This document was last updated on January 1, 2019, to add detail about how we limit disclosures of personal information, and to update some language used throughout the document (e.g., replacing references to Poynt360’s “Privacy Ombudsman” with “Data Protection Office”).
Poynt360 Inc. (“Poynt360”) and its subsidiaries and affiliates (collectively “Poynt360 Companies”, and each individually “Poynt360 Company”) provide a broad range of telecommunications services to customers, including Internet access, and local and long distance services in Canada.
II. SCOPE AND APPLICATION
(i) information that is publicly available; or
(ii) the name, title or business address or telephone number of an employee of an organization.
Collection – the act of gathering, acquiring, recording or otherwise obtaining any personal information from any source, including third parties, by any means.
Poynt360 Companies -Poynt360 Inc., POYNT360.
Consent – voluntarily agreeing to the collection, use and disclosure of personal information for a defined purpose. Consent can be either express or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing but is always unequivocal and does not require any inference on the part of the Poynt360 Companies. Implied consent is consent that can reasonably be inferred from an individual’s action or inaction.
Customer – an individual who uses, or applies to use, a Poynt360 Company’s products or services or otherwise provides personal information to a Poynt360 Company in the course of a Poynt360 Company’s commercial activities.
Disclosure – the act of making personal information available to a third party.
Employee – an employee of a Poynt360 Company.
Personal information – any information about an identifiable individual, but not aggregated information that cannot be associated with a specific individual. For a customer, such information includes, but is not limited to, a customer’s credit information, billing records, service and equipment information, and any recorded complaints. For an employee, such information includes information found in personal employment files, performance appraisals and medical and benefits information.
Third party – an individual other than the customer, their agent or an organization other than the Poynt360 Companies.
Use – the treatment, handling, and management of personal information by the Poynt360 Companies.
IV. PRIVACY PRINCIPLES
Principle 1 – Accountability
The Poynt360 Companies are responsible for all personal information under their control and shall designate one or more persons who are accountable for compliance with the following principles.
1.3 The Poynt360 Companies are responsible for all personal information in their possession or control, including information that has been transferred to a third party for processing. The Poynt360 Companies shall use appropriate means to provide a comparable level of protection while information is being processed by a third party (see Principle 7).
b) establishing procedures to receive and respond to inquiries or complaints;
c) training and communicating to staff about the Poynt360 Companies’ policies and practices; and
d) developing public information to explain the Poynt360 Companies’ policies and practices.
Principle 2 – Identifying Purposes for Collection of Personal Information
The Poynt360 Companies shall identify the purposes for which personal information is collected at or before the time the information is collected.
2.1 The Poynt360 Companies shall collect personal information only for the following purposes:
a) To establish and maintain responsible commercial relations with customers and to provide ongoing service;
b) To understand customer needs;
c) To develop, enhance, market or provide products and services;
d) To manage and develop their business and operations, including personnel and employment matters; and
e) To meet legal and regulatory requirements.
Further references to “identified purposes” mean the purposes identified in this Principle 2.1.
2.2 The Poynt360 Companies shall specify orally, electronically or in writing the identified purposes to the customer or employee at or before the time personal information is collected. Upon request, persons collecting personal information shall explain these identified purposes or refer the individual to a designated person within the Poynt360 Companies who shall explain the purposes.
2.3 Unless required by law, the Poynt360 Companies shall not use or disclose, for any new purpose, personal information that has been collected without first identifying and documenting the new purpose and obtaining the consent of the customer or employee.
Principle 3 – Obtaining Consent for Collection, Use or Disclosure of Personal Information
The knowledge and consent of a customer or employee is required for the collection, use or disclosure of personal information, except where inappropriate.
3.1 In certain circumstances personal information can be collected, used or disclosed without the knowledge or consent of the individual. For example, the Poynt360 Companies may collect or use personal information without knowledge or consent if it is clearly in the interests of the individual and consent cannot be obtained in a timely way, such as when the individual is a minor, seriously ill or mentally incapacitated.
The Poynt360 Companies may also collect, use or disclose personal information without knowledge or consent if seeking the consent of the individual might defeat the purpose of collecting the information such as in the investigation of a breach of an agreement or a contravention of a federal or provincial law.
The Poynt360 Companies may also use or disclose personal information without knowledge or consent in the case of an emergency where the life, health or security of an individual is threatened.
The Poynt360 Companies may disclose personal information without knowledge or consent to a lawyer representing the Poynt360 Companies, to collect a debt, to comply with a subpoena, warrant or other court order, or as may be otherwise required by law.
3.2 In obtaining consent, the Poynt360 Companies shall use reasonable efforts to ensure that a customer or employee is advised of the identified purposes for which personal information will be used or disclosed. Purposes shall be stated in a manner that can be reasonably understood by the customer or employee.
3.3 Generally, the Poynt360 Companies shall seek consent to use and disclose personal information at the same time they collect the information. However, the Poynt360 Companies may seek consent to use and disclose personal information after it has been collected but before it is used or disclosed for a new purpose.
3.4 The Poynt360 Companies will require customers to consent to the collection, use or disclosure of personal information as a condition of the supply of a product or service only if such collection, use or disclosure is required to fulfill the identified purposes.
· For example, Poynt360 may collect customers’ IP address, MAC address, and router settings from routers connected to Poynt360’s network for the purpose of providing ongoing service. Poynt360 uses this data to routinely monitor and manage end-users’ connectivity and performance on Poynt360’s network.
3.5 In determining the appropriate form of consent, the Poynt360 Companies shall take into account the sensitivity of the personal information and the reasonable expectations of their customers and employees.
3.6 In general, the use of products and services by a customer, or the acceptance of employment or benefits by an employee, constitutes implied consent for the Poynt360 Companies to collect, use and disclose personal information for all identified purposes.
3.7 A customer or employee may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Customers and employees may contact the Poynt360 Companies for more information regarding the implications of withdrawing consent.
Principle 4 – Limiting Collection of Personal Information
The Poynt360 Companies shall limit the collection of personal information to that which is necessary for the purposes identified. The Poynt360 Companies shall collect personal information by fair and lawful means.
4.1 The Poynt360 Companies collect personal information primarily from their customers or employees.
4.2 The Poynt360 Companies may also collect personal information from other sources including credit bureaus, employers or personal references, or other third parties that represent that they have the right to disclose the information.
Principle 5 – Limiting Use, Disclosure and Retention of Personal Information
The Poynt360 Companies shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. The Poynt360 Companies shall retain personal information only as long as necessary for the fulfillment of those purposes.
5.1 We do not share personal information with anyone outside the Poynt360 Companies where we can avoid it, however circumstances when we have to do so.
· We limit how much information we disclose to third parties: With respect to third party requests for information, where we are required to disclose personal information we limit it to the information required in the circumstances, provide it only for the purpose stipulated, and make it subject to strict terms of confidentiality. When a court orders us to provide personal information, we tell you about it unless we have been ordered by law not to, and we follow up regularly to question whether non-disclosure orders ought to remain in force.
· We work to keep as much traffic within Canada as we can: With respect to Internet traffic, we place an emphasis on preferring in-country interconnection for domestic traffic. We peer openly with peers in Canada whose Autonomous Systems are mostly located within Canada and who provide geographically diverse peering within Canada. We peer conditionally with other peers. We maintain publicly-available information on our traffic routing.
5.2 In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual. (See Principle 3.1)
5.3 In addition, the Poynt360 Companies may disclose a customer’s personal information to:
a) another telecommunications services provider for the efficient and effective provision of telecommunications services;
b) an entity involved in supplying the customer with communications or communications directory related services;
c) another entity for the development, enhancement, marketing or provision of any of the products or services of the Poynt360 Companies;
d) an agent retained by the Poynt360 Companies in connection with the collection of the customer’s account;
e) credit grantors and reporting agencies;
f) a person who, in the reasonable judgment of the Poynt360 Companies, is seeking the information as an agent of the customer; and
g) a third party or parties, where the customer consents to such disclosure or disclosure is required by law.
5.4 The Poynt360 Companies may disclose personal information about their employees:
a) for normal personnel and benefits administration;
b) in the context of providing references regarding current or former employees in response to requests from prospective employers, to the extent that such references are granted at all; or
c) where disclosure is required by law.
5.5 Only those employees of the Poynt360 Companies who require access for business reasons, or whose duties reasonably so require, are granted access to personal information about customers and employees.
5.6 The Poynt360 Companies shall keep personal information only as long as it remains necessary or relevant for the identified purposes or as required by law. Depending on the circumstances, where personal information has been used to make a decision about a customer or employee, the Poynt360 Companies shall retain, for a period of time that is reasonably sufficient to allow for access by the customer or employee, either the actual information or the rationale for making the decision.
5.7 The Poynt360 Companies shall maintain reasonable and systematic controls, schedules and practices for information and records retention and destruction which apply to personal information that is no longer necessary or relevant for the identified purposes or required by law to be retained. Such information shall be destroyed, erased or made anonymous.
Principle 6 – Accuracy of Personal Information
Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
6.1 Personal information used by the Poynt360 Companies shall be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about a customer or employee.
6.2 The Poynt360 Companies shall update personal information about customers and employees as and when necessary to fulfill the identified purposes or upon notification by the individual.
Principle 7 – Security Safeguards
The Poynt360 Companies shall protect personal information by security safeguards appropriate to the sensitivity of the information.
7.1 The Poynt360 Companies shall protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, through appropriate security measures. The Poynt360 Companies shall protect the information regardless of the format in which it is held.
7.2 The Poynt360 Companies shall protect personal information disclosed to third parties by contractual agreements stipulating the confidentiality of the information and the purposes for which it is to be used.
7.3 All employees of the Poynt360 Companies with access to personal information shall be required as a condition of employment to respect the confidentiality of personal information.
Principle 8 – Openness Concerning Policies and Practices
The Poynt360 Companies shall make readily available to customers and employees specific information about their policies and practices relating to the management of personal information.
8.1 The Poynt360 Companies shall make information about their policies and practices easy to understand, including:
b) The means of gaining access to personal information held by the Poynt360 Companies; and
c) A description of the type of personal information held by the Poynt360 Companies, including a general account of its use.
8.2 The Poynt360 Companies shall make available information to help customers and employees exercise choices regarding the use of their personal information and the privacy-enhancing services available from the Poynt360 Companies.
Principle 9 – Customer and Employee Access to Personal Information
The Poynt360 Companies shall inform a customer or employee of the existence, use and disclosure of his or her personal information upon request and shall give the individual access to that information. A customer or employee shall be able to challenge the accuracy and completeness of the information and to have it amended as appropriate.
9.1 Upon request, the Poynt360 Companies shall afford to a customer or an employee a reasonable opportunity to review the personal information in the individual’s file. Personal information shall be provided in understandable form within a reasonable time and at minimal or no cost to the individual.
9.2 In certain situations, the Poynt360 Companies may not be able to provide access to all of the personal information that they hold about a customer or employee. For example, the Poynt360 Companies may not provide access to information if doing so would likely reveal personal information about a third party or could reasonably be expected to threaten the life or security of another individual. Also, the Poynt360 Companies may not provide access to information if disclosure would reveal confidential commercial information, if the information is protected by solicitor-client privilege, if the information was generated in the course of a formal dispute resolution process, or if the information was collected in relation to the investigation of a breach of an agreement or a contravention of a federal or provincial law. If access to personal information cannot be provided, the Poynt360 Companies shall provide the reasons for denying access upon request.
9.3 Upon request, the Poynt360 Companies shall provide an account of the use and disclosure of personal information and, where reasonably possible, shall state the source of the information. In providing an account of disclosure, the Poynt360 Companies shall provide a list of organizations to which it may have disclosed personal information about the individual when it is not possible to provide an actual list.
9.4 In order to safeguard personal information, a customer or employee may be required to provide sufficient identification information to permit the Poynt360 Companies to account for the existence, use and disclosure of personal information and to authorize access to the individual’s file. Any such information shall be used only for this purpose.
9.5 The Poynt360 Companies shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file. Where appropriate, the Poynt360 Companies shall transmit to third parties having access to the personal information in question any amended information or the existence of any unresolved differences.
9.6 A customer can obtain information or seek access to his or her individual file by contacting a designated representative at 1.855.921.7211, or by sending an email containing such a request in English to info@Poynt360.ca.
9.7 An employee can obtain information or seek access to his or her individual file by contacting his or her immediate supervisor within the applicable Poynt360 Company.
Principle 10 – Challenging Compliance
10.1 The Poynt360 Companies shall maintain procedures for addressing and responding to all inquiries or complaints from their customers and employees about the Poynt360 Companies’ handling of personal information.
10.2 The Poynt360 Companies shall inform their customers and employees about the existence of these procedures as well as the availability of complaint procedures.
For inquiries, complaints or more information please contact:
Data Protection Office Poynt360 Inc.
295 Waterloo Street
London, Ontario N6B2N5