PURPOSE AND SCOPE
Northumberland Ferries Limited (“NFL”) and Bay Ferries Limited (“BFL”) are committed to serving the needs of our customers, employees, and members of the public while at the same time complying with all applicable privacy legislation, including the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
This policy applies to the personal information about identifiable individuals collected, used, disclosed, or stored by NFL and BFL, respectively, in the course of our commercial activities.
NFL and BFL are each obliged and committed to complying with PIPEDA, and this policy, with regard to the personal information each of us collects, uses and discloses.
This policy applies to all personal information now in the custody or control of NFL and BFL, respectively, and all personal information that we subsequently collect or acquire.
All directors, employees, and agents of NFL and BFL are required to comply with this policy.
NFL is also required to comply with PIPEDA and this policy when sharing personal information with BFL, and vice versa.
The following defined terms are used throughout this policy:
- (a) “collection” means the act of gathering, acquiring, recording or obtaining personal information from any source, including from third parties, by any means, whether written or verbal;
- (b) “customer” means an individual who applies to use or uses NFL or BFL’s products, services, or facilities, and includes a tenant of NFL or BFL, a concessionaire of NFL or BFL, a sub-tenant of NFL or BFL, a guarantor of their obligations, and passengers or others using NFL or BFL’s facilities;
- (c) “consent” means voluntary agreement for the collection, use, or disclosure of personal information;
- (d) “disclosure” means making personal information available to a third party outside of either NFL or BFL;
- (d) “employee” means an employee or former employee of NFL or BFL;
- (e) “personal information” means information about an identifiable individual, whether recorded or not, and includes, but is not limited to, such things as race, ethnic origin, nationality, colour, age, gender, marital status, religion, education, medical information, criminal information, employment history, performance reviews, disciplinary actions, trade union membership, financial history, income, credit records, credit card numbers, information pertaining to existence of a dispute between an employer/employee, landlord/tenant, or business/consumer, intentions (such as intention to acquire goods/services, or provide/withdraw services), home address, home telephone number, email address, numerical identifiers such as social insurance number, and personal opinions or evaluations. “Personal Information” does not include:
- the name, title, business address, or business telephone number, of an employee of an organization;
- information that is publicly available, such as a client’s name, home address, home telephone number, if published in a public telephone directory, made available through directory assistance, or some other public source (e.g. a web page);
- information that pertains only to a commercial or corporate entity;
- aggregate information that cannot be associated with any specific individual.
- (f) “third party” means an individual or organization outside of either NFL or BFL;
- (g) “use” means use within NFL or BFL.
THE TEN PRINCIPLES
This policy has been developed in accordance with the standards set out in PIPEDA including Schedule 1 of PIPEDA, which is modelled on the Canadian Standards Association Model Code for the Protection of Personal Information. In collecting, using, and disclosing personal information, we shall conform to the provisions of PIPEDA, including Schedule 1.
1. PRINCIPLE 1 – ACCOUNTABILITY
NFL and BFL, respectively, are responsible for the personal information in our custody or under our control, and shall each designate one or more individuals who will be accountable for their compliance with PIPEDA and this policy.
- 1.1 NFL and BFL’s Vice President-Corporate Services shall be the individual responsible for their compliance with PIPEDA and this policy. He or she shall be known as NFL and BFL’s Privacy Officer. NFL and BFL’s Privacy Officer may, from time to time, designate one or more individuals within NFL and BFL to act on his or her behalf.
- 1.2 We are responsible for the personal information in our custody or control, including information that has been transferred to a third party for processing. We shall use contractual or other appropriate means to ensure that information is afforded a comparable level of protection while it is being processed by a third party.
- 1.3 We have implemented policies and practices to give effect to the principles and procedures set out in PIPEDA and this policy.
2. PRINCIPLE 2 – IDENTIFYING PURPOSE
NFL and BFL, respectively, will identify the purpose for which they collect personal information at or before the time of the collection. The purposes for which information is collected, used, or disclosed by us must be those that a reasonable person would consider appropriate in the circumstances.
- 2.1 We will document the purposes for which we collect personal information.
- 2.2 Every individual responsible for collecting personal information on behalf of either NFL or BFL will explain to the individual from whom the information is sought, why the information is being collected in a manner that can be reasonably understood. This shall be done at or before the time of collection and may, depending upon the way in which the information is collected, be done orally, in writing, or electronically. If this is done orally, a note to file shall be made. This policy may be used to identify such purposes.
- 2.3 If we propose to use personal information that we have collected for a purpose not previously identified, we will identify the new purpose to the individual concerned before using that personal information for that new purpose. The consent of that individual must also be obtained before the personal information is used for the new purpose.
- 2.4 The explanation and consent referred to in para. 2.2 and 2.3 are not required where consent to the collection of the information is not required by law (see: para. 3.3).
- 2.5 The purpose for which the personal information of NFL and BFL’s employees is collected may include, but is not limited to:
- administering employee payroll and benefits;
- conducting employee performance evaluations;
- effecting training of employees;
- conducting occupational medical assessments of employees, where such medical assessments are required;
- regulating attendance;
- managing disability and return to work situations;
- conducting disciplinary investigations and taking disciplinary action against an employee;
- participating in union negotiations and labour arbitrations;
- enhancing safety and security (e.g. we may use security cameras to monitor access, egress, and use of public and restricted areas – signs are posted in the areas in which security cameras have been installed);
- facilitating contacts in the event of an emergency;
- complying with legal and regulatory requirements (e.g. subpoenas, and court orders);
- processing employment applications and assessing suitability for employment;
- entering into, and administering employment contracts;
- responding to employee inquiries.
- 2.6 The purpose for which personal information of tenants, sub-tenants, and concessionaires is collected may include, but is not limited to:
- processing tenant, sub-tenant, or concession applications;
- checking credit and other references;
- administering tenant, sub-tenant, and concession agreements;
- communicating with tenants, sub-tenants, and concessionaires and responding to their inquiries;
- invoicing and collecting rent or fees, and otherwise enforcing any tenant, sub-tenant, or concession agreement;
- tax reporting, where required;
- reporting to our insurers, where necessary;
- enhancing safety and security (e.g. we may use security cameras to monitor access, egress, and use of public and restricted areas – signs are posted in the areas in which security cameras have been installed);
- complying with legal and regulatory requirements (e.g. subpoenas, and court orders).
- 2.7 The purpose for which personal information is collected from customers or other individuals may include, but is not limited to:
- making reservations for passage on one of our ferries (for reservations for passage between Yarmouth, Nova Scotia and Bar Harbor, Maine, we require that you provide us the full names, dates of birth, gender for all travellers, a telephone number and zip or postal code);
- providing other products, services, or facilities requested by the customer or individual;
- processing payment for the use of such products, services, or facilities (e.g. where payment for passage is made by credit card);
- responding to inquiries by the customer or individual;
- enhancing safety and security (e.g. we may use security cameras to monitor access, egress, and use of public and restricted areas – signs are posted in areas in which security cameras have been installed);
- complying with legal and regulatory requirements.
3. PRINCIPLE 3 – CONSENT
NFL and BFL, respectively, will require the knowledge and consent of the individual for the collection, use, or disclosure of personal information, except where consent is not required by applicable privacy legislation.
- 3.1 We will collect personal information only with the knowledge and consent of the individual concerned, except where knowledge and consent is not required by applicable privacy legislation, or where collection without knowledge or consent is permitted by law. Consent will be obtained at or before the time of collection.
- 3.2 The way in which we will seek consent may vary, depending on the circumstances and the type of information collected. We can obtain consent through, for example, application, enrolment or contract forms, facsimiles, e-mail, and telephone conferences. Express consent will usually be obtained when the information is likely to be considered sensitive (such as medical information). Implied consent may generally be relied upon where a reasonable person would infer that the employee, client, or other individual has consented by his or her action or inaction.
- 3.3 There are circumstances in which such consent is not required such as:
- where we collect information in the individual’s interest and timely consent is unavailable, or to investigate a breach of an agreement (e.g. an employment or lease agreement), or a contravention of the law;
- where we use personal information without consent for reasons similar to those described above, or in an emergency situation in which an individual’s life, health, or security is threatened;
- where we disclose information to a third party without consent for law enforcement, or national security purposes, for debt collection, to our lawyers, or in an emergency situation in which an individual’s life, health, or security is threatened.
- 3.4 We will not require, as a condition of supply of products, services or facilities, that an individual consent to the collection, use, or disclosure of information beyond that required to fulfill our explicitly specified and legitimate purposes.
- 3.5 An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. We will inform individuals of the implications of withdrawing consent.
4. PRINCIPLE 4 – LIMITING COLLECTION
NFL and BFL, respectively, shall limit the collection of personal information to that which is necessary for the purposes identified by us. Personal information shall be collected by fair and lawful means.
- 4.1 We will not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes stated.
- 4.2 In collecting information, we will use fair and lawful means and will not mislead or deceive individuals about the purpose for which information is being collected.
5. PRINCIPLE 5 – LIMITING USE, DISCLOSURE AND RETENTION
NFL and BFL, respectively, shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required or permitted by law. Personal information shall be retained only as long as necessary for the fulfillment of the purposes for which it was collected.
- 5.1 We will only use or disclose personal information for legitimate, identified purposes (except with the consent of the individual, or as required or permitted by law).
- 5.2 Where we intend to use personal information for a purpose not previously identified, we shall document the new purpose and shall obtain the consent of the individual prior to using the information for that new purpose (except where such consent is not required by law).
- 5.3 We may disclose the personal information of our employees to the following third parties:
- to third party service providers for the purposes of administering employee payroll or benefits programs, or obtaining human resource assistance or advice;
- to union representatives (where required by law or under a collective agreement, or otherwise with the employee’s consent), and to labour tribunals;
- to our external consultants (e.g. to our lawyers, auditors, accountants, and information technology consultants);
- to prospective employers and/or financial institutions, seeking references, provided the consent of the employee has first been obtained;
- to prospective purchasers or purchasers of our business;
- to any third party where disclosure is required or permitted by law (e.g. to Canada Customs and Revenue Agency).
- 5.4 We may disclose the personal information of our tenants or concessionaires, or other customers to the following third parties:
- to third parties named as credit or other references by a tenant or concessionaire;
- to a credit bureau where the tenant or concessionaire has authorized us to conduct a credit check;
- to our lenders, if and as required by them;
- to government tax authorities, where required;
- to a third party who processes credit card transactions;
- to third party service providers for the purposes of debt collection;
- to our external consultants, if and as required (e.g. our lawyers, auditors, accountants, and information technology consultants);
- to our insurers, if and as required;
- to prospective tenants or concessionaires, or real estate agents (disclosure is limited to the existing tenant or concessionaire’s name, space, and rent);
- to prospective purchasers or purchasers of our business; and
- where disclosure is required or permitted by law.
- 5.5 Unless authorized by the employee, customer or other individual, we will not sell, lease, or trade personal information with third parties.
- 5.6 Personal information shall be kept only as long as it remains necessary or relevant for the identified and legitimate purposes, or as required or permitted by law. Where personal information has been used to make a decision about an individual, we will retain that personal information for a period of time that is reasonably sufficient to allow for access to that information by that individual, and to allow that individual to exhaust any legal recourses he or she has.
- 5.7 Personal information that is no longer required to fulfill our identified purposes shall be destroyed, erased, or made anonymous.
6. PRINCIPLE 6 – ACCURACY
NFL and BFL, respectively, shall ensure the personal information is as accurate, complete and up to date as is necessary for the purposes for which it is to be used.
- 6.1 Personal information used by us shall be kept sufficiently accurate, complete and up to date.
- 6.2 We will not, however, routinely update personal information, unless this is necessary to fulfill the purposes for which the information was collected.
7. PRINCIPLE 7 – SAFEGUARDS
NFL and BFL, respectively, shall protect all personal information by security safeguards appropriate to the sensitivity of the information.
- 7.1 We are committed to protecting personal information held by us, and to ensuring that information is not obtained by others without the consent of the individual.
- 7.2 We will ensure security procedures are in place to safeguard and protect personal information against loss, theft, unauthorized access, disclosure, copying, use, modification, or destruction.
- 7.3 We shall maintain appropriate safeguards and security procedures such as:
- physical measures (e.g. providing and using locked filing cabinets for hard copy personal information, and restricting access to offices);
- technical measures (such as requiring passwords for access to electronic personal information, and using encryption and firewalls); and
- organizational measures (e.g. permitting access to employees on a “need to know” basis, and staff training).
- 7.4 The nature of the safeguards implemented will vary depending on:
- the sensitivity of the information that has been collected;
- the parties to whom information will be disclosed;
- the amount of information held;
- the format of the information; and
- the manner of storage.
- 7.5 Each director, employee, and agent of NFL or BFL shall be made aware of the importance of complying with this policy. Any director, employee, or agent who violates this policy or applicable privacy legislation shall be subject to disciplinary action, up to and including removal, dismissal, or contract termination.
- 7.6 Personal information disclosed by us to third parties shall be protected by contractual agreements stipulating the confidentiality of the information and the purpose for which it is to be used.
- 7.7 We ensure that our employees are aware of the importance of maintaining the security and confidentiality of personal information.
- 7.8 We will use care when disposing of or destroying personal information and shall do so in a manner that will ensure that no one will be able to retrieve the information.
8. PRINCIPLE 8 – OPENNESS
NFL and BFL, respectively, shall make readily available to their employees, clients, and other individuals, specific information about our policies and practices relating to the management of personal information.
- 8.1 We will be open about our policies and practices with respect to the management of personal information, the name of our Privacy Officer, and how to contact him or her.
- 8.2 Information shall be made available to NFL and BFL’s employees, customers, and other individuals upon request in written form, and shall also be available through our websites.
9. PRINCIPLE 9 – INDIVIDUAL ACCESS
NFL and BFL, respectively, shall upon request, inform an individual of the existence, use and disclosure of his or her personal information and shall give him or her access to that information except where we are permitted or required by law not to disclose personal information to the individual.
- 9.1 Upon written request, we shall inform an employee, customer, or other individual as to whether we hold personal information about the individual (except where we are required or permitted by law not to disclose personal information), and shall afford him or her a reasonable opportunity to review the personal information in his or her file at minimal or no cost. We shall also provide an account of the use that has been made or is being made of the personal information, and of the third parties to whom the personal information has been disclosed.
- 9.2 An employee can obtain information or seek access to his or her individual file by contacting his or her immediate supervisor.
- 9.3 A customer can obtain information or seek access to his or her individual file by contacting NFL or BFL’s Privacy Officer.
- 9.4 We will normally respond to a request for access to personal information within 30 days; however, that time period may be extended under PIPEDA for another 30 days in certain circumstances.
- 9.5 In some circumstances, we may not be required by law to permit access to personal information kept in our files. Where we refuse such a request we will, within the period referred to in para. 9.4, provide reasons and will advise the individual of his or her recourse under applicable privacy laws.
- 9.6 An individual also has the right to request, in writing, that we correct personal information that we have in our custody and control. We shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to the accuracy or completeness shall be noted in the individual’s file. Where appropriate, we shall transmit to third parties that were given access to the personal information in question any amended information or will inform them of the existence of any unresolved differences.
10. PRINCIPLE 10 – CHALLENGING COMPLIANCE
An individual employee or customer shall be able to address a challenge concerning compliance with the provisions of this policy to NFL or BFL’s Privacy Officer, as applicable.
- 10.1 We shall maintain procedures for addressing and responding to all inquiries or complaints from our employees and customers about our handling of personal information.
- 10.2 We will inform our employees, customers, and other individuals, who make inquiries or complaints, about the existence of these procedures as well as the availability of complaint procedures.
- 10.3 We shall investigate all written complaints concerning compliance with this policy. If a complaint is found to be justified, we shall take appropriate measures to resolve the complaint.
- 10.4 If an individual is not satisfied with the response from NFL or BFL’s Privacy Officer, he or she may have recourse to additional remedies under applicable privacy legislation.
- 10.5 Any individual who has an inquiry or complaint may contact our Privacy Officer:
Vice President-Corporate Services
Northumberland Ferries Limited/Bay Ferries Limited
P.O. Box 634
94 Water Street
Charlottetown, PE C1A 7L3
Email: [email protected]
Effective Date and Amendment
This policy is effective as of January 01, 2004. We reserve the right to amend this policy from time to time for any reason.