1. Accountability

6. Accuracy

Polar is responsible for personal information under its control and will designate a Privacy Officer who is accountable for Polar’s compliance with the principles of the PIPEDA and the Company SP Policy.

Personal information will be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

2. Identifying Purposes

7. Safeguards

The purposes for which personal information is collected will be identified by Polar at or before the information is collected.

Security safeguards appropriate to the sensitivity of the information will protect personal information.

3. Consent

8. Openness

The knowledge and consent of the Customer or Employee are required for the collection, use, or disclosure of personal information, except in specific circumstances as described within the SP Policy.

Polar will make readily available specific, understandable information about its policies and practices relating to the management of personal information.

4. Limiting Collection

9. Inspanidual Access

The collection of personal information will be limited to that which is necessary for the purposes identified by Polar. Information shall be collected by fair and lawful means.

Upon request, a Customer or Employee will be informed of the existence, use, and disclosure of their personal information, and will be given access to that information. A Customer or Employee is entitled to challenge the accuracy and completeness of the information and have it amended as appropriate.

5. Limiting Use, Disclosure, and Retention

10. Compliance

Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the Customer, Employee or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.

A Customer or Employee will be able to question compliance with the above principles to Polar’s Privacy Officer. Polar will have policies and procedures to respond to the Customers or Employees questions and concerns.

Collection

The act of gathering, acquiring, or obtaining personal information from any source, including Third Parties, by any means.

Consent

Voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of Polar. Implied consent arises where consent may reasonably be inferred from the action or inaction of the Customer or Employee.

Customer

Includes inspaniduals, partnerships, and corporations who receive product and/or services from Polar.

Disclosure

Making personal information available to others outside Polar.

Employee

Includes inspaniduals who receive financial remuneration from Polar, regular, part-time, casual, contract, and temporary.

Organization

Includes an organization, partnership, association, business, charitable organization, club, government body, institution, professional practices and unions.

Privacy Officer

The person within Polar who is responsible for overseeing the collection, use, disclosure and protection of Customer or Employee personal information, and Polar’s day-to-day compliance with the SP Policy.

Personal information

Any information that is about or can be linked to an identifiable inspanidual, such as age, name, weight, height, gender, ID numbers, income, martial status, race, ethnic origin, nationality, religious or political beliefs, social status, medical records, education, employment or criminal records, employee files, disciplinary action, loan or credit records, internet browsing logs, existence of a dispute between a consumer and a merchant, and intentions (For example: to acquire goods, or change jobs). 

Third Party

Any person or organization other than Polar and the Customer or Employee.

Subsidiary

A company or organization wholly-owned or controlled by Polar.

Use

The treatment and handling of personal information within Polar.

­Any applicable federal & provincial government Privacy Act exclusions: Such as

An employee’ s name, title, business address, telephone number, faxes number, and email address.

Business information, such as business name, address, telephone number, fax number, and email address.

Principle 1 - Accountability

Polar is responsible for personal information under its control and will designate a Privacy Officer who is accountable for Polar’s compliance with the principles of the SP Policy.

1.1 ultimate accountability for Polar’s compliance with the principles rests with Polar’s Board of Directors. Other persons within Polar may be accountable for the day-to-day collection and processing of personal information, or to act on behalf of the Privacy Officer.

1.2 Polar will identify to its Employees the Privacy Officer, and to others, where appropriate.

1.3 Polar is responsible for personal information in its control. Polar will use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

1.4 Polar will implement policies and procedures to give effect to the principles, including:

• Procedures to protect personal information
• Procedures to receive and respond to concerns and inquiries
• Training staff to understand and follow Polar’s policies and procedures
• Annual review of the effectiveness of polices and procedures to ensure compliance with the SP Policy and consideration of any revisions as deemed appropriate.

Principle 2 - Identifying Purposes

The purposes for which personal information is collected will be identified by Polar when or before the information is collected.

2.1 Polar will document the purposes for which personal information is collected prior to the information being collected.

2.2 Polar will make reasonable efforts to ensure that Customers and Employees are aware of the purposes for which personal information is collected, including any disclosures to third parties.

2.3 The identified purposes should be specified to the person from whom the personal information is being collected. This can be done orally, electronically or in writing. A memo with the purposes highlighted, for example, may give notice of the purposes.

2.4 When personal information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use. Unless law requires the new purpose, the consent of the Customer or Employee is required before information can be used for that purpose.

2.5 Identifying the purposes for which personal information is being collected at or before the time of collection also defines the information needed to fulfill these purposes. Polar will collect personal information for the following purposes:

• To understand Customers needs for products and services
• To open, maintain and administer charge (credit) accounts for inspaniduals, partnerships, and corporations
• To process COD orders or payment on account where a personal cheque or credit card number has been provided
• To identify chattels pledged and/or the officers of a corporation who may be providing personal security
• To track and exercise legal options on inspaniduals and business owners that have defaulted in their payment obligations
• To meet personnel requirements
• Comply with legal and regulatory requirements

2.6 For the purposes above, Polar may need to share your personal information with third parties. These other parties commonly include:

• Credit agencies
• Trade references
• Insurance agencies
• Credit personnel within the Company
• Financial institutions when conducting reference checks
• Potential employers
• Legal counsel retained by the Company
• When required by court order

Principle 3 - Consent

The knowledge and consent of the Customer or Employee is required for the collection, use, or disclosure of personal information, except in specific circumstances as described within the SP Policy.

Note: In certain circumstances personal information may be collected, used, or disclosed without the knowledge or consent of the Customer or Employee. These circumstances include, but are not limited to:

• Where clearly in the interests of the Customer or Employee and consent cannot be obtained in a timely way
• To avoid compromising information availability or accuracy and if reasonable to investigate a breach of an agreement or a contravention of the laws of Canada or a province
• Where the information is considered by law to be publicly available
• To act in respect of an emergency that threatens the life, health or security of a Customer or Employee;
• To investigate an offence under the laws of Canada, a threat to Canada's security, to comply with a subpoena, warrant or court order, or rules of court relating to the production of records, or otherwise as required by law.

3.1 Consent is required for the collection of personal information and the subsequent use or disclosure of this information. In certain circumstances, consent may be sought after the information has been collected but before use (for example, when existing information is to be used for a purpose not previously identified). Polar may be required to collect, use, or disclose personal information without Customer or Employee consent for certain purposes, including the collection of overdue accounts, and legal or security reasons.

3.2 The principle requires "knowledge and consent". Polar will make a reasonable effort to ensure that Customers and Employees are aware of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the Customer or Employee can reasonably understand how the information will be used or disclosed.

3.3 Polar will not, as a condition of the supply of a product or service, require a Customer or Employee to consent to the collection, use, or disclosure of information beyond that required to fulfill explicitly specified and legitimate purposes.

3.4 In determining the form of consent to use, Polar will take into account the sensitivity of the information. Although some information (for example, medical and financial records) is almost always considered to be sensitive, any information can be sensitive depending on the context.

3.5 In obtaining consent, the reasonable expectations of the Customer or Employee are relevant. For example, Customers and Employees dealing with Polar should reasonably expect Polar to periodically supply information on Company developments, products and services, and to provide ongoing services. Similarly, further consent will not be required when personal information is transferred to agents of Polar to carry out functions such as data processing. In this case, Polar can assume that the Customer or Employee’s request constitutes consent for specifically related purposes. On the other hand, a Customer or Employee would not reasonably expect that personal information given to Polar would be given to a third party company selling insurance products, unless consent was obtained. Consent will not be obtained through deception.

3.6 The way in which Polar seeks consent may vary, depending on the circumstances and the type of information collected. Polar will seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive.

3.7 Customers or Employees can give consent:

• In writing, such as when completing and signing an credit application, by mail, fax, or the Internet
• Through inaction, such as failing to check a box indicating that they do not wish their names and addresses to be used for optional purposes
• Orally, such as when information is collected over the telephone or in person
• Implied, such as at the time they request or use a product or service
• Through an authorized representative (such as a legal guardian, a person having power of attorney, company officer)

3.8 A Customer or Employee may withdraw consent at any time, subject to legal or contractual restrictions, provided that:

• Reasonable notice of withdrawal of consent is given to Polar
• Consent does not relate to a credit product requiring the collection and reporting of information after credit has been granted
• The withdrawal of consent is in writing and includes understanding by the Customer or Employee that withdrawal of consent could mean that Polar cannot provide the Customer with a related product, service or information of value or the Employee with employment. Polar will inform the Customer or Employee of the implications of such withdrawal.

Principle 4 - Limiting Collection

The collection of personal information will be limited to that which is necessary for the purposes identified by Polar. Information will be collected by fair and lawful means.

4.1 Polar will not collect personal information indiscriminately. Polar will specify both the amount and the type of information collected, limited to that which is necessary to fulfill the purposes identified, in accordance with Polar’s policies and procedures.

4.2 Polar will collect personal information by fair and lawful means, and not by misleading or deceiving Customers or Employees about the purpose for which information is being collected.

Principle 5 - Limiting Use, Disclosure, and Retention

Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the Customer or Employee or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.

5.1 When Polar uses personal information for a new purpose, the purpose will be documented.

5.2 Polar will maintain guidelines and procedures with respect to the retention of personal information. These guidelines include minimum and maximum retention periods. Personal information that has been used to make a decision about a Customer or Employee will be retained long enough to allow the Customer or Employee access to the information after the decision has been made. Polar may be subject to legislative requirements with respect to retention of records.

5.3 Subject to any requirement to retain records, personal information that is no longer required to fulfill the identified purposes will be destroyed, erased, or made anonymous. Polar will develop guidelines and implement procedures to govern the destruction of personal information.

5.4 Polar will protect the interests of Customers and Employees by taking reasonable steps to ensure that:

• Orders or demands comply with the laws under which they were issued
• Only the personal information that is legally required is disclosed and nothing more
• Without consent, casual requests for personal information are denied

Polar will make reasonable efforts to notify Customers and Employees that an order has been received, if not contrary to the security of Polar and if the law allows it. Notification may be in person, by telephone, or by letter to a Customer or Employee’s usual address.

5.5 An Employee’s health records at Polar may be used for employment purposes and related insurance purposes. An Employee’s health records will not be collected from, or disclosed to, any other organization.

Principle 6 - Accuracy

Personal information will be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

6.1 The extent to which personal information will be accurate, complete, and up-to-date will depend upon the uses of the information, taking into account the interests of the Customer or Employee. Polar relies on Customers and Employees to keep certain personal information, such as address information, accurate, complete and up-to-date. Information will be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about a Customer or Employee.

6.2 Polar will not routinely update personal information, unless such a process is necessary to fulfill the purposes for which the information was collected.

6.3 Personal information that is used on an on-going basis, including information that is disclosed to third parties, will generally be accurate and up-to-date unless limits to the requirement for accuracy are clearly set out.

Principle 7 - Safeguards

Security safeguards appropriate to the sensitivity of the information will protect personal information. Polar will apply the same standard of care as it applies to safeguard its own confidential information of a similar nature.

7.1 The security safeguards will protect personal information against loss or theft, as well as unauthorized access, use, copying, modification, disclosure or disposal. Polar will protect personal information regardless of the format in which it is held.

7.2 The nature of the safeguards will vary depending on the sensitivity, amount, distribution and format of the information, and the method of storage. A higher level of protection will safeguard more sensitive information.

7.3 The methods of protection will include:

• Physical measures, for example, locked filing cabinets and restricted access to offices
• Organizational measures, for example, controlling entry to data centers and limiting access to information to a "need-to-know" basis
• Technological measures, for example, the use of passwords, encryption, and firewalls
• Investigative measures, in cases where Polar has reasonable grounds to believe that personal information is being inappropriately collected, used or disclosed.

7.4 Polar will periodically remind employees, officers and directors of the importance of maintaining the confidentiality of personal information.

7.5 Care will be taken in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.

7.6 Third parties will be required to safeguard personal information disclosed to them in a manner consistent with the policies of Polar. Examples include group insurance provider, credit collection, and credit bureaus.

Principle 8 - Openness

Polar will make readily available specific, understandable information about its policies and procedures relating to the management of personal information.

8.1 Polar will be open about privacy policies and procedures with respect to the management of personal information and will make them readily available in a form that is generally understandable.

8.2 The information made available will include:

• The name or title, and the address of the Privacy Officer who is accountable for compliance with Polar’s policies and procedures and to whom inquiries or complaints can be forwarded
• The means of gaining access to personal information held by Polar
• A description of the type of personal information held by Polar, including a general account of its uses
• A copy of any brochures or other information that explains Polar’s policies, procedures, standards or codes
• The types of personal information made available to related organizations such as subsidiaries or other suppliers of services

8.3 Polar may make information on its policies and procedures available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, Polar may choose to mail information to Customers, provide on-line access, or establish a toll-free telephone number.

Principle 9 - Inspanidual Access

Upon request, a Customer or Employee will be informed of the existence, use, and disclosure of their personal information, and will be given access to that information. A Customer or Employee is entitled to challenge the accuracy and completeness of the information and have it amended as appropriate.

Note: In certain situations, Polar may not be able to provide access to all the personal information it holds about a Customer or Employee. Exceptions to the access requirement will be limited and specific. The reasons for denying access include, but are not limited to the following:

• Providing access would likely reveal personal information about a third party, unless such information can be severed from the record or the third party consents to the disclosure, or the information is needed due to a threat to life, health or security
• The personal information has been requested by a government institution for the purposes of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out any investigation related to the enforcement of any law, the administration of any law, the protection of national security, the defense of Canada or the conduct of international affairs
• The information is protected by solicitor-client privilege
• Providing access would reveal confidential commercial information, provided this information cannot be severed from the file containing other information requested by the Customer or Employee
• Providing access could reasonably be expected to threaten the life or security of another person, provided this information cannot be severed from the file containing other information requested by the Customer or Employee
• The information was collected without the knowledge or consent of the Customer or Employee for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province
• The information was generated in the course of a formal dispute resolution process

9.1 Upon request, Polar will inform a Customer or Employee of the existence, use, disclosure, and source of personal information about the Customer or Employee held Polar, and will allow the Customer or Employee access to this information. However, Polar may choose to make sensitive medical information available through a medical practitioner.

9.2 For Polar to provide an account of the existence, use, and disclosure of personal information held by Polar, a Customer or Employee may be asked to provide sufficient information and identification to aid in the search. The additional information provided will only be used for this purpose.

9.3 In providing an account of third parties to which it has, or may have, disclosed personal information about a Customer or Employee, Polar will be as specific as possible, including a list of third parties.

9.4 Polar will respond to a Customer or Employee’s request within a reasonable time and at no cost, or reasonable cost, to the Customer or Employee. The requested information will be provided or made available in a form that is generally understandable. For example, if Polar uses abbreviations or codes to record information, an explanation will be provided.

9.5 When a Customer or Employee successfully demonstrates the inaccuracy or incompleteness of personal information, Polar will amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information will be transmitted to third parties having access to the information in question.

9.6 When a challenge is not resolved to the satisfaction of a Customer or Employee, the substance of the unresolved challenge will be recorded by Polar. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.

Principle 10 - Challenging Compliance

A Customer or Employee will be able to question compliance with the above principles to Polar’s Privacy Officer. Polar will have policies and procedures to respond to a Customer or Employee’s questions and concerns.

10.1 The name of the Privacy Officer will be known to staff. Customers can request Information on how to contact the Privacy Officer.

10.2 Polar will maintain procedures to receive and respond to inquiries or complaints about their policies and procedures relating to the handling of personal information. The complaint procedures will be easily accessible and simple to use.

10.3 Members who make inquiries or lodge complaints will be informed by Polar of the existence of relevant complaint procedures. Polar will also inform Customers and Employees of their right to file a complaint with the Privacy Commissioner of Canada.

10.4 Polar will investigate all complaints. If a complaint is justified, Polar will take appropriate measures, including revision of the personal information and, if necessary, amending Polar’s policies and procedures.