UNDER THE CANADIAN FEDERAL GOVERNMENT’S PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA)
THOMSON ARCHITECTURE, INC., (TAI) as an Architectural Practice licensed by The Ontario Association of Architects, is bound by PIPEDA and requires consent where the personal information it collects, uses, discloses and retains is in the course of its commercial activities. Therefore, in every proposal and contract TAI issues for client review and approval, we will request such consent. We respect the privacy of our clients, and we are committed to keeping personal information accurate, confidential, secure and private. “Personal Information” used in our practice may include, but is not limited to; Individual and/or Business names or Numbers, Addresses, Telephone, Email Addresses, Utility Bills and Financial Information as it relates specifically to the subject project(s) such as land or building purchase prices, locations(s), taxes, utility costs, and other information required or related to project budgets and schedule and energy performance information. In some cases we may request consent and authorization to act as agents on behalf of our clients for the purpose of facilitation communication with Authorities Having Jurisdiction (AHJ’s), such as Municipalities (ie. Permits, Committees), Conservation Authorities or other public agencies. Toward securing this information, we implement the following 10 steps in our office:
TAI is responsible for personal information under its control and it’s Director and/or OAA-licensed Officers are accountable for TAI’s compliance. Directors and Officers of TAI are OAA-licensed Certificate of Practice Holders, and as such, mandatory insurance covers some aspects of PIPEDA compliance. Concerns related to TAI’s Compliance with the legislation, including the collection, use, retention and destruction of personal information held by TAI should be forwarded to TAI’s Director: Andy Thomson at email: firstname.lastname@example.org
2. IDENTIFYING PURPOSES
Policy: The typical purpose for which personal information is collected, used and disclosed by TAI in the course of its commercial activities is described by but not limited to the following;
a. Responding to and creating a proposal for Architectural Services that is appropriate and responsive to a client’s requirements such as budget, timeline, and even health issues as they relate to mobility and universal design and other considerations.
b. To create legally binding contracts for Architectural Services by noting a client’s complete name and/or business name and contact information.
c. In order to share the client/owner’s project information with Authorities Having Jurisdiction (AHJ) ie. Building Inspectors, Planners, and other Municipal Officials, suppliers, vendors, sub-consultants and other contractors in order to obtain additional services or pricing required for the advancement of the contract. TAI will make efforts to not disclose a project’s owner or address where this is not deemed necessary. Separate ‘Authorization of an Agent’ forms will in some cases also be required by such AHJ’s, that will require the express consent of the individual.
d. In order to add Project Information to our online portfolio and website. As a rule, we will include only the Municipality or General Information regarding a project’s location (ie. ‘Collingwood Residence’), but not the particulars of its address, owners, budget or project costs unless agreed to by the client.
e. Acting as a reference for a new client(s), but only as agreed to by the referring client.
f. On occasion, TAI may request contact information from a consultant, contractor, or other third party to provide references for the same third party. In such cases, on receipt of information pertaining to the performance or quality of services rendered by the third party to the referred party, such information will be used only to form a general opinion of the third party and to advise a client of TAI of this opinion, but the information provided and collected shall not be retained.
e. On occasion, TAI may request an owner’s consent to provide the architect with utility bill information such as volumes of natural gas consumed (m3/yr) and/or electricity (kWh/yr) and water (litres/yr) in order to better evaluate, benchmark and improve building energy and environmental performance measures in their project portfolio. This data may be subject to publication and/or used in public presentations to demonstrate best practices. Such data will be anonymized to protect the identity and locations of projects where appropriate.
The knowledge and consent of the individual is required for the collection, use, disclosure or retention of personal information in the course of TAI’s commercial activities except where inappropriate. TAI may collect, use and disclose personal information in the course of its commercial activities without the knowledge or consent of the individual if the collection, use or disclosure is clearly in the interest of the individual and/or the consent cannot be obtained in a timely manner.
4. LIMITING COLLECTION
The collection, use and disclosure of personal information in the course of its commercial activities shall be limited to that which is necessary for the purposes identified by TAI. Information shall be collected by fair and lawful means.
Policy: All personal information collected, used and disclosed by TAI in the course of its commercial activities is obtained from individual Proposals and/or Contracts.
Procedure: Collect, use and disclose personal information in the course of its commercial activities from Proposals, Contracts and Contract Documents.
5. LIMITING USE, DISCLOSURE AND RETENTION
Policy: Personal information collected, used or disclosed by TAI in the course of its commercial activities shall not be used or disclosed for purposes other than those for which it was collected except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
TAI may disclose personal information collected in the course of its commercial activities without the knowledge or consent of the individual if the disclosure is to a lawyer who represents TAI or for the purposes of collecting a debt owed by the individual to TAI or where such is required to comply with a subpoena or an Order of the Court or a person or body with jurisdiction to compel the production of information or where a request has been made by an investigative body and the disclosure is reasonable for purposes related to investigating a breach of an agreement or contravention of the Laws of Canada or a Province or are required by law.
Use of personal information may be communicated to employees, subcontractors and sub-consultants in the course of fulfilling contract obligations. Employees are bound by our privacy signatories to employment contracts with TIA. In the course of daily operations, access to personal information is limited to those employees with a legitimate reason for accessing it. Unauthorized use or disclosure of personal information by an employee of the TAI is prohibited and may result in disciplinary measures including dismissal. Personal Information will not be shared with or sold to third parties for the purposes of advertisement, endorsements or marketing purposes without the express written consent of the individual, except where this information is in the interest of the individual’s specific project with TAI.
Procedure: Only personal information collected from the Proposals or Contracts may be provided to third parties for the purposes noted above.
Personal information collected, used or disclosed by TAI in the course of its commercial activities shall be as accurate, complete and up to date as is necessary for the purpose for which it is to be used.
Policy: TAI endeavours to maintain accurate and up-to-date records, however, the onus is on the individual to advise TAI, in writing, with respect to any change in particulars.
Procedure: Changes to all information submitted in Proposals and Contracts will only be accepted in writing.
Policy: Personal information collected, used and disclosed by TAI in the course of its commercial activities shall be protected by security safeguards appropriate for the sensitivity of the information.
• TAI’s Computers, Cloud Services, Project Management Website, Banking and Payment Systems and other electronic services are password protected and encrypted (SSL) wherever possible. Our Server is an SSD, with dual redundant cloud and local backups, with full local encryption.
• Access to our office is by a keyed, alarmed entry, and we also have internet connected camera and motion detection, together with an alarm contacts at all openings on the premises.
• Printed Records are cross shredded prior to disposal/recycling.
Policy: An individual may request access to his/her personal information collected, used or disclosed by TAI in the course of its commercial activities.
Procedure: Written request to the staff member responsible for TAI’s compliance with the PIPEDA.
9. INDIVIDUAL ACCESS
Upon request, an individual shall be informed of the existence, use and disclosure of his/her personal information collected, used or disclosed by TAI in the course of its commercial activities and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Policy: An individual may request access to his/her personal information collected, used or disclosed by TAI in the course of its commercial activities (Proposal or Contract), which the individual shall also be in possession of as a function of completing a Proposal or Contract with TAI.
• Request access in writing for copies of Contracts or Proposals containing Personal Information.
10. CHALLENGING COMPLIANCE
An individual may challenge compliance with the above 9 principles with the Director or Officer accountable for TAI’s compliance.
Policy: Complaints may be made to TAI’s Director or Officers accountable for TAI’s compliance with the PIPEDA in addition to the Federal Privacy Commission.
• Complaint must be made in writing and should be addressed to the Director or Officer accountable for ensuring TAI’s compliance with the PIPEDA.
• The Director or Officer accountable for TAI’s compliance with the PIPEDA, in consultation with the Director of Policy, will address the matter and issue a response to the individual within 30 days of receipt of the complaint.
Revised February 2020