PRIVACY POLICY
Northern Micro is committed to keeping personal information confidential and secure.

PURPOSE
The purpose of this policy is to comply with the new legislation related to Canada’s Privacy Law. The Act balances the privacy rights of customers and employees and the reasonable needs of organizations to use personal information. The Act affects the rights and obligations of private sector organizations with respect to their collection, use, disclosure, retention and disposal of personal information.

SCOPE
The Northern Micro Privacy Policy applies to personal information about customers and employees of Northern Micro that is collected, used or disclosed. It applies to the management of personal information in any form whether oral, electronic or written.

This policy does not impose any limits on the collection, use or disclosure of the following information:

• information that is publicly available such as a customer’s name, address, telephone number and elec- tronic address, when listed in a directory or made available through directory assistance; • the name, title or business address or telephone number of an employee of an organization.

SUMMARY OF PRINCIPLES
Northern Micro collects personal information for the following purposes:

• to establish and maintain responsible commercial relations and provide ongoing service;

• to understand customer needs and eligibility for products and services;

• to recommend particular products and services to meet customer needs;

• to develop, enhance, market or provide products and services;

• to mange and develop Northern Micro’s business and operations, including personnel and employment matters;

• to meet legal and regulatory requirements.

Northern Micro’s policy with regards to personal information will follow ten principles to protect the privacy of customer and employee personal information while carrying out business activities.

1. Accountability Northern Micro will be responsible for the personal information under their control. The Privacy Officer will ensure that the organization is in compliance with the Act.

2. Identifying Purposes Northern Micro shall identify the purposes for which personal information is collected at or before the time the information is colleted.

3. Consent The knowledge and consent of a customer or employee is required for the collection, use, or disclosure of personal information, except where inappropriate. Consent may be implied or expressly given, it may be provided orally or in writing.

4. Limiting Collection Northern Micro shall limit the collection of personal information to that which is necessary for the purposes identified. Northern Micro shall collect personal information by fair and lawful means.

5. Limiting Use, Disclosure and Retention Northern Micro shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Northern Micro shall retain per- sonal information only as long as necessary for the fulfillment of those purposes or as required by law.

6. Accuracy of Personal Information Personal information shall be as accurate, complete and up to date as is necessary for the purposes for which it is to be used.

7. Safeguards Northern Micro shall protect personal information by security safeguards appropriate to the sensitivity of the information.

8. Openness Northern Micro shall make readily available to customers and employees specific information about its poli- cies and practices relating to the management of personal information.

9. Individual Access Northern Micro shall inform a customer or employee of the existence, use and disclosure of his or her per- sonal information upon request and shall give the individual access to that information. A customer or em- ployee shall be able to challenge the accuracy and completeness of the information and to have it amended as appropriate.

10. Challenging Compliance A customer or employee shall be able to address a challenge concerning compliance with the above prin- ciple to the designated person or persons accountable for the Northern Micro compliance with the policy.

NORTHERN MICRO PRIVACY POLICY IN DETAIL
Principle 1 – Accountability

Northern Micro will be responsible for the personal information under their control. The Privacy Officer will ensure that the organization is in compliance with the Privacy Act.

1.1 NM is responsible for personal information under its control, and shall make known, upon request, the name of the person designated to oversee the companies’ compliance with the Privacy Act. Comments and questions regarding this Privacy Policy or its administration should be forwarded to the Privacy Officer.

1.2 NM is responsible for personal information in its possession including information that has been transferred to a third party for processing.

1.3 NM has implemented policies and procedures to give effect to the principles of the Act, including: a) procedures to protect personal information; b) procedures to receive and respond to inquires and complaints; c) training staff and communicating information to staff about NM’s policies and procedures;

Principle 2 – Identifying Purposes

Northern Micro shall identify the purposes for which personal information is colleted at or before the time the information is collected.

2.1 NM collects personal information for the following purposes; a) To establish and maintain responsible commercial relations with customers and to provide ongoing service; b) To understand customer needs; c) To develop, enhance, market or provide products and services; d) To manage and develop their business and operations, including personnel and employment mat- ters; e) To meet legal and regulatory requirements.

2.2 NM identifies the purposes for which it collects personal information at or before the time of collec- tion from an individual, and collects only the information necessary for the purposes that have been identi- fied. This may be specified orally, electronically, in writing or by means of implied consent.

2.3 When NM wishes to use personal information for a purpose not previously specified, it will identify the new purpose prior to such use. The individual whose personal information is at issue must consent before NM can use the information for this new purpose, unless the use is to comply with a law, to collect an account for services that NM has provided to the individual, or consent is implied.

Principle 3 – Consent

The knowledge and consent of a customer or employee is required for the collection, use, disclosure of personal information, except where inappropriate. Consent may be implied or expressly given, it may be provided orally or in writing.

3.1 In certain circumstances personal information can be collected, used or disclosed without the knowl- edge and consent of the individual. For instance, if it is clearly in the interest of the indiv Northern Micro may also collect, use or disclose personal information without knowledge or consent if seeking the consent of the individual might defeat the purpose of collecting the information such as in the investigation of a breach of an agreement or a contravention of a federal or provincial law.

Northern Micro may also use or disclose personal information without knowledge or consent in the case of an emergency where the life, health or security of an individual is threatened.

Northern Micro may disclose personal information without knowledge or consent to a lawyer representing the company, to collect a debt, to comply with a subpoena, warrant or other court order, or as may be other- wise required by law.

3.2 In obtaining consent, Northern Micro shall use reasonable efforts to ensure that a customer or em- ployee is advised of the identified purposes for which personal information will be used or disclosed. Pur- poses shall be stated in a manner that can be reasonably understood by the customer or employee.

3.3 Generally, Northern Micro shall seek consent to use and disclose personal information at the same time it collects the information. However, Northern Micro may seek consent to use and disclose personal information after it has been collected but before it is used or disclosed for a new purpose.

3.4 Northern Micro will require customers to consent to the collection, use or disclosure of personal information as a condition of the supply of a product or service only if such collection, use or disclosure is required to fulfill the identified purposes.

3.5 In determining the appropriate form of consent, Northern Micro shall take into account the sensitiv- ity of the personal information and the reasonable expectations of its customers and employees.

3.6 In general, the use of products and services by a customer, or the acceptance of employment or ben- efits by an employee, constitutes implied consent for Northern Micro to collect, use and disclose personal information for all identified purposes.

3.7 A customer or employee may withdraw consent at any time, subject to legal or contractual restric- tions and reasonable notice.

Principle 4 – Limiting Collection of Personal Information

Northern Micro shall limit the collection of personal information to that which is necessary for the purposes identified. Northern Micro shall collect personal information by fair and lawful means.

4.1 Northern Micro collects personal information primarily from their customers or employees.

4.2 Northern Micro may also collect personal information from other sources including credit bureaus, employers or personal references, or other third parties that represent that they have the right to disclose the information.

Principle 5 – Limiting Use, Disclosure and Retention

Northern Micro shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Northern Micro shall retain per- sonal information only as long as necessary for the fulfillment of those purposes or as required by law.

5.1 In certain circumstance personal information can be collected, used or disclosed without the knowl- edge and consent of the individual. (See Principle 3.1)

5.2 In addition, Northern Micro may disclose a customer’s personal information to: a) another company for the efficient and effective provision of computer related services; b) a company involved in supplying the customer with computer or related products or services; c) another person for the development, enhancement, marketing or provision of any of the products or services of Northern Micro; d) an agent retained by Northern Micro in connection with the collection of the customer’s account; e) credit grantors and reporting agencies; f ) a person who, in the reasonable judgment of Northern Micro, is seeking the information as an agent of the customer; and g) a third party or parties, where the customer consents to such disclosure or disclosure is required by law.

5.3 Northern Micro may disclose personal information about its employees; a) for normal personnel and benefits administration; b) in the context of providing references regarding current or former employees in response to requests from prospective employers; or c) where disclosure is required by law.

5.4 Only those employees of Northern Micro who require access for business reasons, or whose duties reasonably so require, are granted access to personal information about customers and employees.

5.5 Northern Micro shall keep personal information only as long as it remains necessary or relevant for the identified purposes or as required by law. Depending on the circumstances, where personal information has been used to make a decision about a customer or employee, Northern Micro shall retain, for a period of time that is reasonably sufficient to allow for access by the customer or employee, either the actual informa- tion or the rationale for making the decision.

5.6 Northern Micro shall maintain reasonable and systematic controls, schedules and practices for infor- mation and records retention and destruction which apply to personal information that is no longer nec- essary or relevant for the identified purposes or required by law to be retained. Such information shall be destroyed, erased or made anonymous.

Principle 6 – Accuracy of Personal Information

Personal information shall be as accurate, complete and up to date as is necessary for the purposes for which it is to be used.

6.1 Personal Information used by Northern Micro shall be sufficiently accurate, complete and up to date to minimize the possibility that inappropriate information may be used to make a decision about a customer or employee.

6.2 Northern Micro shall update personal information about customers and employees as and when necessary to fulfill the identified purposes or upon notification by the individual.

Principle 7 – Safeguards

Northern Micro shall protect personal information by security safeguards appropriate to the sensitivity of the information.

7.1 Northern Micro shall protect personal information against such risks as loss or theft, unauthorized ac- cess, disclosure, copying, use, modification or destruction, through appropriate security measures. Northern Micro shall protect the information regardless of the format in which it is held.

7.2 Northern Micro shall protect personal information disclosed to third parties by contractual agree- ments stipulating the confidentiality of the information and the purposes for which it is to be used.

7.3 All employees of Northern Micro with access to personal information shall be required as a condition of employment to respect the confidentiality of personal information.

Principle 8 – Openness Concerning Policies and Practices

Northern Micro shall make readily available to customers and employees specific information about its poli- cies and practices relating to the management of personal information.

8.1 Northern Micro shall make information about its policies and practices easy to understand, including: a) The title of the person or persons accountable for the companies’ compliance with the Policy and to whom inquiries or complaints can be forwarded; b) The means of gaining access to personal information held by the company; and c) A description of the type of personal information held by the company, including a general account of its use.

8.2 Northern Micro shall make available information to help customers and employees exercise choices regarding the use of their personal information and the privacy enhancing services available from the com- pany.

Principle 9 – Customer and Employee Access to Personal Information

Northern Micro shall inform a customer or employee of the existence, use and disclosure of his or her per- sonal information upon request and shall give the individual access to that information. A customer or em- ployee shall be able to challenge the accuracy and completeness of the information and to have it amended as appropriate.

9.1 Upon request, Northern Micro shall afford to a customer or an employee a reasonable opportunity to review the personal information in the individual’s file. Personal information shall be provided in under- standable form within a reasonable time and at minimal or no cost to the individual.

9.2 In certain situations, Northern Micro may not be able to provide access to all of the personal informa- tion that they hold about a customer or employee. For example, Northern Micro may not provide access to information if doing so would likely reveal personal information about a third party or could reasonably be expected to threaten the life or security of another individual. Also, Northern Micro may not provide access to information if disclosure would reveal confidential commercial information, if the information is protected by solicitor-client privilege, if the information was generated in the course of a formal dispute resolution process, or if the information was collected in relation to the investigation of a breach of an agreement or a contravention of a federal or provincial law. If access to personal information cannot be provided, Northern Micro shall provide the reasons for denying access upon request.

9.3 Upon request, Northern Micro shall provide an account of the use and disclosure of personal infor- mation and, where reasonably possible, shall state the source of the information. In providing an account of disclosure, Northern Micro shall provide a list of organizations to which it may have disclosed personal information about the individual when it is not possible to provide an actual list.

9.4 In order to safeguard personal information, a customer or employee may be required to provide suffi- cient identification information to permit Northern Micro to account for the existence, use and disclosure of personal information and to authorize access to the individual’s file. Any such information shall be used only for this purpose.

9.5 Northern Micro shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file. Where appropriate, Northern Micro shall transmit to third parties having access to the personal informa- tion in question any amended information or the existence of any unresolved differences.

9.6 A customer can obtain information or seek access to his or her individual file by contacting a desig- nated representative of Northern Micro.

9.7 An employee can obtain information or seek access to his or her individual file by contacting his or her immediate supervisor. The request will be directed to Human Resources.

Principle 10 – Challenging Compliance

A customer or employee shall be able to address a challenge concerning compliance with the above prin- ciple to the designated person or persons accountable for the Northern Micro compliance with the policy.

10.1 Northern Micro shall maintain procedures for addressing or responding to all inquiries or complaints from its customers and employees about the companies’ handling of personal information.

10.2 Northern Micro shall inform their customers and employees about the existence of these procedures as well as the availability of complaint procedures.

10.3 The person or persons accountable for compliance with the Privacy Policy may seek external advice where appropriate before providing a final response to individual complaints.

10.4 Northern Micro shall investigate all complaints concerning compliance with the Privacy Policy. If a complaint is found to be justified, the company shall take appropriate measures to resolve the complaint including, if necessary, amending its policies and procedures. A customer or employee shall be informed of the outcome of the investigation regarding his or her complaint.