ThinkDox

ThinkDox Inc. Privacy Policy

Our Privacy Commitment to You

The ThinkDox Privacy Policy incorporates the provisions of Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) (Statutes of Canada 2000, Chapter 5) and includes the ten principles of the Canadian Standards Association (CSA) Model Policy for the Protection of Personal Information (CAN/CSA-Q830-96), which was published in March 1996 as a National Standard of Canada.

Introduction

ThinkDox Inc. is a Records Management company that specializes in paperless office technologies. ThinkDox Inc. is committed to the protection of all personal information under its custody and control while providing the right of access to information by PIPEDA. ThinkDox will continue to review its Privacy Policy to ensure it is relevant and remains current with changing technologies and laws. Most importantly, ThinkDox wants to ensure it continues to meet the evolving needs of our clients and employees.

Scope and Application

The scope and application of the ThinkDox Privacy Policy are as follows:
• The Policy applies to personal information about ThinkDox’s clients and employees that is collected, used, or disclosed by ThinkDox.
• The Policy applies to the management of personal information in any form whether oral, electronic or written.
• The Policy does not impose any limits on the collection, use, or disclosure of the following information by ThinkDox:
o a client’s name, address, telephone number & e-mail address, when listed in a directory or available through directory assistance;
o an employee’s name, title, business address (including e-mail address) or business telephone; or
o other information about the client or employee that is publicly available and is specified by regulation pursuant to the Personal Information Protection and Electronic Documents Act.
• The Policy does not apply to information regarding ThinkDox’s corporate clients; however, such information is protected by other ThinkDox policies and practices and through contractual arrangements.
ThinkDox supports the 10 principles that make up our Privacy Policy as endorsed by PIPEDA and the Canadian Standards Association (CSA) Fair Information Privacy Principles which outline the rules for the collection, use, and disclosure of personal information, as well as for providing access to personal information. These commitments are intended to foster a culture of privacy with respect to how ThinkDox collects, uses, discloses, secures, retains, and disposes of personal information and confidential records. They also ensure the right of individuals to have access to personal information about themselves and, as appropriate, to have it corrected.
The Principles are as follows:

Principle 1 – Accountability

ThinkDox is responsible for personal information under its control and shall designate one or more persons who are accountable for the company’s compliance with the following principles.
Responsibility for ensuring compliance with the provisions of the ThinkDox Privacy Policy rests with the senior management of ThinkDox which has designated the Chief Privacy Officer to be accountable for compliance with the Policy. Other individuals within ThinkDox may be delegated to act on behalf of the designated person(s) or to take responsibility for the day-to-day collection and processing of personal information.
ThinkDox shall make known, upon request, the title of the person or persons designated to oversee ThinkDox compliance with the ThinkDox Privacy Policy.
ThinkDox is responsible for personal information in its possession or control. ThinkDox shall use appropriate means to provide a comparable level of protection while information is being processed by a third party (see Principle 7).
ThinkDox shall implement policies and procedures to give effect to the ThinkDox Privacy Policy, including:
a) implementing procedures to protect personal information and to oversee ThinkDox’s compliance with the ThinkDox Privacy Policy;
b) establishing procedures to receive and respond to inquiries or complaints;
c) training and communicating to staff about ThinkDox’s policies and practices; and
d) developing public information to explain ThinkDox’s policies and practices.

Principle 2 – Identifying Purposes for Collection of Personal Information

ThinkDox shall identify the purposes for which personal information is collected at or before the time the information is collected.
ThinkDox collects personal information only for the following purposes:
a) to establish and maintain responsible commercial relations with clients and to provide ongoing service;
b) to understand client needs and preferences;
c) to develop, enhance, market or provide products and services;
d) to manage and develop ThinkDox’s business and operations, including personnel and employment matters; and
e) to meet legal and regulatory requirements.

Further references to “identified purposes” mean the purposes identified in this Principle. ThinkDox shall specify orally, electronically or in writing the identified purposes to the client or employee at or before the time personal information is collected.
Upon request, the persons collecting personal information shall explain these identified purposes or refer the individual to a designated person within ThinkDox who shall explain the purposes. Unless required by law, ThinkDox shall not use or disclose for any new purpose personal information that has been collected without first identifying and documenting the new purpose and obtaining the consent of the client or employee.

Principle 3 – Obtaining Consent for Collection, Use, or Disclosure of Personal Information

The knowledge and consent of a client or employee are required for the collection, use, or disclosure of personal information, except where inappropriate. In certain circumstances, personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, ThinkDox may collect or use personal information without knowledge or consent if it is clearly in the interests of the individual and consent cannot be obtained in a timely way, such as when the individual is seriously ill or mentally incapacitated. ThinkDox may also collect, use or disclose personal information without knowledge or consent if seeking the consent of the individual might defeat the purpose of collecting the information, such as in the investigation of a breach of an agreement or a contravention of a federal or provincial law.
ThinkDox may also use or disclose personal information without knowledge or consent in the case of an emergency where the life, health, or security of an individual is threatened.
ThinkDox may disclose personal information without knowledge or consent to a lawyer representing ThinkDox, to collect a debt, comply with a subpoena, warrant or other court order, or as may be otherwise required or authorized by law. In obtaining consent, ThinkDox shall use reasonable efforts to ensure that a client or employee is advised of the identified purposes for which personal information will be used or disclosed. Purposes shall be stated in a manner that can be reasonably understood by the client or employee. Generally, ThinkDox shall seek consent to use and disclose personal information at the same time it collects the information. However, ThinkDox may seek consent to use and disclose personal information after it has been collected, but before it is used or disclosed for a new purpose. ThinkDox will require clients to consent to the collection, use, or disclosure of personal information as a condition of the supply of a product or service only if such collection, use or disclosure is required to fulfill the identified purposes.
In determining the appropriate form of consent, ThinkDox shall take into account the sensitivity of the personal information and the reasonable expectations of its clients and employees. In general, the use of products and services by a client, or the acceptance of employment or benefits by an employee, constitutes implied consent for ThinkDox to collect, use and disclose personal information for all identified purposes. A client or employee may withdraw their consent at any time, subject to legal or contractual restrictions and reasonable notice. Clients and employees may contact ThinkDox for more information regarding the implications of withdrawing consent.

Principle 4 – Limiting Collection of Personal Information

ThinkDox shall limit the collection of personal information to that which is necessary for the purposes identified by the company. ThinkDox shall collect personal information by fair and lawful means. ThinkDox collects personal information primarily from its clients or employees. ThinkDox also collects personal information from other sources including credit bureaus, employers or personal references, or other third parties who represent that they have the right to disclose the information.

Principle 5 – Limiting Use, Disclosure, and Retention of Personal Information

ThinkDox shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. ThinkDox shall retain personal information only as long as necessary for the fulfillment of those purposes.
ThinkDox may disclose a client’s personal information to:
a) a person who in the reasonable judgment of ThinkDox is seeking the information as an agent of the client;
b) another company in ThinkDox’s line of business for the efficient and cost-effective provision of support and/or services;
c) a company involved in supplying the client with related services;
d) a company or individual employed by ThinkDox to perform functions on its behalf, such as research or data processing;
e) another company or individual for the development, enhancement, marketing, or provision of any of ThinkDox’s products or services;
f) an agent used by ThinkDox to evaluate the client’s creditworthiness or to collect the client’s account;
g) a credit reporting agency;
h) a public authority or agent of a public authority, if in the reasonable judgment of ThinkDox, it appears that there is imminent danger to life or property which could be avoided or minimized by disclosure of the information; and
i) a third party or parties, where the client consents to such disclosure or disclosure is required by law.

ThinkDox may disclose personal information about its employees:
a) for normal personnel and benefits administration;
b) in the context of providing references regarding current or former employees in response to requests from prospective employers; or
c) where the employee consents to such disclosure or disclosure is required by law.
Only ThinkDox employees with a business need to know, or whose duties reasonably so require, are granted access to personal information about clients and employees.
ThinkDox shall keep personal information only as long as it remains necessary or relevant for the identified purposes or as required by law. Depending on the circumstances, where personal information has been used to decide about a client or employee, ThinkDox shall retain, for a reasonably sufficient period to allow for access by the client or employee, either the actual information or the rationale for making the decision. ThinkDox shall maintain reasonable and systematic controls, schedules, and practices for information and records retention and destruction which apply to personal information that is no longer necessary or relevant for the identified purposes or required by law to be retained. Such information shall be destroyed, erased, or made anonymous.

Principle 6 – Accuracy of Personal Information

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
Personal information used by ThinkDox shall be sufficiently accurate, complete, and up to date to minimize the possibility that inappropriate information may be used to decide for a client or employee. ThinkDox shall update personal information about clients and employees as and when necessary to fulfill the identified purposes or upon notification by the individual.

Principle 7 – Security Safeguards

ThinkDox shall protect personal information by security safeguards appropriate to the sensitivity of the information. ThinkDox shall protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, through appropriate security measures. ThinkDox shall protect the information regardless of the format in which it is held. ThinkDox shall protect personal information disclosed to third parties by contractual agreements stipulating the confidentiality of the information and the purposes for which it is to be used. All of ThinkDox’s employees with access to personal information shall be required to respect the confidentiality of that information.

Principle 8 – Openness Concerning Policies and Practices

ThinkDox shall make readily available to clients and employees, specific information about its policies and practices relating to the management of personal information. ThinkDox shall make information about its policies and practices easy to understand, including:
a) the title and address of the person or persons accountable for ThinkDox’s compliance with the ThinkDox Privacy Policy and to whom inquiries or complaints can be forwarded;
b) the means of gaining access to personal information held by ThinkDox; and
c) a description of the type of personal information held by ThinkDox, including a general account of its use.
ThinkDox shall make available information to help clients and employees exercise choices regarding the use of their personal information and the privacy-enhancing services available from ThinkDox.

Principle 9 – Client and Employee Access to Personal Information

ThinkDox shall inform a client or employee of the existence, use, and disclosure of his or her personal information upon request and shall give the individual access to that information. A client or employee shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Upon request, ThinkDox shall afford clients and employees a reasonable opportunity to review the personal information in the individual’s file. Personal information shall be provided in an understandable form within a reasonable time, and at minimal or no cost to the individual.
In certain situations, ThinkDox may not be able to provide access to all the personal information that it holds about a client or employee. For example, ThinkDox may not provide access to information if doing so would likely reveal personal information about a third party or could reasonably be expected to threaten the life or security of another individual. Also, ThinkDox may not provide access to information if disclosure would reveal confidential commercial information, if the information is protected by solicitor-client privilege, if the information was generated in the course of a formal dispute resolution process, or if the information was collected in relation to the investigation of a breach of an agreement or a contravention of a federal or provincial law. If access to personal information cannot be provided, ThinkDox shall provide the reasons for denying access upon request.
Upon request, ThinkDox shall provide an account of the use and disclosure of personal information and, where reasonably possible, shall state the source of the information. In providing an account of disclosure, ThinkDox shall provide a list of organizations to which it may have disclosed personal information about the individual when it is not possible to provide an actual list. To safeguard personal information, a client or employee may be required to provide sufficient identification information to permit ThinkDox to account for the existence, use and disclosure of personal information and to authorize access to the individual’s file. Any such information shall be used only for this purpose.
ThinkDox shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file. Where appropriate, ThinkDox shall transmit to third parties having access to the personal information in question any amended information or the existence of any unresolved differences. Clients can seek access to their personal information by contacting a designated representative at ThinkDox business offices. Employees can seek access to their personal information by contacting their immediate supervisor within ThinkDox.

Principle 10 – Challenging Compliance

A client or employee shall be able to address a challenge concerning compliance with the above principles to the designated person or persons accountable for ThinkDox compliance with the ThinkDox Privacy Policy. ThinkDox shall maintain procedures for addressing and responding to all inquiries or complaints from its clients and employees about ThinkDox’s handling of personal information.
ThinkDox shall inform its clients and employees about the existence of these procedures as well as the availability of complaint procedures. The person or persons accountable for compliance with the ThinkDox Privacy Policy may seek external advice where appropriate before providing a final response to individual complaints. ThinkDox shall investigate all complaints concerning compliance with the ThinkDox Privacy Policy. If a complaint is found to be justified, ThinkDox shall take appropriate measures to resolve the complaint including, if necessary, amending its policies and procedures. A client or employee shall be informed of the outcome of the investigation regarding his or her complaint. A client or employee may seek advice from the Office of the Privacy Commissioner of Canada at 1-800-282-1376 or info@privcom.gc.ca and, if appropriate, file a written complaint with that office. However, the client or employee is encouraged to use ThinkDox internal information and complaint procedures first.
For more information on ThinkDox’s privacy practices, visit the ThinkDox Privacy website at www.thinkdox.com or call 1-866-692-4448.

Definitions

ThinkDox – ThinkDox Inc. is a records management company that specializes in paperless office technologies for its valued clients.
Collection – the act of gathering, acquiring, recording, or obtaining personal information from any source, including third parties, by any means.
Consent – voluntary agreement with the collection, use, and disclosure of personal information for defined purposes. Consent can be either express or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically, or in writing, but is always unequivocal and does not require any inference on the part of ThinkDox. Implied consent is consent that can reasonably be inferred from an individual’s action or inaction.
Client – an individual who uses, or applies to use, ThinkDox products or services.
Disclosure – making personal information available to a third party.
Employee – an employee of ThinkDox.
Personal information – information about an identifiable client or employee but does not include aggregated information that cannot be associated with a specific individual. For a client, such information includes a client’s credit information, billing records, service and equipment, and any recorded complaints. For an employee, such information includes information found in personal employment files, performance appraisals, and medical and benefits information, but does not include the employee’s name, title, business address (including e-mail address), or business telephone numbers.
Third-party – an individual or organization outside ThinkDox.
Use – the treatment, handling, and management of personal information by and within ThinkDox.