Richards and Richards Online Privacy Policy

At Richards & Richards, we are committed to providing our clients and other individuals with exceptional service. Because providing this service involves the collection, use and disclosure of some personal information about our clients and other individuals, protecting that personal information is one of our highest priorities.

While we have always respected our clients' and other individuals' privacy and safeguarded their personal information, we have strengthened our commitment to protecting personal information as a result of British Columbia's Personal Information Protection Act (PIPA). PIPA, which came into effect on January 1, 2004, sets out the ground rules for how B.C. businesses and not-for-profit organizations may collect, use and disclose personal information. We also comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

This Personal Information Protection Policy, in compliance with PIPA and PIPEDA, outlines the principles and practices we will follow in protecting the personal information of clients and other individuals. Our privacy commitment includes ensuring the accuracy, confidentiality and security of the personal information of clients and other individuals, and allowing our clients and other individuals to request access to, and correction of, their personal information.

Our Privacy Policy incorporates and expands on the 10 principles for the protection of personal information set out in Schedule 1 of PIPEDA.

Scope of this Policy

This Personal Information Protection Policy applies to Richards & Richards and to any service providers collecting, using or disclosing personal information on behalf of Richards & Richards.

Definitions

Personal Information – means information about an identifiable individual, such as name, age, home address and phone number, social insurance number, marital status, religion, income, credit history, medical information, education and employment information. Personal information does not include contact information (described below).

Contact information – means information that would enable an individual to be contacted at a place of business, and includes name, position name or title, business telephone number, business address, business email or business fax number. Contact information is not covered by this policy, PIPA or PIPEDA. Even though business contact information is not generally considered personal information under PIPEDA and is not covered, we follow our clients' instructions and in practice treat business contact information as personal information, as set out in schedule 1201, when it concerns the privacy of personal information (for example, a debtor's place of employment).

Privacy Officer – means the individual designated responsibility for ensuring that Richards & Richards complies with this policy, PIPA and PIPEDA.

 

1.         Accountability

1.1       Richards & Richards is accountable for the protection of all personal information within the organization's possession or control and has designated a Privacy Officer, who has overall responsibility for protection of personal information and for compliance with this Privacy Policy.

2.         Openness

2.1       We will inform our clients and other individuals of why and how we collect, use and disclose their personal information, obtain their consent where required, and only handle their personal information in a manner that a reasonable person would consider appropriate in the circumstances.

 

3.         Collecting Personal Information - the Purpose and the Limits

3.1  Unless the purposes for collecting personal information are obvious and the client or other individual voluntarily provides his or her personal information for those purposes, we will communicate the purposes for which personal information is being collected, either orally or in writing, before or at the time of collection.

3.2  We will only collect client or other individual information that is necessary to fulfill the following purposes:

•           To verify identity;
•           To verify creditworthiness;
•           To identify client or other individual preferences;
•           To deliver requested products and services;
•           To provide legal services;
•           To ensure a high standard of service to our clients and other individuals;
•           To meet regulatory requirements;
•           To meet anti-money laundering requirements (added 200211).

 

 

4.         Consent

4.1  We will obtain client or other individual consent to collect, use or disclose personal information (except where, as noted below, we are authorized to do so without consent).

4.2  Consent can be provided orally, in writing, electronically or through an authorized representative, or it can be implied where the purpose for collecting, using or disclosing the personal information would be considered obvious and the client or other individual voluntarily provides personal information for that purpose.

4.3  Consent may also be implied where a client or other individual is given notice and a reasonable opportunity to opt out of his or her personal information being used for mailing or calling, and the client or other individual does not opt out.

4.4  Subject to certain exceptions (e.g., the personal information is necessary to provide the service or product, or the withdrawal of consent would frustrate the performance of a legal obligation), clients and other individuals can withhold or withdraw their consent for Richards & Richards to use their personal information in certain ways. A client's or other individual's decision to withhold or withdraw consent to certain uses of personal information may restrict our ability to provide a particular service or product. If so, we will explain the situation to assist the client or other individual in making the decision.

4.5  We may collect, use or disclose personal information without the client's or other individual's knowledge or consent in the following limited circumstances:

•           When the collection, use or disclosure of personal information is permitted or required by law;
•           When the personal information is available from a public source (e.g., a telephone directory);
•           In order to provide legal advice;
•           For the purposes of collecting a debt;
•           To protect ourselves from fraud;
•           To investigate an anticipated breach of an agreement or a contravention of law.

 

 

5.         Using and Disclosing Personal Information - Limiting Use

5.1  We will only use or disclose client or other individual personal information where necessary to fulfill the purposes identified at the time of collection, or for a purpose reasonably related to those purposes, such as:

•           To enhance the provision of our services;
•           To contact our clients and other individuals directly about products and services.

5.2  We will not use or disclose client or other individual personal information for any additional purpose unless we obtain consent to do so.

5.3  We will not sell client or other individual lists or personal information to other parties.

 

6.         Retaining Personal Information

6.1  If we use a client's or other individual's personal information to make a decision that directly affects the client or other individual, we will retain that personal information for at least one year so that the client or other individual has a reasonable opportunity to request access to it.

6.2  Subject to policy 6.1, we will retain client or other individual personal information only as long as necessary to fulfill the identified purposes or a legal or business purpose.

 

 

7.         Ensuring Accuracy of Personal Information

7.1  We will make reasonable efforts to ensure that client or other individual personal information is accurate and complete where it may be used to make a decision about the client or other individual or disclosed to another organization.

7.2  Clients and other individuals may request correction of their personal information in order to ensure its accuracy and completeness. A request to correct personal information must be made in writing and provide sufficient detail to identify the personal information and the correction being sought. A request to correct personal information should be forwarded to the Privacy Officer.

7.3  If the personal information is demonstrated to be inaccurate or incomplete, we will correct the information as required and send the corrected information to any organization to which we disclosed the personal information in the previous year. If the correction is not made, we will note the client's or other individual's correction request in the file.

 

 

8.         Securing Personal Information - Safeguards

8.1  We are committed to ensuring the security of client or other individual personal information in order to protect it from unauthorized access, collection, use, disclosure, copying, modification or disposal, or similar risks.

8.2  The following security measures will be followed to ensure that client or other individual personal information is appropriately protected:

•           the use of locked filing cabinets;
•           physically securing offices where personal information is held;
•           the use of user IDs, passwords, encryption and firewalls;
•           restricting employee access to personal information as appropriate (i.e., only those who need to know will have access);
•           contractually requiring any service providers to provide comparable security measures.

8.3  We will use appropriate security measures when destroying clients' or other individuals' personal information, such as:

•           shredding documents;
•           deleting electronically stored information.

8.4  We will continually review and update our security policies and controls as technology changes to ensure ongoing personal information security.

 

9.         Providing Clients and Other Individuals Access to Personal Information

9.1  Clients and other individuals have a right to access their personal information, subject to limited exceptions, such as:

•           solicitor-client privilege;
•           disclosure would reveal personal information about another individual.

A full list of exceptions can be found at section 23 of PIPA.

9.2  A request to access personal information must be made in writing and provide sufficient detail to identify the personal information being sought. A request to access personal information should be forwarded to the Privacy Officer or designated individual.

9.3  Upon request, we will also tell clients and other individuals how we use their personal information and, if applicable, to whom it has been disclosed.

9.4  We will make the requested information available within 30 business days, or provide written notice of an extension where additional time is required to fulfill the request.

9.5  A minimal fee may be charged for providing access to personal information. Where a fee may apply, we will inform the client or other individual of the cost and request further direction from the client or other individual on whether or not we should proceed with the request.

9.6  If a request is refused in full or in part, we will notify the client or other individual in writing, providing the reasons for refusal and the recourse available to the client or other individual.

 

10.       Questions and Complaints - Challenging Compliance: The Role of the Privacy Officer or Designated Individual

10.1  The Privacy Officer or designated individual is responsible for ensuring Richards & Richards' compliance with this policy and the Personal Information Protection Act.

10.2  Clients and other individuals should direct any complaints, concerns or questions regarding Richards & Richards' compliance in writing to the Privacy Officer. If the Privacy Officer is unable to resolve the concern, the client or other individual may also write to the Information and Privacy Commissioner of British Columbia.

Contact information for Richards & Richards' Privacy Officer or designated individual:

Privacy Officer – George H. Richards
Richards & Richards
10325 150th Street, Surrey, BC, V3R 4B1
Telephone: 604.588.6844 x 132
Facsimile: 604.588.8800
Email: Privacy@RichardsLaw.com

 

11.       Process for Responding to Privacy Breaches

1. Purpose

1.1 This section sets out the steps that Richards & Richards will follow when responding to a privacy breach:

  1. The Richards & Richards Privacy Officer is responsible for the coordination, investigation and resolution of information incidents.
  2. All actual or suspected information incidents must be reported immediately.
  3. The Richards & Richards Privacy Officer is solely responsible for liaising with the parties involved regarding an actual or suspected privacy breach.

2. What is a Privacy Breach? 

2.1 A privacy breach is a collection, use, disclosure, access, disposal, or storage of personal information, whether accidental or deliberate, that is not authorized. 

3. Process 

3.1  All known or suspected privacy breaches require immediate remedial action, no matter the sensitivity of the personal information. Given the varied nature of privacy breaches, no “one-size-fits-all” response is possible, and actions are proportional and appropriate to each privacy breach. 

3.2  The following steps are used to address privacy breaches. As the circumstances for each privacy breach vary, these steps might occur concurrently or in quick succession; they do not necessarily need to follow the order given below: 

A. Report Immediately 

• Employees, service providers or others must report suspected or actual privacy breaches immediately to their supervisor. The supervisor and/or the employee or other person also reports immediately to the Richards & Richards Privacy Officer (RnR PO) by:

o email, telephone or a personal meeting.

In all cases, the person who identifies a breach must make contact themselves. This invokes the privacy breach management process.

B. Contain the Privacy Breach

• Employees should take immediate action to contain the privacy breach and to limit its impact. Appropriate actions will depend on the nature of the breach and may include:

o Isolating or suspending the activity that led to the privacy breach;
o Correcting all weaknesses in physical security;
o Taking immediate steps to recover the personal information, records or equipment from all sources, where possible;
o Determining if any copies have been made of the personal information that was breached, and recovering them where possible.

Note: Where the privacy breach involves information technology, the Richards & Richards IT incident response process must also be initiated before taking any containment steps, so that evidence of the breach is preserved (see step D).

C. Assess the Extent and Impact of the Privacy Breach 

• As part of the Management Process, all parties will work with the RnR PO to determine the:

(i) Personal Information Involved

o What personal information has been breached?
o Is the personal information sensitive? Examples are social insurance numbers, financial information or information that can be used for identity theft. A combination of personal information is typically more sensitive than a single piece of personal information.

(ii) Cause and Extent of the Breach

o What was the cause of the breach?
o What programs and systems are involved?
o Is the personal information encrypted or otherwise not readily accessible?
o Has the personal information been recovered?
o What steps have already been taken to minimize the harm?
o Is this a one-time occurrence or an ongoing problem?

(iii) Individuals Affected by the Breach

o Who is affected by the breach? For example: employees, the public, contractors, clients, service providers, other organizations.
o How many individuals are, or are estimated to be, affected by the breach?

(iv) Foreseeable Harm from the Breach

o What possible use is there for the personal information? Can the information be used for exploitation, fraud or other harmful purposes?
o Who is in receipt of the personal information? For example, a stranger who accidentally receives personal information and voluntarily reports the mistake is less likely to misuse the information than an individual suspected of criminal activity.
o Is there a relationship between the unauthorized recipient(s) and the data subject(s)? A close relationship between the two might affect the likelihood of harm.
o Is there a risk of significant harm to the individual as a result of the breach? For example:
    § security risk (e.g., physical safety)
    § identity theft or fraud
    § access to assets or financial loss
    § loss of business or employment opportunities
    § breach of contractual obligations
    § hurt, humiliation, embarrassment, damage to reputation or relationships
o Is there a risk of significant harm to the party or parties exposed as a result of the breach? For example:
    § loss of public trust
    § loss of assets
    § financial exposure
    § loss of contracts or business
    § risk to safety

D. Document the Privacy Breach and Corrective Action Taken 

• As part of the Information Incident Management Process, all parties will work with the RnR PO to:

1) ensure that evidence of the privacy breach is preserved; and

2) document the privacy breach in detail, including:

o what happened and when;
o how and when the privacy breach was discovered;
o the personal information involved and the scope of the breach;
o who was involved, if known;
o individuals interviewed about the breach;
o whether the privacy breach has been contained and any lost personal information retrieved;
o who has been notified;
o the corrective action taken, including any steps to assist affected individuals in mitigating harm (for example, providing credit watch services if appropriate); and
o recommendations, including corrective action that still needs to be taken.

E. Consider Notifying Affected Individuals

• The impact of privacy breaches must be reviewed to determine if it is appropriate to notify individuals whose personal information has been affected by the breach. As part of the Information Incident Management Process, the RnR PO will notify affected parties and take other required actions, as appropriate. 

(i) Notifying affected individuals 

o The key consideration in deciding whether to notify an affected individual is whether it is necessary to avoid or mitigate harm to an individual, such as: 

  • A risk of identity theft or fraud (usually because of the type of information that has been compromised such as SIN, banking information, identification numbers); 
  • A risk of physical harm (for example, if the compromised information puts an individual at risk of revenge or harassment); 
  • A risk of hurt, humiliation or damage to reputation (for example, when the compromised information includes medical or disciplinary records, criminal histories or family information); or 
  • A risk to business or employment opportunities. 

o Other considerations in determining whether to notify individuals include:

  • Legislative requirements for notification;
  • Contractual obligations requiring notification;
  • Whether the risk of loss of confidence in Richards & Richards, or the maintenance of good customer/client relations, dictates that notification is appropriate.

(ii) When and how to notify

o If it is determined that notification of individuals is appropriate: 

  • When: Notification should occur as soon as possible following the breach. (However, if law enforcement authorities have been contacted, it may be appropriate to work with those authorities in order not to impede their investigation.) 
  • How: Affected individuals should be notified directly – by phone, email, letter or in person – whenever possible. Indirect notification using general, non-personal information should generally only occur when direct notification could cause further harm, is prohibitive in cost, or contact information is lacking. Using multiple methods of notification – website publication, posted notices, media – in certain cases may be the most effective approach. 

(iii) What should be Included in the notification 

o Notifications should include the following information, as appropriate: 

  • Date of the breach. 
  • Description of the breach (extent). 
  • Description of the information compromised. 
  • Risk(s) to individual caused by the breach. 
  • Steps taken to mitigate the breach and any harms. 
  • Next steps planned and any long-term plans to prevent future breaches. 
  • Steps the individual can take to further mitigate the harm, or steps Richards & Richards has taken to assist the individual in mitigating harm. For example, how to contact credit reporting agencies to set up a credit watch, or information explaining how to change a personal health number or driver’s licence.
  • Contact information of an individual within Richards & Richards who can answer questions or provide further information.
  • The right to complain to the Office of the Information and Privacy Commissioner and the necessary contact information. If Richards & Richards has already contacted the Commissioner’s office, include this detail in the notification letter. 

o Notifications should not include the following information: 

  • Personal information about others or any information that could result in a further privacy breach. 
  • Information that could be used to circumvent security measures. 
  • Information that could prompt a misuse of the stolen information (for example, if hardware for wiping and destruction is stolen, but the breach notification prompts someone to realize that personal information is on the hardware and could be of some value if accessed). 

F. Inform Other Parties as Appropriate 

  • As part of the Management Process, RnR PO will work with the affected staff so the staff can notify affected parties and take other required actions, as appropriate. Affected parties may include, for example: insurers, professional or other regulatory bodies, third-party contractors, internal business units, or unions.
  • The RnR PO is solely responsible for liaising with the Office of the Information and Privacy Commissioner regarding an actual or suspected privacy breach. The following factors are relevant in determining whether to report a privacy breach to the Office of the Information and Privacy Commissioner:

o the sensitivity of the personal information;
o whether the breached information could result in identity theft or other harm, including pain and suffering or loss of reputation;
o whether a large number of people are affected by the breach;
o whether the information has not been fully recovered;
o whether the breach is the result of a systemic problem or a similar breach has occurred before.

G. Prevent Future Privacy Breaches 

  • Richards & Richards (including supervisors, staff and service providers) and others will work with the RnR PO to investigate and manage the privacy breach.
  • Richards & Richards will, as applicable, implement recommendations in accordance with this Management Process.

Version 200211/Schedule 7204