ACCOUNTABILITY
An organization is responsible for personal information under its control and shall
designate an individual or individuals who are accountable for the organization's
compliance with the following principles.
1. We have analyzed all personal information handling practices including ongoing
activities and new initiatives as follows:
- What personal information we collect
- Why we collect it
- How we collect it
- What we use it for
- Where we keep it
- How we secure it
- Who has access to it
- Who uses it
- Who we disclose information to
- When it is disposed of
2. We have developed and implemented policies and procedures to protect personal
information as follows:
- Define the purposes of its collection
- Obtain consent
- Limit its collection, use and disclosure
- Ensure information is correct, complete and up to date
- Ensure adequate security measures
- Develop retention and destruction periods
- Process requests to access information
- Respond to inquiries and complaints
3. ESRS has appointed a Privacy Officer responsible for the organization's compliance
with the Privacy Principles as follows:
Wendy Fralick
AVP Quality & Education / Privacy Officer
50 Burnhamthorpe Rd. W., Suite 1102
Mississauga, ON L5B 3C2
Telephone (905) 896-8181 Ext. 8406
Toll Free 1-800-214-4111
Fax (905)896-9269
E-mail: wfralick@cl-na.com
We have made our employees and outside inquirers aware of the identity of the Privacy
Officer.
4. ESRS has trained all existing employees and will train all new employees to ensure
they understand and abide by the Privacy Principles.
IDENTIFYING PURPOSES
The purpose for which personal information is collected shall be identified by the
organization at or before the time the information is collected.
ESRS provides general contracting services for events impacting our air, land and water
resources. We offer comprehensive, professional environmental services to our clients, for
any type of event that has environmental implications. ESRS will investigate nationwide
incidents that can potentially affect the environment, make scientifically, legally and
economically sound recommendations, and manage all aspects of risk communication,
cleanup, remediation and disposal of environmental hazards.
We are experienced in a number of environmental scenarios including Mould Remediation,
Petroleum Remediation, Emergency Spill Response, Chemical Remediation, Habitat
Restoration, Fisheries Management and Loss Prevention.
1. At the time of the initial contact with the individual, we will obtain written consent forms
that clearly identify the purpose for which their personal information is being collected.
Subsequent consent will be obtained should the purpose change from the time of initial
consent.
2. All files will be clearly documented, confirming the purpose of collection of the personal
information.
3. Where ESRS is providing personal information to a third party, the identified purposes
are communicated and the confirmation is documented in our file.
4. We have identified our customers and have made ESRS's business purposes known to them.
5. A training program has been established to ensure employees can explain the purpose
for which information is collected.
CONSENT
The knowledge and informed consent of the individual are required for the
collection, use, or disclosure of personal information, except where exempted by law.
1. ESRS will seek consent for the collection, use or disclosure of personal information
before the time of collection or at the time of collection.
2. ESRS will ensure that the individual is advised of the purpose for which the information
will be collected, used and disclosed. The purpose will be clear so that the individual
can reasonably understand how the information will be used or disclosed.
3. Express written consent will be obtained from individuals with regard to the collection,
use and disclosure of their personal information.
4. Further consent will be obtained if the purpose for collecting, using or disclosing
personal information changes.
5. Compliance with the consent process shall be reviewed regularly through an ongoing audit
process by the ESRS Management team.
6. An organization may collect personal information without the knowledge or consent of
the individual only if:
a) Consent is clearly in the interest of the individual and consent cannot be obtained
in a timely way
b) It is reasonable to expect that the collection with knowledge or consent would
compromise the availability or the accuracy of the information, and the collection
is reasonable for the purposes related to investigating a breach of an agreement,
or a contravention of the laws of Canada or a province
c) The information is publicly available and is specified by the regulations
7. An organization may, without knowledge or consent of the individual, use personal
information only if:
a) The organization becomes aware of information that it has reasonable grounds
to believe could be useful in the investigation of a contravention of the laws of
Canada, a province or a foreign jurisdiction that has been made, is being or is
about to be committed, and the information is used for the purpose of
investigating that contravention
b) If it is used for the purpose of acting in respect of an emergency that threatens
the life, health or security of an individual
c) It is publicly available and is specified by the regulations
d) Consent is clearly in the interest of the individual and consent cannot be
obtained in a timely way
e) It is reasonable to expect that the collection with the knowledge or consent of
the individual would compromise the availability or the accuracy of the
information and the collection is reasonable for the purposes related to
investigating a breach of an agreement or a contravention of the laws of
Canada or a province
8. An organization may disclose personal information without knowledge and consent of
the individual only if the disclosure is:
a) Made to, in the Province of Quebec, an advocate or notary, or in any other
province, a barrister or solicitor who is representing the organization
b) For the purpose of collecting a debt owed by the individual to the organization
c) Required to comply with a subpoena or warrant issued, or an order made by a
court, person or body with jurisdiction to compel the production of information,
or to comply with rules of court relating to the production of records made to a
government institution or part of a government institution that has made a
request for the information, identified its lawful authority to obtain information
and indicated that (i) it suspects that the information relates to national security,
the defense of Canada or the conduct of international affairs, (ii) the disclosure
is requested for the purpose of enforcing any law of Canada, a province or a
foreign jurisdiction, carrying out an investigation relating to the enforcement of
any such law or gathering intelligence for the purpose of enforcing any such
law, or (iii) the disclosure is requested for the purpose of administering any law
of Canada or a province
d) Made on the initiative of the organization to an investigative body, a
government institution or a part of a government institution and the organization
(i) has reasonable grounds to believe could be useful in the investigation of a
contravention of the laws of Canada, a province or a foreign jurisdiction that
has been made, is being or is about to be committed, or (ii) it suspects that the
information relates to national security, the defense of Canada or the conduct
of international affairs
e) Made to a person who needs the information because of an emergency that
threatens the life, health, security of an individual and, if the individual whom
the information is about is alive, the organization informs that individual in
writing without delay of the disclosure
f) Information that is publicly available and is specified by the regulations
g) Made by an investigating body and the disclosure is reasonable for purposes
related to investigating a breach of an agreement or a contravention of the laws
of Canada, or a province; or required by law
LIMITING COLLECTION
The collection of personal information shall be limited to that which is necessary for
the purposes identified by the organization. Information shall be collected by fair and
lawful means.
1. ESRS limits the type and the amount of information collected to only that which is
necessary for the identified purposes.
2. The collection of personal information shall be conducted in a fair and lawful way and
will not deceive or mislead individuals. We will ensure compliance by conducting
random audits of files.
LIMITING USE, DISCLOSURE AND RETENTION
Personal information shall not be used or disclosed for purposes other than those
for which it was collected, except with the consent of the individual or as required by
law. Personal information shall be retained only as long as necessary for the fulfillment
of those purposes.
1. When ESRS uses personal information for a new purpose that was not originally
identified, it shall identify and disclose the new purpose to the individual in the same
manner as the original consent was obtained.
2. Personal information that is in the possession of ESRS employees will be accessed only
by those employees who need it to fulfill their employment responsibilities.
3. Personal information will not be released to third parties without the knowledge and
consent of the individual. ESRS employees should (i) request the reason the third party
needs the information, (ii) determine whether ESRS already has consent for the purpose
indicated, and (iii) determine whether new consent must be obtained. Before personal
information is released, the authority of the employee's Branch Manager must be obtained.
ESRS employees should also consult their Principals and obtain their instructions.
4. Requests for release of personal information will be documented in either the paper file
or the electronic file.
5. If it is decided to release personal information to a third party, the paper or electronic file
notes will be documented, as will any decision to withhold personal information.
6. The third party may challenge ESRS's decision to withhold personal information by
submitting a request in writing. The letter should state the reason the information is
required and what information is required. Following receipt of the letter, it will be
presented to the next level of authority. A final decision will be made and a response
provided in writing to the third party. ESRS employees should also consult their
Principals and obtain their instructions.
7. If production of personal information is compelled by a subpoena, search warrant or a
similar court or government order, the personal information will not be made available
without the authority of the Operations Vice President, as well as the Privacy Officer.
8. There can be no destruction of paper files that preceded implementation of the Link
system. Electronic files contain all file notes, reports and all file documents. If there is a
fully completed electronic file it will not be necessary to keep paper files longer than six
months following file closure. The electronic file will be made anonymous after six
months following closure by the IT Department.
9. If ESRS has personal information about an individual that is the subject of a privacy
request, ESRS shall retain the information as long as necessary to allow the individual
to exhaust any recourse.
10. ESRS file handlers shall be responsible for marking the 6-month destroy date on the
front cover of the paper file at the time of closing the file. A document that lists files by
monthly destroy dates shall be kept by each branch office of ESRS. Once a month, files
noted on that list shall be destroyed by shredding so that the personal information is not
recoverable by any source.
11. Day to day paper documents containing personal information will not be disposed of in
trash cans without first destroying the personal information to ensure the personal
information is not legible or retrievable by any other party.
12. An Operations Manager will establish guidelines to ensure that personal information has
been destroyed in accordance with the above rules and if requested by the Privacy
Officer will provide the details of those guidelines.
ACCURACY
Personal information shall be as accurate, complete and up-to-date as is necessary
for the purposes for which it is to be used.
1. Information that is collected by an ESRS file handler or employee, regardless of format
(electronic, telephone, fax or any other format) will be collected in a cautious manner to
ensure accuracy and completeness so the information can be relied upon for the
purpose for which it will be used.
2. When information is collected, it is recorded accurately and completely in either a
paper or an electronic file.
3. If it is determined from any source that the personal information collected is inaccurate
or incomplete, the paper or electronic file must be immediately updated.
4. The employee responsible for collecting, using and disclosing the personal information
will also be responsible for ensuring the accuracy of personal information that has
already been disclosed to any third party, and if necessary will advise third parties of
any revisions or updates to the personal information so that third parties may also rely
on the accuracy of the information. Third parties must be advised within 30 days after
the new information becomes available.
SECURITY SAFEGUARDS
Personal information shall be protected by security safeguards appropriate to the
sensitivity of the information.
1. ESRS will protect personal information against loss or theft, and unauthorized access,
disclosure, copying, use or modification.
2. We will protect personal information contained in any paper file, electronic file or any
other format.
3. ESRS present and future employees will receive training on the importance of
maintaining confidentiality of personal information whether the format is written, verbal
or electronic.
4. ESRS employees will not access either a paper file or an electronic file or retrieve
communications or data that is not normally accessible to that employee as part of their
job duties. An unauthorized employee is strictly prohibited from viewing, collecting,
using, disclosing or altering restricted data unless they have a specific need to do so to
conduct their employment duties.
5. Branch Managers shall ensure that all exterior office doors leading into or out of any
Branch Office are secured with adequate locks such as combination locks, electronic
locks and deadbolts to prevent access by unauthorized individuals.
6. The last employee to leave the office premises shall do a walk-around to ensure all
office doors are adequately locked and secured.
7. Branch Managers will provide keys, access cards and door combinations to responsible
employees who have an absolute need to access the office doors. Branch Managers
will keep an up to date list of employees who have access to office doors.
8. Where employment of individuals is terminated, Branch Managers are responsible for
having all keys/access cards returned, or changing door locks or changing the
combination of the door lock.
9. Files should be removed from desks before leaving for the day, and wherever possible
returned to the safety of filing cabinets.
10. Files containing sensitive information will always be removed from desks unless the file
is being worked upon and the employee is present to protect the security of the file.
11. Employees that have access to personal information via computer systems shall have
access to computers through the use of a security password. Employees shall not share
their password with any individual. Employees should not leave their desks without
signing off their computers.
12. Files should not be left in automobiles overnight.
13. Visitors to the office shall not be left alone where they would be able to gain access to
unauthorized areas.
14. Files that are being reviewed in public should be safeguarded so that no individual in the
vicinity has access to the file.
15. If ESRS is disclosing personal information to any third party, we will ensure that they are
aware of the Privacy legislation and that they will protect the personal information as
required by the Act.
16. There will be ongoing audits conducted by the Privacy Officer and ESRS management
to ensure that guidelines established are being adhered to.
17. When a fax containing sensitive personal information is being submitted/received, the
sender shall contact the receiver and advise the information is being submitted. The
receiver shall attend the fax machine and await arrival of the fax containing the personal
information.
18. Security measures for all computer hardware and software are the responsibility of the
IT Department. All guidelines for security are already established in accordance with
ESRS Information Security Policy and Standards and have been supplied to each
branch. The IT Department has ensured personal information is protected through the
use of passwords, encryption, firewalls and anonymizing software.
19. The IT Department will be responsible for securely removing and anonymizing
electronically stored files once the file has been closed.
OPENNESS
An organization shall make readily available to individuals, specific information
about its policies and practices relating to the management of personal information.
1. ESRS employees will make themselves familiar with this privacy policy, work within
the scope of these procedures, and be able to assist individuals in obtaining specific
information about our policy.
2. When requested to do so, ESRS employees will readily make available this privacy
policy.
3. ESRS employees will have access to this privacy policy and any future amendments
to this policy via the ESRS website and through our Intranet site. Individuals can be
referred to our web site at www.esrs.info. They can click on “Privacy” to view or print
our privacy policy. If requested to do so, employees will print and mail, fax or e-mail our
privacy policy immediately to the individual.
4. When requested, an ESRS employee will convey the name, title, address, phone
number and e-mail address of the Privacy Officer.
ACCESS
Upon request, a customer shall be informed of the existence, use and disclosure of
his or her personal information and shall be given access to that information. A
customer shall be able to challenge the accuracy and completeness of the
information and have it amended as appropriate.
1. The following procedures have been established to ensure that a rapid process for
access to personal information is in place.
2. We will respond to an individual’s request for access to their personal information within
30 days.
3. ESRS can extend the 30-day time frame if responding to the request within the original
30 days would unreasonably interfere with ESRS activities, and if additional time is
necessary to conduct consultations or convert the information to an alternate format.
Individuals will be notified in writing if an extension is required.
4. Requests to access or correct personal information will be received from an individual
who is the owner of the personal information or a representative of the individual who
owns the personal information.
5. ESRS employees will accept requests for personal information once the request has
been made in writing.
6. Employees that receive requests from individuals to access personal information will
advise the ESRS Privacy Officer the same day the request is received.
Privacy Officer, Wendy Fralick
Telephone: 905-521-0340 Ext. 3259
Toll free: 1-877-268-5976
Fax: 905-521-0340
E-mail: wfralick@cl-na.com
7. Personal information should be provided to the individual at no cost, unless the
information is lengthy, complicated or time consuming to produce, in which case a
minimal cost can be applied. The individual should be advised of the cost prior to
duplicating the information.
8. Once a valid request has been received, ESRS will respond with the source of the
personal information, an account of the use that has been made of the information and
to what third parties (if applicable) information has been disclosed.
9. When an individual successfully demonstrates the inaccuracy or incompleteness of
personal information, ESRS shall amend the information as required. Where
information has already been submitted to a third party, the amended information shall
also be transmitted to third parties. Where a challenge is not resolved to the satisfaction
of the individual, ESRS shall record the substance of the unresolved challenge and add
it to the file as a document.
10. Organizations may refuse access to personal information if the information falls under
one of the following categories:
- The personal information is protected by the organization's solicitor-client privilege
- The documents contain confidential commercial information
- Its disclosure may threaten the life or security of an individual
- It was collected without the individual’s knowledge or consent to ensure its
availability and accuracy, and the collection was required to investigate a breach of
an agreement or contravention of a federal or provincial law (the Privacy
Commissioner must be notified)
- It was generated in the course of a formal dispute-resolution process
CHALLENGING COMPLIANCE
A customer shall be able to address a challenge concerning compliance with the above
principles to the person or persons accountable for compliance.
All complaints or inquiries can be directed to:
Wendy Fralick, CIP
AVP Quality and Education/Privacy Officer
Cunningham Lindsey
50 Burnhamthorpe Road West, Suite 1102
Mississauga, ON L5B 3C2
Telephone (905) 896-8181 Ext. 8406
Toll Free 1-800-214-4111
Fax (905)896-9269
E-mail: wfralick@cl-na.com
There may be rare occasions when we are unable to resolve a complaint to the satisfaction
of the individual. When this occurs, the individual will be advised that they can file a written
complaint with the Privacy Commissioner of Canada:
112 Kent Street
Ottawa, Ontario K1A 1H3
Telephone: 1-613-995-8210
Toll free: 1-800-282-1376
Fax: 1-613-947-6850
Web Site: www.privcom.gc.ca
E-mail: info@privcom.gc.ca
If a complaint is justified, the Privacy Officer will ensure policies and practices are amended
as necessary. Improvements and changes to policies and practices will be shared with all
ESRS employees as a means of training.
