Introduction:

Given the nature of PB Imprinting’s business, there may be instances where we collect, use, print and distribute sensitive, private or protected client information. This policy is our first defence and step toward building better privacy protection into our business. Information about our customers – their names, addresses, purchasing history, product preferences – is a valuable business asset. But unlike other assets, there are strings attached. Our customers retain an interest in what we do with their personal information. Mishandling it exposes our business to risks. It can damage our reputation in our community, lead to legal liability and fines, and destroy the trust that is the cornerstone of good relationships with our customers. Building privacy protections into our business will limit these risks and protect our investment in a valuable business asset – our customer information.

References:

We follow privacy laws in accordance with:
Office of the Information and Privacy Commissioner for British Columbia

P.O. Box 9038, Stn. Prov. Govt.
756 Fort Street, 3rd Floor
Victoria, British Columbia V8V 1X4
Phone: (250) 387-5629
Toll-free: 1 (800) 663-7867 (free within B.C.)
Email: [email protected]
Web Site: https://www.oipc.bc.ca/
The Privacy Commissioner of Canada
The Canadian Privacy Act.

Security and Privacy Compliance Officer:

PB Imprinting Director and/or senior management team shall elect or delegate the duties of Security and Privacy Compliance Officer to one senior management member who, given the nature of their primary duties, can exercise their authority with minimal conflict of interest or agency issues.

Duties and Responsibilities

The duties and responsibilities of the Security and Privacy Compliance Officer include but are not limited to the following:

  • Organize and oversee all facility security;
  • Organize and oversee all employee security training;
  • Organize and oversee all facility privacy compliance;
  • Organize and oversee all employee privacy training;
  • Organize and oversee all records and data storage compliance;
  • Organize and oversee all records and data destruction / deletion compliance;
  • Organize and oversee all security and privacy customer relations issues;
  • Organize and oversee all security and privacy breach or incident protocols;
  • Ensure all employees are aware and can locate provincial and federal security and privacy act information;
  • Perform routine employee security and privacy compliance audits;
  • Organize and oversee all security and privacy transparency protocols; and
  • Review and amend this and other security and privacy company policies at a minimum every 365 days.

Consent Practices:

Our Consent Practices clarify when we can assume a customer is consenting to the collection, use and disclosure of information, and when we need to provide an opt-out or get express consent.

PB Imprinting obtains implied consent to the collection of information when customers fill out the order forms. However, that information is only to be used to complete that single transaction.

All other customer information collected by PB Imprinting is to be collected by the Office Manager only, used to aid in a single order/transaction only, and stored or destroyed in accordance with Federal/Provincial laws and this policy.

PB Imprinting cannot refuse to complete a transaction if the customer refuses to consent to the collection of information that isn’t necessary to complete the transaction.

Security Plan:

General

In order to safeguard this information and ensure the highest level of protection, the following security measures are in place and to be followed by all PB Imprinting employees and management:

  1. All employees will undergo security and privacy training in accordance with this policy;
  2. PB Imprinting shall employ a Security and Privacy Compliance Officer;
  3. The Security and Privacy Compliance Officer shall execute her duties as outlined under “Duties and Responsibilities”;
  4. The PB Imprinting facility is not open to the general public;
  5. Delivery service drivers are not allowed into the production area at any time;
  6. The facility shall be equipped with multiple door lock redundancies, a separate one for each of the following areas:
    • Main door / exterior door bolt
    • Main office door bolt
    • Director’s office door lock
    • Production floor door bolt
    • Desk drawer locks
    • Filing cabinet locks

Records and Data

PB Imprinting does collect some sensitive information in order to service our clients and complete their orders. This information includes:

  • Name (personal)
  • Name (company / branch)
  • Address (company / branch)
  • Postal Code (company / branch)
  • Email address (company / branch but personalized)
  • Phone Number (company / branch with personal extensions)
  • Fax Number (company / branch)
  • Branch Identifier (company / branch)
  • Payment card number (company / branch)
  • Payment Card expiry Date (company / branch)
  • Purchase history (company / branch)
  • Product / service preferences (company / branch)
  • Some sensitive product information (company / branch)

  1. All employee records and personnel files will be kept in a locked filing cabinet within a locked office. Both office and cabinet are to be locked at all times when not in use or occupied;
  2. All customer records will be kept in a locked cabinet in a locked office. Both office and cabinet are to be locked at all times when not in use or occupied;
  3. All customer records can be kept for up to 7 years. After 7 years this information must be destroyed in accordance with legal security and privacy acts;
  4. All payment card information will be destroyed or deleted immediately unless it must be held in order to refute a claim, in which case it will be destroyed / deleted within 18 months of acquisition;
  5. All sensitive production information will be held for 90 days and destroyed or deleted in accordance with legal security and privacy acts;
  6. All misprints, manufacturing defects and mis-manufactured items will be reported, logged by the production manager and immediately destroyed in accordance with legal security and privacy acts.

Information Technology

All sensitive information is to be held on a “stand-alone”, internal server which is to be located in a locked room. The server is to be password protected and equipped with anti-theft and anti-tamper security alarm systems.

When required, all hard drives and computer systems shall be sanitized internally unless an outside client contract specifically requests otherwise.

All sensitive information contained on hard drives and CPUs shall be sanitized in accordance with the timelines listed in “Records and Data”.

At no time will staff or management engage in data copying of any type, including but not limited to the following:

  • No screen shots;
  • No picture taking of any kind in the office or production area;
  • No removal of any computer equipment without the prior consent of the Security and Privacy Compliance Officer.

All staff and management shall at all times keep their personal passwords secret, never written down or stored in their work area. Passwords shall be changed frequently as per the Security and Privacy Compliance Officer’s directions.

Training:

1. All employees will undergo security and privacy training:

  • To be completed before official hire date;
  • To be reviewed and refreshed annually as directed by the Security and Privacy Compliance Officer;
  • To be reviewed and refreshed if there is a privacy or security employee infraction, as directed by the Security and Privacy Compliance Officer; and
  • To be reviewed and refreshed if and when there are updates to the Security and Privacy Policy, as directed by the Security and Privacy Compliance Officer.

2. Security and privacy training will be organized and executed by the Security and Privacy Compliance Officer and will include the following:

  • Which employees are allowed to obtain client consent;
  • How to obtain client consent;
  • How to answer clients’ privacy and security questions;
  • The type of information which PB Imprinting collects and which information is considered sensitive;
  • How to store and destroy electronic and hard copy information;
  • Facility security protocols;
  • Production security protocols;
  • Being made intimately aware of this policy; and
  • Being made aware of the BC and Federal security and privacy protocols and where they can be found.