PIPEDA Compliance
Updated August 2, 2020
US residents, please review our HIPAA compliance statement.
This privacy policy has been developed to comply with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA sets out rules for the collection, use and disclosure of personal information in the course of commercial activity as defined in the Act.
The Ten Principles of PIPEDA Summarized
The ten Principles of PIPEDA that form the basis of this Privacy Policy are as follows:
- Accountability: organizations are accountable for the personal information they collect, use, retain and disclose in the course of their commercial activities, including, but not limited to, the appointment of a Chief Privacy Officer;
- Identifying Purposes: organizations are to explain the purposes for which the information is being used at the time of collection and can only be used for those purposes;
- Consent: organizations must obtain an Individual’s express or implied consent when they collect, use, or disclose the individual’s personal information;
- Limiting Collection: the collection of personal information must be limited to only the amount and type that is reasonably necessary for the identified purposes;
- Limiting Use, Disclosure and Retention: personal information must be used for only the identified purposes, and must not be disclosed to third parties unless the Individual consents to the alternative use or disclosure;
- Accuracy: organizations are required to keep personal information in active files accurate and up-to-date;
- Safeguards: organizations are to use physical, organizational, and technological safeguards to protect personal information from unauthorized access or
- Openness: organizations must inform their clients and train their employees about their privacy policies and procedures;
- Individual Access: an individual has a right to access personal information held by an organization and to challenge its accuracy if need be; and
- Provide Recourse: organizations are to inform clients and employees of how to bring a request for access, or complaint, to the Chief Privacy Officer, and respond promptly to a request or complaint by the Individual.
This Privacy Policy applies to ESAD INT’L’s Board of Directors, members, employees and contracted employees.
Definitions
“Personal information” means any information about an identifiable individual. It includes, without limitation, information relating to identity, nationality, age, gender, address, telephone number, e- mail address, Social Insurance Number, date of birth, marital status, education, employment health history as well as certain personal opinions or views of an Individual.
1.0 Purposes of Collecting Personal Information
Personal information is collected in order to assess the eligibility of the individual completing an application for Emotional Support Animal documentation. The individual is the main source of information.
2.0 Consent
An individual’s express, written consent will be obtained before or at the time of collecting personal information. The purposes for the collection, use or disclosure of the personal information will be provided to the individual at the time of seeking his or her consent.
This Privacy Policy does not cover statistical data from which the identity of individuals cannot be determined. ESAD INT’L retains the right to use and disclose statistical data as it determines appropriate.
3.0 Limiting Collection
Personal information collected will be limited to the purposes set out in this Privacy Policy, ESAD INT’L applications, and/or other forms.
4.0 Limiting Use, Disclosure and Retention
4.1 Use of Personal Information
Personal information will be used for only those purposes to which the individual has consented with the following exceptions, as permitted under PIPEDA:
ESAD INT’L will use personal information without the individual’s consent, where:
- the organization has reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
- an emergency exists that threatens an individual’s life, health or security;
- the information is for statistical study or research;
- the information is publicly available;
- the use is clearly in the individual’s interest, and consent is not available in a timely way;
- knowledge and consent would compromise the availability or accuracy of the information, and
- collection is required to investigate a breach of an
4.2 Disclosure and Transfer of Personal Information
Personal information will be disclosed to only those ESAD INT’L employees, members of ESAD INT’L committees, and the Board of Directors that need to know.
Personal information will be disclosed to third parties with the individual’s knowledge and consent.
PIPEDA permits ESAD INT’L to disclose personal information to third parties, without an individual’s knowledge and consent, to:
- a lawyer representing ESAD INT’L;
- comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction;
- a law enforcement agency in the process of a civil or criminal investigation;
- a government agency or department requesting the information; or,
- as required by
PIPEDA permits ESAD INT’L to transfer personal information to a third party, without the individual’s knowledge or consent, if the transfer is simply for processing purposes and the third party only uses the information for the purposes for which it was transferred. ESAD INT’L will ensure, by contractual or other means, that the third party protects the information and uses it only for the purposes for which it was transferred.
4.3 Retention of Personal Information
Personal information will be retained in client files as long as the file is active and for such periods of time as may be prescribed by applicable laws and regulations.
Information will be retained for a period of seven (7) years.
5.0 Accuracy
ESAD INT’L endeavours to ensure that any personal information provided by the individual in his or her active file(s) is accurate, current and complete as is necessary to fulfill the purposes for which the information has been collected, used, retained and disclosed. Individuals are requested to notify ESAD INT’L of any change in personal or business information.
Information contained in inactive files is not updated.
6.0 Safeguards
ESAD INT’L will use physical, organizational, and technological measures to safeguard personal information to only those ESAD INT’L employees, volunteers, or third parties who need to know this information for the purposes set out in this Privacy Policy.
Physical Safeguards: Active files are stored in locked filing cabinets when not in use. Access to work areas where active files may be in use is restricted to ESAD INT’L employees only and authorized third parties.
All inactive files or personal information no longer required are shredded prior to disposal to prevent inadvertent disclosure to unauthorized persons.
Technological Safeguards: Personal information contained in ESAD INT’L computers and electronic data bases are password protected in accordance with ESAD INT’L’s Information Security Policy. Access to any of the ESAD INT’L’s computers also is password protected. ESAD INT’L’s Internet router or server has firewall protection sufficient to protect personal and confidential business information against virus attacks and “sniffer” software arising from Internet activity. Personal information is not transferred to volunteer committee members, the Board of Directors, or third parties by e-mail or other electronic form.
7.0 Openness
ESAD INT’L will endeavour to make its privacy policies and procedures known to the individual via this Privacy Policy as well as the ESAD INT’L Privacy Statement.
8.0 Individual Access
An Individual who wishes to review or verify what personal information is held by ESAD INT’L, or to whom the information has been disclosed (as permitted by the Act), may make the request for access, in writing, to the ESAD INT’L’s Chief Privacy Officer. Upon verification of the individual’s identity, the Chief Privacy Officer will respond within 60 days.
If the individual finds that the information held by ESAD INT’L is inaccurate or incomplete, upon the individual providing documentary evidence to verify the correct information, ESAD INT’L will make the required changes to the individual’s active file(s) promptly.
9.0 Complaints/Recourse
If an individual has a concern about ESAD INT’L’s personal information handling practices, a complaint, in writing, may be directed to ESAD INT’L’s Chief Privacy Officer.
Upon verification of the individual’s identity, ESAD INT’L’s Chief Privacy Officer will act promptly to investigate the complaint and provide a written report of the investigation’s findings to the individual.
Where ESAD INT’L’s Chief Privacy Officer makes a determination that the individual’s complaint is well founded, the Chief Privacy Officer will take the necessary steps to correct the offending information handling practise and/or revise ESAD INT’L’s privacy policies and procedures.
Where ESAD INT’L’s Chief Privacy Officer determines that the individual’s complaint is not well founded, the individual will be notified in writing.
If the individual is dissatisfied with the finding and corresponding action taken by ESAD INT’L’s Chief Privacy Officer, the individual may bring a complaint to the Federal Privacy Commissioner at the address below:
The Privacy Commissioner of Canada Website:
www.priv.gc.ca
112 Kent Street
Place de Ville Tower B, 3rd Floor
Ottawa, Ontario K1A 1H3 Toll Free 1-800-282-1376
Email [email protected]
Questions/Access Request/Complaint
Any questions regarding this or any other privacy policy of ESAD INT’L may be directed to the Chief Privacy Officer. Requests for access to information, or to make a complaint, are to be made in writing and sent to the Chief Privacy Officer at the address below:
Chief Privacy Officer
ESAD International
980 N. Federal Highway, #110
Boca Raton, FL 33432
or
Email address: [email protected]