NoNO Inc. is committed to protecting the privacy of personal information where this type of information is collected, used or distributed in the course of conducting its activities. As a Canadian organization NoNO Inc. will be bound by both Federal and Provincial legislation with regard to the protection of personal information. NoNO Inc. is also sensitive to, and will adhere to where applicable, International laws pertaining to the protection of personal information. This policy applies to individuals such as: Customers, Patients, Subjects involved in Research Studies and employees with respect to business activities associated with NoNO Inc.
The definition of ‘Personal Information’ may vary, to some degree, from one legislation to another. For the purposes of this policy, ‘personal information’ will mean information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization. An individual is identifiable for the purpose of this policy if:
- a. information includes his or her name;
- b. information makes his or her identity obvious;
- c. the information does not itself include the name of the individual or make his or her identity obvious but is likely under the circumstances to be combined with other information that does;
Personal information will include personal health information, comments, opinions or employment related information. NoNO Inc. will apply Federal and Provincial privacy laws as applicable for each jurisdiction where NoNO Inc. Only where the provincial legislation is substantially similar to the Federal privacy laws, will the provincial laws take precedence, or where specific concerns are not included in the Federal laws.
NoNO Inc. will take into consideration any foreign laws which apply to protecting personal information when operating in a foreign jurisdiction. In general terms, information collected in a foreign jurisdiction will be managed local to that jurisdiction and accountable to the local laws which apply.
Each employee (both permanent and contract) of NoNO Inc. is responsible for maintaining the confidentiality of all personal information to which they have access. As a condition of employment, NoNO Inc. employees are required to comply with all NoNO Inc. policies and to sign an employment agreement and a confidentiality agreement binding them to this responsibility which governs their actions.
This policy applies to personal information that NoNO Inc. collects, uses or discloses in the course of its commercial activities or in connection with its employees.
Information that is publicly available, such as a customer’s or employee’s name, title, address, telephone number and electronic address, when listed in a directory or made available through directory assistance; and personal information that NoNO Inc. collects, uses or discloses for journalistic, artistic or literary purposes;
This policy has been modeled after the ‘Canadian Standards Association Model Code for the Protection of Personal Information’, CAN/CSA-Q830-96 (the ‘CSA Code’). Accordingly, the ten principles of fair information practices, as identified by the Canadian Standards Association, have been adopted by NoNO Inc. and represent a formal statement of the minimum requirements to be adhered to for the protection of personal information under applicable legislation.
Accountability for the NoNO Inc. compliance with the principles rests with the CEO even though other individuals within NoNO Inc. may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within NoNO Inc. may be delegated to act on behalf of the designated individual(s).
The identity of the individual(s) designated by NoNO Inc. to oversee the organization’s compliance with the principles will be made known upon request.
NoNO Inc. is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
NoNO Inc. implemented policies and practices to give effect to the principles, including
- (a) implementing procedures to protect personal information;
- (b) establishing procedures to receive and respond to complaints and inquiries;
- (c) training staff and communicating to staff information about the organization’s policies and practices; and
- (d) developing information to explain the organization’s policies and procedures.
2. Identifying Purposes
NoNO Inc. will document the purposes for which personal information is collected in order to comply with the Openness principle and the Individual Access principle.
Identifying the purposes for which personal information is collected at or before the time of collection allows NoNO Inc. to determine the information it needs to collect to fulfil these purposes. The Limiting Collection principle requires NoNO Inc. to collect only that information necessary for the purposes that have been identified.
The identified purposes will be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes.
When personal information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose.
Consent is required for the collection of personal information and the subsequent use or disclosure of this information. NoNO Inc. will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when NoNO Inc. wants to use information for a purpose not previously identified).
The principle requires “knowledge and consent”. NoNO Inc. will make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
NoNO Inc. will not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
The form of the consent sought by NoNO Inc. may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, NoNO Inc. will take into account the sensitivity of the information.
NoNO Inc. will not obtain consent through deception.
The way in which NoNO Inc. seeks consent may vary, depending on the circumstances and the type of information collected. NoNO Inc. should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
Individuals can give consent in many ways. For example:
- (a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
- (b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
- (c) consent may be given orally when information is collected over the telephone; or
- (d) consent may be given at the time that individuals use a product or service.
An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. NoNO Inc. will inform the individual of the implications of such withdrawal.
4. Limiting Collection
The collection of personal information at NoNO Inc. will be limited to that which is necessary for the purposes identified by the organization. Information will be collected by fair and lawful means.
NoNO Inc. will not collect personal information indiscriminately. Both the amount and the type of information collected will be limited to that which is necessary to fulfil the purposes identified. NoNO Inc. will specify the type of information collected as part of their information-handling policies and practices, in accordance with the Openness principle.
The requirement that personal information be collected by fair and lawful means is intended to prevent NoNO Inc. from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.
This principle is linked closely to the Identifying Purposes principle and the Consent principle.
5. Limiting Use, Disclosure, and Retention
Personal information at NoNO Inc. will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfilment of those purposes.
NoNO Inc. will document use of the personal information for a new purpose.
Personal information retained at NoNO Inc. that has been used to make a decision about an individual will be retained long enough to allow the individual access to the information after the decision has been made.
Personal information that is no longer required to fulfil the identified purposes will be destroyed, erased, or made anonymous.
Personal information retained by NoNO Inc. will be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used, to minimize the possibility that inappropriate information may be used to make a decision about the individual.
NoNO Inc. will not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected.
Personal information that is used on an ongoing basis, including information that is disclosed to third parties, will generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
Personal information will be protected by security safeguards appropriate to the sensitivity of the information.
The security safeguards at NoNO Inc. protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. NoNO Inc. protects personal information regardless of the format in which it is held.
The nature of the safeguards applied to personal information will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information will be safeguarded by a higher level of protection.
The methods of protection include
- (a) physical measures, like locked filing cabinets and restricted access to offices;
- (b) organizational measures, like security clearances and limiting access on a “need-to-know” basis; and
- (c) technological measures, like the use of passwords and encryption.
NoNO Inc. will make employees aware of the importance of maintaining the confidentiality of personal information.
Care will be utilized in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.
NoNO Inc. will make readily available to individuals specific information about its policies and practices relating to the management of personal information.
NoNO Inc. will be open about their policies and practices with respect to the management of personal information as individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort.
The information made available will include
- (a) the name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded;
- (b) the means of gaining access to personal information held by the organization;
- (c) a description of the type of personal information held by the organization, including a general account of its use;
- (d) a copy of any brochures or other information that explain the organization’s policies, standards, or codes; and
- (e) what personal information is made available to related organizations (e.g., subsidiaries).
9. Individual Access
Note: In certain situations, NoNO Inc. may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement may be limited and specific. The reasons for denying access will be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
Upon request, NoNO Inc. will inform an individual if NoNO Inc. holds personal information about the individual. However, NoNO Inc. may choose to make sensitive medical information available through a medical practitioner. In addition, NoNO Inc. will provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed.
An individual may be required to provide sufficient information to permit NoNO Inc. to provide an account of the existence, use, and disclosure of personal information. The information provided shall only be used for this purpose.
In providing an account of third parties to which it has disclosed personal information about an individual, NoNO Inc. will attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, NoNO Inc. will provide a list of organizations to which it may have disclosed information about the individual.
NoNO Inc. will respond to an individual’s request within a reasonable time and at minimal or no cost to the individual. The requested information will be provided or made available in a form that is generally understandable. For example, if NoNO Inc. uses abbreviations or codes to record information, an explanation will be provided.
When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, NoNO Inc. will amend the information as required. Depending upon the nature of the information challenged, amendment may involve the correction, deletion, or addition of information. Where appropriate, the amended information will be transmitted to third parties having access to the information in question.
When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge will be recorded by NoNO Inc. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.
10. Challenging Compliance
NoNO Inc. will put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information.
NoNO Inc. will inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures. A range of these procedures may exist.
NoNO Inc. will investigate all complaints. If a complaint is found to be justified, NoNO Inc. will take appropriate measures, including, if necessary, amending its policies and practices.