Privacy Policy
Commitment to Privacy
The appropriate collection, use and disclosure of clients’ personal information is fundamental to our day-to-day operations and to the provision of our professional services. Protecting the privacy and the confidentiality of our clients’ personal information is important to the staff at Roots.
We strive to provide our clients with excellent service, and in doing so, we will abide by our commitment to privacy in the collection and handling of personal information.
Applicability of This Privacy Policy
This policy attests to our commitment to privacy and demonstrates the ways we ensure that our clients’ and employees’ privacy is protected. This policy applies to the personal information of all our clients, employees, contractors and service providers that is in our possession and control.
What is Personal Information?
Personal information means any and all information about an identifiable individual. Business information means any information about business activities, operations or projects of our clients.
Guidelines for Compliance
The following guidelines have been implemented to ensure Roots remains compliant with PIPEDA and PIPA requirements. The personal information of Roots employees, customers, clients, business partners, etc., must be managed so as to meet proper information practices, applicable laws and standards of practice.
1. Accountability
We take our commitment to securing client privacy very seriously. Each service provider, contractor and employee of Roots is responsible for the personal information under his/her/their control. Our employees are informed about the importance of privacy and receive information periodically to update them about our Privacy Policy and related issues. All individuals who have access to personal information are instructed and required to comply with the advanced protection requirements relating to information pertaining to minors.
2. Purpose of Information Collection
Personal information is collected in order to establish a relationship with our clients and provide them with our professional services. Roots obtains most of the personal information directly from its clients or from other sources whom a client has authorized to disclose such information to Roots. Roots will limit the collection and use of information only for the following permitted purposes:
- To prepare and provide our professional services to a client;
- To plan, administer and manage our internal operations;
- To conduct risk management and quality improvement activities;
- To compile statistics (without the use of identifiable information);
- To comply with legal and regulatory requirements, and
- Fulfill other purposes permitted or required by law.
Roots will obtain a client's particular consent if the use of the client’s personal information is required for any other purpose. In addition, where possible, Roots will limit its use of personal information only to non-identifiable information (no names, IDs or other identifying details will be used).
There are certain types of information that Roots is required to collect and store as an educational institution in accordance with various requirements of its professional and licensing organizations.
3. Consent
The provision of services by Roots is regularly preceded by a contract signed by a client. A client’s execution of such a contract will serve as the client’s explicit consent to the disclosure and collection of information by Roots.
A client has the right to withdraw his/her/their consent at any time and for any reason. In such case, Roots will cease any use of the client’s personal information.
Notwithstanding the withdrawal request, the law permits (and in certain circumstances requires) certain collection, use, storage and disclosure of the personal information, despite the consent withdrawal. Such information might be stored for record keeping purposes, future accounting and legal purposes, but its use will be limited only to the circumstances of emergency or in accordance with the order of any relevant legal or administrative tribunal.
4. Limiting Collection, Use, Disclosure and Retention
Roots collects information by fair and lawful means and collects only that information which may be necessary for purposes related to the provision of its professional services.
Under no circumstances does Roots sell client lists or other personal information to third parties.
Roots will retain personal information only for the time it is required for the purpose of providing its professional services, managing the client’s file and record keeping, and will destroy such information once it is no longer needed. However, some information is kept for a longer period for various legal, accounting and tax related purposes. The storage and destruction of the personal information shall be governed by our Records Retention and Disposal Policy.
5. Accuracy
As the main source of the personal information, the client is responsible to provide accurate, up-to-date and relevant information and to advise Roots of any changes in a timely manner. Roots will not be responsible for the accuracy of information provided by its clients or other service providers.
6. Safeguards: Protecting Private Information
Protection and safeguard of clients’ personal information is of utmost importance for Roots, and we will invest our reasonable efforts into protecting clients’ information from unauthorized disclosure or use.
Access to personal information will be authorized only for the service providers and employees that are dealing with the client, and other agents who require access in the performance of their duties, and to those otherwise authorized by law.
Roots computer systems are password-secured and constructed in such a way that only authorized individuals can access secure systems and databases.
7. Access and Correction
If an error is found in personal information, Roots will make the appropriate corrections following its receipt of the client’s written request. Any correction requests should be sent to the following email address: office@rootsprivateschool.ca
8. Breach, Theft or Unauthorized Access
Roots will immediately inform any affected clients and individuals of any breach, theft or unauthorized use of their personal information, and will implement any remedial actions in order to limit any further disclosure or prevent additional instances of similar circumstances.
In addition to the individual(s) affected by the breach, Roots may notify other affected parties, whose identity might be reasonably identified by Roots. Roots shall notify other organizations and government institutions if it is believed that doing so can reduce or mitigate the harm from the breach.
Where it is reasonable in the circumstances to believe that the breach of security safeguards creates a real risk of significant harm to an individual, Roots will act immediately to inform any affected individuals, the Office of the Privacy Commissioner, as well as any government institutions or organizations that Roots believes can reduce the risk of harm that could result from the breach or mitigate the harm, including without limitation such organizations as law enforcement, payment processing, information storage, email providers and more.
Significant harm shall include any of the following: bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
Notwithstanding the provisions contained in this section, Roots will take any reasonable and diligent precautions to protect personal and personal health information in its possession. Nevertheless, Roots may fall victim to unauthorized access, theft or destruction of the information it possesses, in which case and as long as Roots acted in a reasonable manner, it shall not be held responsible or accountable for such instances.
Roots will keep all the records relating to potential or actual breaches, whether reported to the OPC or not. The information shall contain the following details:
- date or estimated date of the breach;
- general description of the circumstances of the breach;
- nature of information involved in the breach;
- internal assessment of “the real risk of significant harm” standard; and
- whether or not the breach was reported to the Privacy Commissioner of Canada/individuals were notified.