This document refers to the ten principles of the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information (CAN/CSA-Q830-96). These principles were published in March 1996 as a National Standard of Canada.
- The Policy applies to personal information collected, used, or disclosed by ESIS, including personal information of ESIS’ customers and team members.
- The Policy applies to the management of personal information in any form whether oral, electronic or written.
- The Policy does not apply to personal information created by, or collected from, or on behalf of ESIS’ business customers and their employees or businesses receiving ESIS services under corporate customer agreements; however, such information is protected by other ESIS policies and practices and through contractual arrangements.
Customer – An individual who uses, or applies to use, ESIS’ products or services.
Team member – A former, current or prospective employee of ESIS, as well as independent contractors performing services for ESIS.
Personal information – Any information about an identifiable individual, other than the name, title or business address (including business email address) or business telephone or fax numbers of an employee of an organization.
Personal information does not include de-identified or aggregated information that cannot reasonably be associated with a specific individual.
Information about customers who are sole proprietors or partners is considered to be “personal information” if it is information about the individuals themselves, as distinct from information about their businesses. The latter is protected by other ESIS policies and practices and through contractual business arrangements.
Principle 1 – Accountability
ESIS is responsible for personal information under its control and shall designate one or more persons who are accountable for ESIS’ compliance with the following principles.
1.3 ESIS is responsible for personal information in its possession or control. ESIS shall use appropriate means to provide a comparable level of protection while information is being processed by a service provider or partner (see Principle 7).
- Establishing procedures to receive and respond to inquiries or complaints;
- Training and communicating to team members about ESIS’ policies and practices;
- Developing public information to explain ESIS’ policies and practices.
Principle 2 – Identifying purposes for collection of personal information
ESIS shall identify the purposes for which personal information is collected at or before the time the information is collected.
2.1 ESIS collects personal information of customers and team members only for the following purposes:
- To establish and maintain a responsible commercial relationship with our customers and to provide ongoing service;
- To understand customer needs and preferences;
- To develop, enhance, market or provide products and services to our customers;
- To manage and develop ESIS’ business and operations, including personnel and employment matters;
- To meet legal and regulatory requirements.
2.2 ESIS shall outline the purposes for which it collects personal information of team members in the Team Member Privacy Commitment.
2.3 ESIS shall specify the identified purpose or purposes to the customer or team member at or before the time personal information is collected. Upon request, team members collecting personal information shall explain these identified purposes or refer the individual to a designated person within ESIS who shall explain the purposes.
2.4 Unless required by law or for exceptions set out in applicable legislation, ESIS shall not use or disclose for any new (not previously-identified) purpose personal information that has been collected without first identifying the new purpose and obtaining appropriate consent of the customer or team member.
2.5 We may record interactions, such as telephone calls or chats, to or from ESIS service representatives for quality assurance and training purposes.
Principle 3 – Obtaining consent for collection, use or disclosure of personal information
The knowledge and consent of a customer or team member are required for the collection, use, or disclosure of personal information, except where not required by applicable privacy legislation. In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual as explained below.
For example, ESIS may collect personal information without knowledge or consent if it is clearly in the interests of the individual and consent cannot be obtained in a timely way, such as when the individual is seriously ill or mentally incapacitated.
ESIS may also collect, use or disclose personal information without knowledge or consent if, for example, seeking consent would compromise the availability or accuracy of the information in the context of an investigation, collection and use of the information is reasonable and useful in the investigation of a contravention of a federal or provincial law, or disclosure is required for investigating a breach of an agreement or for the purposes of detecting, suppressing or preventing fraud.
ESIS may also use or disclose personal information without knowledge or consent in the case of an emergency where the life, health or security of an individual is threatened.
ESIS may also disclose personal information without knowledge or consent to a lawyer representing ESIS, to collect a debt, to comply with a subpoena, warrant or other court order, or as may be otherwise required or permitted by law.
The Policy does not require consent for the collection, use or disclosure of information about a customer or team member that is publicly available and is specified by regulation pursuant to the Personal Information Protection and Electronic Documents Act or provincial privacy legislation, where applicable.
3.1 In obtaining consent, ESIS shall use reasonable efforts to ensure that a customer or team member is advised of the identified purposes for which personal information will be used or disclosed. Purposes shall be stated so that it is reasonable to expect that the customer or team member would understand the nature, purpose and consequences of granting consent.
3.2 Generally, ESIS shall seek consent to use and disclose personal information at the same time it collects the information. However, ESIS may seek consent to use and disclose personal information after it has been collected, but before it is used or disclosed for a new purpose.
3.3 ESIS will require customers to consent to the collection, use or disclosure of personal information as a condition of the supply of a product or service if such collection, use or disclosure is required to fulfill the identified purposes.
3.4 In determining the appropriate form of consent, ESIS shall take into account the sensitivity of the personal information and the reasonable expectations of its customers and team members.
3.5 In general, the use of products and services by a customer, or the acceptance of employment or benefits by a team member, constitutes implied consent for ESIS to collect, use and disclose personal information for all identified purposes.
3.6 A customer or team member may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Customers and team members may contact ESIS for more information regarding the implications of withdrawing consent.
Principle 4 – Limiting collection of personal information
ESIS shall limit the collection of personal information to that which is necessary for the purposes identified by ESIS. ESIS shall collect personal information by fair and lawful means.
4.1 ESIS collects personal information primarily from its customers or team members.
4.2 ESIS may also collect personal information from other sources including credit bureaus, employers or personal references, publicly available sources or other third parties who properly represent that they have the right to disclose the information.
Principle 5 – Limiting use, disclosure, and retention of personal information
ESIS shall not use or disclose personal information for purposes other than for identified purposes, except with the consent of the individual, for exceptions set out in legislation, or as required by law. ESIS shall retain personal information only as long as reasonably necessary for the fulfillment of those purposes.
5.1 Subject to applicable CRTC regulations, ESIS may share a customer’s personal information, with the information to be used only for the purpose for which it was shared, to:
- a person seeking information as an agent of a customer, such as a customer’s legal representative or as an authorized user under their account, if ESIS is satisfied that the person is authorized to receive the information;
- other ESIS business units to help ESIS serve its customers better and to provide them with services from different parts of the company;
- other telecommunications companies for the efficient and cost-effective provision of telecommunications services;
- a company involved in supplying a customer with telecommunications or directory-related services;
- our suppliers, agents or other organizations or individuals contracted to ESIS to perform services or functions on our behalf where they require the information to assist us in serving you; this information may be processed or stored in countries other than Canada;
- ESIS’ partners or third-party agents responsible for administering ESIS offers or programs;
- a credit bureau to evaluate a customer’s creditworthiness and for monthly reporting purposes on the status of your payment history with ESIS;
- with collection agencies to collect an account if your account has been referred for collection;
- a public authority or agent of a public authority if, in the reasonable judgment of ESIS, it appears that there is imminent danger to life, health or security of an individual which could be avoided or minimized by disclosure of the information;
- a government agency or other third party, if required to meet legal and regulatory requirements.
5.2 ESIS may disclose personal information about its team members:
- For standard personnel and benefits administration;
- In the context of providing references regarding current or former team members in response to requests from prospective employers;
- Where the team member consents to such disclosure or disclosure is required by law or for exceptions specified under the applicable legislation.
5.3 Only ESIS’ team members with a business need to know, or whose duties reasonably so require, are granted access to personal information about customers and team members.
5.4 ESIS shall keep personal information for as long as it remains reasonably necessary or relevant for the identified purposes, or as required by law. Depending on the circumstances, where personal information has been used to make a decision about a customer or team member, ESIS shall retain the information for a reasonably sufficient period of time after the decision has been made to allow the customer or team member to access the information.
5.5 ESIS shall develop guidelines and implement procedures and controls for the retention and destruction of records containing personal information. Once personal information is no longer reasonably necessary or relevant for the identified purposes, nor required by law to be retained, it shall be destroyed, erased or made anonymous.
Principle 6 – Accuracy of personal information
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
6.1 Personal information used by ESIS shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about a customer or team member.
6.2 ESIS shall update personal information about customers and team members as and when reasonably necessary to fulfill the identified purposes or upon notification by the individual.
Principle 7 – Security safeguards
ESIS shall protect personal information by security safeguards appropriate to the sensitivity of the information.
7.1 ESIS shall employ appropriate security measures to protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction.
7.2 All of ESIS’ team members with access to personal information shall be required to appropriately respect the confidentiality and privacy of that information.
7.3 ESIS will store and process personal information in Canada or other countries. In either case, the personal information is protected with appropriate security safeguards, but may be available to foreign government agencies under applicable law.
Principle 8 – Openness concerning policies and practices
ESIS shall make readily available to customers and team members specific information about its policies and practices relating to the management of personal information.
8.1 ESIS shall make information about its policies and practices easy to understand, including:
- The means of gaining access to one’s own personal information held by ESIS;
- A description of the type of personal information held by ESIS, including a general account of its use.
8.2 ESIS shall make available information to help customers and team members exercise choices regarding the use of their personal information and the privacy-enhancing services available from ESIS.
Principle 9 – Customer and team member access to personal information
ESIS shall inform a customer or team member of the existence, use, and disclosure of his or her personal information upon request and shall give the individual access to that information. A customer or team member shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
9.1 Upon request, ESIS shall afford customers and team members a reasonable opportunity to review the personal information ESIS holds about them. Personal information shall be made accessible to the individual in understandable form, within a reasonable time, and at minimal or no cost to the individual.
9.2 In certain situations, ESIS may not be able to provide access to all the personal information that it holds about a customer or team member. For example, ESIS may not provide access to information if doing so would likely reveal personal information about a third party or could reasonably be expected to threaten the life or security of another individual. Also, ESIS may not provide access to information if disclosure would reveal confidential commercial information, if the information is protected by solicitor – client privilege, or, in civil law, by the professional secrecy of lawyers and notaries, if the information was generated in the course of a formal dispute resolution process, or if the information was collected in relation to the investigation of a breach of an agreement or a contravention of a federal or provincial law. If access to personal information cannot be provided, ESIS shall provide the reasons for denying access upon request. In general, the exceptions above do not apply if the individual needs the information because an individual’s life, health or security is threatened.
9.3 Upon request, ESIS shall provide an account of the use and disclosure of personal information and, where reasonably possible, shall state the source of the information. In providing an account of disclosure, ESIS shall provide a list of organizations to which it may have disclosed personal information about the individual when it is not possible to provide an actual list.
9.4 In order to safeguard personal information, a customer or team member may be required to provide sufficient identification information to permit ESIS to account for the existence, use and disclosure of personal information and to authorize access to the individual’s personal information.
9.5 ESIS shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file. Where appropriate, ESIS shall transmit to other organizations having access to the personal information in question any amended information or the existence of any unresolved differences.
9.6 Customers can seek access to their personal information by contacting a designated representative at ESIS.
9.7 Team members can seek access to their personal information by contacting their manager within ESIS.
Principle 10 – Challenging compliance
10.1 ESIS shall maintain procedures for addressing and responding to all inquiries or complaints from its customers and team members about ESIS’ handling of personal information.
10.2 ESIS shall inform its customers and team members about the existence of these procedures as well as the availability of complaint procedures.
10.4 A customer or team member may seek advice from the Office of the Privacy Commissioner of Canada or the provincial Privacy Commissioner having jurisdiction, and, if appropriate, file a written complaint with the Commissioner’s office. However, the customer or team member is encouraged to use ESIS’ complaint procedures first.