In carrying out our mandate under both the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), we (Pandreco Energy Advisory) collect personal information as defined by section 3 of the Privacy Act. We are committed to respecting the privacy rights of everyone whose personal information we have collected. Please also see our cookies policy to see how this policy applies to our website. This Policy does not apply to our employees’ personal information.
This Policy is designed to comply with the Privacy Act and the principles of natural justice.
Why we collect personal data?
We collect personal information for various reasons. Usually, it relates to the investigations that we conduct or the enquiries that we receive. We may also collect personal information for administrative reasons such as providing individuals with publications or other information that they ask for. We may also, for example, collect it for the purposes of holding a public consultation.
We can only use your personal information for the purpose for which it was obtained or for a use consistent with that purpose, or for a purpose listed in Section 8 of the Privacy Act.
Some of our online tools, which we use to better serve Canadians, involve the collection of personal information.
What personal data do we collect?
We only collect personal information that is directly related to one of our programs or activities. Wherever possible, such information will be collected directly from the individual about whom it pertains. The amount and the type of the information collected will be limited to that which is needed to fulfil the identified purpose(s). We only collect what we need.
We may for example, collect your name, contact information, and views in connection with an investigation or a consultation. We may also collect your IP address if you visit our website.
Sometimes we receive more personal information than is needed. For example, we sometimes receive a social insurance number on someone’s general information enquiry. We strongly encourage you not to provide us with information beyond that which is necessary.
Who sees your personal information?
We will not disclose your personal information without your consent unless it is allowed under section 8(2) of the Privacy Act. In this case, we will aim to disclose only the specific information that is needed under the circumstances and, wherever possible, will inform you about the disclosure.
Access to personal information within Pandreco will be restricted to those staff members who need the information in order to carry out their job duties. Those employees will maintain the information in the strictest of confidence and will not provide access to the information to anyone who is not authorized. The level of staff access to personal information will be granted on a need-to-know basis.
All individuals we hire under contract or other means to conduct business on our behalf will be required to respect the provisions of the Privacy Act as well as this Policy and related internal procedures. Violations of any part of the contractual agreement may result in termination of the contract.
How we protect your personal information
In any organization, failure to protect personal information can increase the risk of a privacy breach. These privacy breaches can lead to things such as reputational harm, fraud or identity theft.
We will protect personal information from loss or theft, unauthorized access, use or disclosure, modification or destruction through appropriate administrative, technical and physical security measures and safeguards.
The level of safeguards used to protect personal information will depend on the:
- sensitivity of the personal information;
- amount, distribution and format of the information;
- method of storage.
We follow the Government of Canada’s Security Policy and any other direction or guidance on information technology security received from the relevant federal agencies.
Wherever possible, we seek a person’s consent before we collect their personal information. The form of consent may vary depending on the circumstances and the type of information being requested. Consent can be express or implied, and can be provided directly by the individual or by an authorized representative.
Express consent is preferred. Express consent can be given orally, electronically or in writing. Implied consent may be reasonably inferred from a person’s action or inaction. For example, providing a name and address to receive a publication or providing a name and telephone number to receive a response to a question. When determining the appropriate form of consent, we take into account the sensitivity of the personal information, the reasons we are collecting it, and the reasonable expectations of the person. When using personal information for a new purpose, we will document that new purpose and ask for consent again.
During our investigations, it may not always be possible to obtain a person’s consent to collect, use, or disclose their personal information. Both the Privacy Act and PIPEDA allow for the disclosure of personal information during the course of an investigation if it is necessary to carry out that investigation.
We will not use your personal information without your consent unless it is either:
- for the same purpose for which the information was originally collected or compiled,
- consistent with that purpose,
- for a purpose that may be disclosed under section 8(2) of the Privacy Act.
Retention and destruction of personal information
We are responsible for ensuring that all personal information is managed within a set life cycle. According to the Privacy Act, the Privacy Regulations and the Library and Archives of Canada Act, personal information we use to make a decision about an individual shall be retained for at least two years after that decision was made. This allows the person time to exercise legal recourse and provides them with a chance to exercise all their rights under the Privacy Act.
We will retain personal information in accordance with the maximum retention periods set out under the Library and Archives of Canada Act.
The retention, disposition and destruction of personal information is made in strict accordance with the Government of Canada’s Directive on Privacy Practices.
Access or corrections to personal information
Individuals do not always need to use the Privacy Act to access to or correct their personal information (e.g. informal request). However, they do have the right to formally request access or corrections to their personal information under the Privacy Act. People also have the right under the Access to Information Act to formally request access to information in our files which may contain their personal information.
Only formal access requests to personal information under the Privacy Act provide you with the right to complain to the Ad Hoc Privacy Commissioner should you be unhappy with the outcome. Likewise, you can only request a correction of your personal information if it has been provided under an official access request pursuant to the Privacy Act. Moreover, only formal access requests for information under the Access to Information Act provide you with the right to complain to the Information Commissioner should you be unsatisfied with the result of your request.
We make every effort to ensure that information we use to make a decision that directly affects someone is as accurate, up-to-date and complete as possible. This also applies to personal information disclosed to third parties.
Our roles and responsibilities
We are responsible for the personal information that we collect, retain, use, disclose, and destroy in the course of fulfilling our mandate. We will continue to develop policies and practices to ensure that personal information is handled in strict accordance with the Privacy Act. We are responsible for overseeing the implementation of those policies and practices, including:
- ensuring open, full and timely communication with employees and individuals about our policies, practices and expectations with respect to the handling of personal information;
- establishing standards for classifying the sensitivity of personal information, to determine the appropriate level of security required for the information;
- working with the Departmental Security Officer to ensure that personal information is safeguarded from improper access, loss, use, disclosure or destruction through;
- the implementation of systems to ensure that only our staff whose responsibilities require access to personal information, are granted access to that information;
- the inclusion of specific provisions in contracts or other arrangements with third parties, that require adherence to the Privacy Act as well as to this Policy and other internal procedures;
- ensuring procedures are in place under which individuals may request access to their personal information, request correction of their personal information, and file complaints concerning the management of their personal information;
- ensuring procedures are in place under which individuals are notified of an improper collection, retention, use, disclosure or destruction of their personal information; and
- monitoring the degree of compliance with this Policy and, where required, initiating action to correct any issues.
Questions or complaints
Questions or concerns may be brought to the attention of any Pandreco employee. If they are unable to help, the employee must refer the matter to their immediate supervisor or member of management staff.
If you have any questions about this policy or about how we manage personal information, you may also contact:
+1 438 334 1660
Where an individual is not satisfied with the actions we may have taken to rectify a matter, or with the explanations given, they will be informed of their right to file a Privacy Act complaint, and will be given direction as to how to do so. Please note that we do not investigate our own actions with respect to compliance with the Privacy Act. Any related complaints are independently investigated by the Ad Hoc Privacy Commissioner.