“Client” is an organization or business entity for which Miratel provides services.
“Collect or Collection” is the act of gathering, acquiring, or obtaining Personal Information from any source, including third parties, by any means.
“Consent” is voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of Miratel. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
“Customer Data” is data collected by Miratel on behalf of its Client(s). Each Client shall define the types of data to be collected by Miratel and provide its privacy requirements.
“Disclose or Disclosure” is defined as making Employee Personal information available to other parties outside of Miratel and to internal Miratel Employees and departments.
“Employee(s)” shall include all individuals employed by Miratel, consultants engaged by Miratel and contract employees.
“Employee Personal Information” is defined as information about an identifiable individual that is recorded in any form but does not include the name, title, business address, business telephone number or e-mail address of an employee of Miratel.
“Personal Information” shall mean Miratel’s Employee Personal Information and Customer Data.
“Use” refers to the treatment and handling of Personal Information by Miratel.
This policy is applicable to all Personal Information collected in the process of conducting Miratel’s’ business, including:
(ii) Customer Data – Miratel shall Collect, Use, and Disclose Customer Data based on the Client’s requirements as set out in its contract with Miratel.
||4.1.1 Privacy Officer
Miratel is responsible and accountable for all Personal Information under its control including information that has been transferred to third party companies for processing (i.e. Customer Data or employee benefit information). One of the Managing Partners of Miratel is the Privacy Officer and she shall be responsible and accountable for Miratel’s’ compliance with privacy legislations.
The Privacy Officer shall implement procedures and controls to protect Personal Information, establish procedures to receive and respond to privacy related complaints and inquiries, develop and provide training, and ensure that Miratel’s privacy related policies, procedures and practices are communicated to all Employees.
4.1.2 All Employees
All Employees must complete an awareness training briefing pertaining to this policy and abide by this policy and any changes that may occur from time to time.
Employees shall seek the necessary support from their managers and/or the Privacy Officer whenever required in order to comply with this policy. Employees shall direct and report all privacy related concerns to the attention of the Privacy Officer at email@example.com or 416-650-7858.
Miratel shall use commercially reasonable efforts to ensure subcontractors with access to Personal Information abide by this policy.
Miratel shall identify the purposes for which information is collected at or before the time the information is collected.
4.2.1 Employee Personal Information
Miratel collects Employee Personal Information for the following purposes:
(i) Establish and maintain employee relationships;
(ii) Develop, enhance, or provide Employee benefits;
(iii) Manage and develop personnel and employment matters; and
(iv) Meet legal and regulatory requirements.
4.2.2 Customer Data
Miratel’s collects Customer Data for the purposes defined by its Clients. For the purpose of illustration, the Customer Data may be collected for the following purposes:
(i) Order/literature capture & fulfillment, follow up on previously placed orders
(ii) Establish and maintain customer relationships;
(iii) Develop and enhance marketing and/or provide marketing services; or
(iv) Meet legal and regulatory requirements.
4.3.1 Obtaining Consent
Miratel must ensure that; (i) Consent is sought from an Employee for the Collection, Use or Disclosure of all Employee Personal Data; and (ii) the Employee whose Consent is to be sought has a full understanding of why the Consent is being sought. Miratel shall ensure Consent is obtained from those Employees whose Personal Information has been Collected by Miratel prior to January 1, 2004.
4.3.2 Seeking Employee Consent
When seeking the Consent of an Employee, Miratel shall ensure that all Consents are obtained in an appropriate manner taking into consideration the circumstances, type and sensitivity of the information to be Collected, Used or Disclosed when determining the form of Consent.
4.3.3 Deceptive Means
Miratel shall ensure that Consent is not obtained through deceptive means.
4.3.4 Questions Regarding Consent
In cases where an Employee is unsure as to whether or not there is a requirement to obtain consent prior to the collection of information, the Employee shall seek guidance from the Privacy Officer.
4.3.5 Notification to Withdraw Consent
If at anytime Miratel receives notification of intent to withdraw Consent from an Employee, such request shall be forwarded to the Privacy Officer.
Miratel may disclose Employee Personal Information without the Employee’s knowledge or Consent in certain circumstances where seeking Consent may be impractical or unlawful. For example, emergency medical situations, law enforcement or as may otherwise be required by applicable laws.
The Collection of Personal Information shall be: (i) limited to that Personal Information that is necessary for the purposes identified in Section 4.2 Identifying Purposes;(ii) by fair and lawful means; and (iii) in accordance with approved Miratel processes and procedures.
Whenever previously Collected Employee Personal Information is to be utilized for a purpose not previously identified, except when required by law, Miratel shall; (i) identify the new purpose; (ii) inform Employee(s) of the new purpose; and (iii) seek the Employee’s consent prior to use.
||Limiting Use, Retention and Disclosure
4.5.1 Use and Disclosure
Employee Personal Information shall not be Used or Disclosed for purposes other than those for which the Personal Information was Collected, except with the Consent of the Employee.
Miratel shall only retain Employee Personal Information in accordance with the period of time specified in Miratel’ document retention policy and/or as required by law.
Employee Personal Information shall be as accurate, complete and up-to-date as is necessary for the purpose for which it is to be used. Miratel shall use commercially reasonable efforts and have systems and processes in place to ensure the integrity of Employee Personal Information.
4.6.2 Employee Responsibilities
Employees shall ensure the accuracy and completeness of Employee Personal Information and further ensure that such information is up-to-date as necessary for the purposes for which it is to be used.
4.6.3 Challenging Accuracy
An Employee may challenge the accuracy and completeness of his/her Employee Personal Information and seek amendment to the inaccurate information.
Miratel shall ensure that Employee Personal Information is adequately and securely protected at all times by utilizing appropriate safeguards commensurate to the sensitivity of the Employee Personal Information that has been or is being Collected, the amount, distribution, and format of the information, and the method of storage.
4.7.2 Methods of Security
Safeguards shall be implemented to protect Employee Personal Information against loss or theft, unauthorized access, Disclosure, copying, Use, or modification.
The following methods of protection shall be considered:
(i) Physical measures including but not limited to locked filing cabinets and restricted access to offices;
(ii) Organizational measures including security clearances and limiting access on a “need-to-know'' basis; and
(iii) Technological measures including but not limited to the use of passwords, encryption or other available technology.
4.7.3 Unauthorized Access
Miratel shall ensure that necessary care is used in the disposal or destruction of Employee Personal Information to prevent unauthorized parties from gaining access to Employee Personal Information.
Miratel shall document and readily make available to Employees specific information about Miratel’s’ policies and procedures relating to the management of Employee Personal Information.
Upon request, an Employee shall be informed of the existence, Use, and Disclosure of his or her Employee Personal Information and shall be given access to such information in a timely manner.
||Concerns Regarding Compliance (Challenging Compliance)
If any Employee is concerned about the Collection, Use or Disclosure of their Employee Personal Information in relation to the principles of this policy, such concerns should be forwarded to the attention of the Privacy Officer at firstname.lastname@example.org. The Privacy Officer shall investigate and respond to all complaints.
In cases where a concern or complaint is found to be justified through a complaint review process, the Privacy Officer shall ensure that appropriate measures are taken to rectify the complaint including, if necessary, amending the policies and practices.
The Privacy Officer shall ensure that Miratel’s’ privacy practices are monitored and reviewed on an annual basis.
Any Employee that is found to have breached this policy shall be subjected to disciplinary actions up to and including dismissal.
The Privacy Officer shall decide exceptions to this policy on a case basis.