Privacy policy.

Pehta’s Privacy Guidelines incorporate the provisions of Part 1 of the Personal Information and Electronic Documents Act (PIPEDA - Government of Canada), the principals of the Personal Information Protection Act (PIPA - Government of Alberta) and the ten principles of the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information.

Application of Privacy Principles

1. RESPONSIBILITY

Pehta has appointed a Privacy Officer who is responsible for ensuring compliance with Pehta’s Privacy Policy and Guidelines. Responsibility rests with the Privacy Officer even though other individuals within Pehta’s may be responsible for the day-to-day collection and processing of personal information.

Pehta is responsible for all personal information in its possession or control, including information that has been transferred to a third-party for processing. Pehta’s will use contracts or other means to provide an appropriate level of protection when a third-party processes information on behalf of the company.

Pehta will, from time to time, enhance our processes and procedures to maintain our commitment to privacy, including:

· Procedures to protect personal information;

· Procedures to receive and respond to complaints and inquiries;

· Communications and training programs to provide information to Pehta staff about privacy policies and practices.

2. IDENTIFYING PURPOSES

Pehta will identify & document how and why personal information will be used at or before the time the information is collected.

Pehta will only collect information necessary to perform the activities outlined.

Pehta will articulate through verbal, electronic or written means - the purpose for the collection of the personal information at or before the time for which personal information is collected.

When personal information is collected for a new means - not previously identified – we will engage the affected individual(s) prior to use. In such cases, the consent of the individual is required before the information is used for a new purpose.

Pehta collects personal/contact information in order to:

· Manage customer accounts;

· Follow-up with individuals to determine their interest in the products and services provided by Pehta and inform them of new products, services or promotions;

· Screen individuals for employment, volunteer or contracting suitability;

· Manage and administer personnel (including performance appraisals, security, access control and disciplinary measures);

· Manage and administer compensation and benefits programs;

· Administer payroll;

· Administer occupational health and safety programs;

· Monitor and track skills and competency development;

· Meet legal and regulatory requirements (e.g. Employment Standards Legislation, Canada Customs and Revenue Agency reporting requirements);

· Facilitate Pehta audits when required to do so;

· Provide contact information of Pehta staff and volunteers to Pehta insurers;

· Provide such information as may be required for administration of Pehta programs.

Pehta is not responsible for the management of Personal Information collected by its customers through use of Pehta products and services. However, Pehta employs reasonable measures to ensure the safety and protection of its customers’ information. Pehta employs strict policies and procedures to protect and maintain the confidentiality of this information. These measures are outlined in the contracts signed by Pehta customers. Furthermore, Pehta considers all information collected by its customers as confidential and does not access or use its customer’s information other than for data maintenance, auditing or trend analysis (e.g. benchmarking).

3. CONSENT

Pehta uses reasonable efforts to ensure that individuals understand how their personal information will be used. Pehta obtains consent as required for the collection, use and disclosure of personal information.

When determining the form of consent, Pehta considers the sensitivity of the information and the reasonable expectations of the individual. Express consent will be obtained when the information is likely to be considered sensitive; implied consent may be appropriate when information is less sensitive. Consent may also be given through an individual’s authorized representative (such as a legal guardian or a person having power of attorney).

Pehta obtains consent for the collection, use or disclosure of information through various means, including verbal, written (e.g. signed forms) or electronic processes.

In rare circumstances, Pehta may collect and use personal information without the individual’s knowledge or consent. For example:

· If consent cannot be obtained in a timely way (e.g. when the individual is seriously ill);

· If obtaining prior consent would defeat the purpose of collecting the information (e.g. in the investigation of alleged criminal activity);

· In the case of an emergency where the life, health or security of the individual is threatened.

Pehta generally seeks to obtain consent at the same time personal information is collected. Pehta may, however, seek consent to use and disclose personal information after it has been collected, but before it is used or disclosed for a new purpose (e.g. before disclosing board member information to a funding organization, if this purpose was not previously contemplated).

Consent may be withdrawn at any time, subject to legal or contractual restrictions and reasonable notice. Pehta and/or the Privacy Officer informs individuals of the implications for withdrawing consent.

4. LIMITING COLLECTION

Pehta limits the amount and type of personal information collected to that which is necessary for the identified purpose.

Pehta collects information by fair and lawful means.

Pehta may collect the following information from employees, contractors and suppliers:

· Demographic and contact information including home address and telephone number, date of birth, and social insurance number;

· Training, experience and skills as necessary to establish competence, and regulatory, employer or industry standards compliance;

· Education and employment history;

· Banking or financial information;

· Health information;

· Security background checks, as required.

Pehta may collect the following personal information from customers of Pehta:

· Names and contact information, including home address and telephone numbers;

· Indigenous partnership, indigenous community, indigenous spend, indigenous performance data, assessments, audits and, and any other relevant audit documentation;

· Demographic information about customer(s) for Pehta programs, including number and ages of employees, and interest in programs or facilities for system planning purposes;

· Financial information, if members involved in programs with financial eligibility requirements, or where payment is required for programs or services;

· Limited medical information for members or employees of members participating in business activities.

Pehta may collect personal information through the following means:

· Solicited and unsolicited resumes and correspondence;

· Completed application forms (paper or on-line format) for employment, benefits, grants and bursaries, volunteer opportunities, business and other program registrations, etc.;

· Worksite audits, inspections and assessments in person and through telephone interviews;

· Online forms through the website.

5. LIMITING USE, DISCLOSURE AND RETENTION

Pehta does not use or disclose personal information other than for the purpose for which it was collected, except with the consent of the individual or as required by law.

Notwithstanding the above, Pehta may disclose personal information without consent:

· To a lawyer representing Pehta;

· To a company or individual employed by Pehta to perform functions on its behalf (e.g. outsourced information processing function, administration of health services plan);

· In order to collect a debt owed by the individual to Pehta;

· To comply with a subpoena, warrant or court order;

· As required or authorized by law (e.g. Employment Standards Legislation);

· When the information is publicly available (e.g. telephone directory information);

· To a public authority in the event of imminent danger to any individual.

Pehta obtains consent for all other disclosures of personal information for purposes other than those for which the information was initially collected (e.g. to provide references regarding current or former employees. Pehta does not require consent to confirm an individual’s employment record (e.g. confirm years of employment, and position held).

Only Pehta employees, contractors or volunteers with a business need-to-know, or whose duties so require, are granted access to personal information.

Pehta has developed guidelines and implemented procedures with respect to the retention of personal information. Pehta retains personal information only as long as it is necessary for the identified purpose, or as required by law. Where personal information is used to make a decision about an individual, Pehta retains the information, or the rationale for making the decision, long enough to allow the individual access to the information after the decision has been made.

Personal information that is no longer required to fulfill the identified purposes or required by law to be retained is destroyed, erased or made anonymous.

6. ACCURACY

Pehta provides our best efforts to ensure that personal information collected, used and disclosed is as accurate, complete and up-to-date as necessary for the intended purpose.

Personal information is kept sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the subject individual.

Pehta updates personal information as and when necessary to fulfill the identified purpose or upon notification by the individual who is the subject of the information.

7. SAFEGUARDS

Pehta protects personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, regardless of the format in which it is held.

Pehta has developed and implemented information security policies and procedures that outline physical, organizational, and technological measures in place to protect personal information as appropriate to the sensitivity of the information. These same measures are employed in the safeguarding and protection of information resources of Pehta customers.

Pehta protects personal information disclosed to, or processed by third-parties by contractual agreements which address the following as necessary:

· Identifying the types of records provided, collected, created or maintained in order to deliver the service, and specifying any applicable privacy legislation;

· Stipulating the confidentiality of the information and the purposes for which it is to be used;

· Identifying the organization(s) having custody and control of the records, including the responsibility and process for handling requests for access to information;

· Ensuring that third-parties and their employees having access to Pehta and information assets are aware of, and understand their responsibility to adhere to Pehta information handling and security policies, including maintaining the confidentiality of personal information;

· Ensuring that Pehta has access to information produced, developed, recorded or acquired by third-parties as a result of the contract, including timely access in response to requests for information, and specifying that third-parties shall not deny access to, or retain custody of, personal information because of late or disputed payment for services;

· Requiring third-parties to report breaches of confidentiality and privacy to Pehta Privacy Officer within 48 hours of knowing that the breach occurred;

· Addressing disaster recovery and backup of any information assets and systems in the custody of the third-party;

· Addressing the disposition (e.g. destruction or return) of all of Pehta information assets (e.g. records, hardware, system documentation) upon termination of the contract;

· Specifying any audit or enforcement measures that Pehta will undertake to ensure that third-parties comply with information handling and security provisions outlined in contractual agreements (for example, non-disclosure agreements, audit trails, regular review of third-party access requirements, inspection of third-party premises).

Pehta ensures that all employees and volunteers are aware of its privacy policies and procedures, and understand the importance of maintaining the confidentiality of personal information.

Care shall be taken in the disposal or destruction of personal information to prevent unauthorized parties from obtaining access to the information.

8. OPENNESS

Upon request, Pehta makes available specific information about its policies and practices relating to the management of personal information, including:

· The means of gaining access to personal information held by Pehta;

· Identification of personal information held by Pehta and a general account of its use;

· Pehta Privacy Policy, Guidelines and related procedures are posted and available on our website;

· Reference to the statement of Pehta Privacy Policy on Pehta website, if applicable.

To make an inquiry or lodge a complaint about Pehta personal information handling policies and procedures, contact:

Pehta Privacy Officer Suite 601, 10526 Jasper Ave. Edmonton, Alberta Canada T5J1Z7 privacy@pehta.com

9. INDIVIDUAL ACCESS

Upon request, Pehta provides individuals with access to their personal information held by the company. Individuals have the right to challenge the accuracy and completeness of their personal information held by Pehta, and to have it amended as appropriate.

All requests by individuals (e.g. customers, employees, volunteers, contractors) to access their personal information held by Pehta, or to correct or amend their personal information, should be directed to the designated Privacy Officer. Such requests should be in writing.

Pehta responds to requests for access to personal information within 45 calendar days.

Responding to an individual’s request for information is usually done at no or minimal cost to the individual. However, a fee for reasonable costs incurred may be charged when responding to more complex requests, provided the individual is informed in advance.

In order to safeguard personal information, Pehta may request sufficient information from the individual to verify that person’s identity.

Limitations to Individual Access

Pehta provides individuals access to their personal information, subject to limited and specific exceptions. Pehta will refuse access to personal information if:

· Pehta has disclosed information to a government institution for law enforcement or national security reasons;

· It would reveal personal information about a third-party unless there is consent or a life-threatening situation;

· Doing so could reasonably be expected to threaten the life or security of another individual;

· The disclosure would reveal confidential commercial information;

· The information is protected by solicitor-client privilege;

· If access to information is refused, Pehta shall, in writing, inform the individual of the refusal, the reason(s) for the refusal, and any recourse the individual may have to challenge Pehta decision.

Correction/Amendment of Personal Information

Pehta corrects or amends personal information as required when an individual successfully demonstrates the inaccuracy or incompleteness of the information. Amendment may involve the correction, deletion, erasure, or addition to any personal information found to be inaccurate or incomplete.

Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file. Where appropriate, Pehta shall inform any third-parties having access to the personal information in question as to any amendments, or the existence of any unresolved differences between the individual and Pehta.

10. CHALLENGING COMPLIANCE

Pehta investigates all complaints concerning compliance with its Privacy Policy, Guidelines and practices, and responds within 45 days of receipt of a complaint. If a complaint is found to be justified, Pehta takes appropriate measures to resolve the complaint including, if necessary, amending its policies and procedures. Individuals shall be informed of the outcome of the investigation regarding their complaint.

Complainants may address inquiries or complaints concerning compliance with these policies or guidelines by contacting Pehta Privacy Officer as set out in these Guidelines under Principle 8 (Openness). A complaint may also be addressed in writing to the Privacy Commissioner of Canada at 112 Kent Street, Ottawa, Ontario, K1A 1H3 -or- to the Office of the Information and Privacy Commissioner of Alberta, #410 - 9925 - 109th Street, Edmonton, AB, T5K 2J8, 780-422-6860, www.oipc.ab.ca..