Canadian North Inc, operating as Canadian North, a corporation incorporated under the laws of Canada, with its head office at 200, 580 Palmer Road NE, Calgary AB T2E 7R3. When the term "Canadian North" is used in this policy, it means Canadian North Inc.
As an airline based in Northern Canada, Canadian North is particularly sensitive to the unique nature of privacy issues in smaller communities. Living in a lightly populated land, Northerners have a long tradition of welcoming strangers and participating jointly in the development of their communities. These traditions should be preserved, and the application of Canada's new privacy law, the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") in the North must be balanced with these concerns.
As technology increasingly facilitates the circulation and exchange of information, there is a need for rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals in the North with respect to their personal information, and the needs of Northern businesses, communities and other organizations to collect, use or disclose personal information for purposes that a reasonable Northerner would consider appropriate in the circumstances.
- "Collection"- the act of gathering, acquiring or obtaining personal information from any source, including from third parties, by any means.
- "Consent"- voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the persons seeking the consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
- "Disclosure"- making personal information available to other persons outside of Canadian North.
- "Personal information"- means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.
- "Use"- treatment and handling of personal information within Canadian North.
Principle 1: Accountability
Accountability for Canadian North's compliance with the privacy principles shall rest with an individual as appointed by the Vice President of Customer Service from time to time. This individual may delegate other individuals to act in his or her behalf. The individual will be known as the "Manager of Privacy Compliance".
- implementing procedures to protect personal information;
- establishing procedures to receive and respond to complaints and inquiries;
- training staff and communicating to staff information about Canadian North's policies and practices; and
- developing information to explain Canadian North's policies and procedures.
Principle 2: Identifying Purposes
The purposes for which personal information is collected shall be identified by Canadian North before or at the time the information is collected.
Members of Canadian North shall collect personal information only for the purposes of:
- providing air transportation services including reservations, bookings, payment, collection, security, safety and comfort, to customers;
- complying with governmental regulations, including primarily Transport Canada regulations;
- identifying and communicating with individuals interested in receiving information about Canadian North's services, and other marketing purposes;
- participating in customer loyalty programs;
- hiring and employment purposes;
- training its staff;
- operating its web site;
Canadian North generally uses such personal information to carry on its business and serve its customers as described above. If the business is transferred to a new owner, subject to the limitations of Principle 5, the personal information will also be transferred.
The purposes for which a member of Canadian North is collecting personal information shall be identified by the member at or before the time the information is collected. Only information that is necessary for the purposes that have been identified may be collected. The purposes for the collection shall be communicated to the subject individual.
Principle 3: Consent
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except as provided by law.
Consent is required for the collection of personal information and the subsequent use or disclosure of such information. The exceptions to such requirement are specified in the PIPEDA.
When acting as a service provider to another organization (such as a school chartering a plane) with respect to the collection, use or disclosure of personal information, a member of Canadian North shall obtain and adhere to any form of consent previously obtained by such organization, subject to the exceptions provided for in PIPEDA.
Canadian North may not, as a condition for the supply air transport services or employment for example, require an individual to consent to the collection, use or disclosure of personal information beyond what is necessary for such purposes.
The adequacy of the form of consent depends upon the circumstances and the type of information that is being collected. Generally speaking, the more sensitive the information (such as heath records or employment evaluations), the more explicit or manifest is the form of consent that is required. In obtaining consent, the reasonable expectations of the individual must also be taken into account. Consent shall not be obtained through deception.
An individual may withdraw a consent at any time, subject to legal or contractual restrictions and reasonable notice. The individual shall be informed of the implications of such withdrawal.
Principle 4: Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by Canadian North. The information shall be collected by fair and lawful means.
Personal information shall not be collected indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes identified.
Principle 5: Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than those for which the information was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased or made anonymous.
Principle 6: Accuracy
Personal information shall be accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
This is particularly important where the information is being used to make some evaluation or judgement about the individual, such as granting credit. The extent to which the personal information shall be accurate, complete and up-to-date will depend upon the use of the information taking into account the interests of the individual.
Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date.
Principle 7: Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. The nature of the safeguards will vary according to the sensitivity of the information.
The methods of protection will include physical measures, organizational measures and technological measures. All personal information shall be handled on a "need-to-know" basis and each member of Canadian North shall be responsible for the protection of the personal information used in his or her job function.
Canadian North shall regularly make all of its members aware of the importance of maintaining the security of personal information. Care shall be used in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information.
Principle 8: Openness
Canadian North shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Canadian North shall be open about its policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about Canadian North's policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.
The information made available must include:
- how the individual may contact the Manager of Privacy Compliance with respect to complaints or inquiries;
- advice that the individual can gain access to the personal information held by Canadian North by writing to the Manager of Privacy Compliance, confirming and verifying their identity, and requesting the specified information;
- a description of the type of personal information held by Canadian North including a general account of its use;
- a copy of any brochures or other information that explain Canadian North's policies, standards or codes; and
- what personal information is generally made available to related organizations.
This information is also to be made available on the website.
Principle 9: Individual Access
Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Before granting an individual access to the personal information, a member of Canadian North must consult the Manager of Privacy Compliance or that person's delegate. There are restrictions on the grant of access in PIPEDA where revealing the personal information to the requesting individual about a third party that cannot be severed from the information about the individual, and in certain other circumstances there needs to be notification of governmental institutions before release.
Access may also be refused where the information is protected by solicitor-client privilege; where revealing the information would also reveal confidential commercial information; where revealing the information could reasonably be expected to threaten the life or security of another individual; if the information was collected during an investigation of a breach of an agreement or a contravention of the laws of Canada or a province on the expectation that the knowledge or consent or consent of the individual would compromise the availability or accuracy of the information; or where the information was generated in the course of a formal dispute resolution process.
Upon such a request, Canadian North shall inform an individual whether or not Canadian North holds personal information about the individual. When disclosure is made to the individual, the organization shall provide an account of the use that has been made or is being made of the information and an account of the third parties to which the information has been disclosed.
Where the request for access is with respect to personal information collected, used or disclosed in the course of serving a client, the client shall immediately be provided with a copy of the request.
Canadian North shall respond to an individual's request within 30 days and at minimal or no cost to the individual. Canadian North may require a reasonable payment for the information provided only if it has informed the individual in advance of the approximate cost and the individual has advised Canadian North that the request is not being withdrawn.
When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, Canadian North must amend the information as required. Depending upon the nature of the information challenged, amendment could involve the correction, deletion or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
When a challenge is not resolved to the satisfaction of the customer, the substance of the unresolved challenge shall be recorded by the member of Canadian North. When appropriate, the existence of the unresolved challenge should be transmitted to third parties having access to the information in question.
Principle 10: Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above privacy principles to the Manager of Privacy Compliance.
The individual accountable for Canadian North's compliance is the Privacy Officer as appointed by the Privacy Committee from time to time. The Privacy Committee will establish procedures to receive and respond to complaints or inquiries about Canadian North's policies and practices relating to the handling of personal information.
Members of Canadian North shall inform individuals who make inquiries or lodge complaints of the existence of the relevant complaint mechanisms of Canadian North. Canadian North shall investigate all complaints. If a complaint is found to be justified through either the internal or external compliant review process, Canadian North will take appropriate measures, including amending its policies and practices if necessary.
Where the complaint arises out of a client matter, the client shall be informed immediately.
- Allow EU subjects the right to obtain from the Service Provider confirmation as to whether or not Data concerning them is being processed, where and for what purpose.
- Allow EU subjects the right to have the Service Provider erase their Data, cease further dissemination of the Data and where possible have third parties halt processing the Data if the Data is no longer relevant for original purposes of processing where the Customer withdraws consent.
- Provide notifications to EU Customers where a Data breach is likely to “result in the risk for the rights and freedoms of individuals” within 72 hours of the Service Provider first having become aware of the breach.
From time to time the Privacy Committee may make changes to this policy to adapt to changing business conditions and for other reasons. In the event that in the opinion of the Privacy Committee acting reasonably such changes will allow Canadian North to make materially greater use and/or disclosure of any personal information, the individuals affected by the changes will be clearly and concisely notified of the changes and their proposed effect, and provided with an opportunity to withdraw their consent to the collection, use and/or disclosure of their personal information.
Date Adopted: May 24, 2003