Protecting Customer Information
The Darwin Event Group (known as ‘Darwin’) considers protection of its customers’ information an important part of its business. Darwin has long-standing security measures in place to preserve the confidentiality of sensitive information, including personal information received on behalf of its customers.
The federal government has passed legislation dealing with the collection, use and disclosure of information about any identifiable individual. This legislation is called the Personal Information Protection and Electronic Documents Act or PIPEDA, and applies to commercial activities across Canada that collect, use and/or disclose personal information, except in those provinces that have passed substantially similar legislation. In those jurisdictions, the substantially similar provincial legislation will apply.
Scope of this Policy
This policy sets out ten principles that will be observed by Darwin in the collection, use and disclosure of information of customers. If personal information is made anonymous by removing details so that an individual is not identifiable to the user or recipient of that information, it is not governed by this Policy but still will be treated with appropriate safeguards. Darwin’s customer base is such that it collects personal information from customers only in very rare circumstances. Darwin collects business information from its customers to enable Darwin to perform contracted exhibitor services. Only very infrequently will any identifiable personal information be collected. If any personal information is collected, Darwin will obtain consent at the time of the collection, disclosure and/or use.
The Privacy Principles
Principle 1 – Accountability
Darwin is responsible for maintaining and protecting the personal information under its control and has designated a privacy officer to be accountable for compliance with the principles described in this policy. The Privacy Officer may be contacted at:
Darwin Event Group
2047 Langille Dr.
Coldbrook, NS, Canada
Under this principle, Darwin is responsible not only for personal information in its physical possession or custody, but also for personal information that is transferred by Darwin to a third party for processing. Darwin will use contracts with such third parties to require them to give an appropriate level of protection to the personal information while it is being processed.
Darwin has established and implemented:
(a) procedures to protect personal information;
(b) procedures to receive and respond to complaints and inquiries;
(c) staff training and information programs to explain this policy and related personal information protection procedures and practices; and
(d) practices to ensure that customers and other individuals who contact Darwin have access to this policy and to any available materials that explain Darwin’s policies and procedures.
Upon request, Darwin will disclose the name of the current Privacy Officer.
Principle 2 – Identifying Purposes for Collection of Personal Information
Darwin will identify the purposes for which personal information is collected at or before the time the information is collected.
Depending on the specific circumstances, Darwin may collect personal information for one or more of the following purposes:
(a) to provide exhibition and related services;
(b) to keep materials related to any activities carried on by Darwin, or in determining whether to accept any person as a customer, or keeping records of purchases, sales or other transactions; and
(c) to comply with legal and regulatory requirements.
When a new customer account is opened, Darwin will ensure that the purposes for which the personal information is collected, used and disclosed is identified by Darwin and documented on the relevant documents. Thereafter, Darwin will collect only the personal information that is necessary for the purposes that have been identified to the customer.
Circumstances may arise where Darwin wishes to use or disclose personal information for a new purpose. Darwin will ensure that personal information is not used or disclosed for that new purpose unless the individual is informed of the new purpose and gives his or her consent.
Principle 3 – Consent
The knowledge and consent of the customer are required for the collection, use, or disclosure of personal information by Darwin, except where inappropriate (eg. emergency situations).
Except when the under-noted exceptions apply or except as permitted by law, Darwin will make a reasonable effort to ensure that the individual is advised in advance of the purposes for which his or her personal information will be collected, used or disclosed:
•Information collected in the past: For personal information collected before this policy came into effect, Darwin will ensure that personal information about each individual is used and disclosed for the purposes described in Principle 2 of this policy.
•Withdrawal of Consent: An individual may withdraw his or her consent to collection, use or disclosure at any time, subject to legal or contractual restrictions and reasonable notice. Darwin will inform the individual of the implications of such withdrawal of consent, which generally would limit Darwin’s ability to provide the individual with the requested product of service.
•Disclosure for Business Transfers: Darwin may be involved in the sale, transfer or reorganization of some or all of its business from time to time. As part of that sale, transfer or reorganization, Darwin may disclose personal information to the acquiring organization, but will require the acquiring organization to agree to protect the privacy of that personal information that is consistent with this policy, and in accordance with the relevant federal or provincial law.
•Outsourcing: Darwin may transfer personal information to a third party for processing. In that regard, Darwin will use contractual or other means to provide comparable level of protection while the information is being processed by a third party.
To make the individual’s consent meaningful, Darwin will state the purposes in such a manner that the individual can reasonably understand how the information will be used or disclosed.
Darwin will not, as a condition of the supply of products or services, require an individual to consent to the collection, use or disclosure of personal information beyond that required to fulfill Darwin’s explicitly specified, and legitimate purposes.
When a new account is opened for an individual, Darwin will obtain explicit, signed consent for the proposed collection, use and disclosure or personal information concerning that individual. (In the case of a corporate account, Darwin will require that corporation to represent and warrant that it has the consent of each individual of the corporation, as the case may be, to their personal information being disclosed to, and used by Darwin, for specified purposes.)
Darwin will never obtain consent by deception. Depending on the specific circumstances, Darwin may obtain consent in the following ways:
(a) an application form to seek consent, collect information and inform the individual of the use that will be made of the information;
(b) a check-off box to request that their name and address not be given to the other organizations; (c) orally in person or over the phone;
(d) at the time the individual uses a product of service; or
(e) deeming consent unless the individual expressly informs Darwin to the contrary.
Principle 4 – Limiting Collection of Personal Information
Darwin will limit the collection of personal information to that which is necessary for the purposes identified by it. Darwin will collect personal information by fair and lawful means.
Although Darwin will collect personal information primarily from the individuals concerned, with the individual’s consent, Darwin may also collect information from external sources identified to Darwin by the individual for this purpose. If personal information is collected from a third party, Darwin will note their identity unless there is a lawful reason for not doing so.
Principle 5 – Limiting Use, Disclosure and Retention of Personal Information
Darwin will not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. The Company will retain personal information only as long as necessary for the fulfillment of those purposes.
Darwin generally retains personal information for 3 to 7 years after an account is closed, which is necessary for the identified purposes and for legal or business purposes.
Darwin will destroy, or make anonymous, any personal information no longer needed for its identified purposes or for legal or business requirements
Principle 6 – Accuracy of Personal Information
Darwin will generally rely on individuals to provide up-dated information, such as changes to addresses, phone numbers and other contact information.
If an individual successfully demonstrates to Darwin that personal information is inaccurate, incomplete, out of date, or irrelevant, Darwin will revise the personal information. If necessary, Darwin will disclose the revised personal information to third parties that were provided with the wrong information to permit them to revise their records as well.
Principle 7 – Safeguarding Personal Information
Darwin will protect personal information using security safeguards that are appropriate to the sensitivity level of the personal information received.
Security arrangements are employed to protect personal information against loss of theft, as well as unauthorized access, disclosure, copying, use, modification, or disposal. Darwin will protect personal information regardless of the format in which it is held.
The nature of Darwin’s safeguards will vary depending on the sensitivity of the personal information that has been collected, the amount, distribution, and format of the information, and the method of storage. The more sensitive personal information will be safeguarded at a higher level of protection.
Currently, Darwin employs physical measures including locked premises and locked filing cabinets (for sensitive information). Access to computerized information is protected by passwords.
Darwin will inform employees about its practices and procedures for protecting personal information and will emphasize the importance of complying with them. As a condition of employment, employees will be required to conform to Darwin’s policies and procedures concerning the security of personal information.
When Darwin discloses personal information to third parties, it will require these third parties to safeguard all personal information in a way that is consistent with Darwin’s measures and which complies with these principles.
Darwin will use care in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information.
Principle 8 – Openness Concerning Policies and Practices
Darwin will make readily available to individuals specific information about its policies and practices relating to the management of personal information. Individuals whose personal information is in the custody and control of Darwin will be able to acquire information about Darwin’s privacy policies and practices without unreasonable effort. This information will be made available in a form that is generally understandable.
The information made available by Darwin will include:
(a) the contact information of the Privacy Officer;
(b) the means of gaining access to personal information held by Darwin;
(c) a description of the type of personal information that is held by Darwin, including a general account of its use;
(d) a copy of any brochures or other information that explain Darwin’s policies, standards, or codes; and
(e) a description of the type of personal information that is made available to related subsidiaries or affiliates of Darwin.
Darwin will also employ its website to make public information concerning its privacy policies and procedures
Principle 9 – Individual Access to Personal Information
Upon written request, Darwin will (i) inform an individual of the existence, use and disclosure of his or her personal information and (ii) give the individual access to that information, except where the law requires or permits Darwin to deny access. Individuals are entitled to challenge the accuracy and completeness of that personal information and request that it be amended, if appropriate
In providing an account of third parties to whom Darwin has disclosed personal information about an individual, Darwin will attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which Darwin has actually disclosed personal information about an individual, Darwin will provide a list of organizations to which it may have disclosed personal information about the individual.
Darwin may require the individual to provide sufficient information to permit Darwin to provide an account of the existence, use and disclosure of personal information. The information provided by the individual in response to Darwin’s request will be used only for this purpose.
Darwin will respond to an individual’s request within a reasonable time. Darwin may respond to the request at a cost to the individual if it informs the individual of the estimate of the fee in advance, and it may require the individual to pay a deposit for all or part of the fee.
Where Darwin is entitled to withhold access to personal information, and that information is severable from other information for which access is requested, Darwin will provide access to any edited copy of the personal information after severing such information.
Where Darwin is satisfied on reasonable grounds that an individual successfully demonstrates that personal information is inaccurate or incomplete, Darwin will correct the information as required. Darwin will send the corrected personal information to third parties having access to the information in question.
Where Darwin disagrees with the requested correction, Darwin will annotate the personal information with the correction that was requested but not made.
Principle 10 – Challenging Compliance
An individual will be able to direct a challenge concerning compliance with the above principles to the Privacy Officer. Darwin will establish procedures to receive and respond to complaints or inquiries about Darwin’s policies and practices relating to the handling of personal information. The complaint procedure will be easily accessible and simple to use.
Darwin will inform individuals who make inquiries or lodge complaints of the use of the existence of relevant complaint procedures.
Darwin will investigate all complaints. If Darwin finds that a complaint is justified, Darwin will take appropriate measures, including, if necessary, amending its policies and practices.