We collect personal information from our customers in the regular course of doing business. This page answers some of your most frequently asked questions, and lets you know exactly how we’re protecting the information you entrust to us.
What personal information do you collect about me?
We collect the following information about you:
When you visit our web site, we also collect:
How do you use this information?
The main reasons we collect personal information from you are:
If it’s a necessary part of any of these transactions, we may disclose your information to another company. For example, when you apply for credit, we pass on your personal information to a credit reporting agency so we can complete a credit check. We also pass on your name and address to a courier company to complete a delivery.
Use of Personal Information for Secondary Reasons
We also may use your personal information for other, secondary reasons, including:
Sharing of Personal Information with Third Parties
Sometimes, we also share your personal information with other companies, including:
We will also disclose your personal information if we are required by law to do so.
How do you get my consent?
When you provide us with personal information to complete a transaction, verify your credit card, place an order, arrange for a delivery or return a purchase, we assume you consent to our collecting it and using it for that specific reason only.
If we ask you for personal information for a secondary reason, like marketing, we will either ask you directly for your consent or provide you with an opportunity to say no. Saying no is called “opting out”. By opting out, you can tell us not to collect the information and/or not to share it with other companies.
How do I opt out?
Describe exactly what a customer has to do to opt out. Give concrete examples. For e.g.:
When you fill out a warranty card, you provide us with information about your preferences and opinions. At the bottom of the card, there are boxes you can check off if you do not want that information to be used for marketing purposes or to be shared with other companies.
How do I get more information?
Our staff will be happy to answer any questions you may have about your personal information. If you would like more information about our policies, or you would like to see exactly what personal information we have about you in our records, or you wish to register a complaint, please contact:
Name: Martinus Geleynse
Address: 195 James St N, Hamilton, ON L8R 2L2
You can also contact the Privacy Commissioner of Canada for assistance between the hours of 8:30 a.m. to 4:30 p.m. est, at:
or by mail at:
30 Victoria Street
or on the web at:
You can also contact your Provincial or Territorial Privacy Commissioner’s office for more information:
Office of the Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Phone: (416) 326-3333
Toll-free: 1 (800) 387-0073 (free within Ontario)
Web Site: http://www.ipc.on.ca/
You have indicated that you do not collect any personal information, therefore it is important to explain to your employees that they are not to collect any personal information about customers.
EMPLOYEE ACCESS TO PERSONAL INFORMATION
You indicated that your organization does not collect any information without knowing why.
HOW MUCH PERSONAL INFORMATION SHOULD YOU COLLECT?
With new information technologies, there’s a temptation to collect personal information just in case it could be useful in the future. But under privacy laws, you have to tell your customers why you’re collecting the information and then stick to that purpose. If you want to use the information for another purpose, you have to go back to the customer and get his or her permission.
Once you do collect the information, you are also required by law to keep it up-to-date, accurate and secure and to provide customers with access to it on request.
In other words, there are hidden costs and obligations involved when you collect personal information. One of the easiest and cheapest ways you can make your business privacy-compliant is to collect only what you actually need.
Another quick and easy privacy win is to make sure any software or paper forms you use don’t have any free-form fields – things like “Notes” or “Additional Information”. That cuts down on the possibility that your staff will collect unnecessary personal information.
When you’re deciding what to collect, remember that you’re obligated to make sure you’re only collecting information for purposes that a “reasonable person would consider appropriate in the circumstances”. In Quebec, the requirement is that the information has to be “necessary for the object of the file”.
So the next step is to review the information you collect and follow the 3 Rs – make sure it’s Reasonable, Relevant to your purpose, and Really Needed for your business. If not, don’t collect it.
HOW TO PROTECT THE PERSONAL INFORMATION YOU COLLECT?
Now that you’ve limited the personal information you collect to what’s Reasonable, Relevant and Really Needed, the next step is to make sure you keep that information safe and secure.
Under the law, you are required to use security safeguards to protect the personal information you have from things like unauthorized persons getting access to it for copying, modifying or destroying it. Federal laws also talk about protecting it from loss or theft, and Quebec laws call for safety measures that will ensure the information is kept confidential.
Keeping information secure doesn’t have to be high-tech. The best protection is to limit who gets access to it on a “need-to-know” basis only. Here’s a summary of who uses the personal information you collect in your business.
Next, think about how sensitive the information you collect is. Generally speaking, the more sensitive it is, the better your security arrangements should be. Information about a person’s health or financial situation is always considered sensitive and must be protected with higher safeguards.
This information needs to be well protected from prying eyes, so consider using multiple methods to protect it. For example, consider purchasing cash registers that truncate (“x” out) payment or credit card numbers on customer receipts to protect the information from identity thieves.
It is also important to remember that other information may be sensitive, depending on the context. For example, the fact a person subscribes to a magazine for cancer survivors may be sensitive in some circumstances. Customer relationship management databases and lists may also be sensitive because they are a lucrative target for identity thieves who want access to the information so they can impersonate your customers.
Next, think about where you keep your personal information. Security can be as simple as locking a filing cabinet or restricting who has access to an office.
You indicated that you keep the following information in electronic files:
Finally, think about what you do with old files. As a general rule of thumb, you should only keep personal information for as long as you need to fulfill the purpose that you collected it for. After that, you should destroy it.
But take care. Canadian organizations have ended up in the news when their old files ended up in boxes on the beach or on the back of real estate pamphlets circulated in Toronto. Invest in a shredder for smaller jobs, and use a magnet to destroy any electronic files that may be stored on old equipment. If you’re contracting out, make sure you use a reputable firm that will completely destroy your files.
EXPLAIN WHY AND ASK FOR PERMISSION
The best way to manage your privacy risks is to let your customers know why you’re collecting the information and ask them for their permission.
There are times when it’s obvious your customer knows why you’re collecting the information and consents to it. For example, when a customer hands the cashier a payment card, he or she knows your business will record the card number and pass it onto the bank so you’ll be paid. The customer’s consent to the use of the card number for the limited purpose of payment can be implied from the circumstances.
So long as this information is necessary to complete one of the transactions listed above, you can assume your customer has consented to the collection and use of his or her personal information for that purpose. (This is called “implied consent.”) But remember, if you decide later to use this information for another purpose, you have to go back and get the customer’s consent.
You have indicated that you collect the following information for the following secondary purposes:
In these situations – when you’re using personal information for a purpose other than the original sale or transaction – you can’t assume the customer will consent to it being using for something else, like marketing or customer relationship management. In these circumstances, you have to give the customer an opportunity to tell you they don’t want you to use their information for that purpose. This is called an “opt-out”.
Opt-outs must be clear, easy to understand and easy for the customer to do. You can have an opt-out box on a paper-based or web application form, for example, that tells customers that they don’t want to receive promotional material in the mail, just check here. You may want to let the customer know what they’ll be missing – special deals and new product information, for example – but don’t minimize, hide or obscure the opt-out. And don’t make it complicated, like requiring the customer to write a letter to a specific address within a specific time frame. The point is to let the customer decide.
With sensitive information like this, you should always make sure you get express consent from your customer. Especially if you’re sharing the information with a third party, like a credit reporting agency, you must ask the customer directly if they consent to you disclosing the information. You can do this, for example, by having them sign an application form that states what you will do with the information and that they consent to it.
But remember that you can’t refuse a sale if the customer refuses to consent to the collection of information that isn’t necessary and legitimately needed to complete the transaction. This is called “tied consent” and it is against the law.
Lastly, under federal law, your customers have a right to withdraw their consent at any time, so long as they give you reasonable notice. The exception is where customers have signed a contract that restricts their right to withdraw their consent.
HOW TO RESPOND TO INQUIRIES AND COMPLAINTS
Responding fairly and quickly to customer concerns is one of the fastest ways to privacy compliance. The single most important thing you can do is to make sure your frontline staff knows exactly what personal information your organization collects and why you collect it, so they can answer customers’ questions.
Here are the people in your organization who collect information from customers:
If a customer wants more information about your privacy practices, make sure your frontline staff has copies of a brochure that tells customers:
Designing an effective brochure isn’t that difficult, once you know what information the customer needs. To make it easier, we’ll give you a sample brochure at the end of this training session.
THIRD PARTY SUPPLIERS OR AGENTS
Sometimes sharing customers’ personal information is just a regular part of doing business, like when a store passes on a customer’s address to a courier to deliver a product. Other retailers may decide to share that information – with the customer’s consent – with partners or marketers.
It’s important to remember that your responsibility doesn’t end when the information leaves your hands. Whenever you share personal information with a third party, it’s up to you to make sure it’s going to be protected.
Your organization shares personal information with the following third parties:
You’ll have to review the privacy practices of these firms to make sure they meet the same standards that you apply to your business. You should also talk to your lawyer about adding special clauses to any contracts that involve you sharing personal information with a third party to: