PIPEDA POLICIES AND PROCEDURES
In accordance with PIPEDA (the “Act”), all organizations must follow a code for the protection of
personal information, which is included in the Act as Schedule 1. The code was developed by
businesses, consumers, academics and government under the auspices of the Canadian
- All employees and contractors must know, understand and confirm their knowledge of the Act.
- BestLifeRewarded Innovations (BLRi) has an appointed individual to be responsible for BestLifeRewarded Innovations’ compliance (the “Privacy Officer”).
- The Privacy Officer shall have senior management support and the authority to intervene on privacy issues related to any of BestLifeRewarded Innovations’ operations.
- All employees and contractors will be aware of BestLifeRewarded Innovations’ Privacy Officer.
- All BLRi employees and contractors that have access to Member Personal Information will acknowledge BLRi’s PIPEDA SOP annually.
- A record of all personal information handling practices, including ongoing activities and new initiatives, is maintained using the following checklist:
- What personal information do we collect and is it sensitive?
- Why do we collect it?
- How do we collect it?
- What do we use it for?
- Where do we keep it?
- How is it secured?
- Who has access to or uses it?
- To whom is it disclosed?
- When is it disposed of?
- Annual review of privacy management program and employee and contractor confirmation.
- Information Security and Privacy is about protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
- integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
- confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
- availability, which means ensuring timely and reliable access to and use of information.
BestLifeRewarded Innovations Data Retention Policy:
BLRi will record and retain, for a minimum of two (2) years after the expiration or termination of the member account: the member information; the notice provided to members; and the written, electronic or verbal consent obtained from members regarding the collection, use, disclosure and retention of their Personal Information;
- Collect, use, disclose and retain Personal Information only for the purposes for which consent has been obtained;
- Destroy or erase all Personally Identifiable Information that is no longer required to be retained for the purpose of performing the Services at the request of the member or client, in a manner that prevents unauthorized access to the information;
- Establish commercially reasonable controls to ensure the confidentiality of Personal Information and to ensure that Personal Information is not disclosed:
- All data transfers occur over encrypted network connections so that confidentiality is maintained in transit. Data exports are also encrypted and password protected so that copies stored on backup systems remain confidential.
- Data in transit is protected with HTTPS (TLS, using a certificate issued by a trusted certificate authority).
- A limited number of employees or contractors will have access to the Member Personal Information “Key”, each with a clearly defined rationale as to why they require access.
- Physical safeguards and other security measures that are designed to keep Member Personal Information safe, including:
• 24/7 uniformed security, CCTV, door entry-card access, front door “mantrap” for controlled entry.
• 25 diverse fibre entry points
• 2 incoming 13.8kV feeds (one active and one is fully redundant).
• 25 diesel generators for backup power
• Cooling supplied by Enwave, using Toronto’s deep lake water cooling system.
• 4 diesel fuel storage tanks holding 44,000 gallons of fuel.
Implementation of an Offsite Data Backup Solution with Encryption and ‘Versioning’
• An offsite data backup solution is imperative for organizations that handle critical data. A backup solution that includes ‘versioning’ retains data ‘snapshots’ (i.e. the set of files at defined points in time, e.g. the end of each day), so that an earlier copy can be restored if the current data is lost, corrupted or encrypted by an attacker. The technologies used for backup are rsync and SSH: rsync produces fast incremental copies by transferring only the blocks that changed since the previous snapshot, giving identical copies of the data quickly and efficiently, and SSH encrypts and authenticates the transfer to the offsite host.
• BLRi does not store Member Personal Information on any portable computer devices or media including, without limitation, laptop computers, removable hard disks, USB drives, mobile phones, and the like unless the Member Personal Information is encrypted.
• BLRi agrees to assist the Member in fulfilling Individuals’ rights of access, amendment, accounting and deletion of their Personal Information.
BLRi will not disclose Personal Information to third parties, other than disclosures made on a need to know basis as required to perform the Services to BLRi authorized employees, agents and subcontractors, unless: (a) BLRi has received prior written authorization from the Member (or client); or (b) such disclosure is required by law, in which case BLRi shall immediately notify the client in writing of any subpoena or other court or administrative order or proceeding or other request seeking access to or disclosure of Personal Information; provided, further,
• BLRi shall use its best efforts to limit the nature and scope of the required disclosure and will only disclose the minimum amount of Personal Information necessary to comply with law;
BLRi will not disclose Member Personal Information to the client unless BLRi has received prior written authorization from the Member (or through the client consent process, respecting PIPEDA);
• BLRi will grant clients the right to audit BLRi’s business processes and practices that involve the collection, use, disclosure or retention of Personal Information in relation to the Services rendered under this Agreement. BLRi shall fully cooperate with any such audit. In the event that any such audit reveals material gaps or weaknesses in BLRi’s security program, BLRi will work to resolve the issues in accordance with PIPEDA;
• BLRi will provide to the client or Member, and as otherwise required by law, oral notice within 24 hours of discovery followed by prompt written notice of all real or suspected security incidents that involve, or which BLRi reasonably believes involve, the unauthorized access, use or disclosure of Personal Information; provided, further, such notice shall summarize in reasonable detail the impact on the client or Member of the breach or unauthorized use or disclosure of, or access to, Personal Information and the corrective action taken or to be taken by BLRi.
Upon Member termination or revocation of access, BLRi will de-identify the Member’s Personal Information. Specifically, within 24 hours of a Member revoking access and requesting termination of their BestLifeRewarded portal account, the following process will occur:
- Member’s first name, last name and email address will be overwritten with random alphabetic and numeric characters so that the Member is no longer identifiable
- There will NOT be a code ‘key’ to re-activate a member once they have been ‘revoked’ or terminated
- Member status will be changed to ‘inactive’
Data is wiped from the hard drive and backup systems using a permanent (secure) erase program.
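The de-identification step above, as an added example that is not BLRi’s code: it assumes a member record with member_id, first_name, last_name, email and status fields (the page gives no schema) and shows why the replacement values must be independent of the originals. Merely inserting characters into the original strings leaves the name and address recoverable by a substring search, so the example overwrites each field with a fresh random token from the OS CSPRNG and stores no seed or key, which is what makes the “no key to re-activate” property hold. A check function verifies a processed record: same id, status inactive, and no original identifier surviving (case-insensitively). The “.invalid” domain used for the replacement address is an assumption made here so that the address can never be delivered.

```python
"""De-identification of a terminated member record (added example, not BLRi code).

The Member dataclass and its field names are assumptions; the page does not
give a schema.
"""
import secrets
import string
from dataclasses import dataclass, replace
from typing import List

ALPHANUM = string.ascii_letters + string.digits


@dataclass(frozen=True)
class Member:
    member_id: int          # kept so the inactive row retains its primary key
    first_name: str
    last_name: str
    email: str
    status: str = "active"


def random_token(length: int = 16) -> str:
    """Token drawn from the OS CSPRNG, independent of the original value.

    Nothing here is derived from the member's data and no seed or key is
    stored, so there is no "key" that could re-identify or re-activate them.
    """
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))


def deidentify(member: Member) -> Member:
    """Overwrite every identifying field and mark the member inactive."""
    return replace(
        member,
        first_name=random_token(),
        last_name=random_token(),
        # ".invalid" is a reserved TLD (assumption made here), so the
        # replacement address is undeliverable by construction.
        email=f"{random_token()}@{random_token(8)}.invalid",
        status="inactive",
    )


def weak_deidentify(member: Member) -> Member:
    """Insert random characters around the original values: what NOT to do.

    The original name and address survive inside the new strings, so a
    substring search or stripping the padding recovers them.
    """
    return replace(
        member,
        first_name=random_token(4) + member.first_name,
        last_name=member.last_name + random_token(4),
        email=member.email.replace("@", random_token(4) + "@"),
        status="inactive",
    )


def identifiers(member: Member) -> List[str]:
    """Values that must not survive: names, the address and its local part."""
    local_part = member.email.split("@", 1)[0]
    return [member.first_name, member.last_name, member.email, local_part]


def is_deidentified(original: Member, candidate: Member) -> bool:
    """Check a processed record: same id, inactive, no original identifier left.

    Comparison is case-insensitive so that 'JANET' hiding inside a token is
    still caught.
    """
    if candidate.status != "inactive" or candidate.member_id != original.member_id:
        return False
    haystack = " ".join(
        (candidate.first_name, candidate.last_name, candidate.email)
    ).casefold()
    return not any(v.casefold() in haystack for v in identifiers(original) if v)


if __name__ == "__main__":
    # Constructed sample record, not real member data.
    m = Member(42, "Janet", "Smith", "janet.smith@example.com")
    good = deidentify(m)
    bad = weak_deidentify(m)
    print("overwrite:", good, is_deidentified(m, good))
    print("insert   :", bad, is_deidentified(m, bad))
```

Run the check against the backup copies as well as the live database: a snapshot taken before the member revoked access still holds the original values, which is why the page pairs de-identification with wiping the backup systems.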