Trenval Business Development Corporation, “Trenval”, is a federally supported not-for-profit community organization with a volunteer Board of Directors and professional staff whose purpose is to support community economic development and small business growth through business loans or loan guarantees.
This brochure summarizes Trenval’s privacy policies and procedures that have been developed to comply with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”).
PIPEDA sets out rules for the collection, use and disclosure of a client’s or customer’s personal information, as well as safeguarding that information in the course of commercial activity as defined in the legislation.
WHAT IS “PERSONAL INFORMATION”
Under PIPEDA, “Personal Information” means any information that is identifiable to an individual, including name, address, telephone number, Social Insurance Number, and date of birth. It also includes, but is not limited to, other information relating to identity, such as, nationality, gender, marital status, financial information and credit history.
PURPOSES FOR PERSONAL INFORMATION
Trenval collects only that personal information required to assess a prospective applicant’s eligibility for financial assistance, as well as to report to Industry Canada, the federal department that administers the Ontario Community Futures Program.
An applicant may choose not to provide some or all of the personal information requested, but if Trenval is unable to collect sufficient information to validate a financing request, the application for financing may be turned down.
Trenval endeavours to ensure that all personal information in active files are accurate, current and complete. When a client notifies Trenval that his or her personal information requires correction or updating, the necessary changes will be made. Information contained in closed files is not updated.
LIMITING USE, RETENTION & DISCLOSURE
Trenval uses and retains personal information for only those purposes to which the individual has consented.
Trenval utilizes a number of physical, organizational and technological measures to safeguard personal information from unauthorized access or inadvertent disclosure in accordance with its Information Security, Retention and Destruction Policy, including but not limited to:
Active files are stored in locked filing cabinets located in work areas restricted to Trenval employees and authorized volunteers. Closed files are stored in locked cabinets for a period of seven years, after which, the information is shredded prior to disposal.
Trenval employees, volunteers, and third party service providers sign confidentiality agreements binding them to safeguarding the confidentiality of personal information to which they have access.
Personal information contained on Trenval computers and the electronic databases are password protected. As well, the Internet server or router has firewall protection to protect against virus attacks and hacking into the database.
Electronic Transmission of Information
Notwithstanding the technological safeguards implemented by Trenval, all Internet transmissions are susceptible to possible loss, misrouting, interception and misuse. For this reason, as part of the application that individual’s sign consenting to their personal information being collected, used, retained, and disclosed, Trenval will assume that it has the individual’s consent to communicate via the Internet unless notified to the contrary.
An individual who wishes to review or verify what personal information is held by Trenval, may do so by making a request, in writing to the Trenval’s Chief Privacy Officer. Upon verification of the individual’s identity, the Chief Privacy Office will provide a written report within 60 days.
Any concern or issue about Trenval’s personal information handling practises may be made, in writing, to the Chief Privacy Officer. Upon verification of the individual’s identity, the Chief Privacy Officer will act promptly to investigate the complaint and provide a written report to the individual.
If the individual is dissatisfied with the report provided by the Chief Privacy Officer, or feels that the corrective action taken by Trenval is insufficient, the individual may direct a complaint to the Federal Privacy Commissioner in writing. The address of the Federal Privacy Commissioner is provided in this Privacy Statement for your convenience.
Trenval BDC (613) 961-7999
284B Wallbridge-Loyalist Rd.
PO Box 610
Belleville, Ontario K8N 5B3
OTHER HELPFUL PRIVACY LINKS
For a copy of PIPEDA, or for answers to other questions regarding privacy legislation, below are some helpful privacy links.
Federal Privacy Commissioner
112 Kent Street, Ottawa, ON K1A 1H3
Provincial Privacy Commissioner
www.privcom.gc.caSiskind, Cromarty, Ivey & Dowler LLP
1.1 The Ten Principles of PIPEDA Summarized 2
1.2 Personal Information Defined 4
2.0 PURPOSES OF COLLECTING PERSONAL INFORMATION 5
3.0 CONSENT 5
4.0 LIMITING COLLECTION 6
5.0 LIMITING USE, DISCLOSURE AND RETENTION 6
5.1 Use of Personal Information 6
5.2 Disclosure of Personal Information 6
5.3 Retention of Personal Information 7
6.0 ACCURACY 7
7.0 SAFEGUARDS 7
8.0 OPENNESS 8
9.0 INDIVIDUAL ACCESS 8
10.0 COMPLAINTS / RECOURSE 8
Trenval Business Development Corporation (“Trenval”) is a federally supported not-for-profit community organization with a volunteer board of directors and professional staff whose purpose is to develop and diversify local economies. Trenval supports community economic development and small business growth by developing and implementing strategic community plans, delivering a range of counselling and information services to small business and operating locally controlled investment funds to provide repayable financing to new and existing businesses.
1.1 The Ten Principles of PIPEDA Summarized
1. Accountability: organizations are accountable for the personal information they collect, use, retain and disclose in the course of their commercial activities, including, but not limited to, the appointment of a Chief Privacy Officer;
2. Identifying Purposes: organizations are to explain the purposes for which the information is being used at the time of collection and can only be used for those purposes;
3. Consent: organizations must obtain an Individual’s express or implied consent when they collect, use, or disclose the individual’s personal information;
4. Limiting Collection: the collection of personal information must be limited to only the amount and type that is reasonably necessary for the identified purposes;
5. Limiting Use, Disclosure and Retention: personal information must be used for only the identified purposes, and must not be disclosed to third parties unless the Individual consents to the alternative use or disclosure;
6. Accuracy: organizations are required to keep personal information in active files accurate and up-to-date;
7. Safeguards: organizations are to use physical, organizational, and technological safeguards to protect personal information from unauthorized access or disclosure.
8. Openness: organizations must inform their clients and train their employees about their privacy policies and procedures;
9. Individual Access: an individual has a right to access personal information held by an organization and to challenge its accuracy if need be; and
10. Provide Recourse: organizations are to inform clients and employees of how to bring a request for access, or complaint, to the Chief Privacy Officer, and respond promptly to a request or complaint by the individual.
“Personal information” means any information about an identifiable individual. It includes, without limitation, information relating to identity, nationality, age, gender, address, telephone number, e-mail address, Social Insurance Number, date of birth, marital status, education, employment health history, assets, liabilities, payment records, credit records, loan records, income and information relating to financial transactions as well as certain personal opinions or views of an Individual.
“Business information” means business name, business address, business telephone number, name(s) of owner(s), officer(s) and director(s), job titles, business registration numbers (GST, RST, source deductions), financial status. Although business information is not subject to PIPEDA, confidentiality of business information will be treated with the same security measures by Trenval staff, members and Board members, as is required for individual personal information under PIPEDA.
“Client” means the business that is applying for or has been approved for a loan, (including sole proprietorships and individuals carrying on business in a partnership);
“Individual” means the client’s owner(s) or shareholders, co-signors, and/or any guarantor associated with a client.
“Member” means a person who volunteers on a Trenval committee, but who is not a current or active board member, or chair of the committee.
“Application” means the application form or related forms completed by the individual(s) to request financing for the client through the Investment Fund of Trenval.
“Data base” means the list of names, addresses and telephone numbers of clients and individuals held by Trenval in the forms of, but not limited to, computer files, paper files, and files on computer hard-drives.
“File” means the information collected in the course of processing an application, as well as information collected/updated to maintain /service the account.
“Express consent” means the individual signs the application, or other forms containing personal information, authorizing Trenval to collect, use, and disclose the individual’s personal information for the purposes set out in the application and/or forms.
“Implied Consent” means the organization may assume that the individual consents to the information being used, retained and disclosed for the original purposes, unless notified by the individual.
“Third Party” means a person or company that provides services to Trenval in support of the programs, benefits, and other services offered by Trenval, such as other lenders, credit bureaus, persons with whom the individual or client does business, but does not include any Government office or department to whom Trenval reports in the delivery of such programs, benefits or services.
2.0 Purposes of Collecting Personal Information
Personal information is collected in order to assess the eligibility of the individual completing an application for financial assistance, as well as to report to Industry Canada. The individual is the main source of information but Trenval will also ask to obtain information directly from a third source where the individual does not have the required information.
Only that information which is required to make a determination of an individual’s eligibility will be collected. Although the individual’s Social Insurance Number may be requested in the application for confirming identification of the individual to the credit reporting agency, provision of this personal information is optional. The individual may provide alternative forms of identification, such as date of birth and driver’s license number.
An individual’s express, written consent will be obtained before or at the time of collecting personal information. The purposes for the collection, use or disclosure of the personal information will be provided to the individual at the time of seeking his or her consent. Once consent is obtained from the individual to use his or her information for those purposes, Trenval has the individual’s implied consent to collect or receive any supplementary information that is necessary to fulfil the same purposes. Express consent will also be obtained if, or when, a new use is identified.
By signing the application and/or other forms, implied consent is granted by the individual to obtain and/or to verify information from third parties such as banks, credit bureaus, other lenders, and insurance companies in the process of assessing the eligibility of an individual or client. Implied consent is also granted by the individual to permit Trenval to report or otherwise disclose information to Industry Canada, the federal department that administers the Ontario Community Futures Program.
An individual can choose not to provide some or all of the personal information at any time, but if Trenval is unable to collect sufficient information to validate the request for financing, the individual’s application for such financing may be turned down.
4.0 Limiting Collection
5.0 Limiting Use, Disclosure and Retention
5.1 Use of Personal Information
Personal information will be used for only those purposes to which the individual has consented with the following exceptions, as permitted under PIPEDA:
Trenval will use personal information without the individual’s consent, where:
5.2 Disclosure and Transfer of Personal Information
Personal information will be disclosed to only those Trenval employees, members of Trenval committees, and the Board of Directors that need to know the information for the purposes of their work or making an assessment as to the individual’s eligibility to the loan program.
Personal information will be disclosed to third parties with the individual’s knowledge and consent.
PIPEDA permits Trenval to disclose personal information to third parties, without an individual’s knowledge and consent, to:
PIPEDA permits Trenval to transfer personal information to a third party, without the individual’s knowledge or consent, if the transfer is simply for processing purposes and the third party only uses the information for the purposes for which it was transferred. Trenval will ensure, by contractual or other means, that the third party protects the information and uses it only for the purposes for which it was transferred.
5.3 Retention of Personal Information
Personal information will be retained in client files as long as the file is active and for such periods of time as may be prescribed by applicable laws and regulations.
A file will be deemed inactive if the Investment Committee rejects an application, when a loan is repaid in full and securities are discharged, or when a guarantee is terminated.
Information contained in an inactive file will be retained for a period of seven (7) years, except in the case where an application is rejected. Where an application has been rejected, the file and all personal information contained in the file will be retained for a period of two (2) years.
Trenval endeavours to ensure that any personal information provided by the individual in his or her active file(s) is accurate, current and complete as is necessary to fulfill the purposes for which the information has been collected, used, retained and disclosed. Individuals are requested to notify Trenval of any change in personal or business information.
Information contained in inactive files is not updated.
Organizational Safeguards: Access to personal information will be limited to the Loans Officer, the Administration Officer, and/or the Executive Director who have to make a determination as to the individual’s eligibility for a business loan. Personal information provided to members of Trenval committee(s) will be limited to only that information required to carry out the mandate of that committee. Members of the Trenval committee(s) and/or Board of Directors are not permitted to copy or retain any personal information on individuals or clients and must return for destruction all such information given to them to review once the purpose for being provided with this information has been fulfilled.
Employees and members of Trenval committee(s) and/or Board of Directors are required to sign a confidentiality agreement binding them to maintaining the confidentiality of all personal information to which they have access.
Physical Safeguards: Active files are stored in locked filing cabinets when not in use. Access to work areas where active files may be in use is restricted to Trenval employees only and authorized third parties.
All inactive files or personal information no longer required are shredded prior to disposal to prevent inadvertent disclosure to unauthorized persons.
Technological Safeguards: Personal information contained in Trenval computers and electronic data bases are password protected in accordance with Trenval’s Information Security Policy.
Access to any of the Trenval’s computers also is password protected. Trenval’s Internet router or server has firewall protection sufficient to protect personal and confidential business information against virus attacks and “sniffer” software arising from Internet activity. Personal information is not transferred to volunteer committee members, the Board of Directors, or third parties by e-mail or other electronic form.
9.0 Individual Access
An Individual who wishes to review or verify what personal information is held by Trenval, or to whom the information has been disclosed (as permitted by the Act), may make the request for access, in writing, to Trenval’s Chief Privacy Officer. Upon verification of the individual’s identity, the Chief Privacy Officer will respond within 60 days.
If the individual finds that the information held by Trenval is inaccurate or incomplete, upon the individual providing documentary evidence to verify the correct information, Trenval will make the required changes to the individual’s active file(s) promptly.
If an individual has a concern about Trenval’s personal information handling practises, a complaint, in writing, may be directed to the Trenval’s Chief Privacy Officer.
Upon verification of the individual’s identity, Trenval’s Chief Privacy Officer will act promptly to investigate the complaint and provide a written report of the investigation’s findings to the individual.
Where Trenval’s Chief Privacy Officer makes a determination that the individual’s complaint is well founded, the Chief Privacy Officer will take the necessary steps to correct the offending information handling practise and/or revise Trenval’s privacy policies and procedures.
Where Trenval’s Chief Privacy Officer determines that the individual’s complaint is not well founded, the individual will be notified in writing.
If the individual is dissatisfied with the finding and corresponding action taken by Trenval’s Chief Privacy Officer, the individual may bring a complaint to the Federal Privacy Commissioner at the address below:
The Privacy Commissioner of Canada
Email address: www.privcom.gc.ca.
112 Kent Street, Ottawa,
Ontario K1A 1H3
Privacy Law Group:
Chief Privacy Officer Email address: firstname.lastname@example.org
Trenval Business Development Corporation
284B Wallbridge-Loyalist Rd.
Belleville, ON K8N 4Z5
Amendment to Trenval’s Privacy Policies
Copyright © 2010 Trenval Business Development Corporation