Personal & Application Information Protection Policy
CloudMask is committed to safeguarding the personal information entrusted to us by our clients. We manage your personal information in accordance with Ontario’s Personal Information Protection Act and other applicable laws.
We also interact with our clients' 3rd party applications in order to discover and protect sensitive data. This policy outlines the principles and practices we follow in protecting your personal information as well as application data.
This policy applies to CloudMask and to any person providing services on our behalf. A copy of this policy is provided to any client on request.
What is personal information?
Personal information means information about an identifiable individual. This includes an individual’s name, home address and phone number, age, sex, marital or family status, an identifying number, financial information, educational history, etc.
What personal information do we collect?
We collect only the personal information that we need for the purposes of providing services to our clients, including personal information needed to:
- deliver requested products and services
- enrol a client in a program
- send out association membership information
We normally collect client personal information directly from our clients. We may collect your information from other persons with your consent or as authorized by law.
We inform our clients, before or at the time of collecting personal information, of the purposes for which we are collecting the information. The only time we don’t provide this notification is when a client volunteers information for an obvious purpose (for example, producing a credit card to pay a membership fee when the information will be used only to process the payment).
How do we protect 3rd party application data?
In order to discover and encrypt sensitive data, we require access to 3rd party applications, such as Gmail, Google Drive, MS Office 365, etc. Data fetched from 3rd party applications is used only for the purpose of detecting and encrypting sensitive data.
In cases where encryption is performed on the user device, plain text data is never transmitted over the network. When detection or encryption is delegated to our servers, CloudMask never stores such data and instead performs necessary encryption in-memory and writes the result back to the 3rd party application. As always, CloudMask does not have access to the keys necessary to reverse the encryption process.
Use of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements.
We ask for consent to collect, use or disclose client personal information, except in specific circumstances where collection, use or disclosure without consent is authorized or required by law. We may assume your consent in cases where you volunteer information for an obvious purpose.
We assume your consent to continue to use and, where applicable, disclose personal information that we have already collected, for the purpose for which the information was collected.
We ask for your express consent for some purposes and may not be able to provide certain services if you are unwilling to provide consent to the collection, use or disclosure of certain personal information. Where express consent is needed, we will normally ask clients to provide their consent orally (in person, by telephone), or in writing (by signing a consent form).
In cases that do not involve sensitive personal information, we may rely on “opt-out” consent. For example, we may disclose your contact information to other organizations that we believe may be of interest to you, unless you request that we do not disclose your information. You can do this by checking the appropriate box on our application form or by telephoning our local number/toll-free number.
A client may withdraw consent to the use and disclosure of personal information at any time, unless the personal information is necessary for us to fulfil our legal obligations. We will respect your decision, but we may not be able to provide you with certain products and services if we do not have the necessary personal information.
We may collect, use or disclose client personal information without consent only as authorized by law. For example, we may not request consent when the collection, use or disclosure is to determine suitability for an honour or award, or in an emergency that threatens life, health or safety.
How do we use and disclose personal information?
We use and disclose client personal information only for the purpose for which the information was collected, except as authorized by law. For example, we may use client contact information to deliver goods.
If we wish to use or disclose your personal information for any new business purpose, we will ask for your consent. We may not seek consent if the law allows this (e.g. the law allows organizations to use personal information without consent for the purpose of collecting a debt).
What is personal employee information?
Personal employee information is personal information about an employee or volunteer which is collected, used or disclosed solely for the purposes of establishing, managing or terminating an employment relationship or a volunteer work relationship. Personal employee information may, in some circumstances, include a Social Insurance Number, a performance review, etc.
We can collect, use and disclose your personal employee information without your consent only for the purposes of establishing, managing or ending the employment or volunteer relationship. We will provide current employees and volunteers with prior notice about what information we collect, use or disclose and our purpose for doing so.
What personal employee information do we collect, use and disclose?
We collect, use and disclose personal employee information to meet the following purposes:
- Determining eligibility for employment or volunteer work, including verifying qualifications and references
- Establishing training and development requirements
- Assessing performance and managing performance issues if they arise
- Administering pay and benefits (paid employees only)
- Processing employee work-related claims (e.g. benefits, workers’ compensation, insurance claims) (paid employees only)
- Complying with requirements of funding bodies (e.g. lottery grants)
- Complying with applicable laws (e.g. Canada Income Tax Act, Ontario Employment Standards Code)
We only collect, use and disclose the amount and type of personal employee information that is reasonable to meet the above purposes. The following is a list of personal employee information that we may collect, use and disclose to meet those purposes.
- Contact information such as your name, home address, telephone number
- Criminal background checks
- Employment or volunteer information such as your resume (including educational background, work history and references), reference information and interview notes, letters of offer and acceptance of employment, policy acknowledgement forms, background verification information, workplace performance evaluations, emergency contacts, etc.
- Benefit information such as forms relating to applications or changes to health and insurance benefits including medical and dental care, life insurance, short and long term disability, etc. (paid employees only)
- Financial information, such as pay cheque deposit information and tax-related information, including Social Insurance Numbers (paid employees only)
- Other personal information required for the purposes of our employment or volunteer relationship
We will inform our employees and volunteers of any new purpose for which we will collect, use, or disclose personal employee information, or we will obtain your consent, before or at the time the information is collected.
We will obtain your consent to collect, use and disclose your personal information for purposes unrelated to the employment or volunteer relationship (e.g. providing you with information about our workplace charity program).
What information do we provide for employment/volunteer references?
In some cases, after your employment or volunteer relationship with us ends, we will be contacted by other organizations and asked to provide a reference for you. It is our policy not to disclose personal information about our employees and volunteers, without consent, to other organizations that request references. The personal information we normally provide in a reference includes:
- Confirmation that an individual was an employee or volunteer, including the position, and date range of the employment or volunteering
- General information about an individual’s job duties and information about the employee or volunteer’s ability to perform job duties and success in the employment or volunteer relationship
How do we safeguard personal information?
We make every reasonable effort to ensure that personal information is accurate and complete. We rely on individuals to notify us if there is a change to their personal information that may affect their relationship with our organization. If you are aware of an error in our information about you, please let us know and we will correct it on request wherever possible. In some cases we may ask for a written request for correction.
We protect personal information in a manner appropriate for the sensitivity of the information. We make every reasonable effort to prevent any loss, misuse, disclosure or modification of personal information, as well as any unauthorized access to personal information.
We use appropriate security measures when destroying personal information, including shredding paper records and permanently deleting electronic records.
We retain personal information only as long as is reasonable to fulfil the purposes for which the information was collected or for legal or business purposes.
Access to records containing personal information
Individuals have a right to access their own personal information in a record that is in the custody or under the control of CloudMask, subject to some exceptions. For example, organizations are required under the Personal Information Protection Act to refuse to provide access to information that would reveal personal information about another individual.
If we refuse a request in whole or in part, we will provide the reasons for the refusal. In some cases where exceptions to access apply, we may withhold that information and provide you with the remainder of the record.
You may make a request for access to your personal information by writing to CloudMask Admin. You must provide sufficient information in your request to allow us to identify the information you are seeking.
You may also request information about our use of your personal information and any disclosure of that information to persons outside our organization. In addition, you may request a correction of an error or omission in your personal information.
We will respond to your request within 45 calendar days, unless an extension is granted. We may charge a reasonable fee to provide information, but not to make a correction. We do not charge fees when the request is for personal employee information. We will advise you of any fees that may apply before beginning to process your request.
Questions and complaints
If you have a question or concern about any collection, use or disclosure of personal information by CloudMask, or about a request for access to your own personal information, please contact CloudMask at firstname.lastname@example.org.
If you are not satisfied with the response you receive, you should contact the Information and Privacy Commissioner of Ontario.