Protecting the privacy and confidentiality of personal information is an important aspect of the way that wrksourcing conducts its business. Collecting, using, and disclosing personal information in an appropriate, responsible, and ethical manner is fundamental to wrksourcing’s daily operations.
wrksourcing strives to protect and respect the personal information of its customers, employees, business partners, etc. in accordance with all applicable regional and federal laws. Each staff member of wrksourcing must abide by this organization’s procedures and practices when handling personal information.
Personal information is defined as any identifying information about an individual or group of individuals, including name, date of birth, address, phone number, e-mail address, social insurance/security number, nationality, gender, health history, financial data, credit card numbers, bank account numbers, assets, debts, liabilities, payment records, credit records, loan records, opinions, and personal views.
Business information refers to: wrksourcing, business address, business telephone number, name(s) of owner(s), executive officer(s), and director(s), job titles, business registration numbers, and financial status. Business information is treated and handled with the same level of confidentiality, privacy, and respect as personal information.
Consent occurs and is obtained when an individual signs an application or other form containing personal information, thereby authorizing wrksourcing to collect, use, and disclose the individual’s personal information for the purposes stated on the form or in the Appropriate Use section of this policy.
- wrksourcing collects and uses personal information solely for the purpose of conducting business and developing an understanding of its customers. wrksourcing hereby asserts that personal information will only be used for the following purposes:
- Customer & Vendor Setup and Contact
- Hashed/encrypted email/device list uploads for digital advertising targeting
- wrksourcing assumes full accountability for the personal information within its possession and control. This organization has appointed the CEO as custodian of all privacy matters and legal compliance with privacy laws.
- wrksourcing obtains personal information directly from the individual to whom the information belongs. Individuals are entitled to know how wrksourcing uses personal information and this organization will limit the use of any personal information collected only to what is needed for those stated purposes. wrksourcing will obtain individual consent if personal information is to be used for any other purpose. wrksourcing will not use that information without the consent of the individual.
- wrksourcing will retain personal information only for the duration it is needed for conducting business. Once personal information is no longer required, it will be destroyed in a safe and secure manner. However, certain laws may require that certain personal information be kept for a specified amount of time. Where this is the case, the law will supersede this policy.
- wrksourcing vows to protect personal information with the appropriate security measures, physical safeguards, and electronic precautions. wrksourcing maintains personal information through a combination of paper and electronic files. Where required by law or disaster recovery/business continuity policies, older records may be stored in a secure, offsite location.
- Access to personal information will be authorized only for the employees and other agents of wrksourcing who require the information to perform their job duties, and to those otherwise authorized by law.
- wrksourcing’s computer and network systems are secured by complex passwords. Only authorized individuals may access secure systems and databases.
- Routers and servers connected to the Internet are protected by a firewall, and are further protected against virus attacks or “snooping” by sufficient software solutions.
- Personal information is not transferred to volunteers, summer students, interns, or other non-paid staff by e-mail or any other electronic format.
Website Privacy Procedures
- Personally identifiable information about the individual that is collected from the website or through affiliate sites.
- Information about the organization collecting the data.
- How the data will be used.
- With whom the data may or may not be disclosed.
- The options available to the individual regarding the collection, use, and disclosure of personal information.
- The information technology security procedures in place that protect against the destruction, loss, theft, alteration, or misuse of personal information under wrksourcing’s possession and control.
- How an individual may access and correct any inaccuracies in his/her personal information.
- wrksourcing does not collect personally identifiable information from any individual known to be under the age of thirteen (13).
- wrksourcing may share compiled demographic information with its business partners and/or advertisers, but no personal information that can identify any individual person shall be disclosed.
- This website may contain links to other sites, but wrksourcing is not responsible for the privacy practices of other organizations’ sites.
- While IP addresses will be logged in order to administer the site, track visitor movement, and gather demographic information, these IP addresses will not be linked to any personally identifiable information.
- Any registration or order form asking site visitors to enter personal or financial information will be protected by SSL encryption.
- Site visitors are given the choice to opt out of having their personal information used at the point where the information is gathered.
- In most instances, wrksourcing will grant individuals access to their personal information upon presentation of a written request and satisfactory identification. If an individual finds errors of fact with his/her personal information, the individual should notify wrksourcing as soon as possible to make the appropriate corrections. Should wrksourcing deny an individual’s request for access to his/her personal information, wrksourcing will advise in writing of the reason for such a refusal. The individual may then challenge the decision.
- wrksourcing may use personal information without the individual’s consent under particular circumstances. These situations include, but are not limited to:
- wrksourcing is under obligation by law to disclose personal information in order to adhere to the requirements of an investigation of the contravention of a regional or federal law, under the purview of the appropriate authorities.
- An emergency exists that threatens an individual’s life, health, or personal security.
- The personal information is for in-house statistical study or research.
- The personal information is already publicly available.
- Disclosure is required to investigate a breach of contract.
PIPEDA Compliance Policy
The Personal Information Protection and Electronic Documents Act (PIPEDA) establishes rules to govern the collection, use, and disclosure of personal information in a manner that recognizes the right to privacy of individuals’ personal information and the need of organizations to collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. wrksourcing is committed to protecting and respecting the personal information of its customers, employees, business partners, and all other entities it interacts with in accordance with PIPEDA. This policy will provide guidelines to ensure that wrksourcing remains compliant with PIPEDA requirements.
Breach of security safeguards: The loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards, or from a failure to establish those safeguards.
Personal information: Information about an identifiable individual.
Security safeguards: Security safeguards include the following:
Physical measures: for example, locking filing cabinets and restricting access to offices;
Organizational measures: for example, security clearances and limiting access on a “need-to-know” basis; and
Technological measures: for example, the use of passwords and encryption.
Significant harm: Includes bodily harm; humiliation; damage to reputation or relationships; loss of employment, business, or professional opportunities; financial loss; identity theft; negative effects on a credit record; and damage to or loss of property.
All definitions sourced from PIPEDA.
wrksourcing has implemented these guidelines to ensure continuing compliance with PIPEDA requirements. The personal information of wrksourcing employees, customers, clients, business partners, and so on will be managed to meet the following PIPEDA requirements:
All personal information in wrksourcing possession or custody must be protected appropriately.
Individuals must be informed as to why personal information is being collected.
Consent must be obtained for the collection and use of information.
The consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose, and consequences of the collection, use, or disclosure of the personal information.
Personal information may only be collected without consent if:
The collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;
The personal information was produced by the individual in the course of their employment, business, or profession, and the collection is consistent with the purposes for which the information was provided;
The collection is made for the purpose of making a disclosure; or
Any other reason as defined in PIPEDA section 7(1).
Individuals have the right to withdraw their consent.
Personal information collected is only collected, used, or disclosed for purposes that a reasonable person would consider appropriate in the circumstances.
Personal information is used only for the purposes for which it was collected, except with the consent of the individual or as required by law.
Personal information is retained only for the period of time that it is reasonably required.
Personal information that is no longer required is destroyed in a safe, secure, and effective manner (for example, shredding).
All personal information collected is accurate.
Individuals are allowed access to their personal information, and to make corrections as appropriate.
Appropriate security and safeguards are employed for the protection of personal information.
Access to personal information is limited to authorized personnel who have a legitimate need to access the information.
Consent must generally be obtained before the release of personal information to any third party.
Consent to disclose personal information to a third party is not required if:
wrksourcing has reasonable grounds to believe that the information could be useful in the investigation of a contravention of the laws of Canada, a province or territory, or a foreign jurisdiction, and the information is used for the purpose of investigating that contravention;
It is used for the purpose of acting in respect to an emergency that threatens the life, health, or security of an individual;
The information was produced by the individual in the course of their employment, business, or profession, and the use is consistent with the purposes for which the information was produced; or
Any other circumstances as defined in PIPEDA section 7(2) are met.
The forms of information being collected must be identified and communicated to the individual, as well as the rationale for the collection of these forms of information.
Individuals must be notified and consent must be obtained before using personal information for any reason other than those provided at the time of collection.
In addition to the above requirements, wrksourcing will designate a representative to hold accountability for the organization’s compliance with PIPEDA. The representative will hold responsibility for the management of the personal information policies and procedures of wrksourcing.
The representative shall be Tyler Cameron (CEO).
The PIPEDA representative shall be responsible for:
Developing and implementing policies and practices under PIPEDA, including:
Procedures that address the collection, use, retention, destruction, and management of personal information;
Procedures for protecting personal information in all formats;
Procedures for complaints and inquiries; and
Staff training on PIPEDA obligations.
Using privacy agreements and contracts to ensure the protection of personal information where the information must be provided to a third party.
Reviewing policies, practices, and procedures annually or as needed, making appropriate revisions.
Breaches of Security Safeguards
If wrksourcing becomes aware of a breach of our security safeguards that compromises the privacy of the personal information retained by the company, the following action shall be taken:
The CEO is responsible for coordinating the response to the breach and ensuring that all reasonable action is taken to address the breach.
The CEO will notify the privacy commissioner of Canada of the breach in the prescribed form and manner as soon as feasible once wrksourcing has determined that a breach has occurred. wrksourcing will also submit any new information that the company becomes aware of after having made the report.
The CEO will notify any affected individuals of the breach in the prescribed form and manner as soon as feasible.
wrksourcing will comply to the greatest extent possible and in a timely manner with any requests, orders, or other instructions from the Office of the Privacy Commissioner of Canada in order to respond to and address the security breach.
wrksourcing will maintain records of every breach of security safeguards, and will provide the privacy commissioner of Canada with access to or a copy of a record of a breach at the request of the commissioner.
As per the Breach of Security Safeguards Regulations, the report submitted to the privacy commissioner will contain:
A description of the circumstances of the breach and if known the cause;
The date on which or the period during which the breach occurred or if neither is known the approximate period;
A description of the personal information that is the subject of the breach to the extent that the information is known;
The number of individuals affected by the breach or if unknown the approximate number;
A description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;
A description of the steps that the organization has taken or intends to take to notify affected individuals of the breach in accordance with subsection 10.1(3) of PIPEDA; and
The name and contact information of a person who can answer the commissioner’s questions about the breach on behalf of the organization.
Notifying Affected Individuals
Determining Whether a Real Risk of Significant Harm Exists
wrksourcing will assess the following factors when determining whether a security breach constitutes a real risk of significant harm to an individual or individuals:
The sensitivity of the personal information involved in the breach;
The probability that the personal information has been, is being, or will be misused; and
Any other prescribed factor.
The CEO is responsible for ensuring that all individuals for whom the breach creates a real risk of significant harm are notified at the earliest available opportunity, subject to any legal restrictions, in a form of communication that a reasonable person would consider appropriate in the circumstances. As per the regulation, notifications shall contain sufficient information to allow the individual to understand the significance to them of the breach, including:
A description of the circumstances of the breach;
The date on which or period during which the breach occurred or if neither is known the approximate period;
A description of the personal information that is the subject of the breach to the extent that the information is known;
A description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
A description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm;
Contact information that the affected individual can use to obtain further information about the breach; and
Any other prescribed information.
The notice shall be conspicuous and given directly or indirectly to the individual in the prescribed form and manner as legislatively required as the situation dictates.
In addition to the individuals affected by the breach, wrksourcing may notify other parties of the breach or disclose personal information relating to the breach, subject to the following guidelines:
wrksourcing will notify other organizations, government institutions, or parts of government institutions if wrksourcing believes that doing so can reduce or mitigate the harm from the breach.
wrksourcing may disclose personal information without the knowledge or consent of the individual if:
The disclosure is made to the other organization, the government institution, or the part of a government institution that was notified under the breach; and
The disclosure is made solely for the purpose of reducing the risk of harm to the individual that could result from the breach or mitigating that harm.