PRIVACY LEGISLATION POLICY
1. Privacy of Users
This section outlines general principles and legal requirements, regarding User and former User privacy and the confidentiality of Users’ and former Users’ information, that govern KEV Software Inc.’s (“KEV”) conduct. In this policy, the term “User” will include Users and former Users.
(b) Principles of Privacy Law
KEV is required to comply with its privacy policies in all of its business practices that involve personal information about individuals, as opposed to institutional, Users.
This document cannot be copied and used by any party for any purpose except as a reference to KEV’s Privacy Legislation Policy.
Personal information of Users collected by KEV will be referred to as “User Information” below.
Principle 1 – Accountability
All inquiries or concerns regarding the use of User Information, including information that has been transferred by KEV to a third party, must be directed to the Privacy Officer at 1-866-891-9138 or email@example.com as the first point of contact at KEV. The Privacy Officer will take the necessary action.
Principle 2 – Identifying Purposes
The purposes for which User Information is collected and used must be identified, documented and disclosed to Users at or before the time their information is collected.
KEV is only permitted to collect, use, disclose and retain User Information to the extent necessary to fulfill the purpose for which the information was collected.
Before KEV may use User Information for a purpose not previously identified to the User, the new purpose must be identified and, unless the use is required by law, User consent must be obtained before his or her information may be used for the new purpose.
KEV collects User Information for the following purposes:
- providing Services (as defined in the services agreements School Boards enter into with KEV), such as School Cash Online, School Cash Register and School Cash Accounting, to Users;
- enabling the import of the School Board’s student system data into the School Cash of products as applicable;
- storing the School Board’s data on its secured server;
- storing User payment history on its secured server;
- providing Users with the best possible service and customer support;
- protecting KEV and its Users from error and fraud; and
- for any other purpose related to the products and services of KEV or its affiliates to which Users may consent.
Principle 3 – Consent
Knowledge and consent of Users are required for the collection, use and disclosure of User Information.
The consent obtained by KEV will generally be express consent, with notice of the purposes of collection and other relevant information being provided to Users on KEV’s websites:
- [name of school district].schoolcashonline.com;
- schoolcash.net; and
Subject to restrictions imposed by law or under a contract and reasonable notice, consent may, at any time, be withdrawn by a User. KEV must inform Users where there are implications of withdrawing or refusing their consent.
Principle 4 – Limiting Collection
As mentioned above, User Information is not to be collected indiscriminately. The amount and the type of User Information collected must be limited to that which is necessary for the purpose of the collection identified to the Users by KEV.
Principle 5 – Limiting Use, Disclosure, and Retention
Caution should be exercised in regard to the disclosure of User Information. In general, User Information should only be disclosed for the purpose for which it was collected, with the express consent of the User or as required by law. If there is any doubt, KEV Personnel should speak to the Privacy Officer prior to disclosing User Information. In some circumstances, for example where it is necessary in connection with the provision of a service and User consent has been obtained, KEV may disclose User Information to an affiliate, including financial service providers, such as banks, payment processors, and others involved in financing or facilitating KEV’s operations.
User Information will be retained for a reasonable period of time in order to comply with applicable legislation following the end of the User relationship. Following the end of the User relationship, User Information will be stored in a secure storage facility. After the aforementioned reasonable period of time elapses, all User documentation will be destroyed in a manner commensurate with its sensitivity unless there are legal requirements that require its retention.
KEV transfers User Information to service providers under contract to KEV that provide technical support, accounting, legal, tax preparation and like services. KEV remains responsible for User Information while it is in the hands of third party service providers and protects the information (and KEV) through contractual requirements for its service providers to afford User Information the same level of protection as it is given by KEV.
Principle 6 – Accuracy
User Information must be as accurate, complete, and up to date as necessary for the purposes for which it is to be used and will only be routinely updated where necessary for those purposes.
Principle 7 – Safeguards
User Information will be protected against loss, theft, unauthorized access, use, disclosure, copying, or modification by safeguards appropriate for sensitive information.
User Information (and confidential information of KEV) will be retained in a designated secure area or electronic database.
Some examples of the safeguards used to protect User Information include:
- Physical Measures i.e. locking filing cabinets in which User Information is stored and restricting access to offices in which User Information may be accessible;
- Organizational Measures i.e. security clearance is required for anyone entering areas in which User Information is accessible and access to User Information is restricted to personnel who “need to know” the information to provide a service in accordance with KEV’s highest security standards; and
- Technological Measures i.e. computers are password protected and offsite service backups are stored in a secured service storage facility.
- Financial transaction information (for example personal credit card information) is stored by the merchant. KEV encourages Users who wish to obtain security and privacy information from the merchant to contact their applicable school or school board contact.
- KEV has entered into written agreements with service providers that include provisions on privacy and confidential information.
KEV Personnel are individually responsible for ensuring the confidentiality, appropriate use and protection of all User Information to which they have access.
Principle 8 – Openness
Principle 9 – Individual Access
Upon written request, a User shall be informed of whether or not KEV is holding his or her User Information, the use to which it has been put by KEV and the organizations or individuals to which it has been disclosed or the type of organizations to which it may have been disclosed where more precise information is not available.
Requests for access must be made in writing to firstname.lastname@example.org and access to a User’s own User Information will be provided except where doing so would likely reveal personal information about a third party that cannot be severed from the User Information. Access may also be withheld where:
- the User Information is protected by solicitor-User privilege;
- providing access would reveal confidential commercial information;
- providing access could reasonably be expected to threaten the life or security of another individual;
- the User Information was collected without consent because obtaining consent could have compromised the availability or accuracy of the information and the information is required for investigating the breach of a contract, federal or provincial law; or
- the information was generated in the course of a formal dispute resolution process.
KEV will endeavour to respond to requests for access within thirty days unless responding in that time frame would unreasonably interfere with its business or it needs information to make a decision on access that is not available in that time frame. In such cases, KEV may extend the time for responding to an access request by thirty days or the period that is required to convert User Information into an alternative format (for example, to download it onto a CD). KEV will give notice to the User where it requires an extension and include the reasons for the extension as well as advice that the User may make a complaint to the Office of the Privacy Commissioner of Canada (“OPC”) in respect of the extension. It is important for KEV to respect the timelines as a failure to respond to an access request within the timelines will be deemed to be a refusal of the request.
KEV will inform the User in writing if it refuses his or her request for access, setting out the reasons for the refusal and the right of the User to complain to the OPC. Information that is the subject of a complaint must be retained by KEV until the User’s rights are exhausted.
KEV will process access requests. The costs of these access requests will be paid by the User, but may be waived by KEV at its sole discretion. As such, prior to proceeding with such an access request, KEV will inform the User that submits an access request of the approximate cost of the access request and will obtain approval to proceed from the User.
Specific rules apply in regard to requests for access to information provided to government agencies for purposes including law enforcement and all such requests should be directed to the Privacy Officer.
Principle 10 – Challenging Compliance
As mentioned above, Users have the right to challenge the accuracy and completeness of their User Information and to have it amended as appropriate.