At Billee... "mum's" the word!
The purpose of this Privacy Statement is to inform Individuals about the types of Personal Information that Corso Innovations Corporation (“CIC”) receives, holds and processes in its capacity as a service provider on behalf of CIC’s Clients.
CIC is proud to demonstrate our commitment to protecting the Personal Information we receive from our Clients by complying with applicable privacy laws in Canada, including the Personal Information Protection and Electronic Documents Act. In order to fulfill this commitment, CIC has policies and practices intended to appropriately safeguard CIC’s facilities, information systems and data.
This Privacy Statement may be revised periodically to maintain its currency and compliance with evolving law and policy.
1. TO WHOM DOES THIS PRIVACY STATEMENT APPLY?
This Privacy Statement applies to the Employer Services division of CIC. CIC contracts with Clients to provide them with the opportunity to outsource their business processing functions. Specifically, CIC provides its Clients with electronic payment processing and related services, including making electronic or cheque payments to Individuals and providing required information to third parties such as banks, taxing authorities and other government agencies as required (e.g., for the purpose of administering family support payments).
CIC’s “Clients” are various entities such as corporations, partnerships, trusts or other businesses that receive our services.
The Personal Information CIC receives from its Clients relates to a variety of Individuals. An “Individual” is any person directly or indirectly designated by a Client to be covered by the services to which this Privacy Statement applies.
2. WHAT IS PERSONAL INFORMATION?
“Personal Information” is generally any information about an identifiable Individual. The type of information that a Client may collect from an Individual and transfer to CIC in order for us to provide the Client with our business process outsourcing services may include an Individual’s name, residential contact information, annual gross revenue, bank account information, family support payment obligations and tax filing information, as well as additional information that an Individual may choose to disclose. Personal Information may not, however, include an employee’s business title, business address or business telephone number.
3. WHAT ARE CIC’S OBLIGATIONS AS A PROCESSOR OF PERSONAL INFORMATION?
As a service provider, CIC does not independently use or disclose Personal Information transferred to CIC by, or on behalf of, a Client or an Individual for any purpose other than to process that information in order to fulfill our contractual business processing functions, except as required or permitted by law.
Furthermore, CIC takes all commercially reasonable steps to safeguard the Personal Information we hold against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, regardless of the format in which the Personal Information is held. The precise nature of the safeguards CIC employs will vary depending on (i) the sensitivity of the Personal Information at issue, (ii) the format in which it is held, and (iii) the manner in which it is stored.
4. HOW DOES CIC TRAIN AND MANAGE OUR ASSOCIATES?
CIC’s Human Resources Department is responsible for associate management and training.
CIC educates our associates about our information security policies and practices, and uses reasonable efforts to help ensure that our associates comply with these policies and practices. These efforts include:
• Conducting appropriate background checks of all newly-hired associates;
• Including information on CIC’s policies in our associate orientation process;
• Requiring associates to execute appropriate non-disclosure agreements;
• Including information on CIC’s policies and practices on the CIC associate intranet site;
• Disseminating information on CIC’s policies and procedures to associates at appropriate intervals;
• Limiting access to Personal Information to associates with a business need for seeing it;
• Promptly ending associate access to systems and facilities upon termination of associate employment;
• Monitoring associates for compliance with policies; and
• Imposing appropriate disciplinary measures for breaches of policies and procedures.
5. HOW DOES CIC ENSURE THE SECURITY OF OUR FACILITIES?
The Director of Facilities is responsible for the security of CIC’s facilities.
CIC utilizes reasonable security measures at all of our facilities. Such security measures include:
• Using access control devices, such as card keys, computerized access control, and/or receptionist verification of identification badges for all associates;
• Requiring that visitors to our facilities check in at a reception desk and obtain a visitor badge;
• Utilizing enhanced security measures at all data centers, including limiting access to specially authorized associates (controlled by computerized access control) and limiting visitors to pre-cleared individuals who must be escorted at all times;
• Maintaining secured areas for storage of materials containing confidential information; and
• Implementing other appropriate security measures including security patrols and security cameras, where such measures are judged to be necessary and reasonably appropriate.
6. HOW DOES CIC ENSURE THE SECURITY OF OUR INFORMATION SYSTEMS?
The Chief Information Officer (“CIO”) is responsible for the overall security of CIC’s information systems. Information systems include network and software design, as well as information processing, storage, transmission, retrieval and disposal. CIC employs policies and practices to protect Personal Information throughout its life cycle – from data entry to data disposal. These policies and practices include, among other things:
• Requiring use of virus protection software on all computer systems attached to CIC networks;
• Encrypting all client information transmitted over the Internet;
• Limiting all access to CIC computer resources and networks to approved configurations and utilizing appropriate identification and authentication methods;
• Utilizing firewalls (which are configured and maintained in accordance with CIC and industry-standard procedures and specifications);
• Requiring appropriate disposal of all documents and electronic media containing Personal Information;
• Employing appropriate intrusion detection, monitoring, and logging capabilities to enable detecting and responding to potential security breaches;
• Maintaining appropriate incident handling procedures for responding to any breaches;
• Regularly obtaining and installing patches to address software vulnerabilities;
• Developing Client applications utilizing appropriate security methods including multiple-factor authentication, strong passwords, session time-outs, and access controls; and
• Maintaining adequate disaster recovery and business continuity plans for all core functions.
The CIO is also responsible for maintaining current documentation of our information systems security procedures. These procedures are disclosed to individuals on a need-to-know basis.
7. HOW DOES CIC ENSURE THE PRIVACY OF PERSONAL INFORMATION WHEN DEALING WITH THIRD PARTY SERVICE PROVIDERS?
In connection with providing our services to our Clients, CIC may from time to time grant certain third party service providers access to the Personal Information CIC holds for the purposes of storing or destroying that information, or for the purpose of physically transporting that information to the Client. CIC requires any third party granted such access to execute contracts mandating many of these same policies and practices with regard to the training and management of their employees, and with regard to the security of their information systems and data.
Further information about the third party service providers that CIC permits to access the Personal Information it holds is available upon request.
8. WHAT ADDITIONAL SAFEGUARDS DOES CIC HAVE IN PLACE TO PROTECT PERSONAL INFORMATION?
Due to the constantly changing nature of technologies and security concerns, CIC conducts appropriate, periodic reviews of our security policies and practices. Additionally, periodic assessments are conducted as appropriate. All allegations of system or data misuse (by associates, contractors or any third parties) are thoroughly investigated by CIC in accordance with our policies, and reported to law enforcement authorities where appropriate.
9. HOW LONG WILL CIC RETAIN PERSONAL INFORMATION?
CIC may keep a record of an Individual’s Personal Information, correspondence or comments in a file specific to the Client, to which access by CIC’s associates and by any third parties with whom CIC contracts will be strictly limited on a business need-to-know basis. CIC will retain an Individual’s Personal Information for as long as necessary to fulfill the purposes for which it was transferred to CIC, or as required or permitted by law. CIC has established minimum and maximum retention periods, as well as appropriate procedures for the destruction and disposal of Personal Information.
10. HOW DOES CIC UPDATE PERSONAL INFORMATION SUCH THAT IT IS SUFFICIENTLY ACCURATE FOR PROCESSING PURPOSES?
As a service provider of business processing functions, CIC relies on its Clients to provide CIC with updated Personal Information on an ongoing basis, as necessary in relation to our provision of the services.
In certain cases, Individuals may not be able to update their Personal Information through the Client. Where this is the case, and where CIC can adequately authenticate the Individual’s identity, CIC will rely on the Individual to provide CIC with the necessary updated information.
Upon receipt of updated Personal Information, CIC will amend the Individual’s Personal Information that CIC holds where such amendment is reasonably necessary to enable CIC to continue providing the services to the Client in accordance with CIC’s contractual obligations as a service provider.
11. HOW CAN INDIVIDUALS ACCESS AND CORRECT THEIR PERSONAL INFORMATION THAT HAS BEEN TRANSFERRED TO CIC FOR PROCESSING?
In light of the fact that CIC acts at all times on behalf of CIC’s Clients, any request by an Individual to access and/or correct his or her Personal Information in our possession should be directed to the Client rather than to CIC.
CIC recognizes, however, that there are circumstances where the Client may not be able to respond to an access request (e.g., where the Client no longer exists). Where an Individual successfully demonstrates to us that the access request cannot be addressed by the Client and authenticates his or her identity, CIC will make available to the individual, on written request and to the extent permitted by law, the requested Personal Information, as well as information about the manner in which CIC has handled that information. CIC will make such information available to the Individual in a form that is generally understandable, and will explain any abbreviations or codes or use an alternative format, if required. Furthermore, where CIC provides access under these limited circumstances, and where the Individual successfully demonstrates that the Personal Information we hold is incomplete or inaccurate, CIC will amend the information as required.
Access requests to CIC should be directed to the Privacy Officer listed below.
12. HOW DOES CIC AUTHENTICATE AN INDIVIDUAL’S IDENTITY?
Where CIC receives an access request or an update request from an Individual under the limited circumstances noted above, CIC may request that the Individual provide sufficient identification prior to providing such access. Any such identification information shall be used only for the purpose of authenticating the identity of the Individual. CIC uses a “favourites question”, selected by the client, and only known by the client, which is the primary authenticator of client identity.
CIC reserves the right to deny an access request or an update request where an Individual is unwilling or unable to authenticate his or her identity.
13. CONTACT CIC REGARDING OUR PRIVACY POLICIES AND PRACTICES.
Any inquiries or complaints regarding CIC’s privacy policies and practices should be forwarded to CIC’s Privacy Officer as follows:
Attn: Privacy Officer
Corso Innovations Corporation
83 Elma Place