
Privacy Policy


Introduction

Welland Hydro-Electric System Corp. is committed to maintaining the accuracy, confidentiality, security and privacy of customer personal information.

 

In March 1996, the new Canadian Standards Association Model Code for the Protection of Personal Information, CAN/CSA-Q830-96 (the “CSA Code”), was published as a National Standard of Canada.  Welland Hydro-Electric System Corp. subscribes to the principles of the CSA Code.  Furthermore, in light of the requirements of the Personal Information Protection and Electronic Documents Act and any other applicable provincial legislation (collectively the “Privacy Legislation”), Welland Hydro-Electric System Corp. has created certain documents and procedures, including this Policy, as may be updated from time to time.

 

This Welland Hydro-Electric System Corp. Privacy Policy is a formal statement of principles and guidelines concerning the requirements for the protection of personal information that we collect, use and disclose with respect to our customers.  This Policy not only informs individuals about their rights but also sets out Welland Hydro-Electric System Corp.’s privacy operations and goals to implement these rights.

 

Summary of Principles

10 internationally accepted principles lie at the core of organizational responsibilities for safeguarding personal information. These are:

  1. Accountability:  An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with privacy principles.
  2. Identifying Purposes:  The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
  3. Consent:  The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
  4. Limiting Collection:  The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization.  Information shall be collected by fair and lawful means.
  5. Limiting Use, Disclosure, and Retention:  Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.  Personal information must be retained only as long as necessary for the fulfillment of those purposes.
  6. Accuracy:  Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
  7. Safeguards:  Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
  8. Openness:  An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
  9. Individual Access:  Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.  An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
  10. Challenging Compliance:  An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.

 

Definitions

  • Collection – the act of gathering, acquiring, recording or obtaining personal information from any source, including third parties, by any means.
  • Consent – voluntary agreement of an individual to the collection, use and disclosure of personal information for defined purposes.  Consent can be either express or implied and can be provided directly by the individual or through an authorized representative of the individual. Express consent can be given orally, electronically or in writing but is always unequivocal and does not require any inference on the part of Welland Hydro-Electric System Corp. Implied consent is consent that can reasonably be inferred from an individual’s action or inaction.
  • Customer – an individual who uses or applies to use the services of Welland Hydro-Electric System Corp.
  • Disclosure – making personal information available to a third party.
  • Personal Information – information about an identifiable individual. For a customer, personal information includes a customer’s credit information, billing records, service and equipment, and any recorded complaints.
  • Use – the treatment, handling, and management of personal information by Welland Hydro-Electric System Corp.

 

Distinctions among Privacy, Security and Confidentiality:

 

Privacy relates to people, process and accountability. It gives individuals control over their personal information and allows them to grant permission to an organization for the collection, use, disclosure and retention of that information.

Security is the essential component for preventing the inadvertent release of personal information. Security also relates to the availability and integrity of personal information.

Confidentiality addresses the disclosure of personal information.

 

Principle 1 – Accountability

Welland Hydro-Electric System Corp. is accountable for all personal information in its possession or control and shall designate one or more persons who will be responsible for the company’s compliance with the following principles:

1.1
The Chief Executive Officer/President (CEO) of Welland Hydro-Electric System Corp. has ultimate responsibility for the protection of personal information of customers. The CEO may delegate the day-to-day operational privacy responsibilities to another individual. All staff share responsibility for adhering to the Welland Hydro-Electric System Corp.’s privacy policies and procedures.
1.2
Welland Hydro-Electric System Corp. has designated a Corporate Privacy Officer to oversee compliance with the Welland Hydro-Electric System Corp. Privacy Policy. Welland Hydro-Electric System Corp. shall provide, upon request, the name and contact information of the Corporate Privacy Officer.
1.3
Welland Hydro-Electric System Corp. is responsible for personal information in its possession or control, including any personal information that has been transferred to a third party for processing. Welland Hydro-Electric System Corp. will use contractual or other means to provide a comparable level of protection of personal information while such information is being processed by a third party.
1.4
Welland Hydro-Electric System Corp. shall implement policies and procedures to give effect to the Welland Hydro-Electric System Corp. Privacy Policy including:
  1. implementing procedures to protect personal information and to oversee the company’s compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA);
  2. establishing procedures to receive and respond to inquiries or complaints with respect to an individual’s personal information; and
  3. training staff and communicating to staff about the company’s privacy policies and practices.

 

Principle 2 – Identifying Purposes

2.1
Identifying the purposes for which personal information is collected at or before the time of collection allows Welland Hydro-Electric System Corp. to determine the information needed to fulfill these purposes. Welland Hydro-Electric System Corp. collects personal information only for the following purposes:
  1. to establish and maintain responsible commercial relationships with customers and provide ongoing service; and
  2. to meet all of its legal and regulatory requirements.
2.2
Welland Hydro-Electric System Corp. shall specify, either orally, in writing or electronically, all identified purposes for the collection, use and disclosure of personal information to the customer at the time such personal information is collected. 
2.3
Those responsible for collecting personal information should be able to explain to individuals the purposes for which the information is being collected. In certain circumstances, the customer may be referred to a designated person within Welland Hydro-Electric System Corp. who can explain those purposes in greater detail.
2.4
Unless required by law, Welland Hydro-Electric System Corp. shall not use or disclose, for any new purpose, personal information that has already been collected without first identifying and documenting the new purpose and obtaining the consent of the customer.
 

 

Principle 3 – Consent

The knowledge and consent of a customer are required for the collection, use or disclosure of personal information, except where inappropriate.

3.1
In certain circumstances, personal information may be collected, used or disclosed without the knowledge and consent of the individual.  For example, some legal, medical or security reasons may make it impossible or impractical to seek consent.

Welland Hydro-Electric System Corp. may collect, use or disclose personal information without an individual’s knowledge or consent only in limited circumstances as permitted by law.

Welland Hydro-Electric System Corp. may use or disclose personal information without the individual’s knowledge or consent if it is clearly in the individual’s best interests to do so and consent cannot be sought in a timely manner.  An example of such circumstances is in the case of an emergency where the life, health or security of an individual is threatened.

3.2
This principle requires “knowledge and consent” of an individual for the collection, use or disclosure of their personal information. In obtaining consent, Welland Hydro-Electric System Corp. shall use reasonable efforts to ensure that a customer is advised of all the identified purposes for which personal information will be used or disclosed. These purposes shall be stated in a manner that can be reasonably understood by the customer.
3.3
Generally, Welland Hydro-Electric System Corp. shall seek an individual’s consent for use and disclosure of personal information before or when it collects, uses or discloses personal information. In certain circumstances, Welland Hydro-Electric System Corp. may seek an individual’s consent to use and disclose personal information after it has been collected but before it is used or disclosed for a purpose not previously identified.
3.4
Welland Hydro-Electric System Corp. may require customers to consent to the collection, use or disclosure of certain personal information in order to provide the individual with electricity services.
3.5
In determining an appropriate form of consent, Welland Hydro-Electric System Corp. shall take into account the sensitivity of the personal information and also the reasonable expectations of its customers with respect to the protection, collection, use and disclosure of their personal information.
3.6
A customer may refuse or withdraw consent at any time, subject to legal or contractual restrictions, and reasonable notice. Customers may contact Welland Hydro-Electric System Corp. for more information regarding the withdrawal of consent and any implications of such withdrawal.
 

 

Principle 4 – Limiting Collection

Welland Hydro-Electric System Corp. shall limit the amount and type of personal information it collects to that which is necessary for the purposes identified by the company. Welland Hydro-Electric System Corp. shall collect personal information using procedures which are fair and lawful.

4.1
Welland Hydro-Electric System Corp. shall collect only the amount and type of information needed for the purposes documented by Welland Hydro-Electric System Corp. and identified to the individual.
4.2
The requirement that personal information be collected through fair and lawful means is intended to prevent Welland Hydro-Electric System Corp. from collecting information by misleading or deceiving individuals about the purposes for which the information is being collected.
 

 

Principle 5 – Limiting Use, Disclosure and Retention

Welland Hydro-Electric System Corp. shall not use or disclose personal information for purposes other than those for which it was collected, unless consent is given by the individual to use or disclose it for another purpose or as required by law. Welland Hydro-Electric System Corp. shall retain personal information only as long as necessary for the identified purposes.

5.1
If Welland Hydro-Electric System Corp. uses personal information for a new purpose, it will document this purpose.
5.2
With the consent of the customer, Welland Hydro-Electric System Corp. may disclose a customer’s personal information to the following:
  1. an agent retained by Welland Hydro-Electric System Corp. in connection with the collection of the customer’s account;
  2. credit grantors and reporting agencies;
  3. a person who, in the reasonable judgment of Welland Hydro-Electric System Corp., is seeking the information as an agent of the customer; and
  4. any other third party or parties, where the customer has provided consent to such disclosure or disclosure as required by law.
5.3
Welland Hydro-Electric System Corp. shall maintain reasonable and systematic controls, schedules and practices for the protection of personal information. Record retention, which shall include minimum and maximum retention periods, and destruction shall apply to personal information. Information that is no longer necessary or relevant for the identified purposes for which it was collected or required by law to be retained shall be destroyed.
5.4
Welland Hydro-Electric System Corp. will keep personal information only as long as necessary for the identified purposes.
5.5
Personal information that is no longer required to fulfil the identified purposes will be destroyed, erased or made anonymous. Welland Hydro-Electric System Corp. will develop guidelines and implement procedures to govern the destruction of personal information.
5.6
Only those employees of Welland Hydro-Electric System Corp. who require access for business reasons or whose duties reasonably so require, are granted access to personal information about customers.
 

 

Principle 6 – Accuracy

Welland Hydro-Electric System Corp. will keep the personal information in its possession or control accurate, complete, current and relevant based on the most recent information provided to Welland Hydro-Electric System Corp.

6.1
Personal information used by Welland Hydro-Electric System Corp. shall be sufficiently accurate, complete, current and relevant to minimize the possibility that inappropriate information may be used to make a decision about a customer.
6.2
Welland Hydro-Electric System Corp. shall update personal information about customers only if it is necessary for the purposes for which it was collected or upon notification by the individual requesting that their personal information be updated or amended.
 

Principle 7 – Safeguards

Welland Hydro-Electric System Corp. shall protect personal information with security safeguards appropriate to the sensitivity of the information.

7.1
Welland Hydro-Electric System Corp. shall protect personal information from loss or theft, unauthorized access, disclosure, copying, use, modification or destruction through appropriate security measures. Welland Hydro-Electric System Corp. shall protect all personal information regardless of the format in which it is held.
7.2
The nature of the safeguards will vary depending on the sensitivity of the information, amount, distribution, format and the method of storage of the personal information. Welland Hydro-Electric System Corp. will give the highest level of protection to the most sensitive personal information.
7.3
The methods of protection should include:
  • Physical security, such as locked filing cabinets and restricted access to offices;
  • Organizational security, such as security clearances and limiting access on a “need to know” basis; and
  • Technological security, such as the use of passwords and encryption.
7.4
Welland Hydro-Electric System Corp. will make all of its employees aware of the importance of maintaining the confidentiality of personal information.
 

 

Principle 8 – Openness

Welland Hydro-Electric System Corp. shall make readily available to customers specific information about its policies and practices relating to the management of personal information.

8.1
Welland Hydro-Electric System Corp. will be open about the policies and practices used to manage personal information. Individuals will have access to information about these policies and procedures. This information will be available in a format that is easy to understand.
8.2
Welland Hydro-Electric System Corp. shall make the following information about its privacy policies and practices available:
  • the name and address of the Corporate Privacy Officer (or persons) accountable for the Welland Hydro-Electric System Corp.’s privacy policies and practices and to whom inquiries or complaints can be forwarded;
  • how to gain access to personal information held by Welland Hydro-Electric System Corp.;
  • a description of the type of personal information held by Welland Hydro-Electric System Corp. including a general account of its use; and
  • a copy of any brochure or other information that explains Welland Hydro-Electric System Corp. privacy policies, standards or codes.
8.3
Welland Hydro-Electric System Corp. may make information on its privacy policies and practices available in a variety of ways, including information at its place of business, bill inserts, bill messages or through mailings to customers.
 

 

Principle 9 – Individual Access

Upon request, an individual shall be informed of the existence, use and/or disclosure of his or her personal information in Welland Hydro-Electric System Corp.’s possession and shall be given access to that information.

A customer shall be able to challenge the accuracy and completeness of the information and have it amended where necessary.

In certain situations, Welland Hydro-Electric System Corp. may not be able to provide access to all the personal information it holds about an individual. However, such exceptions to the access requirement are limited and specific. Exceptions may include information that is prohibitively expensive to provide, information that contains references to other individuals and information that cannot be disclosed for legal, security or commercial proprietary reasons.

9.1
Upon request, Welland Hydro-Electric System Corp. shall inform an individual of the personal information that Welland Hydro-Electric System Corp. has in its possession or control about that individual.
9.2
Upon request, Welland Hydro-Electric System Corp. shall provide an account of the use and disclosure of such personal information and, where reasonable and possible, shall state the source of the information.
9.3
In order to safeguard personal information, a customer may be required to provide sufficient information to properly identify themselves, so that Welland Hydro-Electric System Corp. can be assured that it is providing information with respect to the existence, use and disclosure of personal information, and authorizing access to an individual’s file, to the right individual. Any information provided for identification purposes shall only be used for such purpose.
9.4
In providing a list of third parties to which Welland Hydro-Electric System Corp. has disclosed personal information about a customer, Welland Hydro-Electric System Corp. will provide as much information as possible to the customer. When it is not possible to provide a list of third parties to which it has actually disclosed information about an individual, Welland Hydro-Electric System Corp. shall provide a list of third parties to which it may have disclosed information about the individual.
9.5
Welland Hydro-Electric System Corp. shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file. Where appropriate, Welland Hydro-Electric System Corp. may disclose or share with third parties who have access to such personal information any amended information and identify the existence of any unresolved differences.
 

 

Principle 10 – Challenging Compliance

A customer shall be able to challenge Welland Hydro-Electric System Corp.’s compliance with the above principles to the designated person or persons accountable for the compliance of the Welland Hydro-Electric System Corp. Privacy Policy.

10.1
Welland Hydro-Electric System Corp. shall maintain procedures for receiving, addressing and responding to all inquiries or complaints from its customers relating to its handling of personal information.
10.2
Welland Hydro-Electric System Corp. shall inform its customers about the existence of these procedures as well as the existence of complaint mechanisms.
10.3
The person or persons accountable for compliance with the Welland Hydro-Electric System Corp. Privacy Policy may seek external advice, where appropriate, before providing a final response to individual complaints.
10.4
Welland Hydro-Electric System Corp. shall investigate all complaints concerning compliance with the Welland Hydro-Electric System Corp. Privacy Policy. If a complaint is found to be justified, the company shall take appropriate measures to resolve the complaint including, if necessary, amending its privacy policies and procedures. A customer shall be informed of the outcome of the investigation regarding his or her complaint in a timely manner.
10.5
If individuals are not satisfied with the way Welland Hydro-Electric System Corp. has responded to their complaint, they can contact the Privacy Commissioner of Canada at (613) 995-8210.
 

 

Glossary of Terms

Access (Individual Access): Upon request, an individual shall be informed of the existence, use, and disclosure of his/her personal information and shall be given access to that information. An individual shall have the right to challenge the accuracy and completeness of the information and have it amended as is appropriate.

 

Accountability: An organization is responsible for personal information under its control and shall designate individual(s) who are accountable for the organization’s compliance with the Privacy principles and applicable legislation.

 

Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is collected. Personal information shall be updated only when necessary to fulfill the purposes for which it was collected.


Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual(s) accountable for the organization’s compliance.

Consent: There must be voluntary agreement of the data subject to the collection, use, and disclosure of his/her personal information. This consent may be either express or implied, and should include an explanation as to the implications of withdrawing consent. Express consent is given explicitly and unambiguously, either verbally or in writing. It is unequivocal and does not require any inference on the part of the organization seeking consent. Implied consent is given when the action/inaction of an individual reasonably implies this consent. Consent should never be a condition for supplying a product or service, unless the information requested is required to fulfill an explicitly specified and legitimate purpose.

 

Disclosure: Disclosure occurs when personal information is made available to other areas within an organization for which the information was not originally collected, or to others outside the organization.

 

Identify the purpose: Purposes, which include why information is being collected and how it will be used, shall be identified by the organization at or before the time of collection. The reason for collecting information should be documented. The individual from whom the information is collected should be informed as to why this information is required.

 

Limiting Collection: The collection of personal information must be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means. The type and amount of information collected should be limited to that which is necessary for the purposes identified. Staff members must be able to explain the reason for collecting information.

 

Limiting Use, Disclosure, Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Any new use for personal information must be identified. Consent must be obtained from an individual before the information is used for the purpose identified. Personal information shall only be retained as long as is necessary for the fulfillment of the purposes identified. Maximum and minimum retention periods, which take into account any legal requirements or restrictions and redress mechanisms, should be instituted. Information without a specific purpose or that no longer fulfils its intended purpose shall be disposed of in a manner that prevents improper access, such as the shredding of paper files or deletion of electronic records.

Policies outlining the type and frequency of updates to information should be established.

 

Openness: An organization shall make specific information about its policies and practices relating to the management of personal information readily available to individuals, in a manner that is easy to understand. Customers, clients, and employees shall be informed of these policies.

Personal Information: Personal information is any factual or subjective information, recorded or not, regarding an identifiable individual. Examples include name, age, identification numbers, income, ethnic origin, blood type, opinions, evaluations, comments, social status, disciplinary actions, employee files, credit or loan records, medical records, or the existence of a dispute between a consumer and a merchant.

 

Personally Identifiable Information: Personally identifiable information is any data that uniquely links an individual to other piece(s) of data. Examples include PINs (personal identification numbers), access cards, passwords, retinal and fingerprint scans, and e-mail or IP addresses. This type of information should be treated in the same manner as personal information collected in an ‘offline’ environment.

 

Privacy: Privacy is the fundamental right of an individual to decide about the processing of his/her personal data as well as to protect his/her intimate sphere. Privacy violations include:

  • improper acquisition of personal information, including its access, collection, and distribution;
  • improper use of information, including its use for reasons other than those for which it was explicitly collected or its transfer to other parties;
  • unwanted solicitation of personal data; and
  • improper storage of information.

 

 

Retention Period: A retention period is the duration of time personal information is held. Personal information should not be held for longer than is necessary to fulfill the purpose for which it was collected, but must be retained long enough to allow individuals to access it if it has formed the basis of a decision that affects them.

 

Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

 

Use: Use refers to the treatment and handling of personal information within an organization.

 

 

 

Last Revised: January 1st, 2004