In Canada, pursuant to principle 4.1.3 of PIPEDA, and throughout the European Union, where personal information of individuals has been transferred to or is being collected by a third party corporation such as Exposoft on behalf of, or as an "agent" for (to use the terminology of PIPEDA) or "data processor" (to use EU Data Protection Directive terminology), the customers and clients of the data processor nevertheless remain responsible for that personal information.
The choice of who is to be your data processor is therefore an important business decision, because the consequences of failing to act in compliance with PIPEDA and other international privacy and data protection legislation can be significant (audit and investigation, bad publicity, fines, possible court cases, and even criminal sanctions).
Below is a list of some of the actions Exposoft has taken to comply with PIPEDA and to protect its customers' databases and the personal information of individuals accessing Our clients' Web Registration Sites:
1. Exposoft has taken commercially reasonable measures to protect the security of its customers' databases (which include the personal information of individuals collected and processed through the Web Registration Sites). Each Web Registration Site that Exposoft hosts for a client that 'processes' financial or credit card information of individuals is developed using industry-standard SSL encryption technology. Our cluster of Dell computer servers is located at a state-of-the-art secure facility in downtown Toronto and is firewalled. Continually updated antivirus software is installed on the servers as well as on all corporate computers. Any archived databases on CD or other media are locked up in Our secure premises in an industrial IT park in Mississauga, Ontario. Access to any customer databases is strictly on a "need-to-know" basis for all Exposoft staff (who have been trained in the principles of privacy protection). The current security policy is under revision to deal with the additional international issues associated with a major international EU-oriented software development and data processing project.
2. Exposoft enters into a written data protection agreement with each client (whether a direct client or as a subcontractor of a DMC) based on the Canadian Chamber of Commerce Model Data Protection Contract, so that each and every one of Our clients will be in compliance with the provisions of PIPEDA respecting the transfer of data to third parties when they do business with us. Our standard form service agreements make it clear that we have no ownership rights in any of the customer data being collected, and following the completion of any Event, Our customer receives a digital version of their database on CD-ROM (and Our Dell servers are scrubbed clean of the Event database).
3. Exposoft limits its use of customer data in all of its standard form agreements to providing the services under the agreement with Our customer. We will never sell or disclose any data, including critical personal information, to third parties who are not involved in the performance of Our services for Our clients. Our employees will only access such data in providing Our services, on a 'need-to-know' basis. In the case of e-commerce-enabled services, however, we will of course provide elements of the data collected for Our clients to Our merchant service provider and other related financial service providers in order to process the relevant credit/debit card transactions.
4. Exposoft has appointed a Chief Privacy Officer under PIPEDA and the legislation of various countries in the European Union to deal proactively with all national and international privacy and data protection issues that arise in the provision of Our international online registration and software development services. Our Chief Privacy Officer can be contacted at legal@exposoft.com or at 905-812-3770 ext. 237.
5. Our various proprietary computer software systems, Web Registration Sites and online application forms have also been carefully developed to include the following privacy enhancement features:

a. Our customers can set various levels of access (with varying levels of control to change, edit, etc.) to the back-end reporting components of Our proprietary software, so that their employees can operate on a 'need-to-know' basis;

b. Customers have control over the access to their data by their employees, because they control the authentication process by setting their own passwords and usernames;

c. The Exposoft proprietary software can log or track everyone who accesses the data, to maintain a digital audit trail of what personal information, if any, has been accessed and when, and how it has been changed, deleted, etc.;

d. Our software permits real-time access to the customer database to make changes or deletions to personal information (or to consent to use of personal information) by any individual requesting the change; and

e. The addition of any necessary consent(s) to future uses of the personal information being collected from the Web Registration Sites that we set up for Our clients, by way of opt-in or opt-out boxes. (Our project managers canvass the need for any consents before any web site that collects personal information goes live over the Internet.)