Privacy Commitment
OCR Document #1
By: The Clone
Date: Tuesday March 14, 2000
Note:
The original hard copy version of the 'TELUS Privacy Commitment'
is not © Copyright in any way. Therefore the legality of the electronic representation, 'TELUS Privacy Commitment', should not
be a concern.
http://www.nettwerked.net theclone@nettwerked.net The following information was OCR'd from the 'TELUS Privacy Commitment' booklet. The booklet is available at most Edmonton
based Telus stores and/or TELUS approved dealer stores.
Privacy Commitment
The TELUS Privacy Commitment incorporates the ten principles of the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information (CAN/CSA-Q830-96) which was published in March 1996 as a National Standard of Canada, and is based on the
Stentor Privacy Commitment , which was approved by the Quality Management Institute (QMI), a division of CSA, on September 8, 1998.
Table of Contents Introduction [1] Summary of Principles [2] Scope and Application [3] Definitions [4] The TELUS Code in Detail [5]
Principle 1 - Accountability Principle 2 - Identifying Purposes for Collection of Personal Information Principle 3 - Obtaining Consent for Collection, Use or Disclosure of Personal Information Principle 4 - Limiting Collection of Personal Information Principle 5 - Limiting Use, Disclosure, and Retention of Personal Information Principle 6 - Accuracy of Personal Information Principle 7 - Security Safeguards Principle 8 - Openness Concerning Policies and Practices Principle 9 - Customer and Employee Access to Personal Information Principle 10 - Challenging Compliance Introduction
TELUS is Canada's second largest communications and information management services company. TELUS has made customer privacy a high priority. We have a long-standing policy of protecting the privacy of customers in all of our business operations.TELUS has the responsibility to safeguard the use of information that customers may reasonably expect us to keep private. TELUS' privacy code adopts the Canadian Standards Association privacy standard, Model code for the Protection of Personal Information CAN/CSA-Q830-96 (CSA Standard).
The CSA Standard is a voluntary code for ensuring the protection of consumer privacy and is a world-respected cornerstone for addressing privacy issues. The point of origin for the CSA privacy code is the Organization for Economic Co-operation and Development's (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted by the Government of Canada in 1984.
In 1992, the members of the Stentor telephone company alliance introduced a Model Privacy Commitment, which reflected the policies and regulatory rules of Canadian communication companies
The Stentor Model Privacy Commitment was updated to reflect the CSA Standard in 1998, and was subsequently approved by Quality Management Institute (QMI), a division of CSA, on September 9, 1998. The TELUS Code is based on the Model Privacy Commitment approved by QMI.
The revised TELUS Privacy Commitment is a formal statement of principles and guidelines concerning the minimum requirements for the protection of personal information provided by TELUS to its customers and employees.
The objective of the TELUS Code is to promote responsible and transparent practices in the management of personal information, in accordance with the CSA Standard.
TELUS will Continue to review its Code at least every five years. This review will ensure that our Code is relevant and remains current with changing technologies and laws. Most importantly, TELUS wants to ensure it continues to meet the evolving needs of our customers and employees.
Summary of PrinciplesPrinciple 1 - AccountabilityTELUS is responsible for personal information under its control and shall designate one or more persons who are accountable for the company's compliance with the following principles.
Principle 2 - Identifying Purposes for Collection of Personal Information
TELUS shall identify the purposes for which personal information is collected at or before the time the information is collected.
Principle 3 - Obtaining Consent for Collection, Use or Disclosure of Personal Information
The knowledge and consent of a customer or employee are required for the collection, use, or disclosure of personal information, except where inappropriate.
Principle 4 - Limiting Collection of Personal Information
TELUS shall limit the collection of personal information to that which is necessary for the purposes identified by the company. TELUS shall collect personal information by fair and lawful means.
Principle 5 - Limiting Use, Disclosure, and Retention of Personal Information
TELUS shall not use or disclose personal information for purposes other than those for which is was collected, except with the consent of the individual or as required by law. TELUS shall retain personal information only as long as necessary for the fulfillment of those purposes.
Principle 6 - Accuracy of Personal Information
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
Principle 7 - Security Safeguards
TELUS shall protect personal information by security safeguards appropriate to the sensitivity of the information.
Principle 8 - Openness Concerning Policies and Practices
TELUS shall make readily available to customers and employees specific information about its policies and practices relating to the management of personal information.
Principle 9 - Customer and Employee Access to Personal Information
TELUS shall inform a customer or employee of the existence, use, and disclosure of his or her personal information upon request and shall give the individual access to that information. A customer or employee shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Principle 10 - Challenging Compliance
A customer or employee shall be able to address a challenge concerning compliance with the above principles to the designated person or persons accountable for TELUS' compliance with the TELUS Code.
Scope and ApplicationThe ten principles which form the basis of the TELUS Code are interrelated and TELUS shall adhere to the ten principles as a whole. Where this is also a note following a principle (see principles 3 and 9), it forms an integral part of the principle.Each principle must be read in conjunction with the accompanying commentary. As permitted by the CSA Standard, the commentary in the TELUS Code may be tailored to reflect personal information issues specific to TELUS.
The scope and application of the TELUS Code are as follows:
The TELUS Code applies to personal information about TELUS' customers and employees that is collected, used, or disclosed by TELUS.
The TELUS Code applies to the management of personal information in any form whether oral, electronic or written.
The TELUS Code does not impose any limits on the use or disclosure of the following information by TELUS: a) a customer's name, address, telephone number and electronic address, when listed in a directory or available through directory assistance;
b) an employee's name and position with TELUS; or
c) information that his publicly available without any restrictions on use or disclosure from persons that have the right to disclose the information.
The application of the TELUS Code is subject to the requirements or provisions of any applicable legislation, regulations or agreements, such as collective agreements, or order of any court, or other lawful authority. The TELUS Code does not apply to information regarding TELUS' corporate customers; however, such information is protected by other TELUS policies and practices and through contractual arrangements. Definitionscollection - the act of gathering, acquiring, recording, or obtaining personal information from any source, including third parties, by any means.consent - voluntary agreement with the collection, use and disclosure of personal information for defined purposes. Consent can be either express or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing, but is always unequivocal and does not require any inference on the part of TELUS. Implied consent is consent that can reasonably be inferred from an individual's action or inaction.
customer - an individual who uses, or applies to use, TELUS' products or services, where such individual is a residential customer or an individual carrying on business alone as a sole proprietorship or in partnership with other individuals.
disclosure - making personal information available to a third party.
employee - an employee or pensioner of TELUS.
personal information - information about an identifiable individual that is recorded in any form, but does not include aggregated information that cannot be associated with a specific individual.
For a customer, such information includes a customer's credit information, billing records, service and equipment, and any recorded complaints.For an employee, such information includes information found in personal employment files, performance appraisals, and medical and benefits information.
TELUS - including all divisions, such as TELUS Communications, TELUS Mobility and TELUS Multimedia.
TELUS Services Inc., including all divisions, such as TELUS Advanced Communications and TELUS Advertising Services.TELUS Enterprises Inc.
BC TEL
BC TEL Mobility Cellular Inc.
BC TEL Systems Support Inc., including all divisions, such as BC TEL Interactive and BC TEL Advanced Communications.
B.C. Mobile Ltd.
Canadian Telephones and Supplies Ltd.
SRI Strategic Resources Inc.
Telecom Leasing Canada (TLC) Limited
and any successor company or companies of the above, as a result of corporate reorganization or restructuring.
third party - an individual or organization outside TELUS.
use - the treatment, handling, and management of personal information by and within TELUS.
The TELUS Code in DetailPrinciple 1 - AccountabilityTELUS is responsible for personal information under its control and shall designate one or more persons who are accountable for TELUS' compliance with the following principles.
1.1 Responsibility for ensuring compliance with the provisions of the TELUS Code rests with the senior management of TELUS, which shall designate one or more persons to be accountable for compliance with the TELUS Code. Other individuals within TELUS may be delegated to act on behalf of the designated person(s) or to take responsibility for the day-to-day collection and processing of personal information.Principle 2 - Identifying Purposes for Collection of Personal Information1.2 TELUS shall make known, upon request, the title of the person or persons designated to oversee TELUS' compliance with the TELUS Code.
1.3 TELUS is responsible for personal information in its possession or control. TELUS shall use appropriate means to provide a comparable level of protection while information is being processed by a third party (see Principle 7).
1.4 TELUS shall implement policies and procedures to give effect to the TELUS Code, including:
a) implementing procedures to protect personal information and to oversee TELUS' compliance with the TELUS Code;
b) establishing procedures to receive and respond to inquiries or complaints;
c) training and communicating to staff about TELUS' policies and practices; and
d) developing public information to explain TELUS' policies and practices.
TELUS shall identify the purposes for which personal information is collected at or before the time the information is collected.
2.1 TELUS collects personal information only for the following purposes:Principle 3 - Obtaining Consent for Collection, Use or Disclosure of Personal Informationa) to establish and maintain responsible commercial relations with customers and to provide ongoing service;
b) to understand customer needs;
c) to develop, enhance, market or provide products and services;
d) to manage and develop TELUS' business and operations, including personnel and employment matters; and
e) to meet legal and regulatory requirements.
Further references to "identified purposes" mean the purposes identified in this Principle 2.
2.2 TELUS shall specify orally, electronically or in writing the identified purposes to the customer or employee at or before the time personal information is collected. Upon request, persons collecting personal information shall explain these identified purposes or refer the individual to a designated person within TELUS who shall explain the purposes.
2.3 Unless required by law, TELUS shall not use or disclose for any new purpose personal information that has been collected without first identifying and documenting the new purpose and obtaining the consent of the customer or employee.
The knowledge and consent of a customer or employee are required for the collection, use, or disclosure of personal information, except where inappropriate.
NOTE:
In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated.
3.1 In obtaining consent, TELUS shall use reasonable efforts to ensure that a customer or employee is advised of the identified purposes for which personal information will be used or disclosed. Purposes shall be stated in a manner that can be reasonably understood by the customer or employee.Principle 4 - Limiting Collection of Personal Information3.2 Generally, TELUS shall seek consent to use and disclose personal information at the same time it collects the information. However, TELUS may seek consent to use and disclose personal information after it has been collected, but before it is used or disclosed for a new purpose.
3.3 TELUS will require customers to consent to the collection, use or disclosure of personal information as a condition of the supply of a product or service only if such collection, use or disclosure is required to fulfill the identified purposes.
3.4 In determining the appropriate form of consent, TELUS shall take into account the sensitivity of the personal information and the reasonable expectations of its customers and employees.
3.5 In general, the use of products and services by a customer, or the acceptance of employment or benefits by an employee, constitutes implied consent for TELUS to collect, use and disclose personal information for all identified purposes.
3.6 A customer may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
Customers may contact TELUS for more information regarding the implications of doing so.
TELUS shall limit the collection of personal information to that which is necessary for the purposes identified by TELUS.
TELUS shall collect personal information by fair and lawful means.
4.1 TELUS collects personal information primarily from its customers or employees.4.2 TELUS may also collect personal information from other sources including credit bureaus, employers or personal references, or other third parties who represent that they have the right to disclose the information.
Principle 5 - Limiting Use, Disclosure, and Retention of Personal Information
TELUS shall not use or disclose personal information for purposes other than those for which is was collected, except with the consent of the individual or as required by law.
TELUS shall retain personal information only as long as necessary for the fulfillment of those purposes.
Principle 6 - Accuracy of Personal Information5.1 TELUS may disclose a customer's personal information to:
a) another telecommunications company for the efficient and effective provision of telecommunications services;
b) a company involved in supplying the customer with communications or communications directory related services;
c) another person for the development, enhancement, marketing or provision of any of TELUS' products or services;
d) an agent retained by TELUS in connection with the collection of the customer's account;
e) credit grantors and reporting agencies;
f) a person who, in the reasonable judgment of TELUS, is seeking the information as an agent of the customer; and
g) a third party or parties, where the customer consents to such disclosure or disclosures is required by law.
5.2 TELUS may disclose personal information about its employees:
a) for normal personnel and benefits administration;
b) in the context of providing references regarding current or former employees in response to requests from prospective employers; or
c) where disclosure is required by law.
5.3 Only TELUS' employees with a business need to know, or whose duties reasonably so require, are granted access to personal information about customers and employees.
5.4 TELUS shall keep personal information only as long as it remains necessary or relevant for the identified purposes or as required by law. Depending on the circumstances, where personal information has been used to make a decision about a customer or employee, TELUS shall retain, for a period of time that is reasonably sufficient to allow for access by the customer or employee, either the actual information or the rationale for making the decision.
5.5 TELUS shall maintain reasonable and systematic controls, schedules and practices for information and records retention and destruction which apply to personal information that is no longer necessary or relevant for the identified purposes or required by law to be retained. Such information shall be destroyed, erased or made anonymous.
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
6.1 Personal information used by TELUS shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about a customer or employee.Principle 7 - Security Safeguards6.2 TELUS shall update personal information about customers and employees as and when necessary to fulfill the identified purpose or upon notification by the individual.
TELUS shall protect personal information by security safeguards appropriate to the sensitivity of the information.
7.1 TELUS shall protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, through appropriate security measures. TELUS shall protect the information regardless of the format in which it is held.Principle 8 - Openness Concerning Policies and Practices7.2 TELUS shall protect personal information disclosed to third parties by contractual agreements stipulating the confidentiality of the information and the purposes for which it is to be used.
7.3 All of TELUS' employees with access to personal information shall be required as a condition of employment to respect the confidentiality of personal information.
TELUS shall make readily available to customers and employees specific information about its policies and practices relating to the management of personal information.
8.1 TELUS shall make information about its policies and practices easy to understand, including:Principle 9 - Customers and Employee Access to Personal Informationa) the title and address of the person or persons accountable for TELUS' compliance with the TELUS Code and to whom inquiries or complaints can be forwarded;
b) the means of gaining access to personal information held by TELUS; and
c) a description of the type of personal information held by TELUS, including a general account of its use.
8.2 TELUS shall make available information to help customers and employees exercise choices regarding the use of their personal information and the privacy enhancing services available from TELUS.
TELUS shall inform a customer or employee of the existence, use, and disclosure of his or her personal information upon request and shall give the individual access to that information.
A customer or employee shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
NOTE:Principle 10 - Challenging ComplianceIn certain situations, TELUS may not be able to provide access to all of the personal information it holds about a customer or employee. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security or commercial proprietary reasons, information that is subject to solicitor-client or litigation privilege, or, in certain circumstances, information of a medical nature. TELUS shall provide the reasons for denying access upon request. 9.1 Upon request, TELUS shall afford customers and employees a reasonable opportunity to review the personal information in the individual's file. Personal information shall be provided in understandable form within a reasonable time, and at a minimal or no cost to the individual.
9.2 Upon request, TELUS shall provide an account of the use and disclosure of personal information and, where reasonably possible, shall state the source of the information. In providing an account of disclosure, TELUS shall provide a list of organizations to which it may have disclosed personal information about the individual when it is not possible to provide an actual list.
9.3 In order to safeguard personal information, a customer or employee may be required to provide sufficient identification information to permit TELUS to account for the existence, use and disclosure of personal information and to authorize access to the individual's file. Any such information shall be used only for this purpose.
9.4 TELUS shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the individual's file. Where appropriate, TELUS shall transmit to third parties having access to the personal information in question any amended information or the existence of any unresolved differences.
9.5 Customers can obtain information or seek access to their individual files by contacting a designated representative at TELUS' business offices.
9.6 employees can obtain information or seek access to their individual files by contacting their immediate supervisor within TELUS.
A customer or employee shall be able to address a challenge concerning compliance with the above principles to the designated person or persons accountable for TELUS' compliance with the TELUS Code.
10.1 TELUS shall maintain procedures for addressing and responding to all inquiries or complaints from its customers and employees about TELUS' handling of personal information.10.2 TELUS shall inform its customers and employees about the existence of these procedures as well as the availability of complaint procedures.
10.3 The person or persons accountable for compliance with the TELUS Code may seek external advice where appropriate before providing a final response to individual complaints.
10.4 TELUS shall investigate all complaints concerning compliance with the TELUS Code. If a complaint is found to be justified, TELUS shall take appropriate measures to resolve the complaint including, if necessary, amending its policies and procedures. A customer or employee shall be informed of the outcome of the investigation regarding his or her complaint.
For more information on the TELUS Privacy Commitment contact: 1-800-567-0000
For copies of the CSA Model Code for the
Protection of Personal Information contact:Canadian Standards Association
178 Rexdale Blvd.
Etobicoke, Ontario
M9W 1R3