Oshawa Power is committed to maintaining the accuracy, confidentiality, security and privacy of your personal information. We adhere to the obligations in the Personal Information Protection and Electronic Documents Act and the Municipal Freedom of Information and Protection of Privacy Act, which provide rules governing the collection, use and disclosure of personal information.
Collection means the act of gathering, acquiring, recording or obtaining personal information from any source, including third parties, by any means.
Consent means your voluntary agreement to the collection, use and disclosure of personal information for defined purposes. Consent can be either express or implied and can be provided directly by you or through your authorized representative. Express consent can be given orally, electronically or in writing, but is always unequivocal and does not require any inference on our part. Implied consent is consent that can reasonably be inferred from your actions or inaction.
Disclosure means making personal information available to a third party, not including agents acting on our behalf.
Personal Information means any information about an identifiable individual, recorded in any form, including for example, email addresses, contact details, credit information, billing records and recorded complaints. Personal information does not include the name, title, business address or telephone number of any employee of an organization, nor does it include aggregated information that cannot be associated with an identifiable individual
Third party means an individual other than yourself or your agent, or an organization other than us.
Use means our treatment, handling, and management of personal information.
Key Principles of Privacy
Principle 1 – Accountability
- We are responsible for personal information in our possession or control, including any personal information that has been transferred to a third party. We will use contractual or other means to provide a comparable level of protection for personal information while such information is in the hands of a third party.
- The President & CEO of Oshawa Power has ultimate responsibility for the protection of your personal information. All our staff share responsibility for adhering to our privacy policies and procedures.
- implementing procedures to protect personal information;
- establishing procedures to receive and respond to inquiries or complaints with respect to your personal information;
- training staff and communicating to staff about our privacy policies and practices; and
- developing information to explain our policies and procedures.
Principle 2 – Identifying Purposes
- We will identify, orally, in writing or electronically, the purposes for the collection, use and disclosure of personal information to you at the time such personal information is collected.
- We shall document the purposes for which personal information is collected. Notices of Collection will be created for circumstances where personal information is collected.
- Identifying the purposes for which personal information is collected at or before the time of collection allows us to obtain meaningful consent. We collect personal information only for the following purposes:
- to establish and maintain responsible commercial relationships with customers and to provide ongoing service, including but not limited to: delivering electricity, construction and maintenance services; providing information to customers about our rates, programs, initiatives or services or the electricity industry; verifying a customer’s identity; responding to customer inquiries; billing or collecting bills; conducting customer surveys, contests and consultations; monitoring or assessing quality of service; managing the supply and demand of our customers; assessment of customer eligibility for our programs and initiatives; extending credit to our customers; facilitating customer relationships with their chosen retailers; and providing services through our website; and
- to meet all our legal and regulatory requirements.
- Unless required by law, we will not use or disclose, for any new purpose, personal information that has already been collected without first identifying and documenting the new purpose and obtaining your consent.
Principle 3 – Consent
- We will ask for your consent for the collection, use and disclosure of your personal information when we collect your information, except where inappropriate. To ensure you have sufficient information to provide your consent, we will advise, in a comprehensive and understandable manner:
- what personal information is being collected;
- for what purposes personal information is collected, used or disclosed;
- with which parties personal information is being shared; and
- the risk of harm and other consequences, if any, from the collection, use or disclosure
- We may require you to consent to the collection, use or disclosure of certain personal information only where such personal information is necessary in order to provide you with electricity services. We will not withhold services for failure to consent to the collection, use or disclosure of personal information which is not essential for the delivery of services. For the collection of personal information beyond that which is necessary to provide services, you will be given clear options to say ‘Yes’ or ‘No’.
- Generally, we will seek your consent for use and disclosure of personal information before or when we collect, use or disclose your personal information. In certain circumstances, we may seek your consent to use and disclose personal information after it has been collected but before it is used or disclosed for a purpose not previously identified.
- You may refuse or withdraw consent at any time, subject to legal or contractual restrictions, and reasonable notice. You may contact us for more information regarding the withdrawal of consent and any implications of such withdrawal.
- In determining an appropriate form of consent, we will take into account the sensitivity of the personal information, your reasonable expectation with respect to the protection, collection, use and disclosure of the personal information and the risk of harm. We will obtain express consent when the information being collected, used or disclosed is sensitive; the collection, use or disclosure is outside of the reasonable expectations of the individual; and/or the collection, use or disclosure creates a meaningful residual risk of significant harm.
- In certain circumstances, personal information may be collected, used or disclosed without your knowledge and consent. For example, some legal, medical or security reasons may make it impossible or impractical to seek consent, or if it is clearly in your best interests to do so and consent cannot be sought in a timely manner. An example of such circumstances is in the case of an emergency where the life, health or security of an individual is threatened.
Principle 4 – Limiting Collection
- We will limit the amount and type of personal information collected to that which is necessary for the purposes identified and documented. We will collect personal information using fair and lawful means.
- In addition to collecting information directly, we may also collect personal information from other sources for purposes we have identified including, but not limited to, credit bureaus or other third parties who represent that they have the right to disclose the information.
Principle 5 – Limiting Use, Disclosure, and Retention
- We will not use or disclose your personal information for purposes other than those for which it was collected, unless you have given consent or as required by law.
- Under certain exceptional circumstances, we may have a legal duty or right to disclose personal information without the individual’s knowledge or consent.
- If we use personal information for a new purpose, we will document this purpose.
- Only our employees who need to know for legitimate business reasons are granted access to your personal information.
- We may disclose your personal information to the following:
- an agent we retain in connection with the collection of your account;
- credit grantors and reporting agencies;
- the Independent Market Operator, a customer’s retailers, if applicable, and any other entity necessary for the efficient provision of electricity;
- a person who, in our reasonable judgement, is seeking the information as your agent;
- to a person or corporation as part of conducting business or negotiating a relationship for a legitimate business purpose related to the distribution of electricity or the provision of default supply to our customers; and
- any other third party or parties, where you have provided consent to such disclosure or where disclosure is required by law.
- We do not provide or sell our customer lists, or other personal information, to any outside company for use in its marketing or solicitation.
- We will maintain reasonable and systematic controls, practices and procedures for the protection of your personal information. Procedures include minimum and maximum retention periods.
- We will retain your personal information only as long as necessary for the fulfilment of the identified purposes or as required by law. Personal information that is no longer required to fulfill the identified purposes or as required by law will be destroyed, erased or made anonymous. We will develop guidelines and implement procedures to govern the destruction of personal information.
Principle 6 – Accuracy
- We will keep the personal information in our possession or control accurate, complete and up-to-date as necessary for the purposes for which it is to be used.
- Personal information used by us will be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about you.
- We will update your personal information only if it is necessary to fulfill the purposes for which it was collected or upon your notification requesting that your personal information be updated or amended.
Principle 7 – Safeguards
- Your personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
- Security safeguards will protect your personal information against loss or theft, unauthorized access, disclosure, copying, use, modification or destruction through appropriate security measures. We will protect all personal information regardless of the format in which it is held.
- We will protect personal information we disclose to third parties by contractual agreements that stipulate the confidentiality of the information and the purposes for which it is to be used.
- The nature of the safeguards will vary depending on the sensitivity of the information, amount, distribution, format and method of storage. We will give the highest level of protection to the most sensitive personal information.
- The methods of protection include:
- physical security, such as controlled access to cabinets and restricted access to offices;
- organizational security, such as security clearances and limiting access on a “need to know” basis;
- technological security, such as electronic access controls, firewalls, the use of passwords and encryption; and
- effective destruction, such as shredding of hard copy documents.
- All of our employees with access to personal information are required, as a condition of employment, to respect the confidentiality of personal information.
- In the event of a breach of security safeguards with respect to personal information resulting in the loss of, unauthorized access to or unauthorized disclosure of personal information, we will consult with legal counsel regarding the existence and extent of reporting and notification obligations and best practices.
Principle 8 – Openness
Principle 9 – Individual Access
- Upon request, we will inform you of the existence, use, disclosure, and source of your personal information in our possession and you will be given access to that information. You can also challenge the accuracy and completeness of the information and have it amended where necessary.
- In certain situations, we may not be able to provide access to all the personal information we hold about you; however, such exceptions to the access requirement are limited and specific. Exceptions may include information that is prohibitively expensive to provide, information that contains references to other individuals and information that cannot be disclosed for legal, security, or commercial proprietary reasons.
- In order to safeguard personal information, you may be required to provide sufficient information to properly identify yourself to assure us that we are providing personal information to the correct individual. Any information provided for identification purposes will only be used for such purpose.
- In providing a list of third parties to which we have disclosed your personal information, we will provide as much information as possible. When it is not possible to provide a list of third parties to whom we have actually disclosed your information, we will provide a list of third parties to whom we may have disclosed your information.
- We will respond to your request within a reasonable time and may charge you a minimal fee. The requested information will be provided or made available in a form that is generally understandable.
- We will promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness will be noted in your file. Where appropriate, we will transmit to third parties having access to the information any amended information and identify the existence of any unresolved differences.
Customers can make their requests to the Chief Privacy Officer by telephone at (905)-743-4623 x5274, via email firstname.lastname@example.org or in writing to: Chief Privacy Officer, Oshawa Power, 100 Simcoe St., S. Oshawa, ON L1H 7M7. Response to an individual’s request will be made in a timely and efficient manner.
Principle 10 – Challenging Compliance
- We will maintain procedures for receiving, addressing and responding to all inquiries or complaints from our customers relating to our handling of personal information.
- If you make an inquiry or lodge a complaint, we will inform you about the existence of these procedures as well as the existence of complaint mechanisms.
- If you are not satisfied with the way we have responded to your complaint, you may contact the Office of the Privacy Commissioner of Canada or the Information and Privacy Commissioner of Ontario at https://www.priv.gc.ca/en/report-a-concern/