The Saint John Airport Inc. (the “SJAI”) is committed to serving the needs of our employees, directors, clients, stakeholders, and members of the public while at the same time complying with all applicable privacy legislation, including the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
This policy applies to the personal information about identifiable individuals collected, used, disclosed stored or disclosed by the SJAI in the course of its commercial activities.
This policy applies to all personal information now in the SJAI’s custody or control, and all personal information that it subsequently collects or acquires.
All directors, employees, and agents of the SJAI are required to comply with this policy.
DEFINITIONS
The following defined terms are used throughout this policy:
“collection” means the act of gathering, acquiring, recording or obtaining personal information from any source, including from third parties, by any means, whether written or verbal;
“client” means an individual who applies to use or uses the SJAI’s products, services, or facilities, and includes a tenant of the SJAI, a concessionaire of SJAI, a guarantor of their obligations, and airline passengers or others using the SJAI’s facilities;
“consent” means voluntary agreement for the collection, use, or disclosure of personal information;
““disclosure” means making personal information available to a third party outside of the SJAI;
“employee” means an employee or former employee of the SJAI;
“personal information” means information about an identifiable individual, whether recorded or not, and includes, but is not limited to, such things as race, ethnic origin, nationality, colour, age, gender, marital status, religion, education, medical information, criminal information, employment history, performance reviews, disciplinary actions, trade union membership, financial history, income, credit records, credit card numbers, information pertaining to existence of a dispute between an employer/employee, landlord/tenant, or business/consumer, intentions (such as intention to acquire goods/services, or provide/withdraw services (e.g. an airline route) home address, home telephone number, email address, numerical identifiers such as social insurance number, and personal opinions or evaluations. “Personal Information” does not include:
the name, title, business address, or business telephone number, of an employee of an organization;
information that is publicly available, such as a client’s name, home address, home telephone number, if published in a public telephone directory, made available through directory assistance, or some other public source (e.g. a web page);
information that pertains only to a commercial or corporate entity;
aggregate information that cannot be associated with any specific individual.
“third party” means an individual or organization outside the SJAI;
“use” means use within the SJAI;
THE TEN PRINCIPLES
This policy has been developed in accordance with the standards set out in PIPEDA including Schedule 1 of PIPEDA, which is modelled on the Canadian Standards Association Model Code for the Protection of Personal Information. In collecting, using, and disclosing personal information, the SJAI shall conform to the provisions of PIPEDA, including Schedule 1.
Principle 1 – Accountability:
The SJAI is responsible for the personal information in its custody or under its control, and shall designate one or more individuals who will be accountable for its compliance with PIPEDA and this policy.
The SJAI’s Manager, Regulatory Affairs, shall be the individual responsible for SJAI’s compliance with PIPEDA and this policy. He or she shall be known as the SJAI’s Privacy Officer. The SJAI’s Privacy Officer may, from time to time, designate one or more individuals within the SJAI to act on his or her behalf.
The SJAI has be responsible for the personal information in its custody or control, including information that has been transferred to a third party for processing. The SJAI shall use contractual or other appropriate means to ensure that information is afforded a comparable level of protection while it is being processed by a third party.
SJAI has implement policies and practices to give effect to the principles and procedures set out in PIPEDA and this policy.
Principle 2 – Identifying Purpose
The SJAI will identify the purpose for which personal information is collected at or before the time of the collection. The purposes for which information is collected, used, or disclosed by the SJAI must be those that a reasonable person would consider appropriate in the circumstances.
The SJAI will document the purposes for which it collects personal information.
Every individual responsible for collecting personal information on behalf of the SJAI will explain to the individual from whom the information is sought, why the information is being collected in a manner that can be reasonably understood. This shall be done at or before the time of collection and may, depending upon the way in which the information is collected, be done orally, in writing, or electronically. If this is done orally, a note to file shall be made. This policy may be used to identify such purposes.
If the SJAI proposes to use personal information that it has collected for a purpose not previously identified, it will identify the new purpose to the individual concerned before using that personal information for that new purpose. The consent of that individual must also be obtained before the personal information is used for the new purpose.
The explanation and consent referred to in para. 2.2 and 2.3 is not required where consent to the collection of the information is not required by law (see: para. 3.3).
The purpose for which the personal information of SJAI employees is collected may include, but is not limited to:
processing employment applications and assessing suitability for employment;
entering into, and administering employment contracts;
responding to employer inquiries;
administrating employee payroll and benefits;
conducting employee performance evaluations;
effecting training of employees;
conducting occupational medical assessments of employees, where such medical assessments are required;
regulating attendance;
managing disability and return to work situations;
conducting disciplinary investigations and taking disciplinary action against an employee;
participating in union negotiations and labour arbitrations;
obtaining security clearances (such as a Restricted Area Pass which is required by Aerodome Security Measures for employees who need access to restricted areas of the airport in order to perform their duties);
enhancing safety and security (e.g., we may use security cameras to monitor access, egress, and use of public and restricted areas);
facilitating contacts in the event of an emergency;
complying with legal and regulatory requirements (e.g. subpoenas, and court orders).
The purpose for which personal information of tenants/concessionaires is collected may include, but is not limited to:
processing lease or concession applications;
checking credit and other references;
administering lease and concession agreements;
communicating with tenants/concessionaires and responding to their inquiries;
invoicing and collecting rent or fees, and otherwise enforcing any lease or concession agreement;
tax reporting, where required;
reporting to our insurers, where necessary;
enhancing safety and security (e.g. we may use cameras to monitor access, egress, and use of public and restricted areas);
complying with legal and regulatory requirements (e.g. subpoenas, and court orders).
The purpose for which personal information is collected from other clients or individuals may include, but is not limited to:
providing products, services, or facilities requested by the client or individual;
processing payment for the use of such products, services, or facilities (e.g. where payment for parking facilities is made by credit card);
responding to inquiries by the client or member of the public;
for identification purposes (if you are an airline passenger, you will be asked for identification by security personnel before departure);
enhancing safety and security (e.g. we may use cameras to monitor access, egress, and use of public and restricted areas);
complying with legal and regulatory requirements.
Principle 3 – Consent
The knowledge and consent of the individual is required for the collection, use, or disclosure of personal information, except where consent is not required by applicable privacy legislation.
The SJAI will collect personal information only with the knowledge and consent of the individual concerned, except where knowledge and consent is not required by applicable privacy legislation, or where collection without knowledge or consent is permitted by law. Consent will obtained at or before the time of collection.
The way in which the SJAI will seek consent may vary, depending on the circumstances and the type of information collected. We can obtain consent through e.g. application, enrolment or contract forms, facsimiles, e-mail, and telephone conferences. Express consent will usually be obtained when the information is likely to be considered sensitive (such as medical information). Implied consent may generally be relied upon where a reasonably person would infer that the employee, client, or other individual has consented by his or her action or inaction.
There are circumstances in which such consent is not required such as:
where we collect information in the individual’s interest and timely consent is unavailable, or to investigate a breach of an agreement (e.g. an employment or lease agreement), or a contravention of the law;
where we use personal information without consent for reasons similar to those described above, or in an emergency situation in which an individual’s life, health, or security is threatened;
where we disclose information without consent for law enforcement, national security, for debt collection, to our lawyers, or in an emergency situation in which an individual’s life, health, or security is threatened.
The SJAI will not require, as a condition of supply of products, services or facilities, that an individual consent to the collection, use, or disclosure of information beyond that required to fulfill SJAI’s explicitly specified and legitimate purposes.
An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The SJAI will inform individuals of the implications of withdrawing consent.
Principle 4 – Limiting Collection
The SJAI shall limit the collection of personal information to that which is necessary for the purposes identified by the SJAI. Personal information shall be collected by fair and lawful means.
The SJAI will not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes stated.
The SJAI, in collecting information, will use fair and lawful means and will not mislead or deceive individuals about the purpose for which information is being collected.
Principle 5 – Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required or permitted by law. Personal information shall be retained only as long as necessary for the fulfillment of the purposes for which it was collected by the SJAI.
The SJAI will only use or disclose personal information for legitimate, identified purposes (except with the consent of the individual or as required or permitted by law).
Where the SJAI intends to use personal information for a purpose not previously identified, the SJAI shall document the new purpose and shall obtain the consent of the individual prior to using the information for that new purpose (except where such consent is not required by law).
The SJAI may disclose the personal information of its employees to the following third parties:
to third party service providers for the purposes of administering employee payroll or benefits programs, or obtaining human resource assistance or advice;
to union representatives, (where required by law or under a collective agreement, or otherwise with the employee’s consent), and to labour tribunals;
to our external consultants (e.g. to our lawyers, auditors, accountants, and information technology consultants);
to prospective employers and/or financial institutions, seeking references, provided the consent of the employee has first been obtained;
to prospective purchasers or purchasers of our business;
to responsible government bodies for the purpose of obtaining necessary security clearances for the employee (e.g. to Transport Canada, and the R.C.M.P.);
to any third party where disclosure is required or permitted by law (e.g. to Canada Customs and Revenue Agency).
The SJAI may disclose the personal information of its clients to the following third parties:
to third parties named as credit or other references by the client;
to a credit bureau where the client has authorized us to conduct a credit check;
to our lenders, where required by them;
to government tax authorities, where required;
to a third party who processes credit card transactions;
to third party service providers for the purposes of debt collection;
to our external consultants (e.g. our lawyers, auditors, accountants, and information technology consultants);
to our insurers, where required;
to prospective tenants or concessionaires, or real estate agents (disclosure is limited to the existing tenant or concessionaire’s name, space, and rent);
to prospective purchasers or purchasers of our business; and
where disclosure is required or permitted by law.
Unless authorized by the employee, client or other individual, the SJAI will not sell, lease, or trade personal information with third parties.
Personal information shall be kept only as long as it remains necessary or relevant for the identified and legitimate purposes, or as required or permitted by law. Where personal information has been used to make a decision about an individual, SJAI will retain that personal information for a period of time that is reasonably sufficient to allow for access to that information by that individual, and to allow that individual to exhaust any legal recourse he or she has.
Personal information that is no longer required to fulfill the SJAI’s identified purposes shall be destroyed, erased, or made anonymous.
Principal 6 – Accuracy
Personal information shall be as accurate, complete and up to date as is necessary for the purposes for which it is to be used.
Personal information used by the SJAI shall be kept sufficiently accurate, complete and up to date.
The SJAI will not, however, routinely update personal information, unless this is necessary to fulfill the purposes for which the information was collected.
Principal 7 – Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
SJAI is committed to protecting personal information held by it, and to ensure that information is not obtained by others without the consent of the individual.
The SJAI will ensure security procedures are in place to safeguard and protect personal information against loss, theft, unauthorized access, disclosure, copying, and use, modification, or destruction.
The SJAI shall maintain appropriate safeguards and security procedures such as:
physical measures (e.g. providing and using locked filing cabinets for hard copy personal information, and restricting access to offices);
technical measures, (such as requiring passwords for access for electronic personal information, and using encryption, and firewalls); and
organizational measures, (e.g. permitting access to employees on a “need to know” basis, and staff training).
The nature of the safeguards implemented will vary depending on:
the sensitivity of the information that has been collected;
the parties to whom information will be disclosed;
the amount of information held;
the format of the information; and
the manner of storage.
Each director, employee, and agent of the SJAI shall be made aware of the importance of complying with this policy. Any director, employee, or agent who violates this policy or applicable privacy legislation shall be subject to disciplinary action, up to including removal, dismissal, or contract termination.
Personal information disclosed by the SJAI to third parties shall be protected by contractual agreements stipulating the confidentiality of the information and the purpose for which it is to be used.
We ensure that our employers are aware of the importance of maintaining the security and confidentiality of personal information.
The SJAI will use care when disposing of or destroying personal information and shall do so in a manner that will ensure that no one will be able to retrieve the information.
Principle 8 – Openness
The SJAI shall make readily available to its employees, clients, and other individuals specific information about its policies and practices relating to the management of personal information.
The SJAI will be open about its policies and practices with respect to the management of personal information, the name or our Privacy Officer and how to contact him or her.
Information shall be made available to SJAI employees, clients, and other individuals upon request in written form, and shall also be available through the SJAI website.
Principle 9 – Individual Access
Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information except where the SJAI is permitted or required by law not to disclose personal information to the individual.
Upon written request, the SJAI shall inform an employee, client, or other individual as to whether it holds personal information about the individual (except where the SJAI is or required or permitted by law not to disclose personal information), and shall afford the individual a reasonable opportunity to review the personal information in his or her file at minimal or no cost to the individual. The SJAI shall also provide an account of the use that has been made or is being made of the personal information, and of the third parties to whom the personal information has been disclosed.
An employee can obtain information or seek access to his or her individual file by contacting his or her immediate supervisor.
A client can obtain information or seek access to his or her individual file by contacting the SJAI’s privacy officer.
We will normally respond to a request for access for access to personal information within 30 days, however, that time period may be extended under PIPEDA for another 30 days in certain circumstances.
The SJAI is not required by law to permit access to personal information kept in our files. Where we refuse such a request we will, within the period referred to in para. 9.4, provide reasons and will advise the individual of his or her recourse under applicable privacy laws.
An individual also has the right to request, in writing, that the SJAI correct personal information that the SJAI has in its custody and control. The SJAI shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to the accuracy or completeness shall be noted in the individual’s file. Where appropriate, the SJAI shall transmit to third parties that were given access to the personal information in question any amended information or will inform them the existence of any unresolved differences.
Principle 10 – Challenging Compliance
An individual customer or employee shall be able to address a challenge concerning compliance with the provisions of this policy to the SJAI’s privacy officer.
The SJAI shall maintain procedures for addressing and responding that all inquiries or complaints from its employees and customers about the SJAI’s handling of personal information.
The SJAI will inform its employees, clients, and other individuals who make inquires or complaints, about the existence of these procedures as well as the availability of complaint procedures.
The SJAI shall investigate all written complaints concerning compliance with this policy. If a complaint is found to be justified, SJAI shall take appropriate measures to resolve the complaint.
If an individual is not satisfied with the response from the SJAI’s Privacy Officer, he or she may have recourse to additional remedies under applicable privacy legislation.
Any individual who has an inquiry or complaint may contact our Privacy Officer:
Angela McLean
Saint John Airport Inc.
4180 Loch Lomond Road
Saint John, NB
E2N 1L7
Telephone: 506-638-5578
Facsimile: 506-638-5550
E-Mail:
Effective Date and Amendment
This policy is effective as of l , 2004. The SJAI reserves the right to amend this policy from time to time for any reason.
