Privacy Policy
Privacy Policy
Introduction
Fortify Network Solutions, referenced within this document simply as Fortify, provides a broad range of IT services to business clients. We are a Managed Service Provider and a significant part of our business model is SECURITY and keeping your data secure.
Fortify is committed to maintaining the privacy, confidentiality, security and accuracy of client and employee personal information.
In 1996, the Canadian Standards Association Model Code for the Protection of Personal Information, CAN/CSA-Q830-96 (the "CSA Code"), was published as a National Standard of Canada. Subsequently, the CSA Code was largely incorporated into the Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5, as amended ("PIPEDA").
The Fortify Privacy Policy ("Privacy Policy") is a formal statement of principles and guidelines concerning the minimum requirements for the protection of personal information provided by Fortify to their clients and employees. The objective of the Privacy Policy is responsible and transparent practices in the management of personal information, in accordance with the CSA Code and federal legislation.
Fortify will continue to review the Privacy Policy at least every five years to make sure it is relevant and remains current with changing technologies and laws and the evolving needs of Fortify, our clients and employees.
Summary of Principles
Principle 1 - Accountability
Fortify is responsible for personal information under their control and shall designate one or more persons who are accountable for compliance with the following principles.
Principle 2 - Identifying Purposes for Collection of Personal Information
Fortify will identify the purposes for which personal information is collected at or before the time the information is collected.
Principle 3 - Obtaining Consent for Collection, Use or Disclosure of Personal Information
The knowledge and consent of a client or employee is required for the collection, use, or disclosure of personal information, except where inappropriate.
Principle 4 - Limiting Collection of Personal Information
Fortify will limit the collection of personal information to that which is necessary for the purposes identified. Fortify will collect personal information by fair and lawful means.
Principle 5 - Limiting Use, Disclosure and Retention of Personal Information
Fortify will not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Fortify shall retain personal information only for as long as is necessary for the fulfillment of those purposes.
Principle 6 - Accuracy of Personal Information
Personal information shall be as accurate, complete, and up to date as is necessary for the purposes for which it is to be used.
Principle 7 - Security Safeguards
Fortify will protect personal information by security safeguards appropriate to the sensitivity of the information.
Principle 8 - Openness Concerning Policies and Practices
Fortify will make readily available to clients and its employees’ specific information about their policies and practices relating to the management of personal information.
Principle 9 – Client and Employee Access to Personal Information
Fortify will inform a client or employee of the existence, use, and disclosure of his or her personal information upon request and will give the individual access to that information. A client or employee shall be able to challenge the accuracy and completeness of the information and to have it amended as appropriate.
Principle 10 - Challenging Compliance
A client or employee shall be able to address a challenge concerning compliance with the above principles to the designated group accountable for Fortify’s compliance with the Privacy Policy.
Definitions
Collection - the act of gathering, acquiring, recording or obtaining personal information from any source, including third parties, by any means.
Consent - voluntary agreement with the collection, use and disclosure of personal information for defined purposes. Consent can be either express or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically, or in writing but is always unequivocal and does not require any inference on the part of Fortify. Implied consent is consent that can reasonably be inferred from an individual's action or inaction.
Client - an individual who uses, or applies to use, Fortify products or services or otherwise provides personal information to Fortify during the course of Fortify’s commercial activities.
Disclosure - making personal information available to a third party.
Employee - an employee of Fortify.
Personal information - information about an identifiable individual, but not aggregated information that cannot be associated with a specific individual. For a client, such information includes a client's credit information, billing records, service and equipment, and any recorded complaints. For an employee, such information includes information found in personal employment files, performance appraisals and medical and benefits information.
Third party - an individual other than the client or his agent or an organization other than Fortify.
Use - the treatment, handling, and management of personal information by Fortify.
Privacy Policy in Detail
Scope and Application
The ten principles that form the basis of the Privacy Policy are interrelated and Fortify will adhere to the ten principles as a whole. Each principle must be read in conjunction with the accompanying commentary. As permitted by PIPEDA, the commentary in the Privacy Policy has been tailored to reflect personal information issues specific to Fortify.
The scope and application of the Privacy Policy are as follows:
The Privacy Policy applies to personal information about clients and employees of Fortify that is collected, used, or disclosed by Fortify.
The Privacy Policy applies to the management of personal information in any form, whether oral, electronic, or written.
The Privacy Policy does not impose any limits on the collection, use or disclosure of the following information by Fortify:
information that is publicly available; or
the name, title or business address or telephone number of an employee of an organization.
The application of the Privacy Policy is subject to the requirements or provisions of any applicable legislation, regulations, tariffs or agreements, or the order or determination of any court or other lawful authority.
Principle 1 - Accountability
Fortify is responsible for personal information under their control and shall designate one or more persons who are accountable for compliance with the following principles.
1.1 Responsibility for ensuring compliance with the provisions of the Privacy Policy rests with the senior management of Fortify, which shall designate one or more persons to be accountable for compliance with the Privacy Policy. Other individuals within Fortify may be delegated to act on behalf of the designated person(s) or to take responsibility for the day-to-day collection and processing of personal information.
1.2 Fortify will make known, upon request, the titles of the group members designated to oversee Fortify’s compliance with the Privacy Policy. Fortify has designated a Privacy Group to oversee compliance with the Privacy Policy.
1.3 Fortify is responsible for personal information in their possession or control, including information that has been transferred to a third party for processing. Fortify will use appropriate means to provide a comparable level of protection while information is being processed by a third party (see Principle 7).
1.4 Fortify has implemented policies and procedures to give effect to the Privacy Policy, including:
implementing procedures to protect personal information and to oversee Fortify’s compliance with the Privacy Policy;
establishing procedures to receive and respond to inquiries or complaints;
training and communicating to staff about Fortify’s policies and practices; and
developing public information to explain Fortify’s policies and practices.
Principle 2 - Identifying Purposes for Collection of Personal Information
Fortify will identify the purposes for which personal information is collected at or before the time the information is collected.
2.1 Fortify collects personal information only for the following purposes:
To establish and maintain responsible commercial relations with clients and to provide ongoing service;
To understand client needs;
To develop, enhance, market or provide products and services;
To manage and develop their business and operations, including personnel and employment matters; and
To meet legal and regulatory requirements.
Further references to "identified purposes" mean the purposes identified in this Principle 2.1.
2.2 Fortify will specify orally, electronically or in writing the identified purposes to the client or employee at or before the time personal information is collected. Upon request, persons collecting personal information shall explain these identified purposes or refer the individual to a designated person within Fortify who will explain the purposes.
2.3 Unless required by law, Fortify will not use or disclose, for any new purpose, personal information that has been collected without first identifying and documenting the new purpose and obtaining the consent of the client or employee.
2.4 Fortify may use Google Analytics on its websites for the purposes of analyzing how visitors use the site. The anonymous statistics gathered assist in website personalization and support tasks. Fortify websites include, but are not limited to, Fortify.ca and will collectively be referred to as “Fortify Sites.”
As members of the public browse Fortify Sites, Google Analytics places “cookies” on a user’s computer, which are text files that contain anonymized log and visitor behavior information and may in the future include limited demographic information such as age, gender, and interests.
This information will not be used to identify individual users, either by itself or in conjunction with other information. Using appropriate settings found in their internet browsers, or tools available through Google, users may opt out of receiving cookies while visiting Fortify Sites. In doing so, users acknowledge that this may limit the functionality of Fortify Sites.
Google Ad Settings: https://adssettings.google.com/
Principle 3 - Obtaining Consent for Collection, Use or Disclosure of Personal Information
The knowledge and consent of a client or employee is required for the collection, use or disclosure of personal information, except where inappropriate.
3.1 In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual. For example, Fortify may collect or use personal information without knowledge or consent if it is clearly in the interests of the individual and consent cannot be obtained in a timely way, such as when the individual is a minor, seriously ill or mentally incapacitated.
Fortify may also collect, use, or disclose personal information without knowledge or consent if seeking the consent of the individual might defeat the purpose of collecting the information, such as in the investigation of a breach of an agreement or a contravention of a federal or provincial law.
Fortify may also use or disclose personal information without knowledge or consent in the case of an emergency where the life, health or security of an individual is threatened.
Fortify may disclose personal information without knowledge or consent to a lawyer representing Fortify, to collect a debt, to comply with a subpoena, warrant or other court order, or as may be otherwise required by law.
3.2 In obtaining consent, Fortify shall use reasonable efforts to ensure that a client or employee is advised of the identified purposes for which personal information will be used or disclosed. Purposes shall be stated in a manner that can be reasonably understood by the client or employee.
3.3 Generally, Fortify will seek consent to use and disclose personal information at the same time they collect the information. However, Fortify may seek consent to use and disclose personal information after it has been collected but before it is used or disclosed for a new purpose.
3.4 Fortify will require clients to consent to the collection, use or disclosure of personal information as a condition of the supply of a product or service only if such collection, use or disclosure is required to fulfill the identified purposes.
3.5 In determining the appropriate form of consent, Fortify shall take into account the sensitivity of the personal information and the reasonable expectations of their clients and employees.
3.6 In general, the use of products and services by a client, or the acceptance of employment or benefits by an employee, constitutes implied consent for Fortify to collect, use and disclose personal information for all identified purposes.
3.7 A client or employee may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Clients and employees may contact Fortify for more information regarding the implications of withdrawing consent.
Some specific examples of how we use collected information:
Create and manage client services;
Activate services on both proprietary and third-party infrastructure;
Send statements, invoices, and receipts;
Respond to billing and technical support inquiries;
Analyze data to monitor company growth and improve client experience;
Occasional notifications regarding service changes or marketing opportunities;
Examples of how we may share information with third party partners include:
Ordering or disconnecting service;
Initiating trouble ticket;
Providing client support;
Submitting information to collections agency
Examples of how we may disclose information to meet legal obligations include:
As required by law (e.g. to comply with a valid subpoena or another legal process);
When there is legitimate reason to believe that the disclosure is necessary to protect an individual's safety;
To respond to a government or emergency services request
Principle 4 - Limiting Collection of Personal Information
Fortify will limit the collection of personal information to that which is necessary for the purposes identified. Fortify will collect personal information by fair and lawful means.
4.1 Fortify collects personal information primarily from their clients or employees.
4.2 Fortify may also collect personal information from other sources including credit bureaus, employers or personal references, or other third parties that represent that they have the right to disclose the information.
Principle 5 - Limiting Use, Disclosure and Retention of Personal Information
Fortify will not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Fortify will retain personal information for only as long as is necessary for the fulfillment of those purposes.
5.1 In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual. (See Principle 3.1)
5.2 In addition, Fortify may disclose a client's personal information to:
Our partner service providers for the efficient and effective provision of managed IT services;
another entity for the development, enhancement, marketing or provision of any of the products or services of Fortify;
an agent retained by Fortify in connection with the collection of the client's account;
credit grantors and reporting agencies;
a person who, in the reasonable judgment of Fortify, is seeking the information as an agent of the client; and
a third party or parties, where the client consents to such disclosure or disclosure is required by law.
5.3 Fortify may disclose personal information about their employees:
for normal personnel and benefits administration;
in the context of providing references regarding current or former employees in response to requests from prospective employers, to the extent that such references are granted at all; or
where disclosure is required by law.
5.4 Only those employees of Fortify who require access for business reasons, or whose duties reasonably so require, are granted access to personal information about clients and employees.
5.5 Fortify will keep personal information only as long as it remains necessary or relevant for the identified purposes or as required by law. Depending on the circumstances, where personal information has been used to make a decision about a client or employee, Fortify shall retain, for a period of time that is reasonably sufficient to allow for access by the client or employee, either the actual information or the rationale for making the decision.
5.6 Fortify will maintain reasonable and systematic controls, schedules and practices for information and records retention and destruction which apply to personal information that is no longer necessary or relevant for the identified purposes or required by law to be retained. Such information shall be destroyed, erased or made anonymous.
Principle 6 - Accuracy of Personal Information
Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
6.1 Personal information used by Fortify will be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about a client or employee.
6.2 Fortify will update personal information about clients and employees as and when necessary to fulfill the identified purposes or upon notification by the individual.
Principle 7 - Security Safeguards
Fortify will protect personal information by security safeguards appropriate to the sensitivity of the information.
7.1 Fortify will protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, through appropriate security measures. Fortify shall protect the information regardless of the format in which it is held.
7.2 Fortify will protect personal information disclosed to third parties by contractual agreements stipulating the confidentiality of the information and the purposes for which it is to be used.
7.3 All employees of Fortify with access to personal information shall be required as a condition of employment to respect the confidentiality of personal information.
Principle 8 - Openness Concerning Policies and Practices
Fortify will make readily available to clients and employees specific information about their policies and practices relating to the management of personal information.
8.1 Fortify will make information about its policies and practices easy to understand, including:
The title and address of the person or persons accountable for Fortify‘s compliance with the Privacy Policy and to whom inquiries or complaints can be forwarded;
The means of gaining access to personal information held by Fortify; and
A description of the type of personal information held by Fortify, including a general account of its use.
8.2 Fortify will make available information to help clients and employees exercise choices regarding the use of their personal information and the privacy-enhancing services available from Fortify.
Principle 9 - Client and Employee Access to Personal Information
Fortify will inform a client or employee of the existence, use and disclosure of his or her personal information upon request and shall give the individual access to that information. A client or employee shall be able to challenge the accuracy and completeness of the information and to have it amended as appropriate.
9.1 Upon request, Fortify will afford to a client or an employee a reasonable opportunity to review the personal information in the individual's file. Personal information shall be provided in understandable form within a reasonable time and at minimal or no cost to the individual.
9.2 In certain situations, Fortify may not be able to provide access to all the personal information that they hold about a client or employee. For example, Fortify may not provide access to information if doing so would likely reveal personal information about a third party or could reasonably be expected to threaten the life or security of another individual. Also, Fortify may not provide access to information if disclosure would reveal confidential commercial information, if the information is protected by solicitor-client privilege, if the information was generated in the course of a formal dispute resolution process, or if the information was collected in relation to the investigation of a breach of an agreement or a contravention of a federal or provincial law. If access to personal information cannot be provided, Fortify shall provide the reasons for denying access upon request.
9.3 Upon request, Fortify will provide an account of the use and disclosure of personal information and, where reasonably possible, shall state the source of the information. In providing an account of disclosure, Fortify will provide a list of organizations to which it may have disclosed personal information about the individual when it is not possible to provide an actual list.
9.4 In order to safeguard personal information, a client or employee may be required to provide sufficient identification information to permit Fortify to account for the existence, use and disclosure of personal information and to authorize access to the individual's file. Any such information shall be used only for this purpose.
9.5 Fortify will promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the individual's file. Where appropriate, Fortify will transmit to third parties having access to the personal information in question any amended information or the existence of any unresolved differences.
9.6 A client can obtain information or seek access to his or her individual file by contacting a client service representative at 1-866-435-7717.
9.7 An employee can obtain information or seek access to his or her individual file by contacting his or her immediate supervisor within Fortify.
Principle 10 - Challenging Compliance
A client or employee shall be able to address a challenge concerning compliance with the above principles to the designated person or persons accountable for Fortify’s compliance with the Privacy Policy.
10.1 Fortify will maintain procedures for addressing and responding to all inquiries or complaints from their clients and employees about Fortify’s handling of personal information.
10.2 Fortify will inform their clients and employees about the existence of these procedures as well as the availability of complaint procedures.
10.3 The person or persons accountable for compliance with the Privacy Policy may seek external advice where appropriate before providing a final response to individual complaints.
10.4 Fortify will investigate all complaints concerning compliance with the Privacy Policy. If a complaint is found to be justified, Fortify will take appropriate measures to resolve the complaint including, if necessary, amending its policies and procedures. A client or employee shall be informed of the outcome of the investigation regarding his or her complaint.
For inquiries, complaints or more information contact:
Changes to our Privacy Policy
We may occasionally update our Privacy Policy to keep it up to date. Whenever we update the policy, we will provide notice on this website and may also notify you by email prior to the change taking effect. Site visitors and Fortify clients are encouraged to occasionally visit this page to review the most current copy of our Privacy Policy. By continuing to visit our website or use our services following any changes, you agree to abide by the updated policy.