We are committed to protecting privacy. This policy establishes the rules under which we collect, use and disclose personal information from individuals and employees in the course of conducting business.
This policy applies to all personal information in our possession or custody, including information that has been transferred to a third party for processing.
Article 1 — Accountability
1. We are responsible for the personal information under our possession or custody.
1. The Privacy Officer may assign the function of Information Custodian to one or more individuals within the organization to ensure that collections, accesses, disclosures and disposals of personal information are conducted in compliance with established policies and procedures.
2. The Privacy Officer may assign to a Compliance Architect some or all activities related to establishing and maintaining the organization's privacy framework.
3. We use legal agreements to provide a comparable level of protection for personal information while an authorized third party processes the information.
4. We comply with the privacy requirements inherent in third party sources of personal information.
Article 2 — Purpose
1. We provide individuals with information that explains the purposes for which we collect their personal information, at or before the time of collection.
2. We invest reasonable efforts to ensure that individuals understand the purposes for the collection, access, use, disclosure, or disposal of their personal information.
3. The only situation in which we do not inform an individual of the purpose of disclosing his or her personal information is when it is required by law that they not be informed.
4. We document the purposes for collection, access, use, disclosure, or disposal of personal information.
Article 3 — Consent
1. We obtain express consent from individuals for the collection, access, use, disclosure, or disposal of their personal information for the specified purposes.
· Exceptions to this rule must be authorized by the Privacy Officer.
2. We consider we have obtained consent from an individual only when the individual has voluntarily disclosed his or her personal information to us for the stated purpose.
· In the case of an individual of age less than 18, consent is obtained only from one of the individual's parents or legal guardians on the individual's behalf.
3. We collect or access personal information from third party sources only when the individuals whom the information is about have given their consent to that third party for the disclosure to us, or when the individual's consent was not required by statute.
4. An individual may withdraw his or her consent at any time.
· We take appropriate actions within a reasonable time to comply with an individual's decision to withdraw.
· We inform the individual of the implications of such withdrawal.
Article 4 — Limiting Collection
1. We limit the collection of personal information to the amount and type that is necessary for the identified purposes.
2. We collect personal information only by fair and lawful means.
Article 5 — Limiting Use, Disclosure and Retention
1. We use and disclose personal information only to fulfill the purposes for which the information has been collected or to comply with the law.
2. We retain the personal information only as long as necessary for the fulfillment of the identified purposes.
3. We retain personal information that has been used to make a decision about an individual long enough to allow the individual access to the information after the decision has been made.
Article 6 — Accuracy
1. We seek to collect personal information that is as accurate and complete as necessary for the purposes for which this information is to be used, taking into account the interests of the individual.
2. We update the personal information as necessary for the stated purposes.
3. We correct personal information as requested in writing by an individual when it is appropriate or necessary for the stated purposes.
· In cases when requested corrections are not appropriate or necessary for the stated purposes, we annotate the personal information in question with the requested corrections.
Article 7 — Safeguards
1. We protect the personal information with safeguards that are commensurate with the sensitivity of the personal information, regardless of the format in which it is held.
2. Our employees pledge, in writing, to protect the confidentiality of the personal information they collect or access.
· We provide our employees with the required training and resources to meet their confidentiality responsibilities.
3. We demonstrate our compliance with safeguard requirements through regular self-assessments and security reviews.
· We conduct quarterly security reviews to assess how our security procedures and practices are aligned with our security policy.
Article 8 — Openness
1. We make available to individuals information about our privacy policies, procedures and practices relating to the management of personal information.
· We establish a privacy group that oversees the adoption and enforcement of privacy policies, procedures and practices throughout the organization.
· We undertake periodic assessments of our privacy policies, procedures, and practices.
- The Privacy Officer commissions an independent third party to perform annual privacy reviews to assess our compliance with privacy legislation and industry best practices.
2. We respond to an individual's written request for such information within 30 days of the receipt of the said request.
· When we cannot deliver the requested information, we provide an explanation to the individual, also within 30 days.
Article 9 — Individual Access
1. Upon request, we give an individual access to his or her personal information; we also give the individual an account of the use and disclosure of his or her information.
2. We charge the individual a fee for responding to a request for information. We inform the individual about the fee before responding, and only proceed with responding to the request once advised by the individual to do so.
3. We respond to an individual's written request for access to information within 30 days of receiving the payment in full of the fee associated with the said request.
· If the requested information cannot be delivered within the allocated time, we will provide an explanation to the individual.
Article 10 — Challenging Compliance
2. We take appropriate measures to resolve challenges that have been received in writing.
3. We respond to an individual's written challenge within 30 days of the receipt of the said challenge.
· If a response cannot be delivered within the allocated time, we will provide an explanation to the individual.
If you have any questions about our policy, please contact the Privacy Officer at firstname.lastname@example.org.
© 2017 Toronto Institute of Pharmaceutical Technology.