PIPEDA (Personal Information Protection and Electronic Documents Act) Policy
Intent
The Personal Information Protection and Electronic Documents Act (PIPEDA) establishes rules to govern the collection, use, and disclosure of personal information in a manner that recognizes the right to privacy of individuals with respect to their personal information and the need of organizations to collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. Driven Brands Canada is committed to protecting and respecting the personal information of its customers, employees, business partners, and all other entities it interacts with in accordance with PIPEDA. This policy will provide guidelines to ensure that Driven Brands Canada remains compliant with PIPEDA requirements.
Definitions
Breach of security safeguards – The loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards, or from a failure to establish those safeguards.
Personal information – Information about an identifiable individual.
Security safeguards – Security safeguards include the following:
- Physical measures, for example, locking filing cabinets and restricted access to offices;
- Organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
- Technological measures, for example, the use of passwords and encryption.
Significant harm – Includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.
Guidelines
Compliance
The following guidelines have been implemented to ensure Boss Auto Group and The Collision Man remains compliant with PIPEDA requirements. The personal information of Boss Auto Group and The Collision Man employees, customers, clients, business partners, etc., must be managed so as to meet the following PIPEDA requirements:
- All personal information in Boss Auto Group and The Collision Man’s possession or custody must be protected in an appropriate manner.
- Individuals must be informed as to why personal information is being collected.
- Consent must be obtained for the collection of information.
- The consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose, and consequences of the collection, use, or disclosure of the personal information.
- Personal information may only be collected without consent if:
  - The collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;
  - It was produced by the individual in the course of their employment, business, or profession, and the collection is consistent with the purposes for which the information was provided;
  - The collection is made for the purpose of making a disclosure; or
  - Any other reason as defined in PIPEDA’s section 7(1).
- Individuals have the right to withdraw their consent.
- Personal information collected is only collected, used, or disclosed for purposes that a reasonable person would consider appropriate in the circumstances.
- Personal information is used only for the purposes for which it was collected, except with the consent of the individual or as required by law.
- Personal information is retained only for the period of time that it is reasonably required.
- Personal information that is no longer required is destroyed in a safe, secure, and effective manner (e.g., shredding).
- All personal information collected is accurate.
- Individuals are allowed to gain access to their personal information, and make corrections as appropriate.
- Appropriate security and safeguards are employed for the protection of personal information.
- Access to personal information is limited to authorized personnel who have a legitimate need to access the information.
- Consent must generally be obtained prior to the release of personal information to any third party.
- Consent to disclose personal information to a third party is not required if:
  - Boss Auto Group and The Collision Man has reasonable grounds to believe that the information could be useful in the investigation of a contravention of the laws of Canada, a province/territory, or a foreign jurisdiction, and the information is used for the purpose of investigating that contravention;
  - It is used for the purpose of acting in respect to an emergency that threatens the life, health, or security of an individual;
  - The information was produced by the individual in the course of their employment, business, or profession, and the use is consistent with the purposes for which the information was produced; or
  - Any other circumstances as defined in PIPEDA’s section 7(2) are met.
- The forms of information being collected must be identified and communicated to the individual as well as the rationale for the collection of these forms of information.
- Individuals must be notified and consent must be obtained prior to using personal information for any reason other than those provided at the time of collection.
In addition to the above requirements, Boss Auto Group and The Collision Man will designate a representative to hold accountability for the organization’s compliance with PIPEDA. The representative will hold responsibility for the management of the personal information policies and procedures of Boss Auto Group and The Collision Man.
The representative shall be the Privacy Manager.
The PIPEDA representative shall be responsible for:
- Developing and implementing policies and practices under PIPEDA including:
  - Procedures that address the collection, use, retention, destruction, and management of personal information;
  - Procedures for protecting personal information;
  - Procedures for complaints and inquiries; and
  - Staff training on PIPEDA obligations.
- Employing privacy agreements/contracts to ensure the protection of personal information where the information must be provided to a third party.
- Reviewing policies, practices and procedures on an annual basis, or as needed, making appropriate revisions.
Breaches of Security Safeguards
Reporting Breaches
If Boss Auto Group and The Collision Man becomes aware of a breach of our security safeguards that compromises the privacy of the personal information retained by the company, the following action shall be taken:
- The Privacy Manager is responsible for coordinating the response to the breach and ensuring that all reasonable action is taken to address the breach.
- The Privacy Manager will notify the Privacy Commissioner of the breach in the prescribed form and manner as soon as feasible once Boss Auto Group and The Collision Man has determined that a breach has occurred.
- Boss Auto Group and The Collision Man will comply to the greatest extent possible and in a timely manner with any requests, orders, or other instructions from the Office of the Privacy Commissioner in order to respond to and address the security breach.
- Boss Auto Group and The Collision Man shall maintain records of every breach of security safeguards, and will provide the Privacy Commissioner with access to, or a copy of, a record of a breach, at the request of the Commissioner.
Notifying Affected Individuals
Determining Whether a Real Risk of Significant Harm Exists
Boss Auto Group and The Collision Man will assess the following factors when determining whether a security breach constitutes a real risk of significant harm to an individual or individuals:
- The sensitivity of the personal information involved in the breach;
- The probability that the personal information has been, is being, or will be misused; and
- Any other prescribed factor.
Notice to Nevada Residents
Nevada law allows consumers to direct certain businesses not to sell their personally identifiable information to third parties to license or sell that information to additional third parties. If you are a Nevada resident, you may submit such opt-out requests to info@thecollisionman.com. To be effective, your request must include your full name, address, phone number, and email address [or other information reasonably necessary to verify the authenticity of the consumer request]. Boss Auto Group and The Collision Man will endeavor to respond to your verified request within 60 days of receiving the request. However, due to unforeseen circumstances, Boss Auto Group and The Collision Man may need to extend this period by up to 30 days. If an extension is reasonably necessary, Boss Auto Group and The Collision Man will notify you of this during the initial 60-day period.
Notifications
(Insert Title of Appropriate Authority) is responsible for ensuring that all individuals affected by the breach for whom the breach creates a real risk of significant harm are notified at the earliest available opportunity, subject to any legal restrictions. Notifications shall:
- Contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm from it or to mitigate that harm.
- Contain any other prescribed information.
- Be conspicuous and given directly or indirectly to the individual in the prescribed form and manner as legislatively required as the situation dictates.
- Be given as soon as feasible after the organization determines that the breach has occurred.
In addition to the individual(s) affected by the breach, Boss Auto Group and The Collision Man may notify other parties of the breach or disclose personal information relating to the breach, subject to the following guidelines:
- Boss Auto Group and The Collision Man shall notify other organizations, government institutions, or part(s) of government institutions if it is believed that doing so can reduce or mitigate the harm from the breach.
- Boss Auto Group and The Collision Man may disclose personal information without the knowledge or consent of the individual if:
  - The disclosure is made to the other organization, the government institution, or the part of a government institution, that was notified under the breach; and
  - The disclosure is made solely for the purpose of reducing the risk of harm to the individual that could result from the breach or mitigating that harm.
Privacy Policy (Client Files PIPEDA)
Intent
Boss Auto Group and The Collision Man has adopted this Policy to ensure that all Boss Auto Group and The Collision Man employees are aware of our commitment to the privacy and protection of client information.
Protecting the privacy and confidentiality of personal information is an important aspect of the way Boss Auto Group and The Collision Man conducts its business. Collecting, using, and disclosing personal information in an appropriate, responsible, and ethical manner is fundamental to Boss Auto Group and The Collision Man’s daily operations.
Boss Auto Group and The Collision Man strives to protect and respect the personal information of its customers, employees, business partners, and so on in accordance with all applicable regional and federal laws. Each staff member of Boss Auto Group and The Collision Man must abide by the organization’s procedures and practices when handling personal information.
Guidelines
Requirement of Confidentiality
In accordance with the Privacy Act and PIPEDA (Personal Information Protection and Electronic Documents Act), Boss Auto Group and The Collision Man requires all employees to handle sensitive personal client information in a confidential and appropriate manner. It is understood that employees of Boss Auto Group and The Collision Man will become aware of confidential information regarding our clients through the course of their employment. Employees agree that if confidential information is not effectively protected, the operations of Boss Auto Group and The Collision Man may be threatened, and the well-being and privacy of our clients may suffer irreparably.
Employees of Boss Auto Group and The Collision Man are required to keep all confidential information and relevant medical knowledge regarding both the Company and our clients confidential both during and after their term of employment. These practices have been adopted as they have been deemed essential to the protection of Boss Auto Group and The Collision Man, and the well-being and privacy of our clients.
Confidentiality Agreement
The following is classed as Confidential Information:
- Client lists
- Client medical histories
- Client personal information
- Medical research
- Labour relations
- Human resource planning, policies or procedures
- Company financial information, status and statements
- Any information, or documentation labelled “Confidential” by the Company, or listed as such by separate memorandum, or e-mail that informs of confidential status
- Any information pertaining to Boss Auto Group and The Collision Man’s clients and visitors
Any information relating to the Company that is freely in the public domain may not be considered “Confidential”. In the event that an employee can prove that information was possessed before it was received from Boss Auto Group and The Collision Man, or that information was gained from an unrelated third party, said information will not be classified as “Confidential”.
Nondisclosure
In working for Boss Auto Group and The Collision Man, employees shall not divulge, disclose, provide or disseminate Confidential Information to any third party not employed by Boss Auto Group and The Collision Man at any time, unless Boss Auto Group and The Collision Man gives written authorization. Furthermore, Confidential Information shall not be used for any purpose other than its reasonable use in the normal performance of employment duties for Boss Auto Group and The Collision Man.
Company Property
Upon termination of employment with Boss Auto Group and The Collision Man, employees shall promptly return (without duplicating or summarizing) any and all material pertaining to Boss Auto Group and The Collision Man business in their possession including, but not limited to: all client information (charts, lists, etc.), physical property, documents, keys, electronic information storage media, manuals, letters, notes and reports.
Legal
This agreement will not supersede any legal obligation to disseminate information when required to do so in a court of law.