1.1 Compliance with Legislation
As a telecommunications provider, Valo is required to comply with the requirements set out in the Personal Information Protection and Electronic Documents Act (PIPEDA) and its regulations, as well as any privacy-related material issued by the Canadian Radio-Television Commission (CRTC). Valo places utmost importance on compliance with these regulatory frameworks and strives to meet or exceed the compliance requirements.
Schedule 1 of PIPEDA outlines principles that guide an organization’s protection of personal information. These principles are:
2. Identifying purpose
4. Limiting collection
5. Limiting use, disclosure, and retention
9. Individual access
10. Challenging compliance
This Policy serves to outline how Valo will meet the above principles.
1.2 Valo Contact Information
All privacy concerns should be directed to:
• If by email: [email protected]valonetworks.com
• If by mail: Valo Networks Ltd.
400-4820 Richard Road SW
Calgary, AB T3E 6L1
Business Contact Information: Means any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession, such as the individual’s name, position name or title, work address, work telephone number, work fax number or work electronic address.
Customer: Means an individual or entity who: (a) has an account with Valo; (b) subscribes for, uses, has used, or applies to use Valo’s products and/or services; (c) corresponds with Valo; (d) is a Web Site User; and/or (e) enters a contest sponsored or administered by Valo.
Employee: Any individual who works for or provides labour to Valo or one of its affiliate companies in exchange for wages or salary.
Personal Information: Means information about an identifiable individual, for example an individual’s name, account number, e-mail address, payment information, user logs or certain numbers associated with that individual’s equipment (for example MAC address or IP address), if Valo can link such numbers to the individual. It does not include aggregate information that cannot be associated with a specific individual.
Web Site User: Means a user of a website owned, controlled or managed by Valo from which Valo collects Personal Information.
3 Collection of Information
Valo has considered best practice guidance in determining what information is collected from the various parties it interacts with. Information collected from the various parties is discussed below; however, Valo may from time to time collect additional information where required.
3.1 Customer Information to be Collected
In order to provide services to a Customer, Valo must collect Customer information of a personal nature. The following chart lists the Personal Information that is collected by Valo and the reason for which it is collected.
|Information|Reason for Collection|
|---|---|
|Contact information including: phone number; email address|Customer contact information for account; address to which services are to be provided; address to which invoices are to be issued|
|Financial information including: payment card information|Set up automatic payments for services|
|Date of birth/age|Product analysis and development; customer relationship improvement|
|Product & service preferences|Customer history tracking; customer relationship improvement; vendor relationship improvement|
|Customer satisfaction information; products and services reviews and opinions|Product development; marketing; customer relationship improvement; vendor relationship improvement|
Valo strives to limit its collection of Customer information to that related to providing a service to the Customer, communicating with the Customer, or improving the services provided. However, from time to time Valo may collect other information not listed above in accordance with its needs and in compliance with all legislation and regulations. The data is stored, accessed and disclosed in accordance with Sections 4 and 5 of this Policy.
3.2 Employee Information to be Collected
Valo collects and stores only employee information necessary for Valo to meet its obligations as an employer. Information will be collected as part of the employee onboarding as described in the Valo Employee Handbook.
Valo collects and uses Employees’ Personal Information for the following purposes:
a. administer payroll and benefits;
b. administer personnel and employment programs;
c. document an Employee’s file in the normal course of the employment relationship (i.e. performance reviews, etc.); and
d. provide references regarding current or former employees in response to requests from prospective employers.
3.3 Vendor Information to be Collected
Valo utilizes products and services from various third-party vendors in its delivery of services to Customers. Valo will collect information of its vendors to enable it to conduct business with the vendor.
3.4 Web Site User Personal Information
3.5 Authorization of Collection of Personal Information
Consent is generally required for the collection of Personal Information and the subsequent use or disclosure of the Personal Information. Consent can be either express or implied. The form of consent sought by Valo may vary, depending on the sensitivity of the information and your reasonable expectation, so that you understand the nature, purpose and consequences of the collection, use and/or disclosure of Personal Information. Valo will seek express consent when the Personal Information is sensitive in nature. Implied consent is typically appropriate when the Personal Information is less sensitive. Business Contact Information can be used by Valo without consent solely for the purpose of facilitating communication between Valo and an employee, in relation to his/her employment, business or profession.
Valo may collect personal information from a party without their knowledge and consent:
a) if it is clearly in the individual’s interests and consent is not available in a timely way;
b) if knowledge and consent would compromise the availability or accuracy of the information and collection is required to investigate a breach of an agreement or contravention of a federal or provincial law;
c) for journalistic, artistic or literary purposes;
d) if it is publicly available as specified in the regulations;
e) when it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim;
f) where it is produced by individuals in the course of their employment, business or profession–as long as the collection is consistent with the purpose for which the information was produced; or
g) when an individual is employed by a federal work, undertaking or business and the collection is necessary to establish, manage or terminate an employment relationship. The employer must, however, inform individuals in advance that their personal information could be collected for such purposes.
4 Storage of Information
4.1 Electronic Storage
Valo has engaged third-party vendors to provide data processing and storage services. Security measures employed by the vendors include:
a) Secure card-key access, security desk check-in, and indoor and outdoor video systems;
b) HVAC and fire suppression N+1 redundant heating/chilling systems;
c) Very Early Smoke Detection Apparatus (VESDA);
d) Redundant power leveraging UPS and diesel generators;
e) Hardware settings configuration;
f) Troubleshooting and technical support, including but not limited to:
a. Server reboot; and
b. Hardware reconfiguration or replacement; and
g) Regular backup of information:
a. Incremental every hour;
b. Full backup daily; and
c. Backup retention for five (5) days.
The data center is located in Montreal, Quebec.
4.2 Record Retention
4.2.1 Breach of Copyright
Where Valo has received a notice of infringement from a copyright owner, Valo will keep records as required by law for the prescribed lengths of time.
4.2.2 Active Customers
While a party is an active Customer of Valo, all personal information that has been provided will be maintained by Valo.
4.2.3 Past Customers
Where a party was a past Customer of Valo – that is, they subscribed to a service in the past but are no longer receiving services from Valo – their financial, banking and payment information will be deleted from Valo’s records upon termination. Other information, such as service address, contact information, purchase history, etc., will be retained for 1 year unless the Customer expressly requests their records be deleted from Valo’s system. The mechanism for submitting such a request is described in Section 5.3.2 of this Policy.
4.2.4 Past Inquiries
Where a party made an inquiry for services but did not purchase services from Valo, their contact information will be retained for 6 months unless the Customer expressly requests their records be deleted from Valo’s system. The mechanism for submitting such a request is described in Section 5.3.2 of this Policy.
4.3 Record Destruction
When a Customer record has exceeded the retention periods described in Sections 4.2.3 and 4.2.4, or where a request for the deletion of a record has been received as per Section 5.3.3, Valo will remove the record from its system. In the case of an electronic record, the data will be erased.
5 Access to Information
5.1 Valo Employee Access
Valo employee access to information will be restricted according to the employee’s need. Special access may be granted on an as-needed basis by Valo’s President.
5.2 Customer Portal
Valo makes use of an online customer portal through which a customer can access their account details. Each customer will be assigned a unique username that is associated only with that customer’s account. The customer will also set a password as part of the account creation process. This username and password become part of the customer data retained by Valo and are subject to the same data protection measures implemented by Valo for all customer data.
5.3 Customer Requests
Valo will make an unsubscribe mechanism available to all recipients of commercial electronic messages (CEMs) distributed by Valo. The unsubscribe mechanism will be in a form that complies with applicable legislation and regulations. Upon receiving an unsubscribe request from a Customer, Valo will give effect to the request within ten (10) business days of the receipt of the request. The requestor’s contact address will be removed from the communication list(s) as specified in the request.
5.3.2 Personal Information on File
Individuals may, at any time, make a request in writing to Valo regarding any personal information that Valo has kept on file. This request may be made to the contact information provided in Section 1.2 of this Policy.
Once a written request has been received by Valo, Valo will make every reasonable effort to respond within thirty (30) days. Valo may extend the response time according to Subsection 8(4) of PIPEDA.
Valo may deny a request for disclosure of personal information if the exception conditions outlined in Section 9 of PIPEDA are met. In this case, reasons for the denial of the request will be provided to the requesting individual.
5.3.3 Deletion of Personal Information
An individual may request Valo delete their Personal Information that Valo has on file. Such a request must be made in writing to the contact information provided in Section 1.2 of this Policy. Valo will respond to the request in a timely manner.
5.4 Sharing with Third Parties
Valo does not sell Personal Information about its Customers, Employees and/or Web Site Users. Valo reserves the right to share Personal Information collected with its partners, associates, third-party vendors and other parties as Valo may deem appropriate in its sole but reasonable discretion from time to time. In such cases, the relationship with the partner, associate or third party is governed by strict confidentiality standards and policies to ensure the Customer’s Personal Information is secure and treated in accordance with PIPEDA and with the utmost care and respect.
An individual may, at any time, request that their personal information not be shared by Valo.
Under no circumstances will Valo share banking, payment or financial information of its Customers with any third party, unless required to in accordance with Section 5.5 of this Policy.
5.5 Disclosure Required by Law
Valo may from time to time receive requests from government organizations, including law enforcement agencies. These requests are individually reviewed internally by Valo. Valo will only disclose Personal Information in response to these requests when permitted by law, in accordance with PIPEDA.
5.6 Withdrawal of Consent
Consent may be withdrawn at any time, subject to legal or contractual restrictions and upon providing Valo reasonable notice. Requests to withdraw consent can be sent to the contact information provided in Section 1.2.
As certain Personal Information is required by Valo to provide its services, Valo may not be able to continue to provide services following the receipt of such a request. Valo will verify that this is the requestor’s desire in such situations. If Valo is no longer able to provide services as a result of withdrawal of consent, this shall be deemed a cancellation of the contract by the customer, and the customer will be required to pay any applicable early cancellation fee.
6.1 Submission of Complaint to Valo
Privacy complaints may be submitted to Valo at the contact information provided in Section 1.2 of this Policy.
6.2 Escalation and Resolution
Upon receiving notice of a privacy complaint, Valo will review and escalate the issue(s) as appropriate. This may include:
• Conducting an investigation, internal and/or external;
• Escalation to and notification of management and/or authorities, as appropriate;
• Implementation of emergency procedures; and
• Implementation of new preventative measures.
6.3 Submission of Complaints to Office of the Privacy Commissioner
The Office of the Privacy Commissioner of Canada (OPC) is independent of the Canadian government and has a mandate to oversee compliance with Canadian privacy laws.
Information on submitting a complaint, formal or informal, to the OPC can be found on their website at www.priv.gc.ca or by calling 1-800-282-1376.
7 Breach of Privacy
7.1 Response to Breach
If Valo discovers a breach of privacy, immediate action will be taken as this could become a serious issue. Various members of Valo will be involved and consulted as required.
7.2 Notification of Breach
7.2.1 Notification to OPC
Where a breach has been determined to present a real risk of significant harm to an individual, the breach must be reported to the OPC.
7.2.2 Real Risk of Significant Harm
While there is no explicit definition and threshold provided by the OPC on what constitutes a real risk of significant harm, the following general factors should be considered:
• the sensitivity of the Personal Information involved; and
• the probability the Personal Information has been/is/will be misused.
Whether a real risk of significant harm is present will vary on a case-by-case basis, the determination of which will be made at Valo’s discretion. Guidance criteria on this determination can be found in Appendix A to this Policy.
7.2.3 Notification to Affected Individuals
Individuals who are exposed to a real risk of significant harm as a result of the breach will be notified of the breach. The notification will be made in accordance with PIPEDA regulations and include:
• a description of the circumstances of the breach;
• the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
• a description of the personal information that is the subject of the breach to the extent that the information is known;
• a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
• a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
• contact information that the affected individual can use to obtain further information about the breach.
Notification will be made as soon as feasible after determining that the breach presents a real risk of significant harm.
Direct notification will be given unless:
• direct notification would be likely to cause further harm to the affected individual;
• direct notification would be likely to cause undue hardship for the organization; or
• the organization does not have contact information for the affected individual.
7.2.4 Notification to Authorities
Where and when it has been determined that a breach involves a real risk of significant harm and notification has been given to the affected individuals, Valo will also notify any government institutions or organizations that it believes can reduce the risk of harm that could result or mitigate the harm.
7.3 Record of Breach
Records of every breach of security safeguards involving Personal Information must be kept by Valo. The records must enable the OPC to verify compliance with breach of security safeguards reporting and notification requirements as specified in sections 10.1(1) and (3) of PIPEDA. Records should include, at minimum:
• date or estimated date of the breach;
• general description of the circumstances of the breach;
• nature of information involved in the breach; and
• whether or not the breach was reported to the Privacy Commissioner of Canada/individuals were notified.
A record of the determination of whether a real risk of significant harm was present or not must also be kept.
Records of breaches will be kept by Valo for 2 years.
8.1 Review of Policy
This Policy will be reviewed on an annual basis.
8.2 Updates to Policy
Updates to this Policy will be made annually, as required, in conjunction with its review. Updates may be made more frequently if determined appropriate or required.
8.3 Reference to Other Documents
This Policy makes reference to various other documents, both internal and external to Valo. As these other documents may be updated from time to time with or without Valo’s knowledge, the section number references made in this Policy may become inaccurate. In such situations, the content of sections in a referenced document will take precedence over the section number listed in this Policy.
Appendix A: Guidance for Determining whether a Breach Presents a Real Risk of Significant Harm
As stated by the OPC, factors relevant to determining whether a breach of security safeguards creates a real risk of significant harm to an individual include:
• the sensitivity of the Personal Information involved in the breach; and
• the probability that the Personal Information has been, is being, or will be, misused.
“Sensitivity” is not defined by PIPEDA, although some guidance is offered in Principle 4.3.4:[1]
Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.
The conditions of each breach will be unique and are a significant factor in determining what presents a real risk of significant harm. Consider:
• What type of information was obtained?
• What happened and how likely is it that someone would be harmed by the breach?
• Who actually accessed or could have accessed the personal information?
• How long has the personal information been exposed?
• Is there evidence of malicious intent (e.g., theft, hacking)?
• Were a number of pieces of personal information breached, thus raising the risk of misuse?
• Is the breached information in the hands of an individual/entity that represents a reputation risk to the individual(s) in and of itself? (e.g. an ex-spouse or a boss depending on specific circumstances)
• Was the information exposed to limited/known entities who have committed to destroy and not disclose the data?
• Was the information exposed to individuals/entities who have a low likelihood of sharing the information in a way that would cause harm? (e.g. in the case of an accidental disclosure to unintended recipients)
• Was the information exposed to individuals/entities who are unknown or to a large number of individuals, where certain individuals might use or share the information in a way that would cause harm?
• Is the information known to be exposed to entities/individuals who are likely to attempt to cause harm with it (e.g. information thieves)?
• Has harm materialized (demonstration of misuse)?
• Was the information lost, inappropriately accessed or stolen?
• Has the personal information been recovered?
• Is the personal information adequately encrypted, anonymized or otherwise not easily accessible?
[1] Found in Schedule 1 to PIPEDA.