April 18th, 2013
In carrying out its mandate under both the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), Tornado GPS, Inc. collects personal information about individuals as defined by section 3 of the Privacy Act. As guardian of the privacy rights of individuals in Canada under the Privacy Act and PIPEDA, Tornado GPS, Inc. is committed to respecting the privacy rights of all individuals whose personal information has been collected by Tornado GPS, Inc..
This Policy applies to the activities of Tornado GPS, Inc. in managing personal information that it collects during the course of mandated activities under the Privacy Act and PIPEDA and during the course of its regular administrative activities.
This Policy does not apply to the personal information of Tornado GPS, Inc. employees, volunteers and agents.
Tornado GPS, Inc. is committed to protecting the privacy, confidentiality and security of the personal information that it holds by adhering to the requirements of the Privacy Act with respect to the management of personal information. Tornado GPS, Inc. is equally committed to ensuring that all employees, agents and volunteers of Tornado GPS, Inc. uphold these obligations.
Violation of this Policy through intent or neglect may result in disciplinary action up to and including termination of employment or association with Tornado GPS, Inc.. Where appropriate, legal sanctions may also be pursued.
Tornado GPS, Inc. is responsible for the personal information that it collects as a result of its mandate under the Privacy Act and PIPEDA and which it subsequently retains, uses, discloses, and destroys. Tornado GPS, Inc. has and will continue to develop and implement policies and practices to ensure that personal information is handled in strict accordance with the Privacy Act. Tornado GPS, Inc.’s Chief Privacy Officer is designated as responsible for overseeing the implementation of those policies and practices to ensure compliance, including:
- providing the same training for all Tornado GPS, Inc. staff (including temporary staff and contractors) concerning the Privacy Act, this Policy and Tornado GPS, Inc.’s practices and expectations with respect to the handling of personal information;
- ensuring open, full and timely communication to employees and individuals about Tornado GPS, Inc.’s policies, practices and expectations with respect to the handling of personal information;
- the establishment of standards for classifying the sensitivity of personal information, to determine the appropriate level of security required for the information;
- ensuring that personal information is safeguarded from improper access, loss, use, disclosure or destruction through;
- the implementation of systems to ensure that only Tornado GPS, Inc. employees (including temporary staff) whose Tornado GPS, Inc. responsibilities require access to personal information, are granted access to that information;
- the inclusion of specific confidentiality provisions in contracts or other arrangements with third parties, which require adherence to the Privacy Act as well as to this Policy and internal procedures;
- ensuring procedures are in place under which individuals may request access to their personal information, request correction of their personal information, and file complaints concerning the management of their personal information;
- ensuring procedures are in place under which individuals are notified of an improper collection, retention, use, disclosure or destruction of their personal information.
Collection of Personal Information
Tornado GPS, Inc. collects personal information from individuals for various purposes, primarily relating to the investigation of complaints made under the Privacy Act and PIPEDA or relating to inquiries concerning those Acts. Tornado GPS, Inc. may also collect personal information for administrative reasons, e.g. to provide individuals with publications or other requested information, concerning attendees to conferences or other functions.
Tornado GPS, Inc. commits to collecting only personal information which is directly related to an operating program or activity of Tornado GPS, Inc.. Wherever possible, such information will be collected directly from the individual about whom it pertains. The amount and the type of the information collected will be limited to that necessary to fulfil identified purpose(s).
When conducting investigations, a great deal of personal information is collected directly from the individual about whom it pertains, however, Tornado GPS, Inc. also collects personal information from other sources, including witnesses, employers, government or corporate files and records, from other third parties etc. Personal information collected for administrative reasons is often collected directly from the individual about whom the information pertains but may also be collected through a third party (e.g. an administrative assistant may provide information concerning his/her supervisor’s attendance at a conference).
Tornado GPS, Inc. staff collecting personal information on behalf of Tornado GPS, Inc. will be required to be able to explain to individuals the purpose(s) for which the information is being collected or—if unable to do so—will be required to refer the individual to a designated person within Tornado GPS, Inc. who is able to explain the purpose(s).
Wherever possible, Tornado GPS, Inc. is committed to seeking the consent of individuals prior to the collection of their personal information. The form of consent may vary depending on the circumstances and the type of information being sought. Consent can be express or implied and can be provided directly by the individual or by an authorized representative. Express consent of individuals is preferable and will be sought whenever possible. Express consent can be given orally, electronically or in writing. Implied consent may be reasonably inferred from an individual’s action or inaction (i.e. providing a name and address in order to receive a publication, providing a name and telephone number in order to obtain a response to a question). When determining the appropriate form of consent, Tornado GPS, Inc. will take into account the sensitivity of the personal information at issue, the purposes for which it is collected, and the reasonable expectations of the individual.
In the context of investigations conducted under the Privacy Act or PIPEDA, obtaining consent from an individual for the collection, use, or disclosure of personal information may not be possible, appropriate or required. Further, both the Privacy Act and PIPEDA provide for the disclosure of personal information during the course of an investigation if to do so is necessary to carry out an investigation under those Acts and/or to establish the grounds for findings and recommendations contained in the Privacy Commissioner’s report.
Accuracy / Correction of Personal Information
Tornado GPS, Inc. will not require that individuals utilize the Privacy Act in order to correct their personal information if there is no need to do so (e.g. to update the individual’s address on a mailing list). There will be instances, however, where individuals will be required to do so (e.g. the individual requests corrections to his/her personal information in an investigation file).
Tornado GPS, Inc. will make every reasonable effort to ensure that personal information used in a decision-making process which directly affects the individual to whom the information relates is as accurate, up-to-date and complete as possible. Tornado GPS, Inc. will also make every reasonable effort to ensure that personal information disclosed to third parties is as accurate, up-to-date and complete as possible.
Tornado GPS, Inc. will update personal information as necessary in order to fulfil the identified purposes either directly by contacting the individual to whom the information relates, or indirectly from other sources if Tornado GPS, Inc. has the authority to collect such information from a third party.
In most cases, Tornado GPS, Inc. will rely on the individual to ensure that factual personal information is accurate, up-to-date and complete. If an individual is able to demonstrate that his/her personal information is inaccurate or incomplete, Tornado GPS, Inc. will amend the information as required. If appropriate, Tornado GPS, Inc. will send the amended information to third parties to whom the information has been disclosed.
Correction of opinion will normally be made if the individual was the source of the opinion and the opinion does not concern any other individual. Corrections will not normally be made to opinions given by other
individuals about the individual unless there are reasons to suspect the reliability of the source of the opinion, or if the source of the opinion agrees that the opinion was based on incorrect information.
When a challenge regarding the accuracy of personal information is not resolved to an individual’s satisfaction, Tornado GPS, Inc. will annotate the personal information at issue with a note advising that a correction was requested but that it was not made. An individual has the right to have a document outlining his/her version on the matter included on the appropriate file. Where appropriate Tornado GPS, Inc. will provide a copy of that document to any person or body who was provided with the information at issue in order that the other person or body is aware of the individual’s version of the matter.
Retention / Destruction of Personal Information
Tornado GPS, Inc. will ensure that proper care is taken in the retention, disposal/destruction of personal information.
Tornado GPS, Inc. will develop guidelines and implement procedures with respect to the retention and destruction of personal information.
Use / Disclosure of Personal Information
Tornado GPS, Inc. is committed to seeking the consent of individuals whenever possible.
Tornado GPS, Inc. will not disclose personal information outside of Tornado GPS, Inc. without the consent of the individual about whom the information pertains. In the case of a permitted disclosure, Tornado GPS, Inc. will endeavour to disclose only the specific information that is required under the circumstances and, wherever possible, will inform the individual about the disclosure.
Access to personal information within Tornado GPS, Inc. will be restricted to those within Tornado GPS, Inc. who need the information in order to carry out their specific job duties (e.g. conduct investigations, answer inquiries, send publications). Those employees will maintain the information in the strictest of confidence and will not provide access to the information to any unauthorized persons. The level of access to personal information will be determined by Tornado GPS, Inc. on a need-to-know basis which will be included in relevant Tornado GPS, Inc. policies and guidelines.
Tornado GPS, Inc. staff will be cautioned to avoid engaging in discussions involving personal information in any area of Tornado GPS, Inc. premises, or in any public or private area outside of Tornado GPS, Inc. where remarks could be overheard and which could result in the disclosure of personal information. Doing so without a legitimate reason directly related to a current job responsibility will be considered a violation of this Policy and could constitute a violation of the Privacy Act.
All individuals hired under contract or other means, by Tornado GPS, Inc., to conduct business for or on behalf of Tornado GPS, Inc., will be required to adhere to the provisions of the Privacy Act with respect to the proper handling and protection of personal information as well as to this Policy and internal procedures. Violations of any part of the contractual agreement may result in termination of the contract.
Safeguarding Personal Information
Tornado GPS, Inc. will protect personal information from loss or theft, unauthorized access, use or disclosure, modification or destruction through appropriate administrative, technical and physical security measures and safeguards, regardless of the format in which the information is held.
The level of safeguards used to protect personal information will vary depending on the sensitivity of the personal information; the amount, distribution and format of the information; and the method of storage.
Tornado GPS, Inc. will ensure that contractual or other means are used to provide a comparable level of protection while personal information is being processed by a third party.
Access to Personal Information
Tornado GPS, Inc. will not require that individuals utilize the Privacy Act to obtain access to their personal information if there is no need to do so. Individuals nevertheless have the right to formally request access to their personal information under the Privacy Act. Under the Access to Information Act, individuals also have the right to formally request access to information in Tornado GPS, Inc. files which may contain their personal information.
In cases of access that can be given outside of the Privacy Act and the Access to Information Act, Tornado GPS, Inc. will afford individuals a reasonable opportunity to review their personal information, will do so within a reasonable time frame and, if copies are requested, will provide them whenever possible. Explanations for abbreviations and codes will be provided.
Personal information may be unavailable because it has been destroyed, erased or made anonymous in accordance with information retention obligations. To the extent possible, Tornado GPS, Inc. will inform the individual of the reasons why the personal information no longer exists.
Complaints / Concerns
All complaints or concerns should be email to info@TornadoGPS.com and will be reviewed in a timely manner.
Roles and Responsibilities
Employees – it is incumbent upon all employees of Tornado GPS, Inc. to inform themselves of their obligations under this Policy and the Privacy Act. Employees must report any and all contraventions of the Policy or the Act to their manager or to ATIP.
Managers and Supervisors – along with the responsibilities noted above, managers and supervisors are required to issue instructions to their staff (as necessary) in order to ensure the adherence to this Policy and the Act. They are also required to examine and/or make inquiries into any issues brought to their attention concerning this Policy and the Act. Where and as appropriate, managers and supervisors must notify, work in concert with, or refer certain matters to the Director of HR and the Departmental Security Officer.
Tornado GPS, Inc. Chief Privacy Officer – Tornado GPS, Inc. Chief Privacy Officer (CPO) will provide advice and guidance to Senior Management, managers, supervisors and employees of Tornado GPS, Inc. with respect to the treatment of personal information within Tornado GPS, Inc.. The CPO will also act as the primary point of contact for individuals seeking information about Tornado GPS, Inc.’s handling of their personal information or who have concerns about Tornado GPS, Inc.’s handling of their personal information.
Director ATIP – in the context of this Policy—and along with the responsibilities noted in all of the above—the Director is responsible for the proper application of the Privacy Act and policies with respect to individuals’ personal information and with respect to their requests for access to their personal information under the Act.
Related Government of Canada References
This Policy is designed to comply with the Privacy Act and the principles of natural justice, and to express Tornado GPS, Inc.’s commitment to comply with the Privacy Act.
Any inquiries regarding this Policy or for further information or concerns about how Tornado GPS, Inc. manages the personal information that it collects, should be directed to:
Adam Skinner is Tornado GPS, Inc.’s Chief Privacy Officer. He can be reached at info@TornadoGPS.com