Privacy Policy

The CEPM Privacy Policy reflects the requirements of the Personal Information Protection and  Electronic  Documents  Act  and  incorporates  the  ten  principles  of  the  Canadian Standards Association (CSA) Model Code for the Protection of Personal Information (CAN/CSA-Q830-96), which was published in March 1996 as a National Standard of Canada.

 

Introduction

Central Erin Property Management (CEPM) and its affiliated group of companies provide a full range of services including the management of real estate of multi-residential, condominium, commercial and industrial properties throughout Ontario.

CEPM has long been committed to maintaining the accuracy, confidentiality, security and privacy of customer and employee personal information. This is reflected in existing privacy and confidentiality provisions found in various CEPM policies, agreements and in applicable service rules developed and implemented over the years. It is also reflected in the high regard and trust with which customers and employees view the management of personal information by CEPM.

In March 1996, the new Canadian Standards Association Model Code for the Protection of Personal Information, CAN/CSA-Q830-96 (the “CSA Code”), was published as a National Standard of Canada. In March 2014, CEPM revised the organizations Privacy Policy to describe in detail how we subscribe to the principles of the CSA Code and the requirements of the Personal Information Protection and Electronic Documents Act, which came into force in 2001.

CEPM’s Privacy Policy is a formal statement of principles and guidelines concerning the minimum requirements for the protection of personal information provided by CEPM to our customers and employees. The objective of the Privacy Policy is responsible and transparent practices in the management of personal information, in accordance with all levels of legislation.

CEPM will continue to review the Privacy Policy and privacy-related information made publicly available to make sure it is relevant and remains current with changing technologies and laws and the evolving needs of CEPM, our customers and employees. This version of the Privacy Policy was updated in January 2017.

 

Scope and Application

The 10 principles that form the basis of CEPM’s Privacy Policy are interrelated and CEPM shall adhere to the 10 principles as a whole. Each principle must be read in conjunction with the accompanying commentary. As permitted by the CSA Code, the commentary in the Privacy Policy has been tailored to reflect personal information issues specific to CEPM.

The scope and application of the Privacy Policy are as follows:

  • CEPM’s Privacy Policy applies to the various CEPM companies offering Real estate management and ancillary services.

  • CEPM’s Privacy Policy applies to personal information about customers and employees of CEPM that is collected, used or disclosed by these companies.
  • CEPM’s Privacy Policy applies to the management of personal information in any form whether oral, electronic or written.

  •  CEPM’s Privacy Policy does not impose any limits on the collection, use or disclosure of the following information by CEPM:

a) information that is publicly available, such as a customer’s name, address and telephone number when listed in a directory or made available through directory assistance;

 b) name, title or business address or telephone number of an employee of an organization; or

c) other information about a customer or an employee that is publicly available and is set out in Regulations made pursuant to the Personal Information Protection and Electronic Documents Act.

 

  • CEPM’s Privacy Policy does not apply to customers that are not individuals, such as corporate customers; however, information collected from such customers is protected by other CEPM policies and practices and by applicable contractual terms, including CEPM’s standard Confidentiality Agreement.

 

  • The application of CEPM’s Privacy Policy is subject to the requirements or provisions of the Personal Information Protection and Electronic Documents Act, the Regulations made there under, and any other applicable legislation,  regulations, tariffs or agreements (such as collective agreements), or the order of any court or other lawful request.

 

Definitions

Collection - the act of gathering, acquiring, recording or obtaining personal information from any source, including third parties, by any means.

Consent - voluntary agreement with the collection, use and disclosure of personal information for defined purposes. Consent can be either express or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing but is always unequivocal and does not require any inference on the part of CEPM. Implied consent is consent that can reasonably be inferred from an individual’s action or inaction.

 Customer - an individual who

  • uses, or applies to use, the products or services of CEPM;
  • corresponds with CEPM; or
  • rent’s and/or visits a property managed and/or owned by CEPM.

Disclosure - making personal information available to a third party.

Employee - an employee CEPM.

Personal information - information about an identifiable individual but not aggregated information that cannot be associated with a specific individual.

o For a customer, such information includes a customer's credit information, billing records, service records, and any recorded complaints.

o For an employee, such information includes information found in personal employment files, performance appraisals and medical and benefits information.

Third party - an individual other than the customer or his agent, or an organization other than CEPM or their agents.

Use - the treatment, handling, and management of personal information by CEPM and their agents.

 

Principle 1 - Accountability

CEPM is responsible for personal information under their control and shall designate one or more persons who are accountable for the companies’ compliance with the following principles.

 1.1       Responsibility for ensuring compliance with the provisions of the Privacy Policy rests with the senior management of CEPM, which shall designate one or more persons to be accountable for compliance with the Privacy Policy. Other individuals within CEPM may be delegated to act on behalf of the designated person(s) or to take responsibility for the day-to-day collection and processing of personal information.

1.2       CEPM shall make known, upon request, the title of the person or persons designated to oversee the companies’ compliance with the Privacy Policy.

            CEPM has designated the Privacy Manager to oversee compliance with the Privacy Policy. The Privacy Manager can be contacted at:

Central Erin Property Management

151 Randall Stree, Oakville, ON, L6J 1P5

privacy@centralerin.com

1.3       CEPM are responsible for personal information in their possession or control, including information that has been transferred to a third party for processing. CEPM shall use appropriate means to provide a comparable level of protection while information is being processed by a third party (see Principle 7).

1.4       CEPM has implemented policies and procedures to give effect to the Privacy Policy, including:

a.    implementing procedures to protect personal information and to oversee the company’s compliance with the Privacy Policy;

b.    establishing procedures to receive and respond to inquiries or complaints;

c.    training and communicating to staff about the company’s policies and practices; and

d.    developing public information to explain the company’s policies and practices.

 

Principle 2 - Identifying Purposes for Collection of Personal Information

CEPM shall identify the purposes for which personal information is collected at or before the time the information is collected.

2.1       CEPM collect’s personal information only for the following purposes:

a)    to establish and maintain responsible relations with customers and to provide ongoing service;

b) to understand customer needs and preferences

c) to manage and develop their business and operations, including personnel and employment matters; and

d) to meet legal and regulatory requirements.

Further references to “identified purposes” mean the purposes identified in this

2.2       CEPM shall specify orally, electronically or in writing the identified purposes to the customer or employee at or before the time personal information is collected. Upon request, persons collecting personal information shall explain these identified purposes or refer the individual to a designated person within CEPM who shall explain the purposes.

2.3       Unless required by law, CEPM shall not use or disclose, for any new purpose, personal information that has been collected without first identifying and documenting the new purpose and obtaining the consent of the customer or employee.

 

Principle 3 - Obtaining Consent for Collection, Use or Disclosure of Personal Information

The knowledge and consent of a customer or employee are required for the collection, use or disclosure of personal information, except where inappropriate.

3.1       In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual. For example, CEPM may collect or use personal information without knowledge or consent if it is clearly in the interests of the individual and consent cannot be obtained in a timely way, such as when the individual is a minor, seriously ill or mentally incapacitated.

CEPM may also collect, use or disclose personal information without knowledge or consent if seeking the consent of the individual might defeat the purpose of collecting the information such as in the investigation of a breach of an agreement or a contravention of a federal or provincial law.

CEPM may also use or disclose personal information without knowledge or consent in the case of an emergency where the life, health or security of an individual is threatened.

CEPM may disclose personal information without knowledge or consent to a lawyer representing the companies, to collect a debt, to comply with a subpoena, warrant or other court order, or as may be otherwise required by law.

3.2       In obtaining consent, CEPM shall use reasonable efforts to ensure that a customer or employee is advised of the identified purposes for which personal information will be used or disclosed. Purposes shall be stated in a manner that can be reasonably understood by the customer or employee.

3.3       Generally, CEPM shall seek consent to use and disclose personal information at the same time it collects the information. However, CEPM may seek consent to use and disclose personal information after it has been collected but before it is used or disclosed for a new purpose.

3.4       CEPM will require customers to consent to the collection, use or disclosure of personal information as a condition of the supply of a product or service only if such collection, use or disclosure is required to fulfill the identified purposes.

3.5       In determining the appropriate form of consent, CEPM shall take into account the sensitivity of the personal information and the reasonable expectations of its customers and employees.

3.6       In general, the use of products and services by a customer, or the acceptance of employment or benefits by an employee, constitutes implied consent for CEPM to collect, use and disclose personal information for all identified purposes.

 

3.7       A customer or employee may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Customers and employees may contact CEPM for more information regarding the implications of withdrawing consent.

 

Principle 4 - Limiting Collection of Personal Information

CEPM shall limit the collection of personal information to that which is necessary for the purposes identified by the company. CEPM shall collect personal information by fair and lawful means.

4.1       CEPM collect personal information primarily from their customers or employees.

4.2      CEPM may also collect personal information from other sources including credit bureaus, employers or personal references, or other third parties that represent that they have the right to disclose the information.

 

Principle 5 - Limiting Use, Disclosure and Retention of Personal Information

CEPM shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. CEPM shall retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.

5.1       In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual. (see Principle 3.1)

5.2       In addition, the CEPM companies may disclose a customer’s personal information to:

a.  an agent retained by CEPM to evaluate the customer’s creditworthiness

b.   or to collect a customer's account;

c.    credit grantors and reporting agencies;

d.  a person who, in the reasonable judgment of CEPM, is seeking the information as an agent of the customer; and

e.  a third party or parties, where the customer consents to such disclosure or disclosure is required by law.

 

5.3 CEPM may disclose personal information about its employees:

a.    for normal personnel and benefits administration;

b.   in the context of providing references regarding current or former employees in response to requests from prospective employers; or

c.    where disclosure is required by law.

5.4     Only those employees of CEPM who require access for business reasons, or whose duties reasonably so require, are granted access to personal information about customers and employees.

5.5     CEPM shall keep personal information only as long as it remains necessary or relevant for the identified purposes or as required by law. Depending on the circumstances, where personal information has been used to make a decision about a customer or employee, CEPM shall retain, for a period of time that is reasonably sufficient to allow for access by the customer or employee either the actual information or the rationale for making the decision.

5.6     CEPM shall maintain reasonable and systematic controls, schedules and practices for information and records retention and destruction which apply to personal information that is no longer necessary or relevant for the identified purposes or required by law to be retained. Such information shall be destroyed, erased or made anonymous.

 

Principle 6 - Accuracy of Personal Information

Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

6.1       Personal information used by CEPM shall be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about a customer or employee.

6.2       CEPM shall update personal information about customers and employees as and when necessary to fulfill the identified purposes or upon notification by the individual.

 

Principle 7 - Security Safeguards

CEPM shall protect personal information by security safeguards appropriate to the sensitivity of the information.

7.1       CEPM shall protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, through appropriate security measures. CEPM shall protect the information regardless of the format in which it is held.

 

7.2       CEPM shall protect personal information disclosed to third parties by contractual agreements stipulating the confidentiality of the information, the purposes for which it is to be used, limits on the number of persons whose job function requires access to the information, and the physical and procedural security measures required to safeguard that information.

7.3       All employees of CEPM with access to personal information shall be required as a condition of employment to respect the confidentiality of personal information.

 

Principle 8 - Openness Concerning Policies and Practices

CEPM shall make readily available to customers and employees specific information about its policies and practices relating to the management of personal information.

8.1       CEPM shall make information about its policies and practices easy to understand, including:

a)    the title and address of the person or persons accountable for the companies’ compliance with the Privacy Policy (see Principle 1.2) and to whom inquiries or complaints can be forwarded (see "How to Contact Us" below);

b)    the means of gaining access to personal information held by the companies (see principle 9); and

c)   a description of the type of personal information held by the companies, including a general account of its use.

8.2       CEPM shall make available information to help customers and employees exercise choices regarding the use of their personal information and the privacy-enhancing services available from the company.

 

Principle 9 - Customer and Employee Access to Personal Information

CEPM shall inform a customer or employee of the existence, use and disclosure of his or her personal information upon request and shall give the individual access to that information. A customer or employee shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

9.1       Upon request, CEPM shall afford to a customer or an employee a reasonable opportunity to review the personal information in the individual’s file. Personal information shall be provided in understandable form within a reasonable time and at minimal or no cost to the individual.

9.2       In certain situations, CEPM may not be able to provide access to all of the personal information that they hold about a customer or employee. For example, CEPM may not provide access to information if doing so would likely reveal personal information about a third party or could reasonably be expected to threaten the life or security of another individual. Also, CEPM may not provide access to information if disclosure would reveal confidential commercial information, if the information is protected by solicitor- client privilege, if the information was generated in the course of a formal dispute resolution process, or if the information was collected in of a breach of an agreement or a contravention law. If access to personal information cannot be relation to the investigation of a federal or provincial provided, CEPM shall provide the reasons for denying access upon request.

9.3       Upon request, CEPM shall provide an account of the use and disclosure of personal information and, where reasonably possible, shall state the source of the information. In providing an account of disclosure, the Bell companies shall provide a list of organizations to which it may have disclosed personal information about the individual when it is not possible to provide an actual list.

9.4       In order to safeguard personal information, a customer or employee may be required to provide sufficient identification information to permit CEPM to account for the existence, use and disclosure of personal information and to authorize access to the individual’s file. Any such information shall be used only for this purpose.

9.5       CEPM shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file. Where appropriate, CEPM shall transmit to third parties having access to the personal information in question any amended information or the existence of any unresolved differences.

9.6       A customer can obtain information or seek access to his or her individual file by contacting the Privacy Manager at CEPM head office.

9.7       An employee can obtain information or seek access to his or her individual file by            contacting his or her immediate supervisor.

 

Principle 10 - Challenging Compliance

A customer or employee shall be able to address a challenge concerning compliance with the above principles to the designated person or persons accountable for the compliance of CEPM with the Privacy Policy.

10.1    CEPM shall maintain procedures for addressing and responding to all inquiries or complaints from its customers and employees about the companies’ handling of personal information.

10.2    CEPM shall inform their customers and employees about the existence of these procedures as well as the availability of complaint procedures (see "How to Contact Us" below).

 

10.3    The person or persons accountable for compliance with the Privacy Policy may seek external advice where appropriate before providing a final response to individual complaints.

10.4    CEPM shall investigate all complaints concerning compliance with the Privacy Policy. If a complaint is found to be justified, the company shall take appropriate measures to resolve the complaint including, if necessary, amending its policies and procedures. A customer or employee shall be informed of the outcome of the investigation regarding his or her complaint.

 

Questions or concerns about your privacy?

For more information on CEPM’s commitment to privacy, contact the Privacy Manager at privacy@centralerin.com, or visit our privacy pages at www.centralerin.com/privacy.

If CEPM’s Privacy Manager does not resolve the issue to your satisfaction, you can contact:

The Office of the Privacy Commissioner of Canada

112 Kent Street, Place de Ville

Tower B, 3rd Floor

Ottawa, Ontario K1A 1H3

1-800-282-1376

www.priv.gc.ca

 

For copies of the CSA Model Code for the Protection of Personal Information contact:

Canadian Standards Association

5060 Spectrum Way, Suite 100

Mississauga, Ontario L4W 5N6

www.csa.ca