Privacy Officer / Privacy Team
The Company's Vice President, Human Resources is hereby designated as the Company's Privacy Officer to maintain compliance with the 10 Principles included under the Personal Information Protection and Electronic Documents Act, a copy of which is attached as Schedule "A". The Privacy Officer will review and monitor all complaints, as and when required.
Collection and Use of Personal Information
- The Company has determined that personal information is collected in the ordinary course of business from various sources, namely: employees, customers and shareholders. The Company has documented the purposes for the use of this personal information and will collect only that information necessary for the purposes identified. In order to give effect to this requirement and others within this Policy, certain Departments have developed Guidelines and Restrictions as to the use, protection, disclosure and accessibility of personal information collected through corporate office and at each Branch level. These Departments are: Human Resources, Payroll, Credit, Information Systems and Investor Relations. Each of the Department's Practices and Procedures shall form part of this Policy.
- If the personal information collected by the Company will be used for a new purpose, it will also be documented and consent of the individual will be obtained before the information can be used for that purpose. Collection of the information will normally be done in writing; however, it may be done verbally.
- The Company will not collect personal information indiscriminately. Both the amount and the type of information collected will be limited to that which is necessary to fulfill the purposes identified.
- The Company will make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.
- The Company will not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purposes.
- Consent will not be obtained through deception.
- Consent may also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
- An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The Company will inform the individual of the implications of such withdrawal.
Accuracy of Personal Information
- Information will be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.
- The Company will not routinely update personal information, unless such a process is necessary to fulfill the purposes for which the information was collected.
- Personal information that is used on an ongoing basis, including information that is disclosed to third parties, will generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
Protection of Personal Information
The Company will protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification by implementing the following safeguards and security measures:
- Access to personal information is restricted to those employees who require the information to perform their duties.
- Personal information that is stored in databases and computer systems is protected by the use of passwords, encryption files and firewalls.
- Personal information in paper form retained in cabinets and desk drawers is locked-up.
- Where personal information is transferred to external sources for processing, the Company has entered into contractual relationships where third parties are involved, in order that such personal information is protected and safeguarded.
- Each Department has developed Guidelines as to the protection of the personal information collected through corporate office and at each Branch level. These guidelines include the security protection, security level and individuals or positions within the Company who have access to such information. These Guidelines form part of this Policy.
Retention of Personal Information
Each Department has developed guidelines and procedures to be adhered to with respect to the retention of personal information. These guidelines include, amongst other things, minimum and maximum retention periods and where personal information has been used to make a decision about an individual, such information is retained long enough to allow the individual access to the information after the decision has been made.
Destruction of Personal Information
Each Department has developed guidelines and procedures to be adhered to with respect to the destruction of personal information, which includes, amongst other things:
- established dates as to when the personal information is no longer required;
- how the personal information is to be destroyed, erased, or made anonymous; and
- standards of care to be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.
Communication Materials, Brochures, etc.
- the name or title, the address, fax and phone numbers and e-mail address of the person who is accountable for the Company's policies and practices and to whom complaints or inquiries can be forwarded;
- how to access personal information held by the Company;
- a description of the type of personal information held by the Company, including a general account of its use;
- a copy of any brochures or other information that explains the Company's policies, standards, or codes; and
- what personal information is made available to related organizations (e.g., subsidiaries).
Access to Personal Information
- Upon request, the Company will inform an individual whether or not the Company holds personal information about the individual. The Company may indicate the source of this information. The Company will allow the individual access to this information. However, it may choose to make sensitive medical information available through a medical practitioner. In addition, the Company will provide details on the use that has been made or is being made of this information and details of the third parties to which it has been disclosed.
- An individual may be required to provide sufficient information to permit the Company to provide details on the existence, use, and disclosure of personal information. The information provided will only be used for this purpose.
- In providing details of third parties to which it has disclosed personal information about an individual, the Company will attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the Company will provide a list of organizations to which it may have disclosed information about the individual.
- The Company will respond to an individual's request within a reasonable time and at minimal or no cost to the individual. The requested information shall be provided or made available in a form that is generally understandable. For example, if the Company uses abbreviations or codes to record information, an explanation will be provided.
- When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the Company will amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information will be transmitted to third parties having access to the information in question.
- If a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge will be recorded by the Company. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.
Challenging Compliance, Complaints and Inquiries
The Privacy Officer, Vanden Bussche Irrigation, PO Box 304, 970 James Street, Delhi, Ontario N4B 2X1
-or- by telephone to: 519-582-2380
-or- by fax to: 519-582-1514
- All correspondence communicated internally and externally regarding the collection and use of personal information, will include details on how to contact the Privacy Officer.
- Complaints received by the Privacy Officer will be documented and investigated, indicating the nature of the complaint and if necessary, communicated to the Privacy Team for review and discussion. If a complaint is found to be justified, the Company will take appropriate measures, including, if necessary, amending its policies and practices.
- The Company has made its employees aware of the importance of maintaining the confidentiality of personal information.
- E-mail, Quotes and Orders:
The Company receives requests for information by email from visitors to its websites, as well as through the processing of quotes and orders. The Company uses the information received to process and fill the request. The request and any responses thereto are retained for a period necessary to fulfill the Company's legal requirements. The information is not disclosed to any third parties.
Cookies (small pieces of information that are stored by the visitor's browser on its computer hard drive) enable the Company to provide the visitor with certain features, such as retaining the visitor's log in information for customization the next time the visitor visits the Company's sites. Passwords are not stored. Cookies cannot read data off of the visitor's hard drive. The visitor's browser may allow the visitor to be notified when they are receiving a cookie, giving the visitor a choice to accept it or not. By not accepting cookies, the visitor may not be able to access certain information on the Company's sites.
The Company receives requests for information from time to time, for its continuous disclosure documents and information packages. The request and any responses thereto are retained for a period necessary to fulfill the Company's legal requirements. The information is not disclosed to any third parties.
The Company has adopted the following 10 Principles with respect to the protection of personal information that it collects from individuals and uses in the course of conducting business.
Principle 1 - Accountability
- The Company is responsible for personal information under its control and shall designate an individual as the Company's Privacy Officer as responsible for the Company's compliance with the Personal Information and Electronic Documents Act.
Principle 2 - Identifying Purposes
- The Company shall identify the purposes for which personal information is collected at or before the time the information is collected.
Principle 3 - Consent
- The knowledge and consent of an individual is required for the collection, use, or disclosure of personal information, except where inappropriate. Consent shall be obtained, either verbally or in writing.
Principle 4 - Limiting Collection
- The collection of personal information shall be limited to that which is necessary for the purposes identified by the Company. Information shall be collected by fair and lawful means.
Principle 5 - Limiting Use, Disclosure, and Retention
- Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
Principle 6 - Accuracy
- Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
Principle 7 - Safeguards
- Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Principle 8 - Openness
- The Company shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Principle 9 - Individual Access
- Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Principle 10 - Challenging Compliance
- An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the Company's compliance.