1. Accountability: An organization is responsible for personal information under its control. It must appoint a Privacy Officer whose purpose is to ensure compliance with PIPEDA.
The Privacy Officer at DRVR Training is the director Jacqueline Shephard. Jacqui ensures that all policy and procedure at DRVR Training is in line with GDPR and PIPEDA. Compliance is ensured through the thorough development of policy and procedure and regular compliance checks.
2. Identifying Purposes: Organizations must identify the purposes for which personal data is being collected before or at the time of collection.
Data is collected at DRVR Training to identify learners in order to support them and their booking entities/employers with the relevant evidence of compliance and professional development training.
3. Consent: Individuals’ consent is needed for the collection, use or disclosure of personal information.
Data is given by the learner with full disclosure as to what is collected and how their data will be used.
4. Limiting Collection: Information must be collected by fair and lawful means and must be limited to the data needed for the purpose identified by the organization.
Data is collected directly from the learner and only information relevant to identifying the learner and tracking training progress is collected and stored.
5. Limiting Use, Disclosure, and Retention: Personal information can only be used or disclosed for the purposes for which it was collected and must be kept solely for the duration required to serve those purposes unless the individual consents otherwise or it is required by law.
Data is only disclosed with the express permission of the learner for the purpose of validating training completion progress. Data is kept for the duration required to validate and provide supporting evidence of completed training. A student may request that their data be deleted at any time, and a hard drive deletion can be enacted.
6. Accuracy: Personal information must be as accurate, complete, and as up-to-date as possible in order to properly satisfy the purposes for which it is to be used.
Data is provided by the learner and data integrity is checked where possible.
7. Safeguards: Personal information must be protected through appropriate security safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
Data is stored in a secure LMS platform that has undergone third-party penetration testing to ensure safety. All employees with access to data have read, understood and signed confidentiality agreements and have been trained in the company data protection policy.
8. Openness: Organizations must be open about their policies and practices relating to the management of personal data and ensure that such information is easily available to individuals in a generally understandable format.
DRVR Training has a data management policy freely available to individuals.
9. Individual Access: Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to it. Individuals have the right to challenge the accuracy and completeness of that information and have it amended as appropriate. Organizations may deny access to personal data if the information cannot be disclosed for legal, security, or commercial proprietary reasons or is subject to solicitor-client or litigation privilege.