Orillia Power Corporation is committed to maintaining the accuracy, confidentiality, security and privacy of customer personal information.
In March 1996, the new Canadian Standards Association Model Code for the Protection of Personal Information, CAN/CSA-Q830-96 (the CSA Code), was published as a National Standard of Canada. Orillia Power Corporation subscribes to the principles of the CSA Code. Furthermore, in light of the requirements of the Personal Information Protection and Electronic Documents Act and any other applicable provincial legislation (collectively the Privacy Legislation), Orillia Power has created certain documents and procedures, including this Policy, as may be updated from time to time.
Summary of Principles
The following are the ten internationally accepted principles that lie at the core of organizational responsibilities for safeguarding personal information:
- Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with privacy principles.
- Identifying Purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
- Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
- Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
- Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information must be retained only as long as necessary for the fulfillment of those purposes.
- Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
- Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
- Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- Individual Access: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
- Collection – the act of gathering, acquiring, recording or obtaining personal information from any source, including third parties, by any means.
- Consent – voluntary agreement of an individual to the collection, use and disclosure of personal information for defined purposes. Consent can be either express or implied and can be provided directly by the individual or through an authorized representative of the individual. Express consent can be given orally, electronically or in writing but is always unequivocal and does not require any inference on the part of Orillia Power. Implied consent is consent that can reasonably be inferred from an individual’s action or inaction.
- Customer – an individual who uses or applies to use the services of Orillia Power.
- Disclosure – making personal information available to a third party.
- Personal Information – information about an identifiable individual. For a customer, personal information includes a customer’s credit information, billing records, service and equipment, and any recorded complaints.
- Third party – an individual other than the customer or his agent, or an organization other than Orillia Power.
- Use – the treatment, handling, and management of personal information by Orillia Power.
Distinctions among Privacy, Security and Confidentiality:
Privacy relates to people, process and accountability. It gives individuals control over their personal information and allows them to grant permission to an organization for the collection, use, disclosure and retention of that information.
Security is the essential component for preventing the inadvertent release of personal information. Security also relates to the availability and integrity of personal information.
Confidentiality addresses the disclosure of personal information.
Principle 1 – Accountability
Orillia Power is accountable for all personal information in its possession or control and shall designate one or more persons who will be responsible for the company’s compliance.
- The President of Orillia Power has ultimate responsibility for the protection of personal information of customers. The President may delegate the day-to-day operational privacy responsibilities to another individual. All staff share responsibility for adhering to Orillia Power’s privacy policies and procedures.
- Orillia Power is responsible for personal information in its possession or control, including any personal information that has been transferred to a third party for processing. Orillia Power will use contractual or other means to provide a comparable level of protection of personal information while such information is being processed by a third party.
- implementing procedures to protect personal information and to oversee the company’s compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA);
- establishing procedures to receive and respond to inquiries or complaints with respect to an individual’s personal information; and
- training staff and communicating to staff about the company’s privacy policies and practices.
Principle 2 – Identifying Purposes
- Identifying the purposes for which personal information is collected at or before the time of collection allows Orillia Power to determine the information needed to fulfill these purposes. Orillia Power collects personal information only for the following purposes:
- to establish and maintain responsible commercial relationships with customers and to provide ongoing service; and
- to meet all of its legal and regulatory requirements.
- Orillia Power shall specify, either orally, in writing or electronically, all identified purposes for the collection, use and disclosure of personal information to the customer at the time such personal information is collected.
- Those responsible for collecting personal information should be able to explain to individuals the purposes for which the information is being collected. In certain circumstances, the customer may be referred to a designated person within Orillia Power who can explain those purposes in greater detail.
- Unless required by law, Orillia Power shall not use or disclose, for any new purpose, personal information that has already been collected without first identifying and documenting the new purpose and obtaining the consent of the customer.
Principle 3 – Consent
The knowledge and consent of a customer are required for the collection, use or disclosure of personal information, except where inappropriate.
- In certain circumstances, personal information may be collected, used or disclosed without the knowledge and consent of the individual. For example, some legal, medical or security reasons may make it impossible or impractical to seek consent. Orillia Power may collect, use or disclose personal information without an individual’s knowledge or consent only in limited circumstances as permitted by law. Orillia Power may use or disclose personal information without the individual’s knowledge or consent if it is clearly in the individual’s best interests to do so and consent cannot be sought in a timely manner. An example of such circumstances is in the case of an emergency where the life, health or security of an individual is threatened.
- This principle requires “knowledge and consent” of an individual for the collection, use or disclosure of their personal information. In obtaining consent, Orillia Power shall use reasonable efforts to ensure that a customer is advised of all the identified purposes for which personal information will be used or disclosed. These purposes shall be stated in a manner that can be reasonably understood by the customer.
- Generally, Orillia Power shall seek an individual’s consent for use and disclosure of personal information before or when it collects, uses or discloses personal information. In certain circumstances, Orillia Power may seek an individual’s consent to use and disclose personal information after it has been collected but before it is used or disclosed for a purpose not previously identified.
- Orillia Power may require customers to consent to the collection, use or disclosure of certain personal information in order to provide the individual with electricity services.
- In determining an appropriate form of consent, Orillia Power shall take into account the sensitivity of the personal information and also the reasonable expectations of its customers with respect to the protection, collection, use and disclosure of their personal information.
- A customer may refuse or withdraw consent at any time, subject to legal or contractual restrictions, and reasonable notice. Customers may contact Orillia Power for more information regarding the withdrawal of consent and any implications of such withdrawal.
Principle 4 – Limiting Collection
Orillia Power shall limit the amount and type of personal information it collects to that which is necessary for the purposes identified by the company. Orillia Power shall collect personal information using procedures that are fair and lawful.
- Orillia Power shall collect only the amount and type of information needed for the purposes documented by Orillia Power and identified to the individual.
- The requirement that personal information be collected through fair and lawful means is intended to prevent Orillia Power from collecting information by misleading or deceiving individuals about the purposes for which the information is being collected.
Principle 5 – Limiting Use, Disclosure and Retention
Orillia Power shall not use or disclose personal information for purposes other than those for which it was collected, unless consent is given by the individual to use or disclose it for another purpose or as required by law. Orillia Power shall retain personal information only as long as necessary for the identified purposes.
- If Orillia Power uses personal information for a new purpose, it will document this purpose.
- With the consent of the customer, Orillia Power may disclose a customer’s personal information to the following:
- an agent retained by Orillia Power in connection with the collection of the customer’s account;
- credit grantors and reporting agencies;
- a person who, in the reasonable judgment of Orillia Power, is seeking the information as an agent of the customer; and
- any other third party or parties, where the customer has provided consent to such disclosure or disclosure as required by law.
- Orillia Power shall maintain reasonable and systematic controls, schedules and practices for the protection of personal information. Record retention, which shall include minimum and maximum retention periods, and destruction, shall apply to personal information. Information that is no longer necessary or relevant for the identified purposes for which it was collected or required by law to be retained shall be destroyed.
- Orillia Power will keep personal information only as long as necessary for the identified purposes.
- Personal information that is no longer required to fulfil the identified purposes will be destroyed, erased or made anonymous. Orillia Power will develop guidelines and implement procedures to govern the destruction of personal information.
- Only those employees of Orillia Power who require access for business reasons or whose duties reasonably so require are granted access to personal information about customers.
Principle 6 – Accuracy
Orillia Power will keep the personal information in its possession or control accurate, complete, current and relevant based on the most recent information provided to Orillia Power.
- Personal information used by Orillia Power shall be sufficiently accurate, complete, current and relevant to minimize the possibility that inappropriate information may be used to make a decision about a customer.
- Orillia Power shall update personal information about customers only if it is necessary for the purposes for which it was collected or upon notification by the individual requesting that their personal information be updated or amended.
Principle 7 – Safeguards
Orillia Power shall protect personal information with security safeguards appropriate to the sensitivity of the information.
- Orillia Power shall protect personal information from loss or theft, unauthorized access, disclosure, copying, use, modification or destruction through appropriate security measures. Orillia Power shall protect all personal information regardless of the format in which it is held.
- The nature of the safeguards will vary depending on the sensitivity of the information, amount, distribution, format and the method of storage of the personal information. Orillia Power will give the highest level of protection to the most sensitive personal information.
- The methods of protection shall include:
- Physical security, such as locked filing cabinets and restricted access to offices;
- Organizational security, such as security clearances and limiting access on a “need to know” basis; and
- Technological security, such as the use of passwords and encryption.
- Orillia Power will make all of its employees aware of the importance of maintaining the confidentiality of personal information.
Principle 8 – Openness
Orillia Power shall make readily available to customers specific information about its policies and practices relating to the management of personal information.
- Orillia Power will be open about the policies and practices used to manage personal information. Individuals will have access to information about these policies and procedures. This information will be available in a format that is easy to understand.
- Orillia Power shall make the following information about its privacy policies and practices available:
- the name, title and address of the Corporate Privacy Officer accountable for the Orillia Power privacy policies and practices and to whom inquiries or complaints can be forwarded;
- how to gain access to personal information held by Orillia Power;
- a description of the type of personal information held by Orillia Power including a general account of its use; and
- a copy of any brochure or other information that explains Orillia Power’s privacy policies, standards or codes.
- Orillia Power may make information on its privacy policies and practices available in a variety of ways, including brochures at its place of business, online access, a mailing to customers or through a toll-free telephone number.
Principle 9 – Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information in Orillia Power’s possession and shall be given access to that information.
A customer shall be able to challenge the accuracy and completeness of the information and have it amended where necessary.
In certain situations, Orillia Power may not be able to provide access to all the personal information it holds about an individual. However, such exceptions to the access requirement are limited and specific. Exceptions may include information that is prohibitively expensive to provide, information that contains references to other individuals and information that cannot be disclosed for legal, security or commercial proprietary reasons.
- Upon request, Orillia Power shall inform an individual of the personal information that Orillia Power has in its possession or control about that individual.
- Upon request, Orillia Power shall provide an account of the use and disclosure of such personal information and, where reasonable and possible, shall state the source of the information.
- In order to safeguard personal information, a customer may be required to provide sufficient information to properly identify themselves, so that Orillia Power can be assured that it is providing information with respect to the existence, use and disclosure of personal information, and authorizing access to an individual’s file, to the right individual. Any information provided for identification purposes shall only be used for such purpose.
- In providing a list of third parties to which Orillia Power has disclosed personal information about a customer, Orillia Power will provide as much information as possible to the customer. When it is not possible to provide a list of third parties to which it has actually disclosed information about an individual, Orillia Power shall provide a list of third parties to which it may have disclosed information about the individual.
- Orillia Power shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file. Where appropriate, Orillia Power may disclose or share with third parties that have access to such personal information any amended information and identify the existence of any unresolved differences.
Principle 10 – Challenging Compliance
- Orillia Power shall maintain procedures for receiving, addressing and responding to all inquiries or complaints from its customers relating to its handling of personal information.
- Orillia Power shall inform its customers about the existence of these procedures as well as the existence of complaint mechanisms.
- If individuals are not satisfied with the way Orillia Power has responded to their complaint, they can contact the Privacy Commissioner of Canada at (613) 995-8210.