Privacy Policies and Procedures
Each of our divisions provides a unique service. Through these divisions we provide recruitment services, human resource management and payroll services. There are three main types of groups we deal with:
Candidates: people actively looking for work.
Employees: currently employed individuals who are payrolled through Career1.
Clients: businesses that require our services to supply them with recruitment, human resource management or payroll needs.
Definition of Personal Information
“Personal Information” is personally identifiable information, including but not limited to name, address, date of birth, contact details, resume, qualifications, work history, skills and interests.
What Personal Information do we collect?
How do we collect Personal Information?
We collect personal information through fair and lawful means, and personal information is subject to our privacy policies. Information is collected from a wide variety of sources, which include:
- Resumes dropped off in person or received by fax or e-mail
- References obtained through telephone conversations and written reference letters
- Candidate application forms, payroll information and benefits application forms received from candidates and employees by fax, e-mail and in person
- Garnishee information received from various organizations in writing by mail or fax
- Client information collected by our internal staff and volunteered by our clients in order to provide them with our services
We may collect personal information without consent or knowledge if it:
- Is in the interest of the individual and consent is not obtainable in a timely manner
- Would compromise information availability or accuracy
- Is reasonable to investigate contravention of laws
- Is publicly available and specified in the regulations
Why do we collect Personal Information?
The very nature of our business means that we require a lot of personal information concerning individuals. Personal information is only collected in order to provide services through our divisions to our candidates, employees and clients and not for any other means.
Only relevant information is collected, to fulfill the needs and requirements to facilitate the services we offer.
How is Personal Information used?
Personal information and references regarding candidates are added to our database and are used to place candidates in positions at our client sites. This information may be used by any internal staff member and may be sent to clients interviewing potential candidates for positions.
Other employee personal information, such as SIN, date of birth, etc., is used in order to provide payroll and human resource services to our employees.
Information regarding our clients is used only to provide services. We do not sell or share client information with any outside agency unless approval is granted by the client. Information is shared with an outside agency only if additional outsourcing services are required.
Who controls Personal Information?
All internal staff are responsible for collecting data as required to perform their duties. It is also the responsibility of all internal staff to protect the privacy of all candidates, employees and clients.
Decisions on the collection, use, disclosure and retention of data are shared by the Management Team and the Privacy Officer. The Privacy Officer also deals with any complaints concerning privacy issues.
What is Personal Information used for?
Personal information is used only to provide services to our candidates, employees and clients. Personal information is never sold or passed on to outside organizations or individuals for purposes other than providing these services.
Where is it stored and how is it kept secure?
Paper-based personal information is stored in our offices and in external secured storage facilities. Electronic information is stored in our computer systems, with backups stored off-site.
In order to protect the privacy of our employees, candidates and clients we have various levels of security in place: physical safeguards, administrative safeguards and technical safeguards.
Physical safeguards include:
- Locked cabinets and storage areas
- Limited access to areas where personal information is filed or stored
- Shredding papers containing personal information when disposing
- Alarms and pass keys for restricted areas
Administrative safeguards include:
- Staff training on privacy policies and procedures
- Staff are required to acknowledge and sign a confidentiality agreement
The most secure technology is used where possible to protect personal information. Our Information Technology department monitors access and use of our electronic systems and is responsible for maintaining the security of our systems through use of tools such as firewalls, anti-virus programs and passwords. All internal passwords are changed regularly.
All staff are responsible for protecting personal information using the security safeguards in a manner appropriate for the type of information.
Who has access to or uses it?
We limit access to personal information in candidates’, employees’ and clients’ files to:
- Career1 staff or persons authorized by Career1 who require it to perform their duties,
- Persons to whom candidates, employees or clients have granted access, and
- Persons authorized by law.
Certain types of information are segregated to facilitate privacy, provide appropriate access and to protect personal information from unauthorized:
- Use, theft or loss,
- Copying, changing or destroying
Copies of files are kept to a minimum and all information, where possible, is included or scanned into our database in order to maintain the most current and accurate information and to minimize paper documentation.
Who is Personal Information disclosed to?
Career1 may release personal information to a third party under the following circumstances:
- Disclosure of personal information would not constitute an unreasonable invasion of privacy
- For the purpose for which the information was collected or compiled or for a use consistent with that purpose.
- The employee has consented in writing to the disclosure
- Disclosure is necessary to comply with a federal or provincial law
When is it disposed of?
We aim to retain information only as long as is needed to fulfill the purpose that it was collected for.
Resumes are scanned into our database and then the paper copies are shredded. Our database is periodically purged of old information. Resumes, skills and reference information that have not been accessed or used for more than a year, in relation to any of our services, are deleted. Our Information Technology department is responsible for maintaining and enforcing regular deletion of outdated information.
Other payroll, garnishee and employee information is kept on file according to federal and provincial legislation requirements.
Client information that is considered public domain and does not contain any personal information is kept on file for an indefinite period of time.
All paper files are destroyed at the end of the retention stage through confidential shredding services. Electronic files and discs are destroyed by the Information Technology department to ensure proper deletion of data before outdated discs are disposed of.
Any activity we perform or provide for our employees or prospective employees.
If an employee has a concern with Career1 privacy policies and procedures, the employee is to first contact the Privacy Officer directly by email at email@example.com.
Candidates' Concerns and Correspondence to the Privacy Officer:
All correspondence and/or contact from employees that is directed to the Privacy Officer will be investigated. Such investigation will include a detailed review of the situation, and the Privacy Officer will be given a chance to address the member’s concern. Should such efforts fail to rectify the situation, the Director who is responsible for privacy will then get involved directly with the employee.
In order to avoid many potential privacy situations, staff and directors must use the “reasonable person test” when obtaining consent. In short, every staff person and director must answer the following question:
For the services Career1 provides, is it reasonable for Career1 to collect, hold, use, or disclose the member’s personal information in the first place?
Identifying the Purpose:
At all times, staff and directors must identify in writing the purpose for obtaining the member’s consent. The preferred methods are:
- A completed registration form,
- A member signature on any other form used at Career1 and/or the staff’s and/or directors’ notes to the employee’s file, properly dated as to when the purpose for collecting the Information was discussed.
While a member’s signature on the mentioned forms is a clear indication of explicit consent, notes to the employee’s file must, in order to be deemed explicit, have the date of the meeting and a clear indication that the employee gave consent. No signature is necessary.
For the purposes of this policy, consent includes the member’s permission to collect, hold, use, and disclose their personal information in accordance with the Career1 Privacy Notice.
No staff person or director may conduct business with anyone that has not provided his or her consent. Consent can be given verbally provided it is recorded in the member’s file and dated. Further, consent may be implied or explicit. When obtaining consent, all members should be referred to the Career1 Privacy Notice. If an employee does not wish to consent to any part of the Career1 Privacy Notice, then the withdrawal of consent MUST be documented in the notes to the employee’s file with the date and the privacy officer notified as soon as possible. The privacy officer will document the situation and ensure that the staff person or director has taken the appropriate action to accommodate the employee’s wishes.
Withdrawal of Consent:
At any time, the member may withdraw their consent. Such action must be documented and brought to the attention of the privacy officer as soon as possible. The privacy officer will document the withdrawal and ensure steps are taken to comply with the employee’s wishes.
The reasonable person rule must be adhered to at all times and the purpose for which the Personal information was collected must be documented. Documentation can be by: employee written instruction, registration form, notes to the employee’s file, or similar correspondence. All verbal consent must be documented with the date received in the employee’s file.
Limit Use, Disclosure and Retention:
Personal information can only be collected, used, and disclosed with the employee’s consent, and the Career1 Privacy Notice obtains consent for most business practices.
Once Information is collected, it may only be retained on the employee’s file for as long as the employee has consented to its retention. All collected information is retained in the employee’s file. This does not apply to credit card information which Career1 does not retain, nor has the ability to retain. The only exception is when a legal requirement dictates that the Information be retained for a specified period of time.
Destruction of Information – Electronic Files
In accordance with the aforementioned retention periods, Information must be promptly deleted from all electronic files when the purpose for which the Information was collected, or consent to hold such Information, has expired.
Destruction of Information – Paper:
All paper files that contain Information must be promptly shredded either on-site at Career1 or by a confidential shredder service.
Information Destroyed In Error:
It is important to note that the Information can be destroyed, but not the consent. Should Information be destroyed, the staff person or director must determine if the consent to collect, hold, and distribute the Information is still valid. If so, then the Information may be reconstructed, replaced, or collected again provided it is for the same purpose as consented to originally. If the status of consent is uncertain, then the staff person or director must contact the employee and ensure that proper consent is obtained before replacing or reconstructing lost information.
Any errors in employee Information must be corrected within 14 business days. Any employee requests for corrections to Information must be documented in the employee’s file with the date received and the date the correction was made. All requests to update member Information should be in writing, dated, and filed in the employee’s file. Verbal requests must be documented with the date received in the employee’s file.
Use Appropriate Safeguards:
Information must be safeguarded at all times against unauthorized access, use, or disclosure.
Computerized Information – Network:
Employee information stored on the Career1 network must be protected by secure passwords.
Computerized Information – Desktop and Laptop Computers:
At all times, Employee Information is the corporate property and responsibility of Career1 and must be stored on the network computers. Copies may be retained on desktop and/or laptop computers for occasional business use. No original Information may be stored solely on desktop or laptop computers. Laptop computers must never be left unattended for any reason. Once available, security software will be installed on all laptop computers to provide reasonable protection against unauthorized access to employee information that may be stored on the computer. All password security software will be updated on a continual basis.
Protection Systems for Network Computers:
All network computers have weekly backups to the server for brief power outages, firewalls, and anti-virus software. Access to the Career1 offices is restricted to staff only and protected by an alarm system. Network computers are not left unattended unless protected from access by a locked door or a locked cabinet.
Computers That Are No Longer Required:
Any computer that is no longer required at Career1 must first be cleaned of all Information. The staff or director is responsible for notifying Career1 and ensuring that the procedure was completed prior to the computer leaving Career1.
Portable Data Storage Devices:
If personal data devices such as palm pilots, cellular telephones, and so on contain Employee Information, they must never be left unattended unless secured with a locking device such as a door or locked filing cabinet. When taken outside of Career1, such devices must be password protected and such security protocols enabled.
Employee Information stored in Paper Files:
Employee Information stored in paper files is protected from unauthorized access by the building security systems, locking room doors, and/or locking filing cabinets. Employee files are not left unattended unless secured.
Employee Paper Files Temporarily Removed from the Building:
Employee Information stored in paper files must be secured at all times. If temporarily removed from the building (e.g. for a meeting), then the Information must be protected from unauthorized access. At a minimum, all Information must be obscured from direct view to avoid unauthorized reading of the material and protected by some sort of locking mechanism.
At all times, staff and directors must be familiar with the Career1 Privacy Notice posted on the website. Any questions with regard to the Notice, or requests for interpretation of Career1 policies and procedure should first be directed to the privacy officer. Full name, address, and other contact information for the Privacy officer as well as a description of the procedure for making a privacy complaint are clearly outlined on the Career1 Privacy Notice.
Procedure for New Employees:
The staff must ensure that all new employees are made aware of the Career1 Privacy Notice. Should the employee not agree with any provision of the Notice, then the staff must document the problem with the date and make suggestions as to how to address the employee’s concern. The Privacy Officer must be notified immediately of any such event in order to review the notes to file and ensure that the recommended procedure for handling the employee’s concern is adequate.
If an employee is not content with how his or her advisor is complying with the terms and conditions of the Career1 Privacy Notice, then he or she may file a complaint with the Privacy Officer as follows:
- By confidential letter mailed to Privacy Officer
- By email at firstname.lastname@example.org
Should a complaint be filed with the privacy officer, the privacy officer will:
- Ensure that the complaint is properly documented and signed by the employee,
- Notify the parties involved in writing that a complaint has been filed and seek a meeting (conference call) to discuss the issues,
- Document the discussion with the staff or director and formulate a plan to deal with the complaint,
- Notify the member in writing of the results of the meeting and inform them of the proposed solution,
- If required, meet again with the member and/or the parties to mediate a solution to the problem.
If an employee requests Information, Career1 must provide a copy of the Information to the employee within 30 days of the request at no cost to the employee. The copy may be “cleaned” of any other Information, comments, or other information that is not relevant to the employee’s request. The Information must be understandable. For example, explain acronyms, unfamiliar terms, and so on prior to releasing the Information to the employee. In rare circumstances, additional time is needed to prepare the copy for the employee. Such request must be made in writing to the Director who is responsible for Privacy, as soon as possible.
Career1 Must Refuse the Request when:
Access would reveal Information about another person unless there is a life-threatening situation.
Career1 May Refuse Access when:
Here are five situations where Career1 may refuse a request for Information:
- Career1 security or reasons of law enforcement. Upon request, that governmental institution may instruct Career1 to refuse the request.
- Disclosure could harm the individual’s life or security,
- It was collected without the individual’s knowledge or consent to ensure accuracy and the collection was required to investigate a breach of an agreement or contravention of a federal or provincial law,
- It was generated as part of a formal dispute resolution (e.g. divorce).
The Privacy Officer will determine if a request falls into any of the above.