HESA is committed to the protection of any and all private data shared by clients and research participants.
The Manager, Academic Program Analysis shall be the designated Privacy Officer responsible for the company’s compliance under this policy. Ultimate responsibility for HESA’s privacy management rests with the President.
The President shall also appoint an Alternate Company Security Officer, as defined by the Government of Canada.
HESA will only collect confidential data and personal information of specific relevance to the project in question and must restrict its use of private data to the purposes initially communicated during data collection or which should be obvious from the manner in which the information was requested.
Personal information is information about an identifiable individual but does not include business contact information such as the name, title, business address or telephone number of an employee of an organization. It also does not include information that cannot be associated with a specific individual, or information that is available in the public domain.
Personal information is information about an identifiable individual but does not include business contact information such as the name, title, business address or telephone number of an employee of an organization. It also does not include information that cannot be associated with a specific individual, or information that is available in the public domain.HESA may collect personal information for the following purposes:
To conduct quantitative and/or qualitative marketing and social research;
To analyse participants’ responses and options and to share such analysis and reports with our clients;
To analyse participants’ opinions to determine suitability for further marketing and social research;
To conduct future surveys or other forms of research such as interviews or focus groups;
To communicate with you by way of regular mailings;
To inform you that you may be a potential winner of a draw; and,
To comply with legal and regulatory requirements.
HESA will only collect personal information by fair and lawful means.
HESA will secure the informed consent of clients and research participants prior to collecting data and personal information. In securing informed consent, HESA will communicate the purposes to which the data will be used, plans to store the data, its commitment to destroying data at project end, and any other elements of these policies considered relevant. HESA will also provide contact information for the Privacy Officer and an invitation to follow up on any questions that may arise.
Consent to participate in research is always voluntary. Providing consent indicates agreement that HESA may collect, use and disclose personal information as set out in these policies or required by law.
Consent can be express, implied or given through an authorised representative such as a lawyer, agent or broker. It may be provided orally, in writing, electronically, by negative option or otherwise.
Participants may withdraw consent at any time, subject to legal or contractual restrictions, and provided that they give reasonable notice of withdrawal of consent. Upon receipt of notice of withdrawal of consent, HESA will inform the participant of likely consequences of withdrawal, which may include the loss of opportunities to participate in future surveys and to enter any relevant draw. Withdrawal of consent should be communicated in writing or orally to the Privacy Officer or the representative implementing the project under the authority of the Privacy Officer.
HESA may collect, use or disclose personal information without the person’s knowledge or consent where: the personal information is publicly available from a public source, such as a public website; we are obtaining legal advice; and we reasonably expect that obtaining consent would compromise an investigation or proceeding. Other exceptions may apply.
HESA will not sell or trade personal information with other persons or organisations except to organisations affiliated with the organisation including the Company’s clients.
Otherwise HESA may only disclose personal information when required by law, for example to comply with valid legal processes such as a subpoena or a court order, or where failure to disclose may put someone’s personal safety at risk.
HESA will separate personally identifying information from data collected except when otherwise authorised by the research participant, and will not collect personally identifying information at all if this is not necessary for research objectives.
Private, non-anonymised digital data will be stored in the HESA filing system in files only accessible to system managers and staff directly involved in the research in question, or in online services such as the survey tool with access restricted to system managers and those staff directly involved in the research in question. Where relevant, files and online materials will be password protected, including using HESA password management software.
Where HESA must transmit private information by email, it will do so in an encoded document, providing the password separately by phone or text message.
Private data in physical form will be protected in a locked space or compartment, with access only given to those authorized by the President and the Alternate Company Security Officer.
HESA will only communicate personal information to clients in aggregate form, such that it is impossible to identify an individual respondent’s personal information. Only in exceptional cases will HESA share individuals’ responses to a particular survey, and in such cases only when information that could be used to identify an individual respondent is removed by the Company prior to disclosure.
HESA will destroy, erase or anonymise any and all private research data within six (6) months of project completion as confirmed by submission of the final output or the client’s final payment – whichever occurs later.
In the event that HESA requires the services of a third party for the collection or analysis of personal information, HESA will only provide to the third-party information necessary for research purposes and will ensure the information is returned or destroyed once the purpose for which it was given is fulfilled. The Company will ensure that the third party adheres to privacy procedures at least as strict as these and will keep the personal information confidential.
HESA will make every reasonable effort to ensure that private information it collects and uses is accurate and complete. Where, whether from the information provider or by some other means, it becomes clear that personal information is inaccurate or incomplete, HESA will amend the information as required and send amended information to any third parties to whom the information has been disclosed. Where a request to modify information is not approved, HESA will annotate the relevant data to indicate a correction was requested but not made.
HESA’s President and/or Privacy Officer will conduct investigations where the Company has reasonable grounds to believe that personal information is being inappropriately collected, used or disclosed.
HESA will provide its privacy and data management policies on its website and in writing to all HESA clients at project initiation.
HESA will respond to requests for information on its privacy and data addressed to the Privacy Officer, but reserves the right to refuse to disclose sensitive information to ensure the integrity of security procedures.
Persons who provide personal information to HESA have the right to access that information. Upon written request and authentication of identity, HESA will provide a summary of personal information in the company’s possession, a description of how that information is being used, and a list of individuals and organisations to whom the information has been disclosed. Information will be provided within 30 days of the request or provide written notice where additional time is required.
HESA may charge a reasonable fee to provide information in response to an access request and will provide an estimate of any such fee upon receipt of an access to information request. HESA may further require a deposit of all or part of this fee prior to providing the information.
HESA may not be able to provide access to certain personal information in some cases, such as when disclosure would reveal personal information about a third party or commercial information that could harm the Company’s competitive position, or where restricted by law from providing access. Where an access request is refused, HESA will notify the relevant person in writing, document the reasons for refusal and outline further available steps.