General Privacy Guidelines
What is “personal information”?
Under PIPEDA (Personal Information Protection and Electronic Documents Act), personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
Organizations must follow a code for the protection of personal information, which is included in PIPEDA as Schedule 1. The code was developed by business, consumers, academics and government under the auspices of the Canadian Standards Association.
The 10 principles that businesses must follow are:
- Identifying purposes
- Limiting collection
- Limiting use, disclosure, and retention
- Individual access
- Challenging compliance
Here is how our company plans to adhere to these principles:
We collect personal information from customers for three main purposes.
- We are required by law to record customer details for buy and pawn transactions. We are using this information to protect the customer from having their pledged goods turned over to the wrong person. We are also using this information to help guard against the intake of stolen goods and to provide recourse in the rare instance when we do find ourselves in possession of stolen goods.
- For all other transactions, we use the customer’s name as a method of tracking receipts. As long as we have at least a name, we can look up a customer’s transaction even if they have lost their receipt. Phone numbers, and sometimes email addresses, are collected to contact customers about their accounts. We do no voice telephone marketing.
- We collect email addresses and cell phone numbers for marketing purposes. A limited number of messages go out each month and the customer must provide express consent by opting in.
All personal information is gathered with the express consent of the customer. Consent is obtained verbally in-store, or electronically via the website. The purpose for gathering information should always be explained to the customer when obtaining consent.
Only the required amount of data is recorded for each transaction. For example, a pawn loan requires an ID number to be recorded, a sale does not.
Limiting Use, Disclosure and Retention
A customer’s personal information will not be made available to any other business or member of the general public without the express consent of the customer. Personal information will be made available to law enforcement where it is part of an active investigation. Hard copies of customer data are not kept for more than 6 months. Electronic records are kept indefinitely. Buy and Pawn customers may ask to have their personal information (other than name) removed from record if they have not done business with us for a period of 3 years or more. Other customers may ask to have personal information (other than name) removed at any time. However, they should be informed that doing so may affect warranty or other provided services. Personal data from electronic devices sold to the store or recovered from pawn will never be kept without the express consent of the customer.
Double check all spellings and other data to ensure that all information recorded is accurate. Out of date information should be removed from a customer’s account. Always confirm the data on file each time a customer does business with us. Merge duplicate customer accounts when found.
Electronic data is stored off-site in a secure cloud-based storage system. Hard copies of customer transactions should always be stored where customers have no access to them. Employees should always take precautions to keep their passwords hidden. If you suspect someone may know your password, ask to have it changed right away. Customers (or any member of the public) should never be allowed behind the counters or in the back rooms of the store. If someone outside the company does need access to the back rooms, they should be accompanied by an employee at all times. Care should be taken that computer monitors displaying customer information are never in view of customers. Discussions that contain a customer’s personal information should never take place within hearing distance of another customer. Discussions about customers should never take place outside of the store, with anyone outside the company (including friends and family), or on any public electronic discussion forum or social media platform.
Our customers have a right to see what personal information about them we have collected. If they would like a copy of this data, they must present a written request in person with appropriate identification and we will respond to the request within 30 days. Any information that relates to another customer or to a police investigation cannot be disclosed.