Introduction

In the course of your work, you may come into contact with or handle confidential information about employees, clients, customers, and suppliers, such as their names, home addresses, and other personal details. Canada’s Personal Data Protection Bill (PDPB) 2023 outlines principles regarding the protection of employees’ and other personal data. The law applies to both electronic and manual records, including employee files, databases, and digital communications.

This policy ensures compliance with Canada’s data protection regulations and prevents unauthorized disclosure of personal information. If you are uncertain about whether certain information can be shared, seek guidance from the Company’s Data Protection Compliance Officer (DPCO) before disclosing any data.

Knowingly or recklessly disclosing personal data in violation of the law may lead to legal consequences. A serious breach of data protection is also considered a disciplinary offense and may result in action under the Company’s disciplinary procedure. Unauthorized access to another employee’s records constitutes gross misconduct and may lead to immediate dismissal.

This policy does not form part of an employment contract, but adherence to it is a condition of employment.

The Data Protection Principles

Under Canada’s Personal Data Protection Bill (PDPB) 2023, personal data must be handled in accordance with the following principles:

  • Lawful and Fair Processing: Personal data should only be processed for legitimate purposes, such as business operations, employee management, or legal compliance.
  • Purpose Limitation: Data should only be collected for specified and lawful purposes and not used for unrelated activities.
  • Data Minimization: Only necessary and relevant data should be collected and stored. Regular reviews will ensure that outdated information is removed.
  • Accuracy: Personal data must be accurate and kept up to date. Employees must inform the Company of any changes, such as address or marital status.
  • Storage and Retention: Personal data should not be kept longer than necessary. Employee records will be retained for six years after employment ends, while unsuccessful job applications will be deleted after one year.
  • Data Security: Appropriate technical and organizational measures must be taken to prevent unauthorized access, loss, or destruction of data.
  • Employees’ Rights: Employees have the right to request access to their data, demand corrections, and object to processing under certain conditions.
  • Data Transfers: Personal data should not be transferred outside Canada unless adequate protections are ensured.

Employees’ Consent to Personal Information Being Held

The Company holds personal data about its employees, and by signing the contract of employment, employees consent to their data being processed for business operations, HR management, and legal compliance.

By signing this policy, employees provide explicit consent for processing sensitive personal data, including:

  • Health conditions, sick leave, or medical requirements
  • Equal opportunities monitoring
  • Disciplinary records or performance management

Employees’ Rights to Access Personal Information

Under the PDPB 2023, employees can request access to their personal data. Employees have the right to:

  • Know whether their data is being processed and for what purpose.
  • Obtain a copy of their personal data.
  • Request corrections to inaccurate information.
  • Be informed about any automated decision-making processes affecting them.

To request access, employees must submit a written request to the Data Protection Compliance Officer (DPCO). The Company will respond within 30 days.

Data Security Guidelines for Employees

All employees must adhere to the following security practices:

  • Do not disclose personal information to unauthorized individuals.
  • Verify the identity of the requester before sharing personal data over the phone or by email.
  • Use secure methods (e.g., encrypted emails, VPNs) when transmitting sensitive data.
  • Store personal data securely (in password-protected or encrypted storage, or in locked cabinets).
  • Report any data breaches immediately to the Data Protection Compliance Officer (DPCO).

Non-Compliance and Disciplinary Actions

Failure to comply with this policy may result in:

  • Disciplinary action, including termination of employment.
  • Legal consequences, including fines or prosecution under Canada’s data protection laws.

Exemptions

Certain types of data may be exempt from this policy, including:

  • References provided in confidence by the Company.
  • Data legally required to be publicly available.
  • Information protected by legal privilege.

Employees’ Obligations in Relation to Personal Information

All employees must ensure compliance with the following:

  • Do not disclose personal data without the subject’s consent.
  • Always verify the legitimacy of data requests, especially by phone or email.
  • Only transmit personal data through secure networks.
  • Report any security concerns or data breaches to the Data Protection Compliance Officer (DPCO).