1.1 Principle 1 — Accountability
Eddy Wealth is responsible for personal information under its control and shall designate an
individual or individuals (see 2.0 below) who are accountable for the organization’s compliance with
the following principles.
1.1.1 Accountability for the organization’s
compliance with the principles rests with the designated individual(s), even though other
individuals within the organization may be responsible for the day-to-day collection and processing
of personal information. In addition, other individuals within the organization may be delegated to
act on behalf of the designated individual(s).
1.1.2 The identity of
the individual(s) designated by the organization to oversee the organization’s compliance with the
principles shall be made known upon request. It is also available on the Eddy Wealth website
(www.eddywealth.com).
1.1.3 Eddy Wealth is responsible for personal
information in its possession or custody, including information that has been transferred to a third
party for processing. Eddy Wealth uses contractual or other means to provide a comparable level of
protection while the information is being processed by a third party.
1.1.4
Eddy Wealth has implemented policies and practices to give effect to the principles,
including
(a) implementing procedures to protect personal information;
(b) establishing
procedures to receive and respond to complaints and inquiries;
(c) training staff and
communicating to staff information about the organization’s policies and practices; and
(d)
developing information to explain the organization’s policies and procedures.
1.2 Principle 2 — Identifying Purposes
The purposes for which personal information is collected shall be identified by the Eddy Wealth at
or before the time the information is collected.
1.2.1 Eddy Wealth
shall document the purposes for which personal information is collected in order to comply with the
Openness principle (Clause 1.8) and the Individual Access principle (Clause 1.9).
1.2.2 Identifying the purposes for which personal information is collected at
or before the time of collection will allow Eddy Wealth to determine the information it needs to
collect to fulfill these purposes. The Limiting Collection principle (Clause 1.4) requires Eddy
Wealth to collect only that information necessary for the purposes that have been identified.
1.2.3 The identified purposes should be specified at or before the time of
collection to the individual from whom the personal information is collected. Depending upon the way
in which the information is collected, this can be done orally or in writing. An application form,
for example, may give notice of the purposes.
1.2.4 When personal
information that has been collected is to be used for a purpose not previously identified, the new
purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of
the individual is required before information can be used for that purpose. For an elaboration on
consent, please refer to the Consent principle (Clause 1.3).
1.2.5 Persons
collecting personal information should be able to explain to individuals the purposes for which
the information is being collected.
1.2.6 This principle is linked
closely to the Limiting Collection principle (Clause 1.4) and the Limiting Use, Disclosure, and
Retention principle (Clause 1.5).
1.3 Principle 3 — Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of
personal information, except where inappropriate.
Note: In certain circumstances personal
information can be collected, used, or disclosed without the knowledge and consent of the individual.
For example, legal, medical, or security reasons may make it impossible or impractical to seek
consent. When information is being collected for the detection and prevention of fraud or for law
enforcement, seeking the consent of the individual might defeat the purpose of collecting the
information. Seeking consent may be impossible or inappropriate when the individual is a minor,
seriously ill, or mentally incapacitated.
1.3.1 Consent is required for
the collection of personal information and the subsequent use or disclosure of this information.
Typically, Eddy Wealth will seek consent for the use or disclosure of the information at the time of
collection. In certain circumstances, consent with respect to use or disclosure may be sought after
the information has been collected but before use (for example, when an organization wants to use
information for a purpose not previously identified).
1.3.2 The
principle requires “knowledge and consent”. Eddy Wealth will make a reasonable effort to ensure
that the individual is advised of the purposes for which the information will be used. To make the
consent meaningful, the purposes must be stated in such a manner that the individual can reasonably
understand how the information will be used or disclosed.
1.3.3 Eddy
Wealth will not, as a condition of the supply of a product or service, require an individual to
consent to the collection, use, or disclosure of information beyond that required to fulfill the
explicitly specified, and legitimate purposes.
1.3.4 The form of the
consent sought by Eddy Wealth may vary, depending upon the circumstances and the type of information.
In determining the form of consent to use, Eddy Wealth will take into account the sensitivity of the
information. Although some information (for example, medical records and income records) is almost
always considered to be sensitive, any information can be sensitive, depending on the context.
1.3.5 In obtaining consent, the reasonable expectations of the individual
are also relevant. For example, a client of Eddy Wealth should expect that Eddy Wealth, in addition
to using the individual’s name and address for mailing and billing purposes, would also contact the
individual to participate in client appreciation events. In this case, the organization can assume
that the individual’s request constitutes consent for such purposes. Consent shall not be obtained
through deception.
1.3.6 The way in which Eddy Wealth seeks consent may
vary, depending on the circumstances and the type of information collected. Eddy Wealth will
generally seek express consent when the information is likely to be considered sensitive. Implied
consent would generally be appropriate when the information is less sensitive. Consent can also be
given by an authorized representative (such as a legal guardian or a person having power of
attorney).
1.3.7 Individuals can give consent in many ways. For
example:
(a) an application form may be used to seek consent, collect information, and inform the
individual of the use that will be made of the information. By completing and signing the form, the
individual is giving consent to the collection and the specified uses;
(b) a checkoff box may be
used to allow individuals to request that their names and addresses not be given to other
organizations. Individuals who do not check the box are assumed to consent to the transfer of this
information to third parties;
(c) consent may be given orally when information is collected over
the telephone; or
(d) consent may be given at the time that individuals use a product or
service.
1.3.8 An individual may withdraw consent at any time,
subject to legal or contractual restrictions and reasonable notice. Eddy Wealth shall inform the
individual of the implications of such withdrawal.
1.4 Principle 4 — Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes
identified Eddy Wealth. Information shall be collected by fair and lawful means.
1.4.1 Eddy Wealth will not collect personal information indiscriminately.
Both the amount and the type of information collected shall be limited to that which is necessary
to fulfill the purposes identified. Eddy Wealth will specify the type of information collected as
part of their information-handling policies and practices, in accordance with the Openness principle
(Clause 1.8).
1.4.2 This principle is linked closely to the Identifying
Purposes principle (Clause 1.2) and the Consent principle (Clause 1.3).
1.5 Principle 5 — Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was
collected, except with the consent of the individual or as required by law. Personal information
shall be retained only as long as necessary for the fulfillment of those purposes.
1.5.1 When using personal information for a new purpose, Eddy Wealth shall
document this purpose (see Clause 1.2.1).
1.5.2 Eddy Wealth has
developed guidelines and implemented procedures with respect to the retention of personal
information. These guidelines include minimum and maximum retention periods. Personal information
that has been used to make a decision about an individual shall be retained long enough to allow
the individual access to the information after the decision has been made. Eddy Wealth may be
subject to legislative requirements with respect to retention periods.
1.5.3 Personal information that is no longer required to fulfill the identified
purposes should be destroyed, erased, or made anonymous. Eddy Wealth has developed guidelines and
implemented procedures to govern the destruction of personal information.
1.5.4 This principle is closely linked to the Consent principle (Clause 1.3),
the Identifying Purposes principle (Clause 4.2), and the Individual Access principle (Clause 1.9).
1.6 Principle 6 — Accuracy
Personal information shall be as
accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
1.6.1 The extent to which personal information shall be accurate, complete,
and up-to-date will depend upon the use of the information, taking into account the interests of the
individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the
possibility that inappropriate information may be used to make a decision about the individual.
1.6.2 Eddy Wealth will not routinely update personal information, unless
such a process is necessary to fulfill the purposes for which the information was collected.
1.6.3 Personal information that is used on an ongoing basis, including
information that is disclosed to third parties, should generally be accurate and up-to-date, unless
limits to the requirement for accuracy are clearly set out.
1.7 Principle 7 — Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity
of the information.
1.7.1 The security safeguards shall protect personal
information against loss or theft, as well as unauthorized access, disclosure, copying, use, or
modification. Eddy Wealth will protect personal information regardless of the format in which it is
held.
1.7.2 The nature of the safeguards will vary depending on the
sensitivity of the information that has been collected, the amount, distribution, and format of the
information, and the method of storage. More sensitive information should be safeguarded by a higher
level of protection. The concept of sensitivity is discussed in Clause 1.3.4.
1.7.3 The methods of protection include
(a) physical measures, for example,
locked filing cabinets and restricted access to offices;
(b) organizational measures, for example,
security clearances and limiting access on a “need-to-know” basis; and
(c) technological measures,
for example, the use of passwords and encryption.
1.7.4 Eddy Wealth
makes their employees aware of the importance of maintaining the confidentiality of personal
information.
1.7.5 Care shall be used in the disposal or destruction of
personal information, to prevent unauthorized parties from gaining access to the information (see
Clause 1.5.3).
1.8 Principle 8 — Openness
Eddy Wealth will make
readily available to individuals specific information about its policies and
practices relating
to the management of personal information.
1.8.1 Eddy Wealth is open
about its policies and practices with respect to the management of personal information. Individuals
shall be able to acquire information about Eddy Wealth policies and practices without unreasonable
effort. This information shall be made available in a form that is generally understandable.
Individuals can have access to this information by visiting the Eddy Wealth website
(www.eddywealth.com) or by contacting any employee.
1.8.2 The information
made available shall include
(a) the name or title, and the address, of the person who is accountable
for the organization’s policies and practices and to whom complaints or inquiries can be forwarded;
(b) the means of gaining access to personal information held by the organization;
(c) a description
of the type of personal information held by the organization, including a general account of its use;
(d) a copy of any brochures or other information that explain the organization’s policies, standards,
or codes; and
(e) what personal information is made available to related organizations (e.g.,
subsidiaries, custodian, reporting provider).
1.8.3 Eddy Wealth may
make information on its policies and practices available in a variety of ways. For example, Eddy
Wealth may choose to make brochures available in its place of business, mail information to its
customers, provide online access (www.eddywealth.com), or establish a telephone
number (403-407-1233).
1.9 Principle 9 — Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her
personal information and shall be given access to that information. An individual shall be able to
challenge the accuracy and completeness of the information and have it amended as appropriate.
Note: In certain situations, Eddy Wealth may not be able to provide access to all the personal
information it holds about an individual. Exceptions to the access requirement are limited and
specific. The reasons for denying access will be provided to the individual upon request. Exceptions
may include information that is prohibitively costly to provide, information that contains references
to other individuals, information that cannot be disclosed for legal, security, or commercial
proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
1.9.1 Upon request, Eddy Wealth will inform an individual whether or
not the organization holds personal information about the individual. Eddy Wealth will indicate the
source of this information. Eddy Wealth will allow the individual access to this information and
will provide an account of the use that has been made or is being made of this information and an
account of the third parties to which it has been disclosed.
1.9.2 An
individual may be required to provide sufficient information to permit an organization to provide an
account of the existence, use, and disclosure of personal information. The information provided
shall only be used for this purpose.
1.9.3 In providing an account of
third parties to which it has disclosed personal information about an individual, Eddy Wealth will
attempt to be as specific as possible. When it is not possible to provide a list of the organizations
to which it has actually disclosed information about an individual, Eddy Wealth will provide a list
of organizations to which it may have disclosed information about the individual.
1.9.4 Eddy Wealth will respond to an individual’s request within a reasonable
time and at minimal or no cost to the individual. The requested information shall be provided or
made available in a form that is generally understandable. For example, if Eddy Wealth uses
abbreviations or codes to record information, an explanation shall be provided.
1.9.5 When an individual successfully demonstrates the inaccuracy or
incompleteness of personal information, Eddy Wealth will amend the information as required. Depending
upon the nature of the information challenged, amendment involves the correction, deletion, or
addition of information. Where appropriate, the amended information shall be transmitted to third
parties having access to the information in question.
1.9.6 When a
challenge is not resolved to the satisfaction of the individual, the substance of the unresolved
challenge shall be recorded by Eddy Wealth. When appropriate, the existence of the unresolved
challenge shall be transmitted to third parties having access to the information in question.
1.10 Principle 10 — Challenging Compliance
An individual shall be able
to address a challenge concerning compliance with the above principles to
the designated
individual or individuals accountable for Eddy Wealth compliance.
1.10.1 The individual accountable for an organization’s compliance is
discussed in Clause 1.1.1.
1.10.2 Eddy Wealth will put procedures in
place to receive and respond to complaints or inquiries about their policies and practices relating
to the handling of personal information. The complaint procedures should be easily accessible and
simple to use.
1.10.3 Eddy Wealth will inform individuals who make
inquiries or lodge complaints of the existence of relevant complaint procedures.
1.10.4 Eddy Wealth will investigate all complaints. If a complaint is found
to be justified, the organization will take appropriate measures, including, if necessary, amending
its policies and practices.
2.0 Designated Privacy Officer
The
designated Privacy Officer at Polaris Financial is Jim Steel. Any concern, request or inquiry should
be made in writing or e-mail to:
Jim Steel, Privacy Officer
Polaris Financial Inc.
343
Preston Street
11th Floor
Ottawa ON K1S 1N4
e-mail: jimsteel@polarisfinancial.ca
telephone: 613-755-4004
toll free:
877-755-4004