We are accountable for our privacy practices.
We are responsible for safeguarding the personal information entrusted to us.
refsavvy and our partner brands have appointed a team of privacy professionals (the ‘Privacy Team’) which ensures we comply with this Privacy Statement, the law, our contractual obligations and the rights of individuals. The Privacy Team provides training and guidance on privacy matters, and investigates concerns and complaints from colleagues, clients, individuals or government agencies. We take privacy concerns and complaints seriously and investigate and respond to them in good faith.
We have personal information that is subject to various Canadian privacy laws, including the federal Personal Information Protection and Electronic Documents Act, the British Columbia Personal Information Protection Act, the Alberta Personal Information Protection Act, the Ontario Personal Information Protection Act, the Quebec Act respecting the protection of personal information in the private sector, and federal, provincial and territorial public-sector privacy laws. Some information in our custody is also subject to foreign data protection and privacy laws. Additionally, some personal information in our custody is under the legal control of a client, in which case it is also subject to the terms of our contract with that client.
Regardless of the rules that govern it, all personal information in our custody or control is subject to the strict standards set forth in this Privacy Statement. However, when our legal obligations go beyond or contradict part or all of this Privacy Statement, we will comply with those obligations.
If, after reading this Privacy Statement, you still have a question, concern or complaint about our privacy practices or how we will handle or have handled your personal information, or feedback about this Privacy Statement, please contact us. If you are unsatisfied with our response to your concern and would like to escalate your complaint to a regulatory body, we will inform you upon request of the complaint procedures available to you.
The Privacy Director is the designated individual responsible for ensuring compliance with Canadian privacy laws and the promises we have made in this Privacy Statement.
We handle personal information in line with data subjects’ expectations and the law.
We only collect and use personal information with the consent of the data subject or in cases where a legitimate reason exists. The data subject may withdraw consent for the use of the information at any time.
Most of the personal information we collect is for one or more of the purposes listed below. After each purpose, there is more information about how we notify data subjects of the purposes for collecting that personal information and obtain their consent or authorization to do so.
We collect personal information from clients’ employees, job applicants, landlords, tenants and contractors, as, to perform reference checks, due diligence and other human resources services. When collecting personal information for these purposes, we or a client will provide notice of the specific purposes for which the personal information will be used (for example: verification of past employment; character references, etc.) and collect consent from the data subject by electronic or handwritten means. Consent can be withdrawn at any time. On request, our Privacy Team will tell the data subject how to withdraw consent for use of personal information and the consequences of doing so.
The types of personal information collected to complete reference checks or due diligence vary. They may include full name, employment history, rental history, education history, contractor history, driver history, criminal convictions, telephone and email contact information, government-issued identifying numbers, and identity documents, among others. We only require the types of personal information that are needed to complete the services we have been asked to complete, and if a type of information is optional, it will be indicated as such. Any questions about why a specific type of personal information is required can be directed to the person requesting the information or our Privacy Team.
We collect personal information from clients and potential clients to communicate about our services and about their orders. This may include solicitations to purchase additional services. Consent for collection and use of this information is usually implied, based on public availability of contact information or a decision on the part of the data subject to communicate with us about our services. Data subjects can withdraw or withhold consent for use of their personal information for marketing purposes by contacting their refsavvy or subsidiary brand representative or the Privacy Team. Data subjects can withdraw or withhold consent for collection or use of their personal information for the purposes of communicating about services that have been ordered, but that may prevent them from placing orders with us.
We ensure that we collect, use and retain only the personal information we need for a specified purpose. We do this by observing a number of more specific principles:
We do not use personal information for purposes that are incompatible with those that were identified when the information was first collected, unless the data subject has consented to the new purpose or it is required by law.
When handling personal information, we will use it in accordance with the purposes that were set out when the information was collected and will not reuse the information for other purposes without the data subject’s consent, unless the new purposes are compatible with the original purpose and would fit within the data subject’s reasonable expectations for how the personal information should be used.
We avoid the collection, use and disclosure of personal information that is not necessary for the purposes we have identified, unless required by law.
We will endeavor to collect the applicable amount of personal information to achieve the stated purpose, and similarly we will only process personal information to the extent necessary for that purpose. Occasionally, we may need to disclose personal information to a third party. We will only disclose the minimum amount of information that must be disclosed, and disclosure will generally be done only with the knowledge and consent of the data subject, or if it is reasonable to assume the data subject would expect the disclosure. There may be circumstances where we are required by law to disclose personal information without the consent of the data subject, in which case we will fulfill our legal obligations.
We only retain personal information long enough to fulfill the purpose for which it was originally collected, to fulfill our legal obligations, or to allow data subjects to exercise their rights under the law.
We will retain personal information for the minimum amount of time necessary to fulfill the purposes for which it was collected and comply with our legal and contractual obligations. Some kinds of information must be available for a certain amount of time for audit purposes: for example, we must keep criminal record check documents for a minimum of two years, and we must keep information about credit checks for a minimum of three years. We also retain personal information to allow the data subject to exercise any legal recourse, such as requesting access to your information or filing a complaint with a privacy commissioner. Once we no longer have a reason to retain personal information it will be deleted or rendered anonymous.
We take reasonable steps to ensure that personal information is accurate, complete and, where necessary, kept up to date.
We do our best to ensure that the information we have is accurate. When collecting personal information from a data subject or a third party, we will ensure our records match the information as we received it, but we are not responsible for the accuracy of information collected from others. If we have reason to believe that personal information we have collected is inaccurate, we will take steps to correct it. When it is appropriate and necessary to keep information up to date, we will do so. However, personal information collected as part of a background screening, due diligence or other human resources service normally has a date associated with it and is a period in time rather than a living record. This means that we will take steps to ensure it is accurate at the time of collection, but generally will not update it if it changes at a later date.
We ensure personal information in our custody is kept secure.
We take the necessary technical and organizational measures to ensure personal information is secured against accidental access, destruction, loss, modification or disclosure, and take appropriate steps to reduce or eliminate harm in case of a breach. We do not transfer personal information to third parties or overseas when it is prohibited by law. When it is permitted to transfer personal information, we ensure that the protections afforded by this Privacy Statement are applied to information that has been transferred as well.
Our information security systems and practices have been vetted and approved by many clients, including Fintech, crown corporations, credit bureaus and other highly trusted organizations. For more information about our information security practices, contact us.
In the unlikely event that there should be a breach affecting personal information, we have a detailed incident management plan to rapidly contain the breach and minimize harm that may come to the data subject as a result. When appropriate or legally required, we will ensure that the appropriate parties are notified that personal information has been compromised and let them know what we are doing to rectify the problem.
In some cases, we may need to transfer personal information to a third-party service provider or to our subsidiaries or vendors outside of Canada. We will not transfer data outside of the country when such a transfer would be prohibited by law or a contractual agreement. When personal information is transferred to another country or to a service provider, it continues to be subject to the protections in this privacy statement and the laws that apply where it was collected. However, personal information transferred to another country may be subject to the laws of that country as well.
Personal information held by refsavvy is stored on redundant servers located in Ontario and Quebec Canada. It is accessed remotely through secure connections by our remote global team as appropriate and necessary to carry out the purposes for which it was collected. Access to personal information is restricted to team members who need to access it, including but not limited to data entry specialists, order fulfillment specialists and customer service representatives.
We help individuals understand and exercise their legal rights with respect to the personal information entrusted to us.
All individuals have the right to know whether we hold personal information about them and, if we do, how it has been or will be used. They have a right to access personal information about themselves upon request, with reasonable limitations as provided by law. Individuals have the right to dispute the accuracy of their personal information and, if their dispute is successful, have their information updated as appropriate. We inform individuals about their rights upon request and as required by law and take reasonable steps to assist them in exercising those rights.
Our Privacy Team is here to ensure that data subjects’ privacy rights are respected. On request from an individual, we will indicate whether we have personal information about that individual. In most cases, we will also indicate what information we have, where we got it, how it has been or will be used, to whom it has been or will be disclosed and how long it will be retained.
If a data subject would like to receive printed copies of some or all of his or her personal information in our custody, we will indicate how to make that request and we will comply in accordance with applicable law. In some cases, we may not be permitted to discuss or disclose personal information that is under the legal control of the client. In those cases, we will direct the data subject to the person or organization that can assist. Finally, in some situations we may refuse to provide access to some personal information. Among others, this includes situations where the disclosure would expose confidential information about us or a third party, or the disclosure is prohibited by law. For example, we will generally not disclose the details of reference interviews, as they contain the opinions of third parties. If we cannot provide access to personal information, we will indicate the legal basis for the refusal or provide reasonable assistance to obtain the information from another source.
If a data subject feels that personal information in our custody is inaccurate or incomplete, our Privacy Team will investigate the dispute and update the personal information as appropriate. Even if a dispute is not resolved in the data subject’s Favour, we will nevertheless make note of it in the file.
We will endeavor to provide reasonable accommodation for individuals with disabilities, or whose situation otherwise prevents them from communicating with us or accessing their personal information according to our standard practices.
To request access to personal information, to dispute its accuracy or to request special accommodation, please contact us.
We subscribe to the concept of Privacy by Design. This means that we take a proactive approach to privacy. Rather than trying to fix privacy problems as they come up, we aim to prevent them entirely. Before a new system, product or procedure is developed, or an existing one is modified, we carefully review any effect it may have on personal information to ensure our Core Privacy Principles are upheld.
Our Privacy Team consists of dedicated privacy professionals. Privacy Team members keep abreast of changing privacy rules and practices in Canada and around the world through regular engagement with privacy professionals from other organizations and participation in continuing professional education programs.
All refsavvy employees receive comprehensive privacy training tailored to their job function at the beginning of employment and at regular intervals throughout their employment. The Privacy Team is actively engaged with all areas of our business to ensure that our privacy obligations are understood and followed.
We have some personal information in our systems that may not be under our legal control because it belongs to a client. This includes personal information provided to us by public bodies subject to the Privacy Act or similar provincial legislation. Whenever it is in our custody, information that is not under our control is handled in accordance with this Privacy Statement to the extent permitted by the contractual agreement with the client. If you would like clarification as to who controls your personal information, contact us.
refsavvy does not make decisions on behalf of clients as to what types of background screening services or searches to request. Our role is to complete the services as ordered, as long as we have the consent of the data subject. Additionally, we do not know how personal information will be used once it has been disclosed to a client. Any questions about why certain types of background screenings or searches have been requested or how the results will be interpreted or used should be directed to the requesting organization.
We may be asked by law enforcement agencies, courts or other public bodies to disclose personal information without notice to or consent from the data subject. If we are subject to a production order, warrant, subpoena or other enforceable demand, we will comply as required by law. If we receive a request to provide information voluntarily, we will consider the interests of the data subject, our business interests, impact to clients, public safety implications and our legal obligations prior to deciding whether to disclose personal information. If appropriate and permitted by law, we will notify affected data subjects or clients of the disclosure or make information about the disclosure available upon request.