PRIVACY POLICY
Core Community Pilates (“Core Community”) recognizes the importance of privacy and the sensitivity of personal information. Core Community is committed to respecting the privacy rights of all individuals, including employees, contractors, clients and other individuals involved with Core Community, by ensuring that their personal information is collected, used, and disclosed in accordance with applicable privacy legislation.
A. SCOPE
This privacy policy applies to all personal information collected, used, disclosed, and retained in any form by Core Community about our employees, contractors, clients and other individuals involved with Core Community.
Personal information includes any information about an individual that does or could identify an individual, including information relating to personal characteristics, physical description, activities or views. It does not include aggregated information that cannot be associated with a specific individual. Personal information also does not include name, title, or business contact information.
The application of this policy is subject to the requirements and provisions of applicable federal and provincial privacy legislation and any other applicable legislation or regulations. Core Community may change the terms of this policy from time to time and will make available any updated version of this policy.
B. PRINCIPLES
1. Accountability and Security
Core Community is accountable for personal information in its custody or control.
Core Community has implemented procedures to protect the privacy of personal information with safeguards appropriate to the sensitivity of the information . For example, Core Community will safeguard personal information in its custody or control from loss or theft and from unauthorized access, use, disclosure, copying or modification through appropriate security measures depending on the sensitivity, format and storage of the personal information. As well, Core Community will use care when destroying or disposing of personal information to prevent unauthorized access, use or disclosure of any personal information.
Core Community will seek assurances regarding the privacy of personal information that has been transferred to a third party for use or processing by requiring that those third parties safeguard all personal information as required by law.
Core Community employees and contractors with access to personal information are expected to respect the confidentiality of such information.
2. Notice and Consent
Core Community will generally obtain consent from individual employees, contractors, clients and others regarding the purpose for collection, use or disclosure of personal information before, or at the time it collects the personal information, except as required or otherwise permitted by law.
Consent may be express, deemed or implied. Consent can be implied where the purpose for collecting, using or disclosing the personal information would be considered obvious to a reasonable person, and where an individual voluntarily provides their personal information for that purpose. Consent may also be implied where an individual is given notice and a reasonable opportunity to opt out of their personal information being used or disclosed, and the individual does not opt out.
Except in limited circumstances, the consent of an individual may be withdrawn at any time by providing Core Community reasonable notice. These limited circumstances include where the personal information is required to provide the product or service, or the withdrawal of the consent would frustrate the performance of a legal obligation. The withdrawal of consent may restrict Core Community’s ability to provide a particular product or service— if this is the case, Core Community will explain the situation to assist the individual in making the decision.
Pursuant to applicable provincial legislation, Core Community will provide notice to its employees and contractors before collecting, using or disclosing personal information reasonably necessary for establishing, managing, or concluding the employment or contractor relationship. Notice may be express, constructive or implied in the circumstances.
In determining the appropriate form of consent, or notice if applicable, Core Community will consider the sensitivity of the personal information and the reasonable expectations of the individual in question.
In seeking consent or in giving notice of collection, Core Community will explain in plain language the purposes for which personal information will be collected, used or disclosed. The purposes may be expressed orally or in writing.
Core Community may collect personal information using a variety of means, including written and verbal communications and through its website.
Core Community collects, uses and discloses personal information for a variety of purposes, including:
(a) to understand the needs and preferences of employees, contractors, and clients;
(b) to develop, enhance, market or provide products and services to meet the needs or expectations of clients;
(c) to maintain complete and accurate client files for business purposes (e.g. communication with clients, marketing dissemination, and the delivery of products or services);
(d) to maintain complete and accurate employee and contractor files for management purposes;
(e) to manage and develop business and operations, including personnel and employment matters, and billing for goods and services;
(f) to meet legal and regulatory requirements;
(g) to comply with lawful requests from government agencies (e.g. Revenue Canada); and
(h) such additional purposes that are identified to an individual.
On request, persons collecting personal information will elaborate on the purpose or object for such collection or refer the individual to the designated person who can do so.
Core Community may also disclose personal information to third parties such as its agents, suppliers and/or service providers with whom it has contracted to provide certain services. The third parties will have access to personal information needed to perform their functions, but are only provided the limited amount of information required to perform their services or functions. When Core Community uses agents, suppliers and/or service providers, it requires them to protect personal information in accordance with the law and with the same or more stringent security and privacy standards than Core Community. Any such disclosure of personal information by Core Community to a third party will be conditional upon the information being used solely for the purpose for which it has been disclosed. If an individual does not wish Core Community to provide their personal information to a third party, there may be situations where Core Community will be unable to provide that individual with products and services.
Personal information will not be used or disclosed for any new purpose without first identifying the new purpose and providing notice to or obtaining the consent of the individual, as applicable, unless otherwise permitted by law.
In some circumstances, Core Community may collect, use or disclose personal information without notice or consent. Some examples include when:
(a) it is reasonable to expect that the collection with the consent of the individual would compromise the availability or the accuracy of the personal information and the collection is reasonable for an investigation or a proceeding;
(b) it is clearly in the individual’s best interest and the appropriate notice or consent cannot be obtained in a timely manner;
(c) there is an emergency that threatens an individual's life, health, or personal security;
(d) it is to a lawyer representing Core Community; and
(e) it is required or authorized by law.
3. Limiting Collection, Use, Disclosure, and Retention of Personal Information
Core Community only collects personal information which is reasonably necessary for its identified purposes, and will take reasonable steps to limit the amount and type of personal information it collects, uses, and discloses. Core Community will keep personal information for only as long as necessary for the identified purposes or as required by law.
If personal information has been used to make a decision about an employee or another individual, Core Community will keep the personal information for at least one year and, if necessary, a reasonably sufficient additional period to allow the individual to have access to it after the decision has been made. Subject to this one-year retention requirement, Core Community will only retain personal information for as long as necessary to fulfill the identified purposes, or for as long as required for a legal or business purpose.
Core Community will maintain controls, schedules, practices and procedures for retention and destruction of personal information.
4. Access, Openness, and Compliance
Core Community is open about its privacy policy and will make this policy available to employees, contractors, clients and to other individuals upon request. On request, Core Community will also advise if and how an individual can access their personal information.
Any individual may request to be informed of the existence, use and disclosure of personal information pertaining to them by making a written request to Core Community’s Privacy Officer. Employees can also seek access to their personal information by contacting their immediate manager or supervisor. The written request must provide sufficient detail to allow Core Community to identify the personal information being sought. Unless exempted by law, Core Community will provide the individual with access to their personal information under Core Community’s possession or control and an accounting of the collection, use and disclosure of his or her personal information.
Except for employee personal information, Core Community may charge a reasonable fee for access. Core Community may provide an estimate of the fee in advance and in some cases may require a deposit for all or part of the fee. The requesting individual may be asked to prove their identity.
Core Community will not disclose personal information that:
(a) could reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request;
(b) can reasonably be expected to cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
(c) would reveal personal information about another individual; and
(d) would reveal the identity of an individual who has provided personal information about another individual, such as reports, assessments, and reviews, and the individual providing the personal information does not consent to disclosure of his or her identity.
In some cases, Core Community may not provide access to personal information. Examples of when this may occur include where:
(a) it is work product information and/or disclosing the personal information could reveal confidential commercial or corporate information;
(b) the personal information is protected by solicitor-client privilege;
(c) the personal information is collected for purposes of an investigation or the information is the result of an arbitration, mediation, or other formal dispute resolution process;
(d) the request is frivolous or vexatious; and
(e) the denial of access is required or authorized by law.
If Core Community denies an individual’s request for access to personal information, Core Community will advise the individual of the reason for the refusal.
Core Community will use reasonable efforts to ensure that personal information is accurate and complete for the purposes for which it is to be used. An individual is permitted to challenge the accuracy and completeness of their personal information and, in appropriate circumstances, Core Community will amend its records. Any differences as to accuracy or completeness that cannot be resolved will be noted in the individual’s file, if applicable.
Employees and contractors are expected to comply with this policy at all times. In particular, employees and contractors must comply with this policy when handling the personal information of third parties in the course of their employment or engagement with Core Community, as applicable. Any breach of this policy by an employee is grounds for discipline and may result in termination of employment. Any breach of this policy by a contractor is grounds for termination of the individual’s engagement with Core Community.
Core Community will not disadvantage an individual because the individual, acting in good faith, has invoked or may invoke, the provisions of this policy or any applicable privacy legislation.