Sysmarc’s Privacy Code is based on the Privacy Principles that establish the minimum requirements for the protection of personal information provided by customers and employees. The Privacy Code applies to personal information about customers and employees of Sysmarc that we collect, use or disclose.
Personal Information does not include information that is publicly available, such as a customer’s name, address, telephone number, when listed in a directory or any other similar sources. The name, title or business address and telephone number of an employee is not considered personal information.
1.1 Sysmarc is responsible for all customer and employee personal information in its possession and under its control. Sysmarc has designated its Vice President as Privacy Officer to oversee the organization’s compliance with its privacy code and the federal Privacy Act. There maybe other individuals within Sysmarc who are designated with the responsibility for day-to-day collection and management of customer and employee personal information.
1.2 Sysmarc has established policies and procedures to implement and comply with its Privacy Code, including procedures relating to the collection, handling, storage and destruction of personal information. Sysmarc’s staff has been provided the requisite education and training to protect personal information and to deal with complaints on privacy issues.
1.3 Sysmarc is not responsible for any personal information transferred to third parties for processing on its behalf. Sysmarc uses contractual means to provide an appropriate level of protection for such transferred information.
2. Identifying the purposes for collection of personal information
2.1 Generally, Sysmarc collects personal information from customers for the following purposes:
for the purpose of collecting a debt owed by the individual to Sysmarc;required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;made to a government institution or part of a government institution or an investigative body that has made a request for the information and identified its lawful authority to obtain the information.made to a person who needs the information because of an emergency that threatens the life, health or security of an individual and, if the individual whom the information is about is alive, the organization informs that individual in writing without delay of the disclosure;of information that is publicly available and is specified by the regulations;made by an investigative body and the disclosure is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;required by law.
4. Limiting collection of personal information4.1 Sysmarc will collect only the amount and type of personal information needed for the purposes it has identified. Personal information is collected by fair and lawful means.4.2 Although Sysmarc will collect personal information primarily from customers and employees, it may also collect personal information from other sources including credit bureaus, or other third parties who represent that they have the right to disclose the information.
5. Limiting use, disclosure and retention of personal information5.1 The personal information that Sysmarc collects is used or disclosed only for the purposes for which it was collected, unless the individual gives consent or as required by law. Sysmarc may disclose personal information without consent when it is required to do so by law, e.g. subpoenas, search warrants, other court and government orders, or demands from other parties who have a legal right to personal information, or to protect the security and integrity of its network or system. In such circumstances, the interests of the individual is protected by ensuring that:orders or demands appear to comply with the laws under which they were issued; and
Sysmarc discloses only the personal information that is legally required, and nothing more.
The customer or employee may be notified that an order requiring disclosure has been received, if the law allows it.5.2 Only employees with a business need-to-know, or whose duties so require, are granted access to customer and employee personal information.5.3 Sysmarc will retain personal information only as long as necessary to fulfill the identified purposes. Depending on the circumstances, personal information used to make a decision about a customer or employee is kept long enough to allow the customer or employee access to the information after the decision has been made.5.4 Sysmarc has established reasonable guidelines and procedures for information and records retention, and any personal information no longer needed for its identified purposes or for legal requirements will be destroyed, erased or made anonymous within a reasonable period of time
6. Ensuring accuracy of personal information6.1 Personal information collected by Sysmarc will be kept as accurate, complete and as up-to-date as necessary for the identified purposes. Sysmarc will rely exclusively on the representation provided by individuals in determining the completeness, accuracy, and timeliness of the personal information and will have no obligation to seek independent verification of any personal information supplied by the individual.
7. Safeguarding personal information7.1 Sysmarc will protect personal information with safeguards appropriate to the sensitivity of the information. Sysmarc has implemented appropriate safeguards to protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction. Sysmarc’s employees are made aware of the need to maintain the confidentiality of all personal information.
9. Providing access to personal information9.1 When customers or employees request it, Sysmarc will disclose to them what personal information Sysmarc has about the customer or employee, what it is being used for, and to whom it has been disclosed, and will give them reasonable access to their information. Sysmarc will provide a list of the third parties to which it may have disclosed the personal information when it is not possible to provide an actual list. Wrong or incomplete information will be amended and the amended information transmitted to third parties where appropriate. Any dispute over amending a file will be recorded and details of disputed data provided to third parties where appropriate.9.2 In certain situations, however, Sysmarc may not be able to give customers or employees access to all personal information it holds about the customer or employee. This may, for example, be the case when the information is unreasonably costly to provide, the information contains references to other individuals, the information cannot be disclosed for legal, security or commercial proprietary reasons or the information is subject to solicitor-client or litigation privilege. Sysmarc will explain the reasons for denying access in writing, and the recourse available to the customer or employee.9.3 Sysmarc will make reasonable efforts to respond to an individual’s request for access to his or her personal information no later than 30 days after receipt of the written request, and at minimal or no cost. The individual will be informed of any extensions to the time limit and his or her right to complain to the Privacy Commissioner.9.4 Sysmarc may not provide access to personal information to an individual if doing so would likely reveal personal information about a third party, unless:the information about the third party can be severed from the record containing the information about the individual, in which case it will be severed prior to providing the access; orthe third party consents to the access; orthe individual needs the information because an individual's life, health or security is threatened.9.5 Access to personal information will not be given if:the information is protected by solicitor-client privilege;to do so would reveal confidential commercial information;to do so could reasonably be expected to threaten the life or security of another individual; orthe information was generated in the course of a formal dispute resolution process.9.6 A customer can obtain information or seek access to his or her personal information by contacting a Sysmarc representative at any of Sysmarc’s offices.9.7 An employee can obtain information or seek access to his or her individual personal file by contacting his or her immediate supervisor at work.
10. Handling complaints and questions10.1 Customers or employees may challenge Sysmarc’s compliance with its Privacy Code. Sysmarc has implemented an internal escalation policy to deal with the receipt, investigation and responses to complaints and questions regarding privacy issues.10.2 All complaints and questions will be responded to in a timely manner under the circumstances. All complaints will be investigated and appropriate measures taken to correct deficient policies and practices. Customers or employees have the right to contact the Privacy Commissioner in the event of any dispute.If the Privacy Officer is unable to resolve the issue, a written complaint may be filed with the federal Privacy Commissioner