Table of Contents
1.0 Purpose of Privacy Policy
1.1 The Ten Principles of PIPEDA Summarized
1.2 Personal Information Defined
2.0 Purposes of Collecting Personal Information
3.0 Consent
4.0 Limiting Collection
5.0 Limiting Use, Disclosure and Retention
5.1 Use of Personal Information
5.2 Disclosure of Personal Information
5.3 Retention of Personal Information
6.0 Accuracy
7.0 Safeguards
8.0 Openness
9.0 Individual Access
10.0 Complaints / Recourse
1.0 Purpose of the Orillia Area Community Development Corp. (CDC) Privacy Policy
The CDC is a federally supported not-for-profit community organization with a volunteer board of directors and professional staff whose purpose is to develop and diversify local economies. The CDC supports community economic development and small business growth by developing and implementing strategic community plans, delivering a range of counselling and information services to small business and operating locally controlled investment funds to provide repayable financing to new and existing businesses. This privacy policy has been developed to comply with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA sets out rules for the collection, use and disclosure of personal information in the course of commercial activity as defined in the Act.1.1 The Ten Principles of PIPEDA Summarized
The Ten Principles of PIPEDA that form the basis of this Privacy Policy are as follows:- Accountability: organizations are accountable for the personal information they collect, use, retain and disclose in the course of their commercial activities, including, but not limited to, the appointment of a Chief Privacy Officer;
- Identifying Purposes: organizations are to explain the purposes for which the information is being used at the time of collection and can only be used for those purposes;
- Consent: organizations must obtain an Individual’s express or implied consent when they collect, use, or disclose the individual’s personal information;
- Limiting Collection: the collection of personal information must be limited to only the amount and type that is reasonably necessary for the identified purposes;
- Limiting Use, Disclosure and Retention: personal information must be used for only the identified purposes, and must not be disclosed to third parties unless the Individual consents to the alternative use or disclosure;
- Accuracy: organizations are required to keep personal information in active files accurate and up-to-date;
- Safeguards: organizations are to use physical, organizational, and technological safeguards to protect personal information from unauthorized access or disclosure.
- Openness: organizations must inform their clients and train their employees about their privacy policies and procedures;
- Individual Access: an individual has a right to access personal information held by an organization and to challenge its accuracy if need be; and
- Provide Recourse: organizations are to inform clients and employees of how to bring a request for access, or complaint, to the Chief Privacy Officer, and respond promptly to a request or complaint by the individual.
1.2 Definitions
“Personal information” means any information about an identifiable individual. It includes, without limitation, information relating to identity, nationality, age, gender, address, telephone number, e-mail address, Social Insurance Number, date of birth, marital status, education, employment health history, assets, liabilities, payment records, credit records, loan records, income and information relating to financial transactions as well as certain personal opinions or views of an Individual. “Business information” means business name, business address, business telephone number, name(s) of owner(s), officer(s) and director(s), job titles, business registration numbers (GST, RST, source deductions), financial status. Although business information is not subject to PIPEDA, confidentiality of business information will be treated with the same security measures by the CDC staff, members and Board members, as is required for individual personal information under PIPEDA. “Client” means the business that is applying for or has been approved for a loan, (including sole proprietorships and individuals carrying on business in a partnership); “Individual” means the client’s owner(s) or shareholders, co-signors, and/or any guarantor associated with a client. “Member” means a person who volunteers on a CDC committee, but who is not a current or active board member, or chair of the committee. “Application” means the application form or related forms completed by the individual(s) to request financing for the client through the Investment Fund of the CDC. “Data base” means the list of names, addresses and telephone numbers of clients and individuals held by the CDC in the forms of, but not limited to, computer files, paper files, and files on computer hard-drives. “File” means the information collected in the course of processing an application, as well as information collected/updated to maintain /service the account. “Express consent” means the individual signs the application, or other forms containing personal information, authorizing the CDC to collect, use, and disclose the individual’s personal information for the purposes set out in the application and/or forms. “Implied Consent” means the organization may assume that the individual consents to the information being used, retained and disclosed for the original purposes, unless notified by the individual. “Third Party” means a person or company that provides services to the CDC in support of the programs, benefits, and other services offered by the CDC, such as other lenders, credit bureaus, persons with whom the individual or client does business, but does not include any Government office or department to whom the CDC reports in the delivery of such programs, benefits or services.2.0 Purposes of Collecting Personal Information
Financial or Other Assistance Personal information is collected in order to assess the eligibility of the individual completing an application for financial or other assistance, as well as to report to Industry Canada. The individual is the main source of information but the CDC will also ask to obtain information directly from a third source where the individual does not have the required information. Only that information which is required to make a determination of an individual’s eligibility will be collected. Although the individual’s Social Insurance Number may be requested in the application for confirming identification of the individual to the credit reporting agency, provision of this personal information is optional. The individual may provide alternative forms of identification, such as date of birth and driver’s license number. Advertising When an individual accesses our website directly or indirectly, the CDC may serve them advertisements regarding goods and services that may be of interest based on information relating to their access to and use of the website. To do so, CDC or its service providers may place or recognize a unique cookie on the individual’s browser (alone or in conjunction with web beacons, pixel tags, or other tracking technologies). For more information about this practice and to learn about choices in connection with these practices, please visit: https://youradchoices.ca/choices/. CDC may also use Facebook Custom Audiences to deliver advertisements to Website Visitors on Facebook based on email addresses that have been collected. For more information about Facebook Custom Audiences please visit www.facebook.com/business/help/341425252616329, and to learn how to opt-out of receiving advertisements from CDC based on your email address please visit www.facebook.com/business/help/www/1415256572060999 or https://www.facebook.com/help/568137493302217?helpref=faq_content.3.0 Consent
An individual’s express, written consent will be obtained before or at the time of collecting personal information for financial or other assistance. The purposes for the collection, use or disclosure of the personal information will be provided to the individual at the time of seeking his or her consent. Once consent is obtained from the individual to use his or her information for those purposes, the CDC has the individual’s implied consent to collect or receive any supplementary information that is necessary to fulfil the same purposes. Express consent will also be obtained if, or when, a new use is identified. By signing the application and/or other forms, implied consent is granted by the individual to obtain and/or to verify information from third parties such as banks, credit bureaus, other lenders, and insurance companies in the process of assessing the eligibility of an individual or client. Implied consent is also granted by the individual to permit the CDC to report or otherwise disclose information to Industry Canada, the federal department that administers the Ontario Community Futures Program. An individual can choose not to provide some or all of the personal information at any time, but if the CDC is unable to collect sufficient information to validate the request for financing, the individual’s application for such financing may be turned down. A client or an individual can withdraw consent to the CDC’s use of personal information at any time prior to the application being approved, by making such request in writing. Once a loan has been approved, an individual cannot withdraw consent authorizing the CDC to use and disclose the personal information for the purposes set out in this Privacy Policy. Express consent will be obtained from the individual prior to disclosing the individual’s personal information to other lenders, credit insurers and credit bureaus. This Privacy Policy does not cover statistical data from which the identity of individuals cannot be determined. The CDC retains the right to use and disclose statistical data as it determines appropriate.4.0 Limiting Collection
Personal information collected will be limited to the purposes set out in this Privacy Policy, the CDC applications, and/or other forms.5.0 Limiting Use, Disclosure and Retention
5.1 Use of Personal Information
Personal information will be used for only those purposes to which the individual has consented with the following exceptions, as permitted under PIPEDA: The CDC will use personal information without the individual’s consent, where:- the organization has reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
- an emergency exists that threatens an individual’s life, health or security;
- the information is for statistical study or research;
- the information is publicly available;
- the use is clearly in the individual’s interest, and consent is not available in a timely way;
- knowledge and consent would compromise the availability or accuracy of the information, and
- collection is required to investigate a breach of an agreement.
5.2 Disclosure and Transfer of Personal Information
Personal information will be disclosed to only those CDC employees, members of the CDC committees, and the Board of Directors that need to know the information for the purposes of their work or making an assessment as to the individual’s eligibility to the loan program. Personal information will be disclosed to third parties with the individual’s knowledge and consent. PIPEDA permits the CDC to disclose personal information to third parties, without an individual’s knowledge and consent, to:- a lawyer representing the CDC;
- collect a debt owed to the CDC by the individual or client;
- comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction;
- a law enforcement agency in the process of a civil or criminal investigation;
- a government agency or department requesting the information; or,
- as required by law.