Terms not otherwise defined herein shall have the meaning ascribed to such term in the General Terms and Conditions.
“Customer” means the party that has entered into the Services Agreement with Edsembli for the provision of Hosted Services.
“Individual” means a person from whom Personal Information is being collected.
“Personal Information” means information about an individual, including the types of information specifically described in Privacy Legislation, that is not already in the public domain, as long as such information did not become part of the public domain as a result of any act or omission of Edsembli or any of its subcontractors, agents, representatives or its employees and such information shall constitute confidential information.
“Privacy Breach” means improper or unauthorized collection, use, disclosure, retention or disposal of Personal Information where it is reasonable to believe that the breach creates a real risk of significant harm to the individual to whom the Personal Information relates.
“Privacy Legislation” means the privacy and personal information statutes, rules or regulations applicable to the Services Agreement or the relationship between the Parties.
“Record” means any hard copy document or any data in a machine-readable format containing Personal Information.
To perform the Hosted Services, Edsembli may be collecting Personal Information from Individuals related to you, your Users or third parties. Edsembli acknowledges that it has no rights in the Personal Information or the Records and that the person to whom such Personal Information relates owns the Records. On request, Edsembli must make all the Personal Information and Records available to the Individual to whom the Personal Information and Records relate in a format acceptable to such Individual.
Edsembli agrees to create, collect, receive, manage, access, use, retain, and dispose of the Personal Information and the Records only for the purposes of performing the Hosted Services in accordance with the Services Agreement.
5.1. Collection Procedure
If Edsembli must collect Personal Information from Individuals related to you, your Users or third parties to perform the Hosted Services, Edsembli must only collect Personal Information that is required to perform the Hosted Services. Edsembli must collect the Personal Information from the individual to whom it relates and Edsembli must inform that individual (at or before the time when it collects the Personal Information) of the following:
5.1.1. on whose behalf the Personal Information is being collected;
5.1.2. the ways the Personal Information will be used;
5.1.3. that the disclosure of the Personal Information is voluntary or, if there is a legal requirement to disclose the Personal Information, the basis of that legal requirement;
5.1.4. the consequences, if any, of refusing to provide the Personal Information;
5.1.5. that the individual has a right to access and correct his or her own Personal Information; and
5.1.6. that the Personal Information will form part of a specific personal information bank and also provide the individual with information about which government institution controls that personal information bank, if the individual has provided this information to Edsembli.
5.2. Identification of Parties Collecting Personal Information
Edsembli, its subcontractors, and their respective employees must identify themselves to the individuals from whom they are collecting Personal Information and must provide those individuals with a way to verify that they are authorized to collect the Personal Information under an agreement with Edsembli’s customer.
5.3. Request for Consent Form
If requested by Customer, Edsembli must develop a Request for Consent Form to be used when collecting Personal Information, or a script for collecting the Personal Information by telephone. Edsembli must not begin using a form or script unless Customer first approves it in writing. Edsembli must also obtain Customer’s approval before making any changes to a form or script.
5.4. Capacity of Individuals Regarding Collection of Personal Information
At the time it requests Personal Information from any individual, if Edsembli doubts that the individual has the capacity to provide consent to the disclosure and use of his or her Personal Information, Edsembli must ask Customer for instructions.
Edsembli must ensure that the Personal Information is as accurate, complete, and up to date as possible. Edsembli must protect the privacy of the Personal Information. To do so, at a minimum, Edsembli must:
6.1. not use any personal identifiers (e.g., social insurance number) to link multiple databases containing Personal Information;
6.2. segregate all Records from Edsembli’s own information and records;
6.3. restrict access to the Personal Information and the Records to people who require access to perform the Hosted Services (for example, by using passwords or biometric access controls);
6.4. provide training to anyone to whom Edsembli will provide access to the Personal Information regarding the obligation to keep it confidential and use it only to perform the Hosted Services. Edsembli must provide this training before giving an individual access to any Personal Information and Edsembli must keep a record of the training and make it available to Customer if requested;
6.5. if requested by Customer, before providing anyone with access to the Personal Information, require anyone to whom Edsembli provides access to the Personal Information to acknowledge in writing (in a form approved by Customer) their responsibilities to maintain the privacy of the Personal Information;
6.6. keep a record of all requests made by an Individual to review his or her Personal Information, and any requests to correct errors or omissions in the Personal Information (whether those requests are made directly by an Individual or by Customer on behalf of an Individual);
6.7. include a notation on any Record(s) that an individual has requested be corrected if Edsembli has decided not to make the correction for any reason. Whenever this occurs, Edsembli must immediately advise Customer of the details of the requested correction and the reasons for Edsembli’s decision not to make it. If directed by Customer to make the correction, Edsembli must do so;
6.8. keep a record of the date and source of the last update to each Record;
6.9. maintain an audit log of instances of and attempts to access Records stored electronically. The audit log must be in a format that can be reviewed by Edsembli and Customer at any time; and
6.10. secure and control access to any hard copy Records.
Edsembli must safeguard the Personal Information at all times by taking all measures reasonably necessary to secure it and protect its integrity and confidentiality. To do so, at a minimum, Edsembli must:
7.1. store the Personal Information electronically so that a password (or a similar access control mechanism, such as biometric access) is required to access the system or database in which the Personal Information is stored;
7.2. ensure that passwords or other access controls are provided only to individuals who require access to the Personal Information to perform the Hosted Services;
7.3. not outsource the electronic storage of Personal Information to a third party (including an affiliate) unless Customer has first consented in writing;
7.4. safeguard any database or computer system on which the Personal Information is stored from external access using methods that are generally used, from time to time, by prudent public and private sector organizations in Canada in order to protect highly secure or sensitive information;
7.5. maintain a secure back-up copy of all Records, updated at least quarterly;
7.6. implement any reasonable security or protection measures requested by Customer from time to time; and
7.7. notify Customer immediately of any security breaches; for example, any time an unauthorized individual accesses any Personal Information.
In the event of a Privacy Breach, Edsembli will take the following action:
8.1. notify the Customer of the Privacy Breach;
8.2. notify the individual whose Personal Information was the subject of the Privacy Breach;
8.3. notify the Privacy Commissioner of the relevant jurisdiction; and
8.4. maintain a record of all Privacy Breaches and make such record available for review by the applicable privacy authorities.
Edsembli must appoint someone to be its privacy officer and to act as its representative for all matters related to the Personal Information and the Records. Edsembli must provide that person’s name to Customer within ten (10) days of the award of the Contract.
On an annual basis, Edsembli will provide Customer (or Customer’s authorized representative) with a copy of a third party audit which evaluates Edsembli’s compliance with generally accepted security controls.
Edsembli must not dispose of any Record, except as instructed by Customer. On request by Customer, or once the Hosted Services involving the Personal Information is complete, the Services Agreement is complete, or the Services Agreement is terminated, whichever of these comes first, Edsembli must return all Records (including all copies) to Customer or dispose of all Records in accordance with Customer instructions.
Before disclosing any of the Personal Information pursuant to any applicable legislation, regulation, or an order of any court, tribunal or administrative body with jurisdiction, Edsembli must immediately notify Customer, in order to provide Customer with an opportunity to participate in any relevant proceedings.
Customer and Edsembli each agree to notify the other immediately if a complaint is received under Privacy Legislation or other relevant legislation regarding the Personal Information. Each Party agrees to provide any necessary information to the other to assist in responding to the complaint and to inform the other immediately of the outcome of that complaint.