Introduction
Site Digital Technology Inc. (“SiteTechnology”) is a British Columbia company that specializes in Managed IT Services, providing IT Support and IT Consulting to small and medium-sized businesses throughout the Lower Mainland of BC.
This Privacy Code sets out our commitment to protecting the personal information of our employees and of individuals who access our website, and describes how we manage that personal information and safeguard privacy in accordance with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) of Canada, the Personal Information Protection Act (“PIPA”) of British Columbia and, where it applies to us, the European Union’s General Data Protection Regulation (“GDPR”).
This Privacy Code is also intended to help us meet our obligations under PIPEDA, PIPA and the GDPR with respect to the personal information of our employees and service providers.
PIPEDA and PIPA are built on the following fair information principles: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance. Compliance with PIPEDA is overseen by the Office of the Privacy Commissioner of Canada, and compliance with PIPA is overseen by the Office of the Information and Privacy Commissioner for British Columbia.
The GDPR is widely regarded as the “gold standard” for privacy protection world-wide and is built on the following principles: data processing must be fair to the data subject; data must be processed for specific and legitimate purposes, as outlined in this Privacy Code; no more data may be collected than is needed; the data collected must be accurate; personal data must not be stored longer than needed for the specified purpose; data must be processed in a way that ensures its security, integrity and confidentiality; and the organization must be able to demonstrate compliance with these principles.
The GDPR applies to organizations that have an established presence in the EU, offer goods and services to individuals in the EU or monitor the behaviour of individuals in the EU. The GDPR applies when personal data is “processed” and defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Data controllers or processors must also respect the principle of data minimization, meaning that the processing of personal data must be limited to that which is adequate, relevant, and necessary to achieve the specified purpose. Personal data must be accurate, kept up to date, kept in a form which permits identification of data subjects for no longer than is necessary, and must be processed in a manner that ensures appropriate security of the personal data.
The Privacy Code is also intended to provide open and transparent principles, policies, practices and procedures by which SiteTechnology can meet its privacy commitment to the protection of personal information. It is also intended to set out the choices available for individuals regarding our collection, use or disclosure and processing of their personal information.
The purpose of this Privacy Code is to articulate clearly our privacy practices respecting the management of personal information collected and used by SiteTechnology and to ensure compliance with applicable federal, provincial and international privacy laws. At the same time, it balances the need of SiteTechnology to collect, use or disclose personal information for legitimate business purposes against the right of individuals to protect their personal information. The standard for the collection of personal information by SiteTechnology is what a reasonable person would consider appropriate in the circumstances, in compliance with applicable laws.
Guiding Principles
The following ten principles are the basis of SiteTechnology’s Privacy Code and shall guide SiteTechnology’s management of personal information and its privacy practices, together with the statutory requirements of PIPEDA, PIPA and the GDPR.
- Accountability – SiteTechnology is responsible for personal information under its control, including personal information that is not in its custody (for example, information transferred to a service provider for processing). SiteTechnology must be able to demonstrate compliance with its privacy principles. SiteTechnology shall designate one or more individuals to be responsible for ensuring that SiteTechnology complies with this Privacy Code and shall make known, on request, the name or title and contact information of each individual so designated.
- Identifying Purposes and Processes for Collection of Personal Information and Data – SiteTechnology shall identify the purposes for which personal information is collected at or before the time it is collected. Data processing must be fair to the data subject, and data must be processed for specific and legitimate purposes as outlined in this Privacy Code.
- Obtaining Consent for Collection, Use or Disclosure of Personal Information and Processing Data – SiteTechnology shall ensure that consent is obtained from each individual for the collection, use, disclosure or processing of their personal information and data, except where the law permits collection, use, disclosure or processing without consent. SiteTechnology shall recognize and act on any withdrawal of consent by an individual to the collection of their personal information or the processing of their data. SiteTechnology will ensure that personal information and data are collected and processed in a way that ensures their security, integrity and confidentiality.
- Limiting Collection of Personal Information and Data – SiteTechnology shall limit the collection of personal information and data to the purposes it has identified and shall only collect personal information and process data by appropriate, fair and lawful means. SiteTechnology will not collect more personal information, or process more data, than it needs.
- Limiting Use, Disclosure and Retention of Personal Information and Data – SiteTechnology shall not use or disclose personal information, or process data, for purposes other than those for which it was collected unless SiteTechnology has the consent of the individual or is permitted or required to do so by law. SiteTechnology shall retain personal information and data only for as long as necessary to meet the purposes for which they were collected and processed.
- Accuracy of Personal Information and Data – SiteTechnology shall ensure that personal information and data that are collected, used, disclosed and processed are as accurate, complete and up to date as is necessary for the purposes for which they are collected, used, disclosed and processed.
- Security Safeguards – SiteTechnology shall take all appropriate steps to protect the personal information and data it collects, uses, discloses and processes, using security measures appropriate to the sensitivity of the personal information and data so as to protect their security, confidentiality and integrity.
- Openness Concerning Policies and Practices – SiteTechnology shall ensure that information about this Privacy Code and our privacy practices regarding personal information and data processing is made available to clients and employees.
- Individual Access to Personal Information and Data – At an individual’s request, SiteTechnology shall inform the individual of the collection, use, disclosure and processing of their personal information and data and shall grant the individual access to that personal information and data. An individual is entitled to challenge the accuracy and completeness of the personal information collected, used or disclosed by SiteTechnology and to have it amended or corrected as necessary or appropriate.
- Challenging Compliance – This Privacy Code and our privacy practices include a clear process for responding to complaints that may arise with respect to our handling and management of the personal information and data of clients and employees. A client or employee may make a complaint regarding SiteTechnology’s compliance with its privacy policies and practices to the designated individual in accordance with our complaint process.
Application Of The Privacy Code
1.1 SiteTechnology, as a private sector organization, is required to comply with PIPEDA, PIPA and the GDPR. This Privacy Code therefore sets out SiteTechnology’s policies and practices for managing the personal information and data of its clients, employees and service providers, whether that information is collected, used, processed or disclosed orally, electronically or in writing, in compliance with PIPEDA, PIPA and the GDPR.
Under PIPEDA, PIPA and the GDPR, personal information includes any factual or subjective information or data about an identifiable individual, whether recorded or not and whether or not processed by SiteTechnology. This includes information in any form, such as: age, name, ID numbers, income, ethnic origin, or blood type; opinions, evaluations, comments, social status, or disciplinary actions; and employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, and intentions (for example, to acquire goods or services, or to change jobs).
There are some instances where PIPEDA, PIPA and the GDPR do not apply. Some examples include: personal information collected, used, disclosed or processed by federal, provincial, territorial or Indigenous government organizations covered by their own public-sector legislation, and by those governments and their agents; business contact information, including an employee’s name, title, business address, telephone number, facsimile number or email address, which an organization collects, uses or discloses solely for the purpose of communicating with a person in relation to their employment, business or profession; an individual’s collection, use or disclosure of personal information strictly for personal purposes (e.g. a personal greeting card list); and an organization’s collection, use or disclosure of personal information or data solely for journalistic, artistic or literary purposes.
PIPEDA, PIPA and the GDPR each set out the principles of fair information practices, which form the ground rules for the collection, use, processing and disclosure of personal information, as well as for providing access to personal information and data. These principles give individuals control over how their personal information and data are handled in the private sector. In addition to these principles, the Acts and Regulations contain an overriding obligation that any collection, use, processing or disclosure of personal information must only be for purposes that a reasonable person would consider appropriate in the circumstances. This overarching standard of appropriateness of purposes continues to apply under PIPEDA, PIPA and the GDPR to the collection, use, processing and disclosure of personal information and data.
SiteTechnology strives as an organization to be responsible for the protection of personal information and data and the fair handling of it at all times throughout the organization and in dealings with third parties.
1.2 The following categories of personal information are exempt from the privacy practices and policies of our Privacy Code:
- Personal information or data handled by federal, provincial, territorial or Indigenous government organizations under their respective acts and regulations;
- Business contact information such as an employee’s name, title, business address, telephone number or email address that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession;
- An individual's collection, use or disclosure of personal information and data strictly for personal purposes (e.g. personal greeting card list); and
- An organization's collection, use, processing or disclosure of personal information and data solely for journalistic, artistic or literary purposes.
Privacy Policies And Practices
Accountability
2.1 In order to meet its responsibilities for personal information in its possession or under its control, SiteTechnology appoints Dustin Cassar and/or his designate to be accountable for SiteTechnology’s compliance with this Privacy Code and its statutory requirements under PIPEDA, PIPA and the GDPR.
2.2 The contact information of persons designated to be accountable for SiteTechnology’s compliance with the Privacy Code shall be made known upon request.
2.3 SiteTechnology does not provide personal information or processed data to third parties except as compelled by law.
2.4 SiteTechnology has put in place procedures and practices to give effect to this Privacy Code, which include:
- Procedures and practices to protect personal information and data processed and to oversee compliance with this Privacy Code;
- Procedures and practices to receive and respond to requests for personal information, inquiries and complaints under PIPEDA, PIPA and GDPR;
- Methods and means for training and communicating our privacy procedures and practices to employees; and
- Methods and means for communicating our privacy procedures and practices to our clients and the public.
2.5 SiteTechnology shall continue to update and enhance its privacy policies and practices on an ongoing basis, as and when required.
Purposes of Collection
3.1 SiteTechnology collects, uses and discloses the personal information, and processes the data, of its employees and customers and of visitors to its website (in the case of website visitors, only for the purpose of improving the performance and user experience of the website). Such personal information and data shall only be collected, used, processed and disclosed for legitimate business purposes that a reasonable person would consider appropriate in the circumstances and that fulfill the purposes SiteTechnology has disclosed to the individual, in accordance with PIPEDA, PIPA and the GDPR.
3.2 SiteTechnology shall identify and specify, orally, electronically or in writing, to its employees, customers and website visitors the purposes for which personal information and data are collected, used, processed and disclosed, at or before the time the personal information is collected.
3.3 SiteTechnology shall not collect, process, disclose or use personal information and data for any purpose not identified or specified to an individual without obtaining their consent.
Consent
4.1 SiteTechnology will obtain consent from an individual when collecting, using, processing or disclosing personal information of its employees, customers or visitors to its website for the purposes outlined above.
4.2 Consent may be express (given orally or in writing) or implied. SiteTechnology may treat consent as implied where, at the time of collection:
- 4.2.1 the purpose would be considered obvious to a reasonable person;
- 4.2.2 the individual has freely and voluntarily provided the personal information or data for that purpose; or
- 4.2.3 SiteTechnology has given notice, in a form the individual can reasonably be expected to understand, of its intention to collect, use, process or disclose the personal information and data for a specified purpose; the individual has been given a reasonable period of time to decline or revoke and has not done so; and it is reasonable to collect, use, process or disclose the personal information having regard to its sensitivity, confidentiality and integrity and to the fact that it is collected and processed solely for legitimate business purposes.
4.3 Consent will always be obtained from employees, customers and visitors to the SiteTechnology website for any collection, use, disclosure or processing of personal information or data that is not for legitimate business purposes, and individuals will have the ability to opt out of or revoke such consent at any time. Consent is not required for the collection, use and processing of personal information from an individual, or from a source other than the individual, where:
- it is necessary for the medical treatment of the individual and the individual is unable to give consent;
- it is reasonable to expect that collection, use or processing with the consent of the individual would compromise the availability or accuracy of the personal information and data, and the collection, use and processing is reasonable for an investigation or a proceeding;
- the organization is a credit reporting agency, the collection is for a credit report, and the individual consented at the time the original collection, use and processing occurred;
- it is required or authorized by law;
- the personal information is necessary to facilitate the collection or payment of a debt owed to an organization;
- the collection, use or processing of employee personal information is reasonable for the purposes of establishing, managing or terminating an employment relationship; and
- it falls within any other category identified under PIPEDA, PIPA or the GDPR.
4.4 Wherever possible, SiteTechnology shall seek consent to collect, use, process or disclose personal information from an individual at the time the personal information or data is collected. Where this is not possible, SiteTechnology will seek consent after the personal information is collected but before it is used, processed or disclosed for a purpose that has not been identified or specified.
4.5 When seeking consent for the collection, use, disclosure or processing of personal information and data, SiteTechnology shall set out the choices available to the individual regarding SiteTechnology’s collection, use, processing or disclosure of the personal information, at the time of collection or before the personal information is used or disclosed.
4.6 Upon obtaining consent, whether given by phone, by mail or over the Internet, SiteTechnology may record that consent by electronic or other means, such as a note to file, a copy of an email, a copy of a checked box, or an entry in a database field.
Withdrawal of Consent
5.1 SiteTechnology will honour a request by an individual, made by electronic means including email, to opt out of, revoke or withdraw their consent to the collection, use, processing or disclosure of their personal information. When it receives such electronic notice, SiteTechnology will immediately stop collecting, using, processing or disclosing that personal information and data, unless one of the exceptions noted above applies, stopping would frustrate the performance of a legal obligation, the consent was given to a credit reporting agency, or the collection, use, processing or disclosure is for legitimate business purposes.
Limiting Collection and Processing of Personal Information and Data
6.1 When collecting personal information and processing data of a client, individual, employee or subcontractors, SiteTechnology shall disclose to the individual verbally or in writing, the purposes for the collection and processing of the personal information and data and shall limit the collection to the identified and specified purposes.
6.2 SiteTechnology shall only collect and process personal information and data by reasonable, fair and lawful means and will limit the collection and processing of personal information and data to what it needs.
6.3 SiteTechnology generally, collects personal information from its clients, employees and subcontractors although in certain circumstances, may collect personal information from third parties, such as credit bureaus, employers or personal references but only from those third parties that represent that they have a right to disclose and process such personal information.
Limiting Use, Disclosure and Retention of Personal Information and Data
7.1 Other than where SiteTechnology has explicit or implied consent of the individual or third party or by operation of law, SiteTechnology shall not use or disclose or process personal information and data for purposes other than those identified and specified.
7.2 SiteTechnology shall retain the personal information and data of an individual only for the period necessary to fulfill the identified and specified purposes, for the period required by law, or, where the information is used to make a decision about a client/customer, employee, vendor or service provider, for as long as is reasonable to give that individual the opportunity to access the personal information and data used in making the decision.
7.3 SiteTechnology shall limit the access of its employees to personal information and data to those who are participating in the collection, use, processing or disclosure of personal information as part of their duties or to those who have a need to know within SiteTechnology.
7.4 SiteTechnology shall maintain the means via reasonable controls, systems and practices whereby personal information and data that no longer is necessary to retain is destroyed, erased or rendered anonymous.
Accuracy and Security of Personal Information and Data
8.1 SiteTechnology shall make all reasonable efforts to ensure that the personal information and data it collects and processes are accurate and complete for the purposes for which they are collected and processed, particularly where the personal information is likely to affect the individual to whom it relates or is likely to be disclosed to another organization.
8.2 All personal information and data used by SiteTechnology shall be as accurate and complete as possible and, where such personal information is used to make a decision that directly affects an individual, it will be retained by SiteTechnology for at least one year after it is used to make that decision, so that the individual has a reasonable opportunity to access it, and for no longer than is required for its purpose thereafter.
8.3 SiteTechnology shall make reasonable security arrangements to prevent the unauthorized access, collection, use, disclosure, copying, modification or disposal of personal information and data in its custody and control, in whatever form it is held. Such security arrangements will include protection from loss or theft and will comprise physical measures; technological tools, such as passwords, encryption, firewalls and anonymizing software; and organizational measures, such as limiting access on a need-to-know basis, staff training and confidentiality agreements.
8.4 SiteTechnology shall destroy its documents containing personal information and data or remove the means by which personal information and data can be associated with the individual as soon as the purpose for which the personal information was collected is no longer being served by its retention or retention is no longer necessary for legal or business purposes.
8.5 SiteTechnology shall not use deceptive or coercive means to collect and process personal information and data and shall not dispose of personal information and data with intent to evade a request for access to personal information and data.
8.6 SiteTechnology shall protect personal information and data by ensuring that confidentiality provisions bind both third parties to which personal information and data are disclosed and employees who have access to personal information and data.
8.7 SiteTechnology shall regularly review and update security measures for personal information and data where applicable.
Access to and Correction of Personal Information and Data
9.1 Where SiteTechnology has collected, used, processed or disclosed personal information and data of an individual within the statutory authority of PIPEDA, PIPA or the GDPR, the individual has the right to access and correct their personal information and data in accordance with the following access and correction procedure:
- the individual may, in writing, make a request to SiteTechnology or its designate concerning their personal information and data under the control of SiteTechnology;
- SiteTechnology shall provide information concerning the ways in which the individual’s personal information and data have been and are being used by SiteTechnology, and have been disclosed or processed by SiteTechnology;
- SiteTechnology shall provide the names of the individuals and organizations to whom the personal information and data have been disclosed;
- SiteTechnology will provide access to an individual’s personal information and data, with the exception of the following:
- (i) personal information and data protected by solicitor-client privilege; (ii) personal information and data whose disclosure would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of SiteTechnology; (iii) personal information and data collected without consent for the purposes of an investigation or proceeding that has not been completed; (iv) personal information and data collected by a credit reporting organization 12 months prior to the individual’s request; (v) personal information and data whose disclosure would threaten the safety or physical or mental health of an individual, cause immediate or grave harm to the safety or physical or mental health of an individual, or reveal personal information and data about another individual;
- having reviewed the personal information and data requested, the individual may ask SiteTechnology to correct an error or omission in personal information and data that (i) is about the individual and (ii) is under the control of SiteTechnology;
- SiteTechnology shall respond to an individual’s request no later than 30 days from the date of the request unless the individual has not given sufficient detail to enable SiteTechnology to identify the personal information and data requested, more time is needed because the large volume of personal information requested would unreasonably interfere with SiteTechnology’s operations, or more time is needed to consult with another organization or public body to determine whether to give access to the requested record. In those circumstances, SiteTechnology may extend the time by an additional 30 days or seek a longer period from the privacy commissioner, and will advise the individual of the extension, the length of the extension, and the individual’s right to complain about the extension;
- in responding to an individual’s request, SiteTechnology shall advise the individual when access to personal information and data is being refused in whole or in part, the reasons for the refusal, and the contact information of the officer or employee of SiteTechnology who can answer the individual’s questions concerning the refusal;
- SiteTechnology shall make a reasonable effort to assist each applicant and to respond as accurately and completely as is reasonably possible to their request;
- where SiteTechnology is satisfied that there are reasonable grounds for a correction request, it shall make the correction as soon as reasonably possible and send the corrected personal information and data to each organization to which the personal information and data were disclosed during the year before the date the correction was made; and
- where SiteTechnology does not make a correction, it shall annotate the personal information and data under its control to indicate that a correction was requested but not made.
Challenging Compliance
10.1 SiteTechnology shall maintain a process for addressing and responding to complaints or inquiries regarding its compliance with this Privacy Code including where appropriate a process for seeking external advice prior to responding to individual complaints or inquiries.
10.2 A client, individual or employee or contractor or other individual may make a complaint or inquiry regarding SiteTechnology’s compliance with this Privacy Code as follows:
- An individual shall file a written complaint or inquiry with SiteTechnology and/or its designate, outlining the failure of SiteTechnology to comply with this Privacy Code and the specific section and/or principle concerned.
- SiteTechnology shall investigate all written complaints or inquiries regarding its compliance with this Privacy Code.
- Where an investigation determines that a complaint is justified or action is required regarding an inquiry, SiteTechnology shall take all appropriate steps to resolve the complaint or take appropriate action to address the inquiry including where applicable amending the policies, practices and procedures of this Privacy Code.
- Wherever possible, SiteTechnology shall respond to a written complaint or inquiry within 30 days, provided it contains sufficient information to respond to. The response shall include the outcome of the investigation of the individual’s complaint or inquiry.
- In the event that SiteTechnology seeks external advice, the period to respond may be extended for a reasonable period necessary to obtain such external advice.
10.3 If an individual is not satisfied with SiteTechnology’s handling of their complaint, the individual may seek the assistance of the Office of the Privacy Commissioner of Canada or the Office of the Information and Privacy Commissioner for British Columbia.
Transparency of Privacy Policies, Practices and Procedures
11.1 SiteTechnology shall make its privacy policies, practices and procedures available on its website with a link and readily available to individuals in person, in writing, by telephone or email as applicable.
11.2 SiteTechnology shall also make its policies, practices and procedures understandable to its clients, employees and the public by identifying who within SiteTechnology is responsible for compliance with this Privacy Code, how individuals can access their personal information, what personal information is held by SiteTechnology, and how it is used.
Dustin Cassar (dustin.cassar@sitetechnology.com)
Canada’s federal privacy legislation can be reviewed at https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-privacy-act/; the British Columbia Personal Information Protection Act can be found at oipc.bc.ca; and the General Data Protection Regulation can be found at https://gdpr.eu/.
A comparison of the GDPR and PIPA has been prepared by the Office of the Information and Privacy Commissioner for British Columbia.