This document is enforced on all departments, personnel, contractors, business partners and all third parties who interact with NCRi systems and information.
All bodies have a role to play and contribution to make to ensure the safeguard of privacy of information used and retained for business purposes by NCRi.
PIPEDA: The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canadian law relating to information or data privacy.
- Accountability: Appoint an individual (or individuals) to be responsible for your organization’s compliance. Protect all personal information held by your organization or transferred to third parties for processing. Develop and implement personal information policies and practices.
- Identifying purposes: Your organization must identify the reasons for collecting personal information before or at the time of collection. Before or when any personal information is collected, identify why it is needed and how it will be used. Document why the information is collected. Inform the individual from whom the information is collected why it is needed. Identify any new purpose for the information and obtain the individual’s consent before using it.
- Consent: Inform the individual in a meaningful way of the purposes for the collection, use or disclosure of personal data; obtain the individual’s consent before or at the time of collection, as well as when a new use is identified.
- Limiting collection: Do not collect personal information indiscriminately; do not deceive or mislead individuals about the reasons for collecting personal information.
- Limiting use, disclosure, and retention: Use or disclose personal information only for the purpose for which it was collected, unless the individual consents, or the use or disclosure is authorized by the Act; keep personal information only as long as necessary to satisfy the purposes; put guidelines and procedures in place for retaining and destroying personal information; keep personal information used to decide about a person for a reasonable time period. This should allow the person to obtain the information after the decision and pursue redress; destroy, erase, or render anonymous information that is no longer required for an identified purpose or a legal requirement.
- Accuracy: Minimize the possibility of using incorrect information when deciding about the individual or when disclosing information to third parties.
- Safeguards: Protect personal information against loss or theft; safeguard the information from unauthorized access, disclosure, copying, use or modification; protect personal information regardless of the format in which it is held.
- Openness: Inform your customers, clients, and employees that you have policies and practices for the management of personal information; make these policies and practices understandable and easily available.
- Individual Access: When requested, inform individuals if you have any personal information about them; explain how it is or has been used and provide a list of any organizations to which it has been disclosed; give individuals access to their information; correct or amend any personal information if its accuracy and completeness is challenged and found to be deficient; provide a copy of the information requested, or reasons for not providing access, subject to the exceptions set out in Section 9 of the Act; an organization should note any disagreement on the file and advise third parties where appropriate.
- Provide recourse: Develop simple and easily accessible complaint procedures; inform complainants of the avenues of recourse available to them. These include your organization’s own complaint procedures, those of industry associations, regulatory bodies, and the Privacy Commissioner of Canada; investigate all complaints received; take appropriate measures to correct information handling practices and policies.
Personal/Private Information: As per North American standards, and in accordance with PIPEDA, the definition and application of personal/private information varies with context, primarily depending on whether it applies to a business or to an individual. In summary, however, any information or combination of information about an identifiable individual, as well as business secrets, can be considered Personal/Private Information. It includes, without limitation, information relating to identity, nationality, age, gender, address, telephone number, e-mail address, Social Insurance Number, date of birth, marital status, blood group or medical records, education, employment health history, assets, liabilities, payment records, credit records, loan records, income, and information relating to financial transactions, as well as certain personal opinions or views of an individual.
Business Information: Includes business name, business address, business telephone number, name(s) of owner(s), officer(s) and director(s), job title(s), business registration numbers (GST, RST, and source deductions), financial status.
Privacy Officer / Ombudsman: An individual or group of people with designated responsibility for ensuring that the organization complies with this policy, with PIPEDA, and with other laws instituted in the Canadian Provinces and Territories and U.S. States where NCRi or its subsidiaries conduct business.
Company Information System Resources: Includes, but are not limited to, all computers, their data, and programs, as well as all paper information, and any other information at the ‘Internal Use Only’ level and above.
Approved Electronic File Transmission Methods: Include, but are not limited to, supported FTP clients and protocols (e.g. SSH, SSL), email clients, and web browsers and protocols (e.g. SSL, TLS).
Information Retention Period: Defines the time-table established for retaining any information for business purposes in accordance with NCRi’s Information Retention Policy.
Client: Individuals or companies to whom NCRi provides its services.
Third Party/Business Partners: A person or company that provides services to NCRi in support of the programs, benefits, and other services offered by NCRi, such as other lenders, credit bureaus, and persons with whom the individual or client does business; this does not include any Government office or Department to which NCRi reports in the delivery of such programs, benefits, or services.
Consent: An agreement to the use of personal information. Consent falls into two categories: express consent and implied consent. “Express consent” means the individual has registered through an application, or other forms containing personal information, authorizing NCRi to collect, use, and disclose the individual’s personal information for the purposes set out in the application and/or forms. “Implied consent” means the organization may assume that the individual consents to the information being used, retained, and disclosed for the original purposes, unless the individual notifies the organization otherwise.
The privacy guidelines below provide details on how to protect information at varying sensitivity levels.
Conformance covers current laws as well as future additions or alterations to the applicable Privacy Act(s).
- Although business information is not subject to PIPEDA, confidentiality of business information will be treated with the same security measures by NCRi staff, business partners and Board members, as is required for individual personal information under PIPEDA.
- All information should be marked with the appropriate classification (where applicable) along with its ownership and audience/distribution tags.
- Encryption and other security methodologies should be established, and the technologies used should be tested at regular intervals.
- After the retention period expires, all information shall be carefully expunged using approved shredding methods (physical or electronic) in accordance with Data Retention Policy and Disposal Policy.
- No personal information, confidential information, or restricted information shall be recorded in an unsecured place, such as loose paper or public-access network file folders.
- At workstations, paperwork shall be secured before the workstation is left unattended.
- All employees shall abstain from discussing or sharing confidential or restricted information with other employees or parties, unless requested by an authorized person or body.
- Accountability: In addition to the Privacy Officer, all employees are responsible for maintaining privacy of the information they have been privy to for conducting their assigned tasks.
- Identifying Purpose: Unless the purposes for collecting personal information are obvious and the client, customer, or business partner voluntarily provides his or her personal information for those purposes, we will communicate the purposes for which personal information is being collected, either orally or in writing, before or at the time of collection.
- Consent: We will obtain client, customer, and business partner consent to collect, use, or disclose personal information (except where, as noted below, we are authorized to do so without consent).
Consent can be provided orally, in writing, electronically, or through an authorized representative, or it can be implied where the purpose for collecting, using, or disclosing the personal information would be considered obvious and the client, customer, or business partner voluntarily provides personal information for that purpose.
In addition, consent can be revoked, subject to the provisions of the related legislation.
- Limiting Collection: Information, and especially personal information, will be collected only where it is deemed necessary for conducting business. All information shall be collected by legal means only. Information collected shall be used only for identity verification, to determine creditworthiness, to manage accounts, to provide adequate services, and to meet regulatory requirements.
- Limiting use, disclosure: Information shall only be used or disclosed for the purpose for which it was collected.
NCRi employees are not permitted to disclose client, customer, or business partner information.
NCRi shall not sell or share personal information with other parties for reasons not related to its business practices.
- Retention: All information, personal and non-personal, shall only be retained in accordance with NCRi’s Information Retention & Disposal Policy. Information shall be expunged using necessary methods explained in the Disposal Procedures once the retention period expires.
- Accuracy: Reasonable efforts shall be made to ensure that client, customer, and business partner personal information is accurate and complete where it may be used to make a decision about the client, customer, or business partner, or is disclosed to another organization.
Clients, customers, and/or business partners may request correction to their personal information in order to ensure its accuracy and completeness. A request to correct personal information must be made in writing or other approved means and should provide sufficient detail to identify the personal information and the correction being sought.
In the case where the information is deemed incorrect, inaccurate, or incomplete, NCRi shall correct the information as required and send the corrected information to organizations to which it has disclosed the information previously for conducting its business, which includes but may not be limited to credit reporting agencies.
- Safeguards: NCRi is committed to ensuring the security of client, customer, and business partner personal information in order to protect it from unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks. Sensitive information shall be protected by means of strong and tested encryption techniques, fire-proof safes, or cabinets with strong combination locks.
NCRi shall continually review and update its security policies and controls as technology changes to ensure ongoing personal information security.
NCRi shall regularly perform reviews to identify security risks to its networks and data stored or transmitted through its information systems.
- Openness: NCRi shall inform its customers, clients, employees, and business partners about the policies NCRi has designed for the management of personal information. Such policies shall also be made easily available and understandable.
- Individual Access: NCRi shall respect the rights of its clients, customers, employees, and business partners, and will, upon request, provide them with access to their personal information. All information shall be provided only after reviewing the exceptions set out by any and all regulatory bodies.
A request to access personal information must be made in writing and provide sufficient detail to identify the personal information being sought. If unsure, the NCRi staff member will forward the request to the Privacy Officer for further review.
Upon request, clients, customers, business partners, and employees shall be advised about how their personal information has been used and to whom it has been disclosed if applicable.
Requested information shall be provided within thirty (30) business days, or a written notice of an extension will be provided where additional time is required to fulfill the request.
If a request to access personal information is refused in full or in part, the client, customer, employee, or business partner shall be notified in writing, with the reasons for refusal and the recourse available to them.
- Provision of Recourse: At NCRi, the Privacy Officer is responsible for ensuring compliance with this policy, PIPEDA, and Canadian Provincial, Territorial, and U.S. State legislation regarding privacy and the safeguarding of personal information.
Clients, customers, employees, and business partners should direct any complaints, concerns or questions regarding NCRi’s compliance or handling of personal information to the Privacy Officer/Ombudsman.