be retained for at least two years after that decision was made. This allows the person time to exercise legal recourse and provides them with a chance to exercise all their rights under the Privacy Act.
We will retain personal information in accordance with the maximum retention periods set out under the Library and Archives of Canada Act.
Access or corrections to personal information
Individuals do not always need to use the Privacy Act to access to or correct their personal information (e.g. informal request). However, they do have the right to formally request access or corrections to their personal information under the Privacy Act. People also have the right under the Access to Information Act to formally request access to information in our files which may contain their personal information.
You can only request a correction of your personal information if it has been provided under an official access request pursuant to the Privacy Act. Moreover, only formal access requests for information under the Access to Information Act provide you with the right to complain to the Information Commissioner should you be unsatisfied with the result of your request.
Once we receive a formal request under the Privacy Act or the Access to Information Act, we will respond accordingly.
We make every effort to ensure that information we use to make a decision that directly affects someone is as accurate, up-to-date and complete as possible. This also applies to personal information disclosed to third parties.Additional information about access and correction of personal information:
Our roles and responsibilities
We are responsible for the personal information that we collect, retain, use, disclose, and destroy in the course of fulfilling the direction of the Ontario Law Society.
Employees –staff that collect personal information on our behalf will be required to explain the purpose(s) for which the information is being collected. If unable to do so, they will be required to refer the individual to someone within our office who is able to explain the purpose(s). It is every OPC employee’s duty to inform themselves of their obligations under this Policy and the Privacy Act. Employees must report any and all violations of the Policy or the Act to their manager.
Managers and Supervisors – along with the responsibilities noted above, managers and supervisors must instruct their staff to respect the Policy and the Act. They must also examine and/or make inquiries into any issues brought to their attention concerning this Policy and the Act.
Monitoring and evaluation
Measuring compliance with this policy is part of our good will.
The following laws, policies and guidelines should be read along with this Policy:
Questions or complaints
Questions or concerns may be brought to the attention of any OPC employee. If they are unable to help, the employee must refer the matter to their immediate supervisor or member of management staff.
If you have any questions about this policy or about how we manage personal information, you may also contact us.
Where an individual is not satisfied with the actions we may have taken to rectify a matter, or with the explanations given, they will be informed of their right to file a Privacy Act complaint, and will be given direction as to how to do so. Please note that we do not investigate our own actions with respect to compliance with the Privacy Act.