Confidentiality of Information

Objective

  • To ensure that confidential business information that is an important business asset, is valuable to our company and that which employees will acquire knowledge in the course of employment, is protected to ensure its confidentiality, integrity and availability.

 

Applicability

  • This policy applies to all staff of Ferguslea Properties’ Canadian operations.

 

Other Relevant Legislation/Policies/Forms

  • Conflict of Interest Policy
  • Offer Letter or Employment Agreement

 

Coverage/Terminology

  • Forms, letters, policies, plans, drawings, contracts, business plans, financial statements and any other documents or intellectual property, including media and software, related to business and produced by staff while in Ferguslea Properties’ employ are confidential and considered the property of Ferguslea Properties.
  • All statement requests from the media or any organization are to be immediately referred to the Group Leader of the division to which the issue applies.
  • All interviews with the media and engagements to speak in public on any subject related to real estate development/management must be approved in advance by the Chairman and CEO.
  • Under no circumstances should confidential business information be shared with any person outside Ferguslea Properties unless the employee is specifically instructed to do so by his/her supervisor, and the group leader.

 

Implementation

  • Employees must ensure that any documents in their possession are protected including keeping confidential information under lock and key.
  • Accurate and complete information must be given in all communications to the public regarding Ferguslea Properties’ activities.
  • Employees must avoid participating in any activities that may be detrimental to Ferguslea Properties’ best interests.
  • Employees who leave the employ of Ferguslea Properties are required to maintain the confidentiality of all information obtained while in the employ of Ferguslea Properties.

 

Effective Date and Duration

  • This policy is currently in place and will remain in effect until otherwise stated.

 

 


 

Privacy Compliance

Objective

  • To ensure that all employees and practices are compliant with federal legislation entitled the “Personal Information Protection and Electronic Documents Act” (PIPEDA), by following Ferguslea Properties’ established procedures for the handling of personal information in our custody and control. (PIPEDA regulates the collection, use and disclosure of personal information in order to protect the privacy of individuals with whom we engage in commercial activities.)

 

Applicability

  • This policy applies to all staff of Ferguslea Properties’ Canadian operations in respect to the collection, use, disclosure and retention of personal information in the course of all commercial activities.

 

Other Relevant Legislation/Policies/Forms

  • Records Management Program Retention Schedule

 

Coverage/Terminology

  • The “Act” refers to PIPEDA.
  • Handling refers to the collection, use, disclosure, safeguarding, and retention of personal information.
  • Personal information means information about an identifiable individual but does not include the name, title or business address or telephone number.  Personal information may include hours of availability, schedules, colour selections, preferences, family size, ethnicity, income, employment details, opinions, observances, disputes, etc.
  • Records of such personal information may include any correspondence, guest cards, agreements, requests, drawings, pictures, etc. in the form of paper, electronic copies, handwritten notes or transcripts of verbal exchanges.
  • Individual means a person, and includes customers, employees and contractors of Ferguslea Properties.
  • Consent means that the individual has been given a reasonable understanding of how the information will be used or disclosed and agrees to this.
  • Customers can express consent orally, in writing or electronically.  If consent is obtained orally, it should be clearly recorded as a note to file or marked on a checklist.
  • Customers can imply consent through action or inaction.  An example of this would be a customer not responding to our offer to remove their name from our customer survey list.  We can assume the customer consents to the use of his personal information for including him in future surveys. Whenever possible, express consent is to be sought.

 

Implementation

  • Ferguslea Properties will collect, use or disclose personal information only for purposes that are reasonable and appropriate for the circumstances. The ten privacy principles which are embedded in the Act will be applied to the handling of all personal information as follows:
    1. Accountability

      • Ferguslea Properties is responsible for personal information under its control and has designated Gwen Cox, the Director of Communications, as its Chief Privacy Officer (CPO). The CPO is accountable for Ferguslea Properties’ compliance with PIPEDA. Comments or questions regarding the Act or this policy should be directed first to your supervisor.  Your supervisor will seek assistance from the CPO or the Director of Compliancy as required.
      • Ferguslea Properties remains responsible for personal information that is transferred to a third party in the course of our business activities. Therefore, departments procuring the services of a third party which necessitates the disclosure of personal information will contract with the third party to ensure there is a comparable level of protection for the personal information being shared.  A form letter must be issued to first time suppliers/vendors concerning Ferguslea Properties’ Privacy Policy in the absence of a formal contract.
    2. Identifying Purpose

      • The following purposes have been identified for the collection of personal information at Ferguslea Properties:
      • To respond to requests for product information.
      • To complete business transactions and to provide appropriate levels of service following the completion of a transaction, such as a property rental, lease or sale.
      • To share personal information that we collect with other service providers, such as utilities, banking institutions and credit agencies, as well as trades and contractors, etc. who perform various functions to assist in our delivery of service.
      • We may also be required to provide personal information to third parties for legal or regulatory purposes or to the owners of properties we are providing management services to.
      • From time to time, we may provide personal information to a third party in order to conduct customer satisfaction surveys.
      • We will use personal information at an aggregate level to improve the quality and efficiency of our products and services and to enhance our marketing efforts.
      • We may share personal information within the Ferguslea Properties Group of Companies to cross promote products and services which we believe will be of interest to our customers.
      • Wherever possible, forms completed by individuals on which personal information is collected must identify the purpose for which the information is being collected.  Otherwise, individuals will be informed verbally before or at the time of collection of the intended use.
      • If a new use is identified for personal information already collected, consent to use the personal information for the new purpose must be obtained.
    3. Consent

      • The knowledge and consent of the individual are required for the collection, use and disclosure of personal information. Ferguslea Properties forms that contain personal information, including but not limited to online registration forms, guest cards, applications, requests for service, etc., must stipulate the purpose for the collection.
      • Exceptions to obtaining consent that are permitted are limited to the following circumstances:
      • When the collection is in the best interests of the individual and consent cannot be obtained in a timely manner.
      • When the information is used to act in an emergency where said emergency threatens the life, health or safety or security of an individual or others.  In this case, the individual must be notified in writing as soon as possible afterward of any disclosure and to whom.
      • When required to comply with a subpoena, warrant or court ruling.
      • When a government institution or government agency has demonstrated its lawful authority.  The request must be in writing and clearly identify the legislation that substantiates the disclosure.  Unless identified in the Privacy Commitment section of the Tree House as confirmed lawful authority, all such requests must be referred to the CPO for a legal opinion prior to disclosing the information.  (With written consent from the individual, personal information may be released to government institutions or agencies.)
      • Individuals must be allowed to withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.  Such requests for withdrawal of consent should be made in writing and documented in the appropriate file systems to ensure compliance with each individual’s request.  Any individual wishing to withdraw consent must be made aware of all consequences affecting the delivery of services or products.  All requests to withdraw consent must be acknowledged in writing by the affected department(s).
    4. Limiting Collection

      • Employees are required to limit the collection of personal information to that which is necessary for the purposes that it has identified.  Such information is to be collected using fair and lawful means.
    5. Limiting Use, Disclosure and Retention

      • Personal information cannot be used or disclosed for purposes other than those for which it has been collected except with the consent of the individual or as required by law, for example:
      • Subpoenas,
      • Search warrants
      • Other court orders
      • Demands from government institutions that have a legal right to personal information.
      • In these circumstances, employees are expected to make reasonable efforts to ensure that orders or demands appear to comply with the laws under which they were issued and that they only disclose the personal information that is legally required and nothing more.  Employees shall not comply with casual requests for personal information from government or law enforcement authorities.  If lawful authority is not noted on the Tree House privacy web page, guidance must be sought from the Chief Privacy Officer prior to complying with any request from a third party for personal information.
      • Personal information can only be retained for as long as necessary to fulfill the stated purposes. Ferguslea Properties employees are required to comply with approved retention periods identified in the Records Management Program on the Tree House or with individual departmental procedures outlining information purging timelines.
      • Personal information no longer required to fulfill the identified purposes must be destroyed, erased or made anonymous.
    6. Accuracy

      • Personal information that is used continually, including information that is disclosed to third parties, must be kept accurate, complete and up-to-date as is necessary to fulfill the purpose for which it is to be used.  It is not Ferguslea Properties’ intention to routinely update personal information unless it is required to fulfill the purpose for which the information has been collected.
      • Customers may be asked to notify the appropriate department to view or correct personal information.
    7. Safeguards

      • Regardless of the format, employees are responsible for safeguarding personal information against loss or theft, as well as unauthorized access, use, modification or disclosure.  To this end, employees must follow the safeguards established for their work area which may include but are not necessarily restricted to the following:
      • Physical measures such as restricted access to offices, locked filing cabinets and desk drawers. Privacy practices such as the use of file folders and binders during desk top usage, clean desks and supervised office cleaning.
      • Organizational measures such as limiting access on a need to know basis.Technological measures such as the use of passwords and encryption.
      • Employees are required to take care in disposing of discarded personal information.  All documents, notes, reports, etc., containing personal information that are not marked for archiving must be shredded, not discarded in recycle or garbage bins.
      • Employees discovering lost or discarded documents containing personal information on any work site are required to retrieve the documents for safe keeping and report the breach to their supervisor.  Supervisors are required to address any breach, including those made through a third party disclosure, to prevent reoccurrences.
      • In the event of a breach, the Supervisor is required to notify the Chief Privacy Officer, provide details of the breach and outline steps taken to remedy the situation and prevent future incidents.
    8. Openness

      • Ferguslea Properties is required to make information available to the public on our privacy practices and identify the person responsible for overseeing our compliance.
      • All Ferguslea Properties offices with public traffic, such as sales and rental centres and service offices, must be able to produce our Privacy Policy upon request, indicate the means by which an individual may access their personal information and provide a general account of its use.
      • Ferguslea Properties employees must be able to provide, upon request, the name, title and address of the person who is accountable for our privacy policies and practices and where to direct inquiries or complaints.
    9. Individual Access

      • Individuals shall be granted access to view all personal information on themselves that has been collected and used.  Individuals shall also be informed of the nature of any disclosures, except under circumstances outlined below.  Such requests by individuals to view their personal information must be made in writing, and photo ID must be provided at the time of viewing.  All requests must be acknowledged within five (5) business days and an appointment to view must be scheduled to occur within thirty (30) days of the initial request.
      • Access relates to personal information captured on paper documents (for example, leases and agreements of purchase and sale, photographs, etc.), in data stored electronically in management systems and emails that contain personal information.
      • Granting access includes providing a time and place for an individual to review their personal information in the presence of a Ferguslea Properties employee.  It also includes providing photocopies of personal information upon the individual’s request.  Access must be granted within 30 days of the date requested.
      • An administration fee of $10 may be applied to requests for photocopies at the discretion of individual departments.  No fee will be charged without first informing the individual of the charge.
      • In providing access, employees must take care not to reveal to personal information relating to another individual.  Any request to view personal information must be refused when it would reveal personal information about another individual that cannot be severed or removed.
      • Employees are not permitted to provide information to individuals concerning legally authorized disclosures made to a government institution for law enforcement or national security reasons.  The CPO must be advised if a government institution has instructed a department to refuse access or not to reveal that the information has been released to them.

      Access may be refused if the personal information falls under one of the following:

      • Solicitor-client privilege
      • Confidential commercial information
      • Disclosure could harm an individual’s life or security
      • It was collected without the individual’s knowledge or consent to ensure its availability and accuracy, and the collection was required to investigate a breach of an agreement or contravention of a federal or provincial law (in which case, the Privacy Commissioner must be notified).
      • It was generated in the course of a formal dispute resolution process.
      • When an individual has proven that personal information in their file is inaccurate or incomplete, the information shall be corrected at the individual’s request.
    10. Challenging Compliance

      • In the event that an individual wishes to make a complaint concerning the handling of their personal information, they should be directed to contact the Internal Compliance Team member responsible for privacy compliance in that division.  If an individual chooses to contact the CPO by letter or via the Internet, the CPO will channel complaints back to the appropriate Internal Compliance Team member for investigation and resolution.  Team members are listed on the Tree House under the Privacy Commitment link.
      • The Chief Privacy Officer and the Director of Compliance must be copied on all correspondence relating to the complaint, the results of any investigation and the resolution thereof.
      • In the event of a breach in compliance, appropriate measures must be taken to make amendments to policies and procedures to prevent future occurrences.

 

Effective Date and Duration

This policy is currently in place and will remain as long as legislated or until such time as new legislation or changes to existing legislation are enacted.