June 30, 2004
CALEDON SKI CLUB
PRIVACY POLICY
The Caledon Ski Club (“CSC”) recognizes that an individual’s right to privacy is an essential right to be protected. We understand the importance in maintaining anonymity and protecting personal information in our care and control. Our relationship with those that support the CSC is founded on trust and we are committed to maintaining this trust.
For these reasons, our privacy policy (the “Privacy Policy”) provides all the safeguards as standardized in the Personal Information Protection and Electronic Documents Act, 2001, c. 5 (the “PIPEDA”). It confirms our dedication to protecting privacy and maintaining the trust individuals have placed in CSC. This Privacy Policy is our guarantee that we will maintain the confidentiality and privacy of the personal information entrusted to us.
A. AN OVERVIEW
1. WHAT THIS POLICY COVERS
This Privacy Policy applies to personal information about identifiable CSC members, attendees, students, employees and ski chalet owners (collectively referred to as “Participants”) that is collected, used or disclosed by CSC.
This Privacy Policy will not apply to the collection, use or disclosure of the following information:
a) personal information that is aggregated in such a manner that it cannot be connected to a person; therefore any personal information that has been anonymized will not fall under the protection of the PIPEDA;
b) personal information consisting of the name, address and telephone number of a subscriber that appears in a telephone directory that is available to the public, where the subscriber can refuse to have the personal information appear in the directory;
c) the name, title, business address, e-mail address or telephone number of an employee of CSC; or
d) information that is publicly available and is specified by regulation pursuant to the PIPEDA.
2. PERSONAL INFORMATION COLLECTED BY CSC
Personal information that may be collected, used or disclosed by CSC includes but is not limited to the following:
Name
Date of Birth
Gender
Address (including e-mail)
Marital Status
Health Card Numbers
Skier / Snowboarder abilities
Credit Card Information
Photos
Age
Social Insurance Numbers
Phone Numbers
Contact Person / Next of Kin
Canadian Ski Instructor’s Association Accreditations
Canadian Ski Coach Federation Accreditations
Canadian Association of Snowboard Instructor Accreditations
3. GUIDELINES FOR INTERNET/ WEBSITE USERS
CSC does not collect identifying information about visitors to our website. We may collect non-identifying information about our visitors in order to create summary statistics and to determine the level of interest in information available on our site. This information would include such items as the date and time our site was accessed and the web browser used. The CSC collects information about users’ site usage through the use of cookies and through our server log files, including IP Addresses. Our website does not link IP Addresses to any personally identifiable information. In some cases, users’ non-personal information may be automatically collected through the standard operation of the CSC’s internet servers or through the use of “cookies”. A cookie is a small piece of data that is sent to a user’s Internet browser from a web server and stored on a user’s computer’s hard drive. A cookie cannot read data from a computer hard disk or read cookie files created by other websites. CSC uses cookies to identify which areas of the CSC’s website users have visited or customized. Users can choose whether to accept cookies by changing the setting of their Internet browser.
In addition, the CSC may permit third parties to offer users subscriptions and/or registration-based services through our website. In such situations, CSC cannot be responsible for the actions or policies of such third parties. It is advised that users should check the applicable privacy policy of each third party when providing any personal information or even when simply visiting a website of a third party. Please note that CSC cannot control or prevent the use of cookies or any information obtained through such cookies by third parties. If users do not want information collected through the use of cookies, they should take appropriate steps to change the setting of their Internet browser.
Please be advised that information voluntarily disclosed online in discussion areas or other public areas of our website can be collected, used and disclosed by third parties. Any submissions made to discussion areas or other public areas on our website are done at the user’s risk and on the understanding that such information may be accessible to third parties. CSC will not be liable or held responsible for any damages that may result from such user activity.
4. HOW PERSONAL INFORMATION IS MAINTAINED
CSC does not sell, barter, trade or give away personal information to third parties. For example, we do not provide our member lists to other organizations regardless of how similar their services may be to ours. By supporting CSC, Participants have confirmed their commitment to our services. If Participants wish to obtain services from other organizations, then this is a personal decision to be made by the Participant alone. We will not intervene in a Participant’s decision by providing their personal information to such organizations.
B. DEFINITIONS
To assist in understanding this Privacy Policy, CSC has set out some basic definitions to use when reading and interpreting the principles below:
Attendees: an individual who is not a member, but uses services or facilities offered by CSC.
Collection: obtaining personal information from any source, including third parties, by any means.
Consent: the granting of voluntary permission regarding the collection, use and disclosure of personal information for defined purposes. Consent can be either express or implied.
Disclosure: to make known personal information to a third party.
Personal Information: information about an identifiable individual, but does not include the name, title, or business address or telephone number of an employee of CSC.
Use: the treatment, handling and management of personal information by and within CSC.
C. APPLICATION OF THE CODE
There are ten principles that form the basis of this Privacy Policy. These principles are interrelated and CSC shall adhere to them as a whole. As permitted by the PIPEDA and its regulations, the commentary in CSC’s Privacy Policy may be tailored to reflect personal information issues specific to CSC.
CSC applies the ten principles of the Code as follows:
1. ACCOUNTABILITY
CSC is responsible for the personal information collected and maintained by it and which is under its control. In order to fulfill this responsibility, CSC has designated its Office Manager as Chief Privacy Compliance Officer accountable for CSC’s compliance with the Privacy Policy.
1.1 CSC has established a Privacy Office headed by the Chief Privacy Compliance Officer that has the responsibility for ensuring compliance with the provisions of CSC’s Privacy Policy. The Privacy Office has been established to ensure that Participants have a designated avenue to direct their privacy-related inquiries. The Privacy Office shall designate one or more Privacy Officers to be accountable for day-to-day compliance with CSC’s Privacy Policy. The Privacy Office may delegate such authority to other persons within CSC to act on behalf of the designated Privacy Officers or take responsibility for the collection and processing of personal information.
1.2 CSC has taken the following measures to ensure compliance with this Privacy Policy:
a) developed procedures to protect personal information;
b) developed procedures to receive and respond to complaints and inquiries;
c) trained our staff about our policies and practices respecting personal information; and
d) developed and distributed information to our staff and the general public explaining our policies and procedures respecting personal information.
1.3 To ensure that all personal information that is transferred by CSC to third parties on the consent of the Participant is protected, CSC enters into legal agreements with all third parties who use personal information collected by us. These legal agreements seek to ensure that these third parties employ comparable levels of control over this personal information.
1.4 CSC shall make known, upon request, the name of the person or persons designated by the Privacy Office with the responsibility of ensuring CSC’s day-to-day compliance with its Privacy Policy.
2. IDENTIFYING PURPOSES FOR WHICH PERSONAL INFORMATION IS BEING COLLECTED
CSC is committed to openness regarding its collection of personal information. CSC shall identify the purposes for which personal information is collected at or before the time the information is collected.
2.1 CSC usually only collects personal information for the following limited purposes:
i) To establish and maintain records in order to provide services to:
a) Members and prospective members of CSC;
b) Students participating in CSC’s ski and snowboarding instructional programs;
c) Race participants;
c) individuals that own ski chalets on CSC property;
d) Attendees at CSC facilities;
e) to enter and fulfill transactions;
f) administration, billing, accounting and collection in relation to Participant’s relationship with us;
ii) To establish and maintain our mailing lists;
iii) To communicate information pertaining to employees for the following purposes:
a) decision making regarding employees’ hiring, duties, transfer, training, discipline, promotion and retention;
b) recording and determining employees’ eligibility for participation in CSC’s various benefit plans, including life insurance coverage, group RRSP and personal or maternity leave, and the receipt of short or long term disability payments and the managing of such participation;
c) recording and maintaining employees’ personal information, attendance record, service award and bonuses record, performance evaluations, performance improvement plans, remuneration details, or maintaining any other necessary information for establishing, managing or terminating the employment relationship (including its related benefits), as well as the determination of the applicable income and benefits;
2.2 CSC shall specify either orally, electronically or in writing the identified purposes to the individual, at or before the time personal information is collected. Upon request, persons collecting personal information shall explain these identified purposes or refer the individuals to the Privacy Officers who shall explain the purposes.
2.3 CSC shall not use or disclose for any new purposes, personal information that has been collected from Participants without first identifying and documenting the new purposes and obtaining the prior consent of the Participants unless required to by law.
2.4 Furthermore, if any Participant wishes to be advised of the personal information we have related to them, they can contact us at the address set out in Section D below.
3. CONSENT
CSC is committed to ensuring that Participants are aware of how their personal information is used. CSC is dedicated to obtaining the consent of individuals who provide us with their personal information. To this end, all our employees, personnel or agents are instructed to provide information about how we use personal information to all interested individuals who inquire, as well as obtain the consent of those who provide their personal information.
3.1 In obtaining consent, CSC shall use reasonable efforts to ensure that a Participant is advised of the identified purposes for which personal information collected will be used or disclosed. CSC shall state the identified purposes in a manner that can be reasonably understood by the Participants.
3.2 CSC shall seek consent to use and disclose personal information at the same time it collects the information. However, if CSC decides to use personal information of a Participant for a new purpose, CSC shall obtain consent from the Participant before the personal information is used or disclosed for a new purpose.
3.3 CSC will only require Participants to consent to the collection, use or disclosure of personal information as a condition to CSC providing products or services to the Participant, if such collection, use or disclosure is required in order to fulfill the identified purposes.
3.4 As well, we may periodically request written confirmation from a Participant to ensure that the personal information collected and maintained by us is up-to-date and accurate. We also may ensure that we have continuing consent to the use and retention of personal information.
3.5 In determining the appropriate form of consent, CSC shall take into account the sensitivity of the personal information and the reasonable expectations of the Participant. For sensitive information, CSC will obtain express written consent at or before the time of collection.
3.6 CSC may collect, use and disclose personal information without the knowledge and consent of the individual, in accordance with the provisions of the PIPEDA.
3.7 A Participant may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Participants may contact CSC at the address set out in Section D below for more information.
3.8 Please be advised that at no time does a Participant’s relationship with CSC require that they provide us with their personal information if they do not wish to do so.
Note: In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individuals. For example, legal, medical or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information. (Clause 4.3 of Schedule 1 of the Act)
4. LIMITING COLLECTION
CSC limits the collection of personal information only to that information that is necessary for the limited purposes noted above. In addition, CSC is committed to collecting personal information in a fair, open and lawful manner. For this reason, CSC does not indiscriminately collect personal information. We collect personal information to fulfill the above-noted purposes only, and for no other purposes.
5. LIMITING USE, DISCLOSURE AND RETENTION
CSC does not use personal information for purposes other than those for which it was originally collected, unless it has first obtained the consent of the individual from whom such information was received or if required to do so by law. We retain personal information only for as long as it is needed and only for the fulfillment of the purposes for which it was originally collected or as required by law.
5.1 Only those CSC staff and employees whose duties reasonably so require, are granted access to personal information about Participants.
5.2 CSC will keep personal information only as long as it remains necessary or relevant for the identified purposes or as required by law. Depending on the circumstances where personal information has been used to make a decision about a Participant, CSC shall retain, for a period of time that is reasonably sufficient to allow for access by the Participant, either the actual information or the rationale for making the decision.
5.3 CSC will destroy, erase or make anonymous any personal information that is no longer necessary or relevant for the identified purposes or required to be retained by law. Nevertheless, CSC shall maintain reasonable and systematic controls, schedules and practices for the retention and destruction of personal information.
6. ACCURACY
CSC is committed to maintaining accurate, complete and up-to-date personal information. If a Participant is aware of changes to the personal information they have given to us, they can simply inform us of the changes and we will update our records accordingly.
Personal information that is collected by CSC is processed and maintained in Belfountain, Ontario. Participants may check and correct their personal information by contacting the Privacy Office assigned to oversee the day-to-day care and control of personal information by writing or emailing a request to the address set out in Section D below.
6.1 Personal information used by CSC shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used and to minimize the possibility that inappropriate or incorrect information may be used to make a decision about a Participant.
6.2 CSC shall not routinely update personal information. CSC shall update personal information about Participants as and when necessary to fulfill the identified purposes or upon receiving notification by the individual.
7. SAFEGUARDS
CSC has developed and implemented security safeguards commensurate to the level of sensitivity of the information.
7.1 CSC shall implement security safeguards to protect personal information against such risks as theft or loss, unauthorized access, copying, use, modification or destruction.
7.2 CSC shall protect personal information with physical security measures, such as locked cabinet storage and restricted access to areas where personal information is stored.
7.3 CSC shall protect personal information with internal employee security measures, including restricted computer access, employee confidentiality agreements, and limited access to where personal information is stored. CSC will also ensure that any of our employees who deal with personal information are properly trained and are aware of the necessary and appropriate measures required to protect personal information.
7.4 CSC will use security safeguards, including password and encryption security measures, to prevent unauthorized access to personal information stored on computer systems.
7.5 CSC shall protect personal information when disclosing it to third parties by stipulating the confidentiality of the information and the purposes for which it is to be used in contractual agreements. In entering into these legal agreements, we do not transfer any interest in this personal information to third parties. Rather, the purpose of these legal agreements is to ensure that the personal information delivered to third parties is maintained at a level of security equal to that provided by CSC under this Privacy Policy.
7.6 Any personal information kept by CSC is disposed of or destroyed once it is no longer needed to meet the purposes for which it was collected. CSC will ensure appropriate measures regarding the destruction or disposal of personal information so as to prevent unauthorized parties from gaining access to the personal information.
8. OPENNESS
CSC makes information about its policies and practices respecting the collection and maintenance of personal information available to all interested parties.
We are pleased to answer any questions that an individual may have regarding the collection and maintenance of personal information. Please forward any questions in writing or email to the address set out in Section D below.
8.1 CSC, through its Privacy Policy, has made information about its policies and practices easy to understand by including:
a) the title and address of the person or persons accountable for CSC’s compliance with the Privacy Policy and to whom inquiries or complaints can be forwarded;
b) the means of gaining access to personal information held by CSC; and
c) a description of the type of personal information held by CSC including a general account of its use.
9. INDIVIDUAL ACCESS
Upon request, CSC shall inform an individual of the existence, use and disclosure of his or her personal information and shall give the individual access to that information. A Participant shall be able to challenge the accuracy and completeness of their personal information and have it amended as appropriate.
9.1 When an individual has inquired as to whether personal information concerning him or her has been collected, used or disclosed, CSC may require that the individual provide sufficient information to allow CSC to provide an account of the existence, use and disclosure of personal information. However, the information provided in response to CSC’s request shall only be used for the purpose of providing the account. Please forward a request in writing or e-mail to the address set out in Section D below.
9.2 Upon written request, we will inform an individual if we have any of their personal information in our care and control, as well as providing them with the details of such personal information. In responding to requests, CSC may charge a nominal fee. If we are unable to provide a Participant with access to all of the personal information that we hold, then the reasons for the denial of access will be provided.
9.3 Upon request, CSC shall provide an account of the use and disclosure of personal information and, where reasonably possible, shall state the source of the information. In providing an account of disclosure, CSC shall provide a list of organizations to which it may have disclosed personal information.
9.4 We are also committed to ensuring that the personal information that is collected and maintained by us is correct, accurate and complete.
9.5 In certain situations, CSC may not be able to provide access to all of the personal information that it holds of a Participant. Exceptions include but are not limited to personal information that is prohibitively costly to provide, information that contains references or identifies the personal information of other individuals, information that cannot be disclosed for legal, security or commercial proprietary reasons or information that is subject to solicitor-client or litigation privilege. CSC shall provide the reasons for denying access upon request.
9.6 As well, Participants may challenge the completeness of their personal information under our care and control. Where a Participant can successfully demonstrate that an error in the accuracy or completeness of their personal information exists, we will amend their personal information appropriately. Any unresolved differences to accuracy or completeness shall be noted in their file. Where appropriate, CSC shall transmit to third parties having access to the personal information in question any amended information or the existence of any unresolved differences.
10. CHALLENGING COMPLIANCE
As noted above, CSC has designated a Privacy Officer who is responsible for the day-to-day care and control of personal information. This Privacy Officer will receive and respond to all information requests regarding our privacy policies or about personal information under our care and control. Equally, if a Participant wishes to be added or removed from any of the lists that CSC maintains, please write or email a request to the Privacy Office.
10.1 A Participant shall be able to address a challenge concerning compliance with the above principles to the Privacy Officer accountable for CSC’s compliance with this Privacy Policy.
10.2 CSC shall put procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal information.
10.3 CSC shall inform Participants about the existence of these procedures as well as the existence of relevant complaint procedures.
10.4 The Privacy Officer accountable for compliance with CSC’s Privacy Policy reserves the right to seek legal advice where appropriate before providing a final response to complaints.
10.5 CSC shall investigate all complaints received and will respond in writing in a timely manner. If a complaint is found to be justified, then we will take appropriate measures to resolve the matter including, if necessary, amending our policies and proceedings.
D. HOW TO ADD, REMOVE OR AMEND PERSONAL INFORMATION
If, at any time, Participants wish to amend their personal information with CSC, simply inform us in writing at:
Caledon Ski Club
Privacy Office
17431 Mississauga Road
Caledon, Ontario L7K 0E9
or by e-mail to: admin@caledonskiclub.on.ca
Please note that further information can be obtained as well as a copy of the PIPEDA through the Privacy Commissioner of Canada’s web site at www.privcom.gc.ca
E. CHANGES TO PRIVACY POLICY
CSC reserves the right to modify or remove this Privacy Policy at our discretion and without notice.