PRIVACY POLICY

1.     Summary Statement

This Policy sets forth Zuptu’s requirements for privacy practices applicable to Zuptu, consistent with the expectations and plans of Zuptu, and in consideration of IsoCapt LLC' requirements. Zuptu is committed to respecting and protecting the privacy and security of Personal Information of individuals with whom it interacts, ensuring compliance with applicable law and Zuptu’s policies, standards, frameworks, and guidelines.

2.    Objectives

The objectives of this Policy are to:

  • Outline Zuptu’s practices for collecting, using, and disclosing the Personal Information of individuals who interact with Zuptu;
  • Minimize the exposure and risk to Zuptu of potential reputational, regulatory, civil or other damages resulting from a breach of privacy legislation; and
  • Outline the appointment and role of Zuptu’s Privacy Officer and the situations in which he/she should be contacted.

3.    Scope

This Policy applies to Employees, Contractors, and Consultants.

This Policy governs the use of the Personal Information of any individuals in any sort of engagement with Zuptu, including suppliers, directors, officers, permanent and temporary Employees, Contractors, or Consultants, volunteers, landowners, customers, and any other individuals from whom Zuptu may obtain Personal Information. All Managers and Supervisors are expected to become familiar with, support, and oversee privacy compliance.

4.    Definitions

Capitalized terms used herein have their meanings set forth in the Master Glossary.

Management

Employees in Zuptu who are in a supervisory capacity, in accordance with the Limits of Authority Standard.

Personal Information

Any information about an identifiable individual or that permits an individual to be identified, such as name, date of birth, marital status, dependents, beneficiaries, home or mailing address, personal telephone numbers, personal email addresses, emergency contact information, social insurance number, bank account numbers, other ID numbers, income, employment or education history, credit records, loan records, medical records, and financial history. It does not include an individual’s business contact information (i.e., name, title, business telephone number, address, e-mail address or fax number) when that information is used to contact an individual in relation to his/her business responsibilities.

Privacy Officer

A role appointed to serve as the primary contact for privacy issues related to Zuptu’s operations.

5.    Requirements

5.1        Purposes for Collection, Use, and Disclosure

Zuptu will obtain consent from the individual prior to the collection, use, and/or disclosure of Personal Information, and will identify the purpose of such collection unless otherwise permitted by law. Personal Information collection will be restricted to the information required for business purposes and will be collected, to the extent possible, directly from the individual concerned. Zuptu does not sell, trade, barter, transfer, or exchange for consideration any Personal Information it has obtained.

Personal Information may be subject to transfer to another entity in the event of a change of ownership of all or part of Zuptu. This will only occur if the parties in the change of ownership transaction have entered into an agreement under which the collection, use, and disclosure of the information is restricted to purposes that are related to the business transaction and will be used by the parties to carry out and complete the business transaction.

Zuptu may disclose Personal Information to organizations that perform services on behalf of Zuptu. Personal Information will only be disclosed to organizations that provide services to Zuptu and that agree to use the Personal Information solely for the purposes of providing services to Zuptu and to otherwise adhere to this Policy.

5.2       Deemed Consent

When an individual voluntarily provides Personal Information for a particular purpose, and it is reasonable that he/she would do so, Zuptu may take the view that the individual has provided consent. If Personal Information is voluntarily provided in accordance with applicable law, Zuptu is entitled to act on that individual’s consent and consider that the individual has consented to the collection, use, or disclosure of Personal Information, as necessary, to carry out the purposes for which the information was provided, in accordance with this Policy.

5.3       Refusal of Consent

If an individual does not wish to consent to the collection, use, or disclosure of Personal Information, they should not provide any Personal Information to Zuptu. However, as certain agreements can only be completed and performed if Personal Information is provided, a failure to provide Personal Information may preclude Zuptu from concluding such contracts. 

5.4       Collection, Use, and Disclosure without Consent

Pursuant to applicable law, Zuptu may collect, use, and disclose Personal Information without consent in the following scenarios.

    5.4.1         For Employees Following Notification

The law allows Zuptu to collect, use, and disclose Personal Information about an Employee without the consent of the Employee as long as the individual is an Employee of Zuptu or if the collection is for the purpose of recruiting a potential Employee, and if:

  • The collection, use, or disclosure is reasonable for the purposes for which it is being collected, used, or disclosed;
  • The information is related to a potential or actual employment relationship with Zuptu; and
  • Zuptu has, with current Employees, provided notification of the collection, use, or disclosure of the information and the purposes for doing so.

    5.4.2        Circumstances without Consent

There are circumstances in which the collection, use, or disclosure of Personal Information without consent may be justified, permitted, or obligated. These include:

  • Where authorized or required by law or by order of a court, administrative agency, or other governmental entity;
  • Where a reasonable person would consider that the collection, use, or disclosure of the information is clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way, or the individual would not reasonably be expected to withhold consent;
  • Where the collection, use, or disclosure of the information is reasonable for the purposes of an investigation or proceeding;
  • Where the information is publicly available;
  • Where the collection, use, or disclosure of the information is necessary in order to collect a debt owed to Zuptu, or for Zuptu to repay to an individual money owed by Zuptu;
  • Where the disclosure of the information is necessary to determine the individual's suitability to receive an honour, award, or similar benefit, including an honorary degree, scholarship, or bursary that the individual applied for;
  • Where the disclosure of the information is for the purposes of protecting against fraud, or for the prevention, detection, or suppression of fraud; and
  • Where it is necessary to permit Zuptu to pursue available remedies or limit any damages that it may sustain.

The obtaining of access of Personal Information is done in accordance with the Business Record Access Standard.  Where obliged or permitted to disclose information without consent, Zuptu will not disclose more information than is required.

5.5       Personal Information of Employees

Zuptu collects Personal Information about its Employees in an employment file. The information collected and purposes for it can be found in the Employee Personal Information Guideline. Most of the information is either required by law, or used to properly identify Employees. Zuptu relies on Employees to update their own Personal Information.

5.6       Third Parties

All persons and organizations collecting information on Zuptu’s behalf, including third parties, are expected to adhere to privacy principles, applicable law, and this Policy. On occasion, Zuptu may use third-party service providers in and outside Canada and will ensure that such third parties are aware of this Policy and applicable law with respect to Personal Information. Zuptu will ensure that Personal Information will be transferred securely and the collection, use, and disclosure, if applicable, will be restricted by the stated purpose. If Personal Information is transferred to a jurisdiction outside of Canada, the law of the foreign jurisdiction will likely apply. In such instances, the Privacy Officer will have more detailed information in respect to these arrangements.

5.7       Computer and Email Use

Zuptu owns the computer systems that Employees, Contractors, and Consultants use in the course of business. Zuptu has the right and ability to monitor and review use of Zuptu’s system by all individuals. Please refer to the Information Security Policy for additional information.

5.8       Security of Personal Information

Zuptu strives to maintain adequate physical, procedural, and technical security with respect to its offices and information storage facilities, in order to prevent any loss, misuse, unauthorized access, disclosure, or modification of Personal Information.

Access to Personal Information is restricted to Employees, Contractors, and Consultants that require it to perform special services and fulfil obligations. 

    5.8.1         Employment Files

Employment files are securely maintained in the Human Resources department of Zuptu. Zuptu only shares Personal Information with Employees, Contractors, and Consultants, who are involved in payroll, hiring, promotions, discipline, termination, or auditing those functions. Personal Information in physical form is kept in secure, locked offices and electronic information is maintained in secure files with limited access.

    5.8.2        Access to Personal Information

The law permits individuals to submit written requests to Zuptu to provide them with:

  • Access to their Personal Information that is under the custody or control of Zuptu;
  • Information about the purposes for which their Personal Information that is under the custody or control of Zuptu has been and is being used; and
  • The names of organizations or persons to whom, and the circumstances in which, Personal Information has been and is being disclosed by Zuptu.

Details on how to request access to Personal Information can be found in the Employee Personal Information Guideline.

Please note that an individual's ability to access his/her Personal Information under Zuptu’s control is not an absolute right. The law provides that Zuptu must not disclose Personal Information where:

  • The disclosure could reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request;
  • The disclosure would reveal Personal Information about another individual; or
  • The disclosure would reveal the identity of an individual, who has in confidence provided Zuptu with an opinion about another individual and the individual providing the opinion does not consent to the disclosure of his/her identity.

The law also provides that Zuptu may choose not to disclose Personal Information where:

  • The Personal Information is protected by any legal privilege;
  • The disclosure of the information would reveal confidential commercial information, and it is not unreasonable to withhold that information;
  • The Personal Information was collected by Zuptu for an investigation or legal proceeding; and
  • The disclosure of the Personal Information might result in similar information no longer being provided to Zuptu when it is reasonable that it would be provided.

5.9       Retention of Personal Information

Zuptu maintains employment files for as long as an Employee is with Zuptu. Some of the information relating to payroll and compensation must be maintained for seven years after an Employee leaves, as these documents are required by law for audit and tax purposes. Information that is not necessary for audit and taxation purposes is generally destroyed after a period of three years following employment, but may be retained longer where reasonable to do so for business or legal purposes.

Should any consent, where required, to the use, disclosure, or retention of Personal Information be revoked, the law also allows Zuptu to continue to retain the information for as long as is reasonable for legal or business purposes. In the event that revocation of any required consent may have consequences to the individual concerned, Zuptu will advise the individual of the consequences of revoking their consent where it is reasonable to do so.

Please refer to the Information Management Policy for additional information.

5.10   Request for Correction of Personal Information

The law permits individuals to submit written requests to Zuptu to correct errors or omissions in their Personal Information that is in Zuptu’s custody or control. If an individual becomes aware that the information Zuptu has about himself/herself is incorrect, the individual should notify the Human Resources department or the Privacy Officer, who will review the information and take appropriate steps. 

5.11     Privacy Officer

The Privacy Officer serves as the primary contact for privacy issues related to Zuptu’s operations. The Privacy Officer, and other individuals within Zuptu, may be delegated to act on direction from Management or take responsibility for the day-to-day collection and processing of Personal Information. When required, other individuals may be appointed by Management to act in the place of the Privacy Officer. Zuptu has appointed the Director of the Legal department as the Privacy Officer, who can be reached as set forth in Section 0. An individual may contact the Privacy Officer if he/she has any Personal Information inquiries.

5.12    Filing a Complaint

An individual may make a written complaint to the Privacy Officer if he/she is dissatisfied with this Policy or Zuptu’s privacy practices. Any complaint should provide sufficient, precise, and relevant information pertaining to, among others, individuals, dates, places, names, witnesses, numbers, actual or potential violations, and Zuptu so that a reasonable investigation can be conducted. An individual is not expected to prove the truth of the allegation; however, the Complainant needs to demonstrate that there are sufficient grounds for concern. A complaint may be submitted through one of the following means of communication:

(i)           In writing:          Zuptu

7315 Stafford Drive

Council Bluffs, IA 51503

Attention: Trevor Carritt

Privacy Officer (STRICTLY CONFIDENTIAL)

(ii)          By electronic mail to the Privacy Officer at

                                             Trevor.Carritt@zuptu.com

(iii)        By telephone to the Zuptu Ethics Point Compliance Hotline

North American:  402-689-9105

International: +1-402-689-9105

The Privacy Officer will then investigate the matter, which may require the involvement of Zuptu’s Management. The Privacy Officer will report back to the individual and advise him/her of any steps taken to correct the problem. All investigations will be conducted in accordance with the Whistleblower Investigation Framework.

If the individual is still unsatisfied with the response, he/she may choose to make a written complaint to the Information and Privacy Commissioner of Alberta.

If an individual feels reporting to the Privacy Officer is either inappropriate or insufficient to address their concerns, Zuptu’s Whistleblower Policy outlines procedures to file a complaint against the actions of another individual or group of individuals within Zuptu in respect to breaches of any policy or procedure of Zuptu or applicable law.

Powered By Nodlays