ACCOUNTABILITY
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
1. We have analyzed all personal information handling practices including ongoing activities and new initiatives as follows:
- What personal information we collect
- Why we collect it
- How we collect it
- What we use it for
- Where we keep it
- How we secure it
- Who has access to it
- Who uses it
- Who we disclose information to
- When it is disposed of
2. We have developed and implemented policies and procedures to protect personal information as follows:
- Define the purposes of its collection
- Obtain consent
- Limit its collection, use and disclosure
- Ensure information is correct, complete and up to date
- Ensure adequate security measures
- Develop retention and destruction periods
- Process requests to access information
- Respond to inquiries and complaints
3. ESRS has appointed a Privacy Officer responsible for the organization's compliance with the Privacy Principles as follows:
Nick MacDonald, CIP
Sr VP Quality and Education and Corporate Privacy Officer
50 Burnhamthorpe Rd. W., Suite 1102
Mississauga, ON L5B 3C2
Tel: 905-896-8181
Fax: 905-896-3485
Cell: 416-970-5917
nmacdonald@cl-na.com
We have made our employees and outside inquirers aware of the identity of the Privacy Officer.
4. ESRS has trained all existing employees and will train all new employees to ensure they understand and abide by the Privacy Principles.
IDENTIFYING PURPOSES
The purpose for which personal information is collected shall be identified by the organization at or before the time the information is collected.
ESRS provides general contracting services for events impacting our air, land and water resources. We offer comprehensive, professional environmental services to our clients, for any type of event that has environmental implications. ESRS will investigate nationwide incidents that can potentially affect the environment, make scientifically, legally and economically sound recommendations, and manage all aspects of risk communication, cleanup, remediation and disposal of environmental hazards.
We are experienced in a number of environmental scenarios including Mould Remediation, Petroleum Remediation, Emergency Spill Response, Chemical Remediation, Habitat Restoration, Fisheries Management and Loss Prevention.
1. At the time of the initial contact with the individual, we will obtain written consent forms that clearly identify the purpose for which their personal information is being collected.
Subsequent consent will be obtained should the purpose change from the time of initial consent.
2. All files will be clearly documented, confirming the purpose of collection of the personal information.
3. Where ESRS is providing personal information to a third party, the identified purposes are communicated and confirmation documented in our file.
4. We have identified our customers and have made known ESRS business purposes.
5. A training program has been established to ensure employees can explain the purpose for which information is collected.
CONSENT
The knowledge and informed consent of the individual are required for the collection, use, or disclosure of personal information, except where exempted by law.
1. ESRS will seek consent for the collection, use or disclosure of personal information before the time of collection or at the time of collection.
2. ESRS will ensure that the individual is advised of the purpose for which the information will be collected, used and disclosed. The purpose will be clear so that the individual can reasonably understand how the information will be used or disclosed.
3. Express written consent will be obtained from individuals with regard to the collection, use and disclosure of their personal information.
4. Further consent will be obtained if the purpose for collecting, using or disclosing personal information changes.
5. Compliance with the consent process shall be reviewed regularly through an ongoing audit process by the ESRS management team.
6. An organization may collect personal information without the knowledge or consent of the individual if:
a) Consent is clearly in the interest of the individual and consent cannot be obtained in a timely way
b) It is reasonable to expect that the collection with knowledge or consent would compromise the availability or the accuracy of the information, and the collection is reasonable for the purposes related to investigating a breach of an agreement, or a contravention of the laws of Canada or a province
c) The information is publicly available and is specified by the regulations
7. An organization may, without knowledge or consent of the individual, use personal information only if:
a) The organization becomes aware of information that it has reasonable grounds to believe could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction that has been made, is being or is about to be committed, and the information is used for the purpose of investigating that contravention
b) If it is used for the purpose of acting in respect of an emergency that threatens the life, health or security of an individual
c) It is publicly available and is specified by the regulations
d) Consent is clearly in the interest of the individual and consent cannot be obtained in a timely way
e) It is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for the purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province
8. An organization may disclose personal information without knowledge and consent of the individual only if the disclosure is:
a) Made to, in the Province of Quebec, an advocate or notary, or in any other province, a barrister or solicitor who is representing the organization
b) For the purpose of collecting a debt owed by the individual to the organization
c) Required to comply with a subpoena or warrant issued, or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records; or made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that (i) it suspects that the information relates to national security, the defense of Canada or the conduct of international affairs, (ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or (iii) the disclosure is requested for the purpose of administering any law of Canada or a province
d) Made on the initiative of the organization to an investigative body, a government institution or a part of a government institution and the organization (i) has reasonable grounds to believe the information could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction that has been made, is being or is about to be committed, or (ii) suspects that the information relates to national security, the defense of Canada or the conduct of international affairs
e) Made to a person who needs the information because of an emergency that threatens the life, health or security of an individual and, if the individual whom the information is about is alive, the organization informs that individual in writing without delay of the disclosure
f) Information that is publicly available and is specified by the regulations
g) Made by an investigating body and the disclosure is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada, or a province; or required by law
LIMITING COLLECTION
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
1. ESRS limits the type and the amount of information collected to only that which is necessary for the identified purposes.
2. The collection of personal information shall be conducted in a fair and lawful way and will not deceive or mislead individuals. We will ensure compliance by conducting random audits of files.
LIMITING USE, DISCLOSURE AND RETENTION
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
1. When ESRS is using personal information for a new purpose that was not originally identified, it shall identify and disclose the new purpose to the individual in the same manner as the original consent was obtained.
2. Personal information that is in the possession of ESRS employees will be accessed only by those employees who need it to fulfill their employment responsibilities.
3. Personal information will not be released to third parties without the knowledge and consent of the individual. ESRS employees should (i) request the reason the third party needs the information, (ii) determine if ESRS already has consent for the purpose indicated, and (iii) determine if a new consent must be obtained. Before personal information is released, the authority of the employee's Branch Manager must be obtained. ESRS employees should also consult their Principals and obtain their instructions.
4. Request for release of personal information will be documented in either the paper file or electronic file.
5. If it is decided to release personal information to a third party, the paper or electronic file notes will be documented, as will any decision to withhold personal information.
6. The third party may challenge ESRS's decision to withhold personal information by submitting a request in writing. The letter should state the reason the information is required and what information is required. Following receipt of the letter, it will be presented to the next level of authority. A final decision will be made and a response provided in writing to the third party. ESRS employees should also consult their Principals and obtain their instructions.
7. If personal information is compelled by legal process, such as a subpoena, search warrant or similar court or government order, the personal information will not be made available without the authority of the Operations Vice President, as well as the Privacy Officer.
8. There can be no destruction of paper files that preceded implementation of the Link system. Electronic files contain all file notes, reports and all file documents. If there is a fully completed electronic file it will not be necessary to keep paper files longer than six months following file closure. The electronic file will be made anonymous after six months following closure by the IT Department.
9. If ESRS has personal information about an individual that is the subject of a privacy request, ESRS shall retain the information as long as necessary to allow the individual to exhaust any recourse.
10. ESRS file handlers shall be responsible for marking the 6-month destroy date on the front cover of the paper file at the time of closing the file. A document that lists files by monthly destroy dates shall be kept by each branch office of ESRS. Once a month files noted on that list shall be destroyed by means of a shredder so that the personal information is not recoverable by any source.
11. Day-to-day paper documents containing personal information will not be disposed of in trash cans without first destroying the personal information to ensure the personal information is not legible or retrievable by any other party.
12. An Operations Manager will establish guidelines to ensure that personal information has been destroyed in accordance with the above rules and if requested by the Privacy Officer will provide the details of those guidelines.
ACCURACY
Personal information shall be as accurate, complete and up-to-date as is necessary for purposes for which it was used.
1. Information that is collected by an ESRS file handler or employee, regardless of format (electronic, telephone, fax or any other format) will be collected in a cautious manner to ensure accuracy and completeness so the information can be relied upon for the purpose for which it will be used.
2. When information is collected it is placed in an accurate and complete manner in either a paper or electronic file.
3. If it is determined from any source that the personal information collected is inaccurate or incomplete, the paper or electronic file must be immediately updated.
4. The employee responsible for collecting, using and disclosing the personal information will also be responsible for ensuring the accuracy of personal information that has already been disclosed to any third party, and if necessary will advise third parties of any revisions or updates to the personal information so that third parties may also rely on the accuracy of the information. Third parties must be advised within 30 days after the new information becomes available.
SECURITY SAFEGUARDS
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
1. ESRS will protect personal information against loss or theft, and unauthorized access, disclosure, copying, use or modification.
2. We will protect personal information contained in any paper file, electronic file or any other format.
3. ESRS present and future employees will receive training on the importance of maintaining confidentiality of personal information whether the format is written, verbal or electronic.
4. ESRS employees will not access either a paper file or an electronic file or retrieve communications or data that is not normally accessible to that employee as part of their job duties. An unauthorized employee is strictly prohibited from viewing, collecting, using, disclosing or altering restricted data unless they have a specific need to do so to conduct their employment duties.
5. Branch Managers shall ensure that all exterior office doors leading into or out of any Branch Office are secured with adequate locks such as combination locks, electronic locks and deadbolts to prevent access by unauthorized individuals.
6. Employees who are the last individual to be exiting the office premises shall do a walk around to ensure all office doors are adequately locked and secured.
7. Branch Managers will provide keys, access cards and door combinations to responsible employees who have an absolute need to access the office doors. Branch Managers will keep an up to date list of employees who have access to office doors.
8. Where employment of individuals is terminated, Branch Managers are responsible for having all keys/access cards returned, or changing door locks or changing the combination of the door lock.
9. Files should be removed from desks before leaving for the day, and wherever possible returned to the safety of filing cabinets.
10. Files containing sensitive information will always be removed from desks unless the file is being worked upon and the employee is present to protect the security of the file.
11. Employees that have access to personal information via computer systems shall have access to computers through the use of a security password. Employees shall not share their password with any individual. Employees should not leave their desks without signing off their computers.
12. Files should not be left in automobiles overnight.
13. Visitors to the office shall not be left alone, where they will be able to gain access to unauthorized areas.
14. Files that are being reviewed in public should be safeguarded so that no individual in the vicinity has access to the file.
15. If ESRS is disclosing personal information to any third party, we will ensure that they are aware of the Privacy legislation and that they will protect the personal information as required by the Act.
16. There will be ongoing audits conducted by the Privacy Officer and ESRS management to ensure that guidelines established are being adhered to.
17. When a fax containing sensitive personal information is being submitted/received, the sender shall contact the receiver and advise the information is being submitted. The receiver shall attend the fax machine and await arrival of the fax containing the personal information.
18. Security measures for all computer hardware and software are the responsibility of the IT Department. All guidelines for security are already established in accordance with ESRS Information Security Policy and Standards and have been supplied to each branch. The IT Department has ensured personal information is protected through the use of passwords, encryption, firewalls and anonymizing software.
19. The IT Department will be responsible for securely removing and anonymizing electronically stored files once the file has been closed.
OPENNESS
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
1. ESRS employees will make themselves familiar with this privacy policy, work within the realms of these procedures, and be able to assist individuals in obtaining specific information about our policy.
2. When requested to do so, ESRS employees will readily make available this privacy policy.
3. ESRS employees will have access to this privacy policy and any future amendments to this policy via the ESRS website and through our Intranet site. Individuals can be referred to our web site at www.esrs.info. They can click on “Privacy” to view or print our privacy policy. If requested to do so, employees will print and mail, fax or e-mail our privacy policy immediately to the individual.
4. When requested, an ESRS employee will convey the name, title, address, phone number and e-mail address of the Privacy Officer.
ACCESS
Upon request, a customer shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. A customer shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
1. The following procedures have been established to ensure that a rapid process for access to personal information is in place.
2. We will respond to an individual’s request for access to their personal information within 30 days.
3. ESRS can extend the 30-day time frame if responding to the request within the original 30 days would unreasonably interfere with ESRS activities, and if additional time is necessary to conduct consultations or convert the information to an alternate format. Individuals will be notified in writing if an extension is required.
4. Requests to access or correct personal information will be received from an individual who is the owner of the personal information or a representative of the individual who owns the personal information.
5. ESRS employees will accept requests for personal information once the request has been made in writing.
6. Employees that receive requests from individuals to access personal information will advise the ESRS Privacy Officer the same day the request is received.
Nick MacDonald, CIP
Sr VP Quality and Education and Corporate Privacy Officer
50 Burnhamthorpe Rd. W., Suite 1102
Mississauga, ON L5B 3C2
Tel: 905-896-8181
Fax: 905-896-3485
Cell: 416-970-5917
nmacdonald@cl-na.com
7. Personal information should be provided to the individual at no cost, unless the information is lengthy, complicated or time consuming, in which case a minimal cost can be applied. The individual should be advised of the cost prior to duplicating the information.
8. Once a valid request has been received, ESRS will respond with the source of the personal information, an account of the use that has been made of the information and to what third parties (if applicable) information has been disclosed.
9. When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, ESRS shall amend the information as required. Where information has already been submitted to a third party, the amended information shall also be transmitted to third parties. Where a challenge is not resolved to the satisfaction of the individual, ESRS shall record the substance of the unresolved challenge and add it to the file as a document.
10. Organizations may refuse access to personal information if the information falls under one of the following categories:
- The personal information is protected by the organization's solicitor-client privilege
- The documents contain confidential commercial information
- Its disclosure may threaten the life or security of an individual
- It was collected without the individual’s knowledge or consent to ensure its availability and accuracy, and the collection was required to investigate a breach of an agreement or contravention of a federal or provincial law (the Privacy Commissioner must be notified)
- It was generated in the course of a formal dispute-resolution process
CHALLENGING COMPLIANCE
A customer shall be able to challenge compliance with the person or persons accountable for compliance.
All complaints or inquiries can be directed to:
Nick MacDonald, CIP
Sr VP Quality and Education and Corporate Privacy Officer
50 Burnhamthorpe Rd. W., Suite 1102
Mississauga, ON L5B 3C2
Tel: 905-896-8181
Fax: 905-896-3485
Cell: 416-970-5917
nmacdonald@cl-na.com
There may be rare occasions when we are unable to resolve a complaint to the satisfaction of the individual. When this occurs, the individual will be advised that they can file a written complaint with the Privacy Commissioner of Canada:
112 Kent Street
Ottawa, Ontario K1A 1H3
Telephone: 1-613-995-8210
Toll free: 1-800-282-1376
Fax: 1-613-947-6850
Web Site: www.privcom.gc.ca
E-mail: info@privcom.gc.ca
If a complaint is justified, the Privacy Officer will ensure policies and practices are amended as necessary. Improvements and changes to policies and practices will be shared with all ESRS employees as a means of training.
