We are committed to meeting our privacy commitments to our clients and to complying with the requirements of the federal Protection of Personal Information and Electronic Documents Act (“PIPEDA”) and the B.C. Personal Information Protection Act (“PIPA”).
The Personal Information Protection Act (PIPA) governs how all private sector organizations in British Columbia handle personal information of clients, employees, and others. Personal information is defined as information that can identify an individual and information about an identifiable individual.
This policy formalizes our commitment to protect any personal information received, developed and used by us in the course of providing services to our clients.
Definition of personal information
Personal information means any information about an identifiable individual other than that individual’s name, title, business address or telephone number (often called “business card” or “phone book” information). Personal information includes age, gender, marital status, health status, financial status, home address, etc. Such information includes information specifically related to you, our client, or personal information of others, such as your employees, clients, or customers, that we may encounter in the course of providing our professional services to you.
Accountability for personal information in our possession or control
We are accountable for all personal information in our possession or control. This includes any personal information we receive directly from clients who are individuals, or indirectly through clients that are organizations (e.g., corporations, government entities, not-for-profit organizations).
Established and put into effect policies and procedures aimed at properly protecting personal information;
Educated our principals and employees regarding our privacy policies, and of their roles and responsibilities in keeping personal information private; and
Appointed a Privacy Officer (firstname.lastname@example.org) to oversee privacy issues.
We collect personal information from our clients and use and disclose such personal information only for the purposes of providing requested professional services to our clients. We identify the purpose for which we collect personal information from our clients before it is collected.
We obtain client consent before collecting personal information from our clients. Our engagement letters set out your responsibility to obtain any consents required under applicable privacy legislation, for collection, use and disclosure to us of personal information. By signing such engagement letters, you are formally acknowledging this responsibility.
Collection of personal information
We collect only that personal information required to perform our professional services and to operate our business. This personal information is collected by fair and lawful means. Our principals and employees involved in a particular engagement will access only the information required to complete that engagement or to deal with other matters such as invoicing and general correspondence.
Disclosure and retention of personal information
We use or disclose personal information only for purposes for which we have consent, or as required by law. We retain personal information only as long as necessary to fulfill those purposes. As required by professional standards, rules of professional conduct and regulation, we document the work we perform in records, commonly called working paper files. Such files may include personal information obtained from a client. Working paper files and other files containing, for example, copies of personal tax returns, are retained for the time period required by law and regulation.
The personal information collected from a client during the course of a professional service engagement may be:
Shared with Decision Point personnel participating in such engagement;
Disclosed to Decision Point principals and employees to the extent required to assess compliance with applicable professional standards, rules of professional conduct, and our policies, and to conduct quality control reviews of the work performed; and
Provided to the members of an audit committee and to the board of directors of a particular organization, and others in the company that might not otherwise have access to the information, in the course of communicating certain aspects of the results of our engagement.
Decision Point regularly and systematically destroys, erases, or makes anonymous personal information that is no longer required to fulfill the above collection purposes, and is no longer required by laws and regulations.
Protection of personal information
We protect the privacy of personal information in our possession or control by using security safeguards appropriate to the sensitivity of the information. Physical security (e.g., restricted access, locked rooms and filing cabinets) is maintained over personal information stored in hard copy form. Principals and employees are authorized to access personal information based on client assignment and quality control responsibilities. Authentication is used to prevent unauthorized access to personal information stored electronically.
For files and other materials containing personal information entrusted to a third-party service provider (e.g., a provider of paper-based or electronic file storage), Decision Point obtains appropriate assurance to affirm that the level of protection of personal information by the third party is equivalent to that of Decision Point.
Managing personal information
Handling of requests from clients
We respond on a timely basis to requests from clients about their personal information that we possess or control.
Individual clients of Decision Point have the right to contact the engagement principal in charge of providing services to them to obtain access to their personal information. Similarly, authorized officers or employees of organizations that are clients of Decision Point have the right to contact the engagement principal in charge of providing services to them to obtain access to personal information provided by that client. In certain situations, however, Decision Point may not be able to give clients access to all their personal information. In such situations, we will explain the reasons why access must be denied and any recourse the client may have, except where prohibited by law.
Approach to complaints and questions relating to privacy
We have policies and procedures to receive, investigate, and respond to client complaints and questions relating to privacy.