Privacy and Access to Information Policy

I. Purpose

1. CSSN is committed to protecting Personal Information and providing access to Company Records in accordance with applicable privacy laws, including Ontario’s Freedom of Information and Protection of Privacy Act (“FIPPA”) and the Personal Health Information Protection Act (“PHIPA”).
2. CSSN upholds transparency and accountability by making Company Records available to authorized individuals, with access restrictions being specific and limited as outlined in this Policy or as required by law.
3. CSSN is equally dedicated to safeguarding individual privacy and ensuring their right to access their own Personal Information. Our privacy practices align with the Canadian Standards Association Model Code for the Protection of Personal Information (“Fair Information Principles”).
4. This Policy ensures that CSSN meets its obligations under FIPPA, PHIPA, and other relevant legislation. The collection, use, disclosure, protection, storage, and disposal of Company Records containing Personal Information, as well as access requests, will be handled in compliance with this policy.

II. Scope and Application

1. This Policy applies to all Company Records, regardless of format, under CSSN’s custody or control, except for the following exceptions (subject to certain limitations):a. Records in CSSN’s historical archives; b. Labour-relations and employment-related records; c. Research records; d. Proprietary business materials.
2. This Policy governs the collection, retention, use, disclosure, and disposal of Personal Information for company purposes.
3. This Policy applies to CSSN employees, contractors, and any other individuals with access to Personal Information within CSSN’s custody or control.
4. This Policy shall be interpreted in accordance with CSSN’s obligations under employment agreements and applicable laws. Nothing in this Policy supersedes legal or contractual obligations.

III. Definitions

1. Personal Information: Recorded information about an identifiable individual, as defined in Section 2 of FIPPA, including Personal Health Information.
2. Personal Health Information: Information identifying an individual’s physical or mental health, medical history, healthcare providers, or health numbers, as defined in Section 4 of PHIPA.
3. Policy: This Privacy and Access to Information Policy.
4. CSSN: The company to which this Policy applies.
5. Company Personnel: All employees, contractors, and individuals associated with CSSN who have access to its records.
6. Company Records: Recorded information created or received in the course of CSSN’s business operations, maintained as evidence of activities in any format.

IV. Policy

Part 1: Privacy

1. Accountability: CSSN is responsible for the Personal Information in its custody and has designated a Chief Privacy Officer to oversee privacy management.
2. Identifying Purposes: CSSN shall inform individuals of the purpose for collecting, using, disclosing, and retaining Personal Information before or at the time of collection.
3. Consent: CSSN shall provide a notice of collection, and individuals who disclose Personal Information to CSSN are deemed to have consented to its use, disclosure, and retention.
4. Limiting Collection: CSSN shall collect only the Personal Information necessary for the identified purposes, using lawful means.
5. Limiting Use, Disclosure, and Retention: CSSN shall restrict the use or disclosure of Personal Information to its intended purposes unless otherwise required by law. Access is limited to authorized personnel.
6. Accuracy: CSSN shall ensure that Personal Information is accurate, complete, and up-to-date.
7. Safeguards: CSSN shall implement security measures appropriate to the sensitivity of the information and require personnel to report privacy breaches promptly.
8. Openness: CSSN shall provide information about its privacy practices upon request.
9. Individual Access: Individuals may request access to their Personal Information and request corrections where necessary.
10. Challenging Compliance: Individuals may file privacy complaints with CSSN’s Privacy Office or escalate concerns to regulatory authorities.

Part 2: Access to Information

11. CSSN shall provide access to Company Records upon request unless there are legal grounds to deny access under FIPPA or other applicable laws.

V. Roles and Responsibilities

1. Chief Privacy Officer and Compliance Team:
   • Conduct periodic assessments of information practices.
   • Develop and implement privacy policies, procedures, and training.
   • Investigate privacy complaints and suspected breaches.
   • Respond to access-to-information requests.
2. Company Personnel:
   • Report known or suspected privacy breaches.
   • Comply with privacy directives to safeguard personal data and cooperate in investigations.
   • Provide records as required under access-to-information laws.

Appendix A: Record Exemptions

1. Donated Records: Privately donated records are exempt unless from an entity covered by FIPPA or PHIPA.
2. Employment Records: Records related to labour relations, employment negotiations, and HR matters are excluded.
3. Research Records: Confidential research data is excluded, except for funding details.
4. Proprietary Business Materials: Confidential business records, trade secrets, and internal strategy documents are excluded.

Appendix B: Privacy Breach Protocol

CSSN is responsible for reporting and managing privacy breaches promptly. A privacy breach includes unauthorized access, loss, or disclosure of Personal Information. Causes may include:

• Sending emails to incorrect recipients;
• Loss or theft of physical or electronic records;
• Unauthorized access to records;
• Cybersecurity incidents;
• Improper disposal of records.