PRIVACY CODE

 

Creō-Tech INDUSTRIAL GROUP INC.

 

PRIVACY CODE – JUNE 2021

 

INTRODUCTION

 

Creō-TechIndustrial Group Inc. (“Creō-Tech”) is a BC company that offers its regional engineering, procurement and contracting services in Western Canada and Pacific Northwest.

This Privacy Code sets out our privacy commitment to the protection of personal information of our employees, and personal information obtained through individuals accessing website or through engaging us to provide customized e-learning solutions and how we manage personal information, safeguards privacy in accordance with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) of Canada, Protection of Personal Information (B.C.) and comply with Canada’s international obligations for data protection under General Data Protection Regulation (“GDPR”).

This Privacy Code is also intended to assist us to meet our obligations under respecting the personal information of our employees and service providers PIPEDA, PIPA and GDPR.[1]

PIPEDA and PIPA are built on the following principles of fair information principles:   Accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, challenging compliance.  Compliance with PIPEDA is under the authority of the Privacy Commissioner of Canada and PIPA is under the authority of the BC Privacy Commissioner.

The GDPR applies to organizations that have an established presence in the EU, offer goods and services to individuals in the EU or monitor the behaviour of individuals in the EU.  The GDPR applies when personal data is “processed” and defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”  Data controllers or processors must also respect the principle of data minimization, meaning that the processing of personal data must be limited to that which is adequate, relevant, and necessary to achieve the specified purpose. Personal data must be accurate, kept up to date, kept in a form which permits identification of data subjects for no longer than is necessary, and must be processed in a manner that ensures appropriate security of the personal data.

The Privacy Code is also intended to provide open and transparent principles, policies, practices and procedures by which Creō-Tech can meet its privacy commitment to the protection of personal information.  It is also intended to set out the choices available for individuals regarding our collection, use or disclosure and processing of their personal information.

The purpose of this Privacy Code is to articulate clearly our privacy practices respecting the management of personal information collected and used by Creō-Tech and to ensure compliance with the federal and international privacy laws.  At the same time, it recognizes the needs of Creō-Tech to collect, use or disclose personal information for legitimate business purposes versus the right of individuals to protect their personal information.  The standard for the collection of personal information by Creō-Tech is one of what a reasonable person would consider appropriate in the circumstances and complies with applicable laws.

 

GUIDING PRINCIPLES

 

The following ten principles are the basis of Creō-Tech Privacy Code and shall guide Creō-Tech’s management of personal information and its privacy practices together with the statutory requirements of PIPEDA and PIPA.

1. Accountability – Creō-Tech is responsible for personal information under its control including personal information not in the custody of Creō-Tech. Creō-Tech shall designate one or more individuals to be responsible for ensuring that Creō-Tech complies with this Privacy Code and shall make the position name or title and contact information of each individual so designated.

2. Identifying Purposes for Collection of Personal Information – Creō-Tech shall identify the purposes for which personal information is collected or before personal information is collected.

3. Obtaining Consent for Collection, Use or Disclosure of Personal Information – Creō-Tech shall ensure that consent is obtained from each individual for the collection, use or disclosure or processing of their personal information unless inappropriate. Creō-Tech shall recognize and act on any withdrawal of consent by an individual to collect their personal information.

4. Limiting Collection of Personal Information – Creō-Tech shall limit the collection of personal information to the purposes identified by Creō-Tech and shall only collect personal information using appropriate, fair and lawful means.

5. Limiting Use, Disclosure and Retention of Personal Information – Creō-Tech shall not use or disclose personal information for purposes other than for the purpose it was collected unless Creō-Tech has the consent of the individual or as provided by law. Creō-Tech shall retain personal information for only as long as necessary to meet the purposes of the collection of the personal information.

6. Accuracy of Personal Information – Creō-Tech shall ensure that personal information collected, used and disclosed shall be as accurate, complete and up-to date as possible for the purposes for which it has been collected used and disclosed.

7. Security Safeguards – Creō-Tech shall take all appropriate steps to protect the personal information collected, used and disclosed and use security measures appropriate to sensitivity of the personal information.

8. Openness Concerning Policies and Practices – Creō-Tech shall ensure that information is made available to clients and employees regarding this Privacy Code and our privacy practices regarding personal information.

9. Client Access to Personal Information – Creō-Tech shall inform an individual of the collection, use and disclosure and processing of his/her personal information at the individual’s request and shall grant access to the individual to such personal information. An individual shall be entitled to challenge the accuracy and completeness of the personal information collected, used or disclosed by Creō-Tech and have it amended and or corrected as necessary or appropriate.

10. Challenging Compliance – This Privacy Code and our privacy practices shall include a clear process for responding to complaints that may arise with respect to our handling and managing of personal information of customers and employees. A client or employee may make a complaint regarding Creō-Tech’s compliance with its privacy policies and practices to the designated individual in accordance with our complaint process.

 

APPLICATION OF THE PRIVACY CODE

1.1       Creō-Tech as a private sector organization is required to comply with the purposes of the PIPEDA, PIPA and GDPR and therefore this Privacy Code sets out Creō-Tech’s policies and practices for managing personal information of individuals being collected, used and disclosed or processed from our clients, employees and or services providers or through our Creō-Tech Website whether collected, used or disclosed or processed orally, electronically or in writing in compliance with PIPEDA, PIPA and GDPR.

Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as: ʶ age, name, ID numbers, income, ethnic origin, or blood type; ʶ opinions, evaluations, comments, social status, or disciplinary actions; and ʶ employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

There are some instances where PIPEDA and PIPA do not apply. Some examples include: ʶ Personal information collected, used or disclosed by federal government organizations listed under the Privacy Act. ʶ Provincial or territorial governments and their agents. ʶ Business contact information–including an employee’s name, title, business address, telephone number facsimile number or email addresses–which an organization collects, uses or discloses solely for the purpose of communicating with a person in relation to their employment, business or profession. ʶ an individual’s collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list). ʶ an organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes.

PIPEDA and PIPA each set out the principles of fair information practices, which form the ground rules for the collection, use and disclosure of personal information, as well as for providing access to personal information. These principles give individuals control over how their personal information is handled in the private sector. In addition to the principles set out under PIPEDA and PIPA, the Acts contains an overriding obligation that any collection, use or disclosure of personal information must only be for purposes that a reasonable person would consider are appropriate in the circumstances. This overarching standard of appropriateness of purposes continues to apply under PIPEDA and PIPA for the collection, use and disclosure of personal information.

Creō-Tech strives as an organization to be responsible for the protection of personal information and the fair handling of it at all times, throughout the organization and in dealings with third parties.

 

1.2       The following categories of personal information are exempt from the PIPEDA and PIPA privacy practices and policies of our Privacy Code:

• Personal information handled by federal government organizations listed under the Privacy Act;
• Provincial or territorial governments and their agents;
• Business contact information such as an employee’s name, title, business address, telephone number or email addresses that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession;
• An individual’s collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list); and
• An organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes.

 

PRIVACY POLICIES AND PRACTICES

 

Accountability

2.1       In order to meet its responsibilities for personal information under its possession or control, Creō-Tech appoints Tony Harrison and or his designate to be accountable for   Creō-Tech’s compliance with this Privacy Code and its statutory requirements under PIPEDA and PIPA and GDPR.

2.2       The contact information of persons designated to be accountable for Creō-Tech’s compliance with the Privacy Code shall be made known upon request.

2.3       Creō-Tech does not provide personal information to third parties except as compelled by law or as part of its online automated broker-agent services that match a client’s electric vehicle specifications and needs for an electric vehicle to their electric vehicle dealer directory listings which listings have been approved by each individual electric vehicle dealer.

2.4       Creō-Tech has put in place procedures and practices to give effect to this Privacy Code and shall include:

• Procedures and practices to protect personal information and to oversee compliance with this Privacy Code;
• Procedures and practices to receive and respond to requests for personal information, inquiries and complaints under PIPEDA, PIPA and GDPR;
• Methods and means for training and communicating our privacy procedures and practices to employees; and
• Methods and means for communicating our privacy procedures and practices to our clients and the public.

2.5       Creō-Tech shall continue to update and enhance its privacy policies and practices on and as and when basis.

 

Purposes of Collection

3.1       Creō-Tech collects, uses and discloses personal information from clients and employees for the provision of its online automated broker-agent services that match a client’s electric vehicle specifications and needs for an electric vehicle to their electric vehicle dealer directory listings which listings have been approved by each individual electric vehicle dealer and for legitimate business interests only.

3.2       In using, processing and disclosing personal information as part of its contractual agreement(s), such personal information shall only be collected, used, processed and disclosed as necessary for the performance of Creō-Tech’s business and contractual obligations.

3.3       Creō-Tech also collects uses and discloses personal information of its clients, employees or visitors to its Website but such personal information shall only be collected, used or processed and disclosed for legitimate business interests that a reasonable person would consider appropriate in the circumstances and that fulfill the purposes that Creō-Tech has disclosed to the individual in accordance with PIPEDA and PIPA.

3.4       Creō-Tech shall identify and specify orally, electronically or in writing to the client, employee or visitor to its Creō-Tech Website the purposes for which personal information is collected, used. processed and disclosed at or before the time the personal information is collected.

3.5       Creō-Tech shall not collect, process, disclose or use personal information for any purpose not identified or specified to an individual without obtaining their consent. 

 

Consent

4.1       Creō-Tech will obtain consent from an individual when collecting, using, processing or disclosing personal information of its clients, individuals, employees, and contractors for the purposes outlined above.

4.2       Consent will be explicit for EU individuals and may be explicit (orally or in writing) or implied. Consent may be implied by Creō-Tech where at the time consent is deemed as follows:

4.2.1    the purpose would be considered obvious to a reasonable person;

4.2.2    the individual has freely and voluntarily provided the personal information for that purpose; or

• Creō-Tech has given notice of the collection of personal information for a specified period in a form that can be reasonably understood of its intention to collect, use, process or disclose the personal information and the individual is given a reasonable period of time to decline or revoke and does not decline or revoke and it is reasonable to collect, use, process or disclose having regard to the sensitivity of the personal information and that it is collected solely for legitimate business purposes.

4.3       Consent will always be obtained for EU individuals where it is not for legitimate business purposes and EU individuals will have the ability to revoke such consent at any time.  Consent is not required for the following personal information which is permitted to be collected and used from an individual or from a source other than an individual without limitations:

• is clearly in the interest of the individual and consent cannot be obtained in a timely way;
• is necessary for medical treatment of the individual and individual is unable to give consent;
• it is reasonable to expect that the collection or use with the consent of individual would compromise the availability or accuracy of the personal information and the collection is reasonable for an investigation or a proceeding;
• organization is credit reporting agency and collection is for a credit report and individual consents at the time the original collection occurs;
• is required or authorized by law;
• personal information is necessary to facilitate collection of debt owed or payment of debt to an organization;
• collection or use of employee personal information is reasonable for establishing, managing or terminating an employment relationship; and
• for any other category identified under PIPEDA and PIPA.

4.4       With respect to EU individuals, Creō-Tech shall obtain explicit consent from the individual to the disclosure of personal information. With respect to the disclosure of personal information for all other individuals, Creō-Tech shall obtain consent from the individual, with the exception of the following personal information which is permitted to be disclosed from an individual or from a source other than an individual without limitations:

• is clearly in the interest of the individual and consent cannot be obtained in a timely way;
• is necessary for medical treatment of the individual and individual is unable to give consent;
• it is reasonable to expect that the disclosure with the consent of individual would compromise the availability or accuracy of the personal information and the collection is reasonable for an investigation or a proceeding;
• organization is credit reporting agency and disclosure is for a credit report and individual consents at the time the original collection occurs;
• is required or authorized by law;
• personal information is necessary to facilitate collection of debt owed or payment of debt to an organization;
• personal information is disclosed in accordance with a provision of a treaty that authorizes or requires its disclosure or is made under an enactment of Canada;
• disclosure is for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or body with jurisdiction to compel the production of personal information;
• the disclosure is to a public body or a law enforcement agency in Canada, concerning an offence under the laws of Canada or a province, to assist in an investigation, or in the making of a decision to undertake an investigation;
• there are reasonable grounds to believe that compelling circumstances exist that affect the health and safety of any individual and if notice of disclosure is mailed to the last known address of the individual to who the personal information relates;
• the disclosure is for the purpose of contacting next of kin or a friend of an injured, ill or deceased individual;
• the disclosure is to an archival institution if the collection of personal information is reasonable for research or archival purposes; and
• disclosure of employee personal information is reasonable for establishing, managing or terminating an employment relationship.

4.5       Wherever possible, Creō-Tech shall seek consent to collect, use, process or disclose personal information from an individual, client, employee or service provider at the time in which the personal information is collected.  In the event that this is not possible, Creō-Tech will seek consent after the personal information is collected but prior to it being used, processed or disclosed for a different purpose that has not been identified or specified.

4.6       When determining whether express or implied consent is required for all individuals other than EU individuals where there must be explicit consent, Creō-Tech shall take into account the sensitivity of the personal information and the reasonable expectations of the client/customer, individual, employee or service provider.

4.7       With the exception of EU individuals where explicit consent is required, Creō-Tech will, generally, imply consent to collect, use or disclose personal information for its purposes, where an employee accepts employment or receives benefits.

4.8       When seeking consent for the collection of personal information from a client/customer, individual, employee or service provider, Creō-Tech shall set out the choices available to individuals regarding Creō-Tech’s collection, use, processing or disclosure of the personal information at the time of collection or prior to the use or disclosure of such personal information.

4.9       Upon obtaining consent, Creō-Tech may record such consent as via phone, by mail, the Internet, a note to file, copy of an email, copy of a check off box or entry in database field.

 

Withdrawal of Consent

5.1       Creō-Tech will honour a request of an individual to revoke or withdraw his or her consent to the collection, use, processing or disclosure of personal information by email and when it receives email notice will immediately stop collecting, using, processing or disclosing that personal information unless it meets one of the exceptions noted above or would frustrate the performance of a legal obligation or consent was given to a credit reporting agency or is for legitimate business purposes.

 

Limiting Collection of Personal Information

6.1       When collecting personal information of a client, individual, employee or subcontractors, Creō-Tech shall disclose to the individual verbally or in writing, the purposes for the collection of the personal information and shall limit the collection to the identified and specified purposes.

6.2       Creō-Tech shall only collect personal information by reasonable, fair and lawful means.

6.3       Creō-Tech generally, collects personal information from its clients, employees and subcontractors although in certain circumstances, Creō-Tech may collect personal information from third parties, such as credit bureaus, employers or personal references but only from those third parties that represent that they have a right to disclose such personal information.

 

Limiting Use, Disclosure and Retention of Personal Information

7.1       Other than where Creō-Tech has explicit or implied consent of the individual or third party or by operation of law, Creō-Tech shall not use or disclose personal information for purposes other than those identified and specified.

7.2       Creō-Tech shall only retain personal information of an individual for the period necessary to fulfill the purposes identified and specified, by operation of law or where making a decision regarding a client/customer, employee or vendor or service provider as long as is reasonable to give such individuals the opportunity to access the personal information concerning the making of the decision.

7.3       Creō-Tech shall limit the access of its employees to personal information to those who are participating in the collection, use, processing or disclosure of personal information as part of their duties or to those who have a need to know within Creō-Tech.

7.4       Creō-Tech shall maintain the means via reasonable controls, systems and practices whereby personal information that no longer is necessary to retain is destroyed, erased or rendered anonymous.

 

Accuracy and Security of Personal Information

8.1       Creō-Tech shall make all reasonable effort to ensure that personal information collected is accurate and complete for the purposes in which it is collected particularly where the personal information is likely going to affect the individual to who the personal information relates or is likely to be disclosed to another organization.

8.2       All personal information used by Creō-Tech shall be as accurate and complete as possible and where such personal information is being used to make a decision that directly affects an individual, such personal information will where applicable be retained by Creō-Tech for no more than one year in order to provide a reasonable opportunity for access by the individual.

8.3       Creō-Tech shall take reasonable security arrangements to prevent the unauthorized access, collection, use, disclosure, copying, modification or disposal of personal information in its custody and control in whatever form it is held.  Such security arrangements will include protection from loss or theft and physical measures, such as, technological tools, such as passwords, encryption, firewalls and anonymizing software, and, limiting access on a need to know basis, staff training and confidentiality agreements.

8.4       Creō-Tech shall destroy its documents containing personal information or remove the means by which personal information can be associated with the individual as soon as the purpose for which the personal information was collected is no longer being served by its retention or retention is no longer necessary for legal or business purposes.

8.5       Creō-Tech shall not use deceptive or coercive means to collect personal information and shall not dispose of personal information with intent to evade a request for access to personal information.

8.6       Creō-Tech shall protect personal information by ensuring that confidentiality provisions bind both third parties in which personal information is disclosed and employees who have access to personal information.

8.7       Creō-Tech shall regularly review and update security measures for personal information where applicable.

 

Access to and Correction of Personal Information

9.1       Where Creō-Tech has collected, used, processed or disclosed personal information of an individual that is within the statutory authority of PIPEDA and PIPA or GDPR, an individual shall have the right to access and correct their personal information in accordance with the following access and correction procedure:

• the individual may, in writing, make a request to Creō-Tech or their designate concerning his or her personal information under the control of Creō-Tech;
• Creō-Tech shall provide information concerning the ways in which personal information of the individual has been and is being used by Creō-Tech or has been disclosed by Creō-Tech;
• the names of individuals and organizations to whom the personal information has been requested;
• with the exception of the following personal information, Creō-Tech will provide access to an individual’s personal information:

(i) personal information is protected by solicitor-client privilege; (ii) disclosure would reveal confidential commercial information that if disclosed could in the reasonable opinion of a reasonable person harm the competitive position of Creō-Tech ; (iii) personal information was collected where consent is not required for the purposes of an investigation or where proceedings have not been completed; (iv) where personal information was collected by a credit organization 12 months prior to the request from the individual; (v) where the disclosure would threaten the safety, physical or mental health of an individual, cause immediate or grave harm to the safety or physical or mental health of an individual, or would reveal personal information about another individual;

• having reviewed the personal information requested, the individual may request Creō-Tech to correct an error or omission in that personal information that is: (i) about the individual and (ii) is under the control of Creō-Tech;
• Creō-Tech shall respond to an individual’s request no later than 30 days from the date of an individual’s request unless the individual has not given sufficient detail to enable Creō-Tech to identify the personal information being requested or more time is needed given the large volume of personal information being requested  which would unreasonably interfere with Creō-Tech’s operation or there is a need for more time to consult with another organization or public body to determine whether to give access to the requested document.  In those circumstances, Creō-Tech may extend the time an additional 30 days or seek a longer period of time to respond from the privacy commissioner and will advise the individual of the extension in time, the time period of the extension and the rights of the individual to complain about the extension;
• in responding to an individual’s request, Creō-Tech shall advise the individual when access to personal information in whole or in part is being refused, the reasons for the refusal and the contact information of the officer or employee of Creō-Tech who can answer the individual’s questions concerning the refusal;
• Creō-Tech shall make a reasonable effort to assist each applicant to respond accurately and completely as is reasonably possible to their request;
• Creō-Tech shall make the correction as soon as reasonably possible or send the corrected personal information to each organization which the personal information was disclosed during the year prior to the date the correction was made, where Creō-Tech is satisfied that there are reasonable grounds for the request; and
• where Creō-Tech does not make a correction, it shall annotate the personal information under its control that a request was made but the request was not implemented.

 

Challenging Compliance

10.1     Creō-Tech shall maintain a process for addressing and responding to complaints or inquiries regarding its compliance with this Privacy Code including where appropriate a process for seeking external advice prior to responding to individual complaints or inquiries.

10.2     A client, individual or employee or contractor may make a complaint or inquiry regarding     Creō-Tech’s compliance with this Privacy Code as follows:

• An individual shall file a written complaint or inquiry to Creō-Tech and or its designate outlining the failure of Creō-Tech to comply with this Privacy Code and the specified section and or principle.
• Creō-Tech shall investigate all written complaints or inquiries regarding its compliance with this Privacy Code.
• Where an investigation determines that a complaint is justified or action is required regarding an inquiry, Creō-Tech shall take all appropriate steps to resolve the complaint or take appropriate action to address the inquiry including where applicable amending the policies, practices and procedures of this Privacy Code.
• Wherever possible, Creō-Tech shall respond to a written complaint within 30 days provided the written complaint or inquiry provides sufficient information to respond to. This response shall include details regarding the outcome of the investigation and individual’s complaint or inquiry.
• In the event that Creō-Tech seeks external advice, the period to respond may be extended for a reasonable period necessary to obtain such external advice.

10.3     In the event that an individual is not satisfied with handling of its complaint by Creō-Tech, the individual may seek the assistance of the Office of the Privacy Commissioner of Canada or British Columbia.

 

Transparency of Privacy Policies, Practices and Procedures

11.1     Creō-Tech shall make its privacy policies, practices and procedures available on its Creō-Tech Website and readily available to individuals in person, in writing, by telephone or as applicable in Creō-Tech publications.

11.2     Creō-Tech shall also make its policies, practices and procedures understandable for its individuals, employees and the public by identifying who within Creō-Tech is responsible for compliance with this Privacy Code, how personal information can be accessed by individuals, what personal information is held by Creō-Tech and how it is used.

 

The contact information for Creō-Tech is as follows:

Brittany Ray-Wilks, COO, Brittany Ray-Wilks <[email protected]>

www.creotechgroup.com

Current contact information can also be found on Creō-Tech’s website.

 

To review the Protection of Privacy Act and Personal Information Protection Act, access to the Act can be found at https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-privacy-act/ or Protection of Personal Information Act, access to the Act can be found at oipc.bc.ca and General Data Protection Regulation can be found at: https://eugdpr.org/.

 

A comparison of GPDR and PIPA has been prepared by Office of the Information and Privacy Commissioner of British Columbia.

 

 

[1]  This Privacy Code is built on the ten principles of the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information which was published in March 1996 as a National Standard of Canada Federal and these principles are now incorporated in the federal Personal Information Protection and Electronic Documents Act.