Privacy Policy
Overview
The right to privacy and the need to protect personal information entrusted to CSRS
by our clients is important to CSRS. We recognize that when you choose to provide
us with information about yourself and your clients, you trust us to act in a responsible
manner. We also understand the obligations for our clients to comply with the provisions
of the Personal Information and Electronics Document Act (PIPEDA). CSRS will aid
our clients to provide timely and accurate responses, as the act requires, and protect
our clients' information in accordance with current best practices. CSRS has executed
a formal privacy policy to describe how we manage the information entrusted to us
by our clients and has appointed a privacy officer who is accountable for the organization's
compliance to this policy.
Accountability
CSRS is responsible for personal information under its control and has a designated
Privacy/Security Officer who is accountable for the organization's compliance with
the following principles. CSRS shall provide reference to CSRS's policies and procedures
within each contract to ensure that the information entrusted to CSRS is not compromised,
sold, or disclosed to any party without a client's consent or contractual obligation.
The Privacy /Security Officer shall ensure that CSRS complies with all privacy policies
and liaise with clients to aid them with any privacy issues or requests that may
arise. The identity of CSRS's Privacy/Security Officer or the Officer's delegate
shall be released upon request. CSRS is responsible for personal information in
its possession or custody, including information that has been transferred to CSRS
acting as a third party for processing. CSRS has implemented policies and practices
to give effect to the principles of fair information practices.
Purpose
CSRS shall, within each client contract, identify the purpose for which they are
receiving a client's information. Additionally CSRS shall within reason verify that
the purpose for collecting the information was clearly expressed to all parties.
Consent
CSRS shall, within each client contract, ensure that CSRS's client has obtained
consent for CSRS to process their information. This consent may be written, implied,
or oral. CSRS shall track and record the type of consent obtained by the client.
Limit Collection To Use
CSRS shall, within each client contract, specify exactly how the information is
processed and limit the collection of information in accordance to each contract.
Limit Use For Purpose
CSRS shall also do their best to ensure that their clients limit the collection
of information to the purpose for which it was requested. If the client identifies
a secondary use of the information entrusted to CSRS, a modification of the client's
contract to identify CSRS's obligations, and to ensure additional consent was obtained,
should be performed.
Limit Use Of Distribution
CSRS shall limit the use and distribution of their client’s information by contractual
agreements and shall not sell, distribute or provide a client’s information without
a client’s consent.
Limit Use Of Retention /Destruction
CSRS limits the retention of information for the duration of the purpose for which
it was collected. Overriding factors of this limit would be contract specific orders
to destroy the information within a shorter period of time.
Safeguard
CSRS shall implement all reasonable safeguards as outlined in CSRS’s Corporate Security
Policy to ensure that client information entrusted to CSRS is protected against
accidental disclosure, unauthorised publication, damage, or other breach of privacy.
These safeguards are governed by CSRS’s Corporate Security Policy and related procedures.
Accuracy
CSRS shall implement processes and other safeguards to ensure that the accuracy
of the information they process is maintained to the highest possible standards.
Openness
CSRS shall make readily available to individuals specific information about its
policies and practices relating to the management of client and personal information
within the restraints of contractual obligations.
Individual Access
CSRS shall make provision for clients to provide individuals to access their personal
and private information within 30 days in a form that they can understand.
Challenging Compliance
CSRS shall put procedures in place to receive and respond to complaints or inquiries
about policies and practices relating to the handling of personal information. Details
for aiding CSRS clients to provide complaint procedures that are accessible and
simple to use shall be determined on a client-by-client basis.
Complaints
CSRS shall investigate all complaints. If a complaint is justified, the organization
shall take appropriate measures, including, if necessary, amending its policies
and practices.
Exemptions
Exemptions to this policy may be made for the detection and prevention of fraud
or for law enforcement. Additional exemptions may be made under the directions of
CSRS's Executive Management, or in the cause of National Security. Additional exemptions
are detailed in the provisions of the Canadian privacy law PIPEDA.
|
|
|
|
