Privacy Policy

AURUM GROUP'S PRIVACY POLICY & PRIVACY CODE

1. AURUM GROUP

The Aurum Group of Companies is committed to protecting your right to privacy. The following describes how the personal information, which we collect from you will be handled and your rights to limit use of that information.
Your privacy is of utmost concern to us, and this Privacy Policy manual will explain both your rights and ours. Each employee or representative of the Aurum Group of Companies is responsible for maintaining and protecting all personal information under their control. Each employee or representative has been informed of these responsibilities through this Privacy Policy and our Privacy Code. We have also designated a Chief Privacy Officer to oversee our compliance with PIPEDA, Provincial Private Sector Privacy Laws, US Privacy Laws, and this Privacy Policy.

2. PIPEDA AND WHAT IT MEANS TO US AND YOU

In brief, PIPEDA is the acronym for the Personal Information Protection and Electronic Documents Act, which sets out basic policies for the management of personal information collected, used, and distributed in the private business sector in Canada. It is federal legislation applicable to all provinces in Canada, except where a Province may have adopted similar legislation (see exceptions in Section 3 below).
PIPEDA is an Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act.

Under the Act, organizations must obtain an individual’s consent when collecting, using, or disclosing that information. The individual has the right to access that information held, and to contest the correctness if warranted. The information can only be used for the purpose for which it was originally collected. If we need to or would like to use it for another objective, consent must then be acquired again.
However, not all privacy issues fall under the oversight of the Office of the Privacy Commissioner of Canada under PIPEDA. PIPEDA sets national standards for privacy practices in the private sector.

3. PROVINCIAL LEGISLATIONS SIMILAR TO PIPEDA

Some provinces have comprehensive privacy laws deemed substantially similar to PIPEDA. Organizations subject to a substantially similar provincial privacy law are generally exempt from PIPEDA with respect to the collection, use or disclosure of personal information that occurs within that province.
A provincial privacy law is considered substantially similar to PIPEDA if it:

  • provides equal privacy protection
  • contains the following ten principles of PIPEDA:
      1.  ACCOUNTABILITY
      2. IDENTIFYING PURPOSE
      3. CONSENT
      4. LIMITING COLLECTION
      5.  LIMITING USE, DISCLOSUR, RETENTION
      6. ACCURACY
      7. SAFEGAURDS
      8. OPENNESS
      9. INDIVIDUAL ACCESS
      10. CHALLENGING COMPLIANCE
  • provides for independent oversight and redress with the power to investigate.
  • allows the collection, use and disclosure of personal information only for appropriate or legitimate purposes

The Provinces of Alberta, British Columbia and Quebec have their own private sector comprehensive privacy laws that govern the collection, use or disclosure of personal information that occurs within their Province. However, in these provinces, PIPEDA still applies to transactions involving personal information transferred across borders.

ALBERTA

PERSONAL INFORMATION PROTECTION ACT

Alberta has its own private sector privacy law, the Personal Information Protection Act (PIPA), which is deemed substantially similar to PIPEDA, and is governed by the Office of the Information and Privacy Commissioner of Alberta.
In Alberta, PIPA provides rights to individuals to request access to their personal information collected by private sector organizations. Furthermore, PIPA provides a framework to organizations like ours as to how to collect, use, and disclose such personal information. The purpose of PIPA is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of an individual to have his or her personal information protected and
the need of organizations to collect, use or disclose personal information for purposes that are reasonable. Subject to some exceptions within the Act, the Act applies to every organization and in respect of all personal information.

Under the Act, “personal information” is defined as “information about an identifiable individual”, and “personal employee information” means, in respect of an individual who is a potential, current or former employee of an organization, personal information reasonably required by the organization for the purposes of (i) establishing, managing or terminating an employment or volunteer-work relationship, or (ii) managing a post-employment or post-volunteer-work relationship between the organization and the individual, but does not include personal information about the individual that is unrelated to that relationship.
Sections 5 through 12 herein this Policy set out the framework for our collection, use and disclosure of your personal information in the Province of Alberta.

ALBERTA HEALTH INFORMATION ACT

Alberta also has its own Health Information Act (the HIA). The HIA provides individuals with the right to request access to their own health information in the custody of or under the control of health “custodians” while providing custodians with a framework for conducting the collection, use and disclosure of health information.
There are many organizations that fit within the definition of Custodian under the Act. For our purposes, health services provider who are designated in the regulations as a custodian, or who are within a class of health services providers that is designated in the regulations, such as dentists, denturists and dental hygienists. As Aurum Group works closely with dentists and denturists, we are responsible for any Personal Information we receive from these custodians.
In addition to regulating information access, collection, use and disclosure practices of custodians, HIA also covers the actions of affiliates. Affiliates include employees, volunteers, contractors and agencies under contract to a custodian. Ultimately custodians are responsible for the information collected used or disclosed by their affiliates.

HIA also gives individuals the right to request corrections and to have custodians consider their wishes regarding how much of their health information is disclosed or made accessible through Alberta Netcare, the Provinces electronic health record system.
Sections 4 through 12 herein this Policy set out the framework for our collection, use and disclosure of your personal information in the Province of Alberta.

BRITISH COLUMBIA

PERSONAL INFORMATION PROTECTION ACT

British Columbia has its own private sector privacy law, the Personal Information Protection Act (PIPA), which is deemed substantially similar to PIPEDA, and is governed by the Office of the Information and Privacy Commissioner for British Columbia.

The purpose of PIPA is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. With exceptions set out under PIPA, the Act applies to every organization that collects, uses, and discloses personal information.

Under the Act “personal information” means information about an identifiable individual and includes employee personal information but does not include:

  • (a) contact information, or
  • (b) work product information (information prepared or collected by an individual or group of individuals as a part of the individual’s or group’s responsibilities or activities related to the individual’s or group’s employment or business but does not include personal information about an individual who did not prepare or collect the personal information).

Sections 4 through 12 herein this Policy set out the framework for our collection, use and disclosure of your personal information in the Province of British Columbia.

QUEBEC

LOI SUR LA PROTECTION DES RENSEIGNEMENTS PERSONNELS

Le Québec a sa propre loi pour dans le secteur privé, la Loi Sur La Protection des Renseignements Personnels (la “Loi”) supervisée par le Commissaire d’accès à l’information du Québec.
La présente Loi a pour objet d’établir, pour l’exercice des droits conférés par les articles 35 à 40 du Code civil concernant la protection des renseignements personnels, des règles particulières à l’égard des renseignements personnels relatifs à d’autres personnes qu’une personne recueille, détient, utilise ou communique à des tiers dans le cadre de l’exploitation d’une entreprise au sens
de l’article 1525 du Code civil. La loi s’applique à ces informations quelle que soit la nature de leur support et quelle que soit la forme sous laquelle elles sont accessibles, qu’elles soient écrites, graphiques, enregistrées, filmées, informatiques ou autres.

Récemment, des changements importants aux exigences régissant la collecte, l’utilisation et la communication des renseignements personnels au Québec ont été promulgués. Toute personne exploitant une entreprise au Québec doit établir et mettre en oeuvre des politiques et des pratiques de gouvernance en matière de renseignements personnels qui assurent la protection de ces renseignements.

Ces politiques et pratiques doivent notamment encadrer la conservation et la destruction des informations, définir les rôles et responsabilités des membres de son personnel tout au long du cycle de vie des informations et prévoir un processus de traitement des plaintes concernant la protection des informations.

Les politiques et pratiques doivent également être proportionnées à la nature et à l’étendue des activités de l’entreprise et être approuvées par la personne responsable de la protection des renseignements personnels.

Des informations détaillées sur ces politiques et pratiques, notamment en ce qui concerne le contenu requis en vertu du premier alinéa, doivent être publiées dans un langage simple et clair sur le site Internet de l’entreprise ou, si l’entreprise n’a pas de site Internet, rendues disponibles par tout autre moyen approprié.

Il est obligatoire pour les organismes opérant au Québec de:

  • Désigner un responsable de la protection de la vie privée pour superviser le traitement des informations personnelles;
  • Aviser la Commission d’accès à l’information et les personnes concernées de tout incident lié à la confidentialité, y compris les atteintes à la vie privée et l’accès/l’utilisation/la divulgation non autorisés de renseignements personnels;
  • Tenir un registre de tous les incidents de sécurité pendant une période de cinq ans (sous réserve de l’adoption de la réglementation);
  • Exiger des évaluations des facteurs relatifs à la vie privée (ÉFVP) obligatoires pour le transfert de renseignements personnels à l’extérieur du Québec;
  • Dispositions obligatoires dans tous les contrats d’externalisation;
  • L’adoption de mécanismes de confidentialité par défaut pour les nouvelles technologies.

Toute personne qui recueille des renseignements personnels auprès de la personne concernée doit, lors de la collecte des renseignements et par la suite sur demande, informer cette personne:

  1. des finalités pour lesquelles les informations sont collectées;
  2. des moyens par lesquels les informations sont collectées;
  3. des droits d’accès et de rectification prévus par la loi;
  4. du droit de la personne de retirer son consentement à la communication ou à l’utilisation des renseignements recueillis.

Sur demande, la personne concernée est également informée des renseignements personnels recueillis auprès d’elle, des catégories de personnes qui y ont accès au sein de l’entreprise, de la durée de conservation des renseignements et des coordonnées du responsable de la protection des renseignements personnels.

Les informations doivent être fournies à la personne concernée dans un langage clair et simple, quel que soit le moyen utilisé pour collecter les informations personnelles.

En plus des renseignements qui doivent être fournis conformément à la Loi, toute personne qui recueille des renseignements personnels auprès de la personne concernée au moyen d’une technologie comportant des fonctions permettant d’identifier, de localiser ou de profiler la personne concernée doit, au préalable, informer la personne:

  1. de l’utilisation de cette technologie;
  2. des moyens disponibles pour activer les fonctions permettant d’identifier, de localiser ou de profiler une personne.

Le « profilage » désigne la collecte et l’utilisation de renseignements personnels pour évaluer certaines caractéristiques d’une personne physique, notamment dans le but d’analyser les performances au travail, la situation économique, la santé, les préférences personnelles, les intérêts ou le comportement de cette personne.

Les articles 4 à 12 de la présente politique définissent le cadre de notre collection, utilisation et divulgation de vos informations personnelles dans la province de Québec.

ACT RESPECTING THE PROTECTION OF PERSONAL INFORMATION IN THE PRIVATE SECTOR

Quebec has its own private sector privacy laws, the Act Respecting the Protection of Personal Information in the Private Sector (the “Act”) overseen by the Commissioner d’accès à l’information du Québec.

The object of this Act is to establish, for the exercise of the rights conferred by articles 35 to 40 of the Civil Code concerning the protection of personal information, particular rules with respect to personal information relating to other persons which a person collects, holds, uses or communicates to third persons in the course of carrying on an enterprise within the meaning of article 1525 of the Civil Code. The Act applies to such information whatever the nature of its medium and whatever the form in which it is accessible, whether written, graphic, taped, filmed, computerized, or other.

Recently, significant changes to the requirements governing the collection, use, and communication of personal information in Québec have been enacted.

Any person carrying on an enterprise in Québec must establish and implement governance policies and practices regarding personal information that ensure the protection of such information. Such policies and practices must, in particular, provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the members of its personnel throughout the life cycle of the information and provide a process for dealing with complaints regarding the protection of the information. The policies and practices must also be proportionate to the nature and scope of the enterprise’s activities and be approved by the person in charge of the protection of personal information.

Detailed information about those policies and practices, in particular as concerns the content required under the first paragraph, must be published in simple and clear language on the enterprise’s website or, if the enterprise does not have a website, made available by any other appropriate means.

It is mandatory for organizations operating in Québec to:

  • Designate a privacy officer to oversee the handling of personal information;
  • Notify the Commission d’accès à l’information and affected individuals of any confidentiality incidents, including privacy data breaches and the unauthorized access/use/disclosure of personal information;
  • Keep a record of all security incidents for a period of five years (subject to regulation’s adoption);
  • Require mandatory Privacy Impact Assessments (PIA) for the transfer of personal information outside of Québec;
  • Mandatory provisions within all outsourcing contracts;
  • The adoption of privacy by default mechanisms for new technologies.

Any person who collects personal information from the person concerned must, when the information is collected and subsequently on request, inform that person:

  1. of the purposes for which the information is collected;
  2. of the means by which the information is collected;
  3. of the rights of access and rectification provided by law; and
  4. of the person’s right to withdraw consent to the communication or use of the information collected.

On request, the person concerned is also informed of the personal information collected from him, the categories of persons who have access to the information within the enterprise, the duration of the period of time the information will be kept, and the contact information of the person in charge of the protection of personal information.

The information must be provided to the person concerned in clear and simple language, regardless of the means used to collect the personal information.

In addition to the information that must be provided in accordance with the Act, any person who collects personal information from the person concerned using technology that includes functions allowing the person concerned to be identified, located or profiled must first inform the person:

  1. of the use of such technology; and
  2. of the means available to activate the functions that allow a person to be identified, located or profiled.

“Profiling” means the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour.

Sections 4 through 12 herein this Policy set out the framework for our collection, use and disclosure of your personal information in the Province of Quebec.

In addition to more comprehensive privacy laws that apply to organizations in B.C., Alberta and Quebec, there are also four provincial health information laws that are considered substantially similar to PIPEDA. These laws apply to personal health information within their respective provinces:

  • New Brunswick: Personal Health Information Privacy and Access Act
  • Newfoundland and Labrador: Personal Health Information Act
  • Nova Scotia: Personal Health Information Act
  • Ontario: Personal Health Information Protection Act

Sections 4 through 12 herein this Policy set out the framework for our collection, use and disclosure of your personal information in those Provinces.

GOVERNMENT OF CANADA DIGITAL CHARTER

The Government of Canada has announced its Digital Charter and launched its National Digital and Data consultations by publishing an accompanying paper entitled Strengthening Privacy for the Digital Age, which included numerous recommendations for amending PIPEDA.

In its Digital Charter, the Government of Canada tackles digital and data transformation, setting out its ten principles to guide amendments to PIPEDA. The proposed amendments include:

  1. Enhancing the control and transparency that individuals have over their personal information by requiring specific standardized plain language information on its use;
  2. Providing data mobility opportunities to support greater individual control over data and promotion of consumer choice; and
  3. Strengthening enforcement mechanisms, including enhanced penalties for non-compliance.

The Prime Minister’s Office has delivered a mandate letter to the Minister of Innovation, Science and Industry, outlining a number of data protection initiatives for the Ministry, to potentially include:

  1. Advancing Canada’s Digital Charter;
  2. Enhancing the power of the Office of Privacy Commissioner of Canada, such as adding the ability to award administrative monetary penalties, creating new offences, or providing additional oversight by the Federal Court of Canada to incentivize compliance;
  3. Establishing a new set of rights for individuals online, including:
    • Data portability/privacy; and
    • The right to be forgotten.
  4. Enhancing knowledge of how personal data is being used; and
  5. Creating new regulations for large digital companies to protect personal data and to encourage greater competition in the digital space.

Each of these amendments, if implemented, have the potential to effect a fundamental change in the way we would be able to collect, use, and disclose personal information. These amendments would serve to better align us with the data protection regime in the European Union under the General Data Protection Regulation (GDPR); to better allow for free data exchanges between the EU and Canada, with the exception of employee data and under certain conditions.

We will stay on top of these announcements by the Canadian Government and revise our Privacy policy accordingly when these Privacy changes come to PIPEDA.

THE USA: Health Insurance Portability and Accountability Act (HIPAA)

The Privacy rules in the USA under HIPAA address patient privacy issues and regulate how private health information can be used and disclosed. This private health information includes all personal medical records and any other health information that is created or received by a health care provider. As we work closely with dentists to treat their patients, we may come into contact with some of this health information, and as such, we have a duty to protect patient privacy. We have implemented policies and procedures for ensuring proper protection of privacy and data security.

Each employee or representative of the Aurum Group is responsible for maintaining and protecting all personal information under their control. Each employee or representative has been informed of these responsibilities through this Privacy Policy and our Privacy Code. Aurum Group has also designated a Chief Privacy Officer to oversee our compliance with HIPAA and our Privacy Policy.

However, the Privacy Rules under HIPAA do not require that we establish a Business Associate Agreement with our Dentist customers regarding the protected health information, as dental laboratories are defined as “Health Care Providers” under HIPPA, and the “laboratory services” being rendered by us are for “treatment” purposes only and do not include any other administrative services provided on behalf of the dentist.

Moreover, the Aurum Group does not receive the following patient information:

  • a) patients’ telephone numbers
  • b) patients’ addresses
  • c) patients’ medical records
  • d) patients’ personal family information
  • e) or any other personal information belonging to the patient not required for treatment purposes.

The information that we receive from the dentist is limited to:

  • a) the patient’s name
  • b) sometimes gender
  • c) if required, the patient’s health issues used to identify and aid in the treatment of their case.

We do not receive, collect, or maintain:

  • a) patients’ telephone numbers,
  • b) patient addresses,
  • c) patient birth dates,
  • d) patient social security numbers
  • e) patient medical records or
  • f) data directly identifying individuals’ relatives, employers, or household members; such information being defined as the “Protected Health Information”.

Health care providers are allowed under the HIPAA privacy rule to disclose individually identifiable health information to another health care provider as necessary for patient treatment. In the case of a dental laboratory, such treatment includes communication between the dentist or denturist with our dental laboratory, and our actions in providing the prosthesis to the Dentist or Denturist for their patient.

Furthermore, the NADL, the ADA, and the Office of Civil Rights (the Health and Human Services agency charged with HIPAA Privacy Rule enforcement provisions) reinforce the belief that dental laboratories are health care providers, and as such so no Business Associate Agreement is required to share protected health information for treatment purposes.

Concerned US dentists can access the American Dental Associate’s HIPAA Hotline at 312-440-2899, ext.3, for a recorded message explaining that dental laboratories are not business associates and thus no business associate agreements are required.

Although a business associate agreement may not be required between us and the dentist, we are dedicated to preserving the confidentiality of all of our customers, and no privileged doctor-patient confidential information we receive from you will be released without your specific permission.

4. Personal Information

4.1 Collection

The Aurum Group collects personal information by reasonable, lawfully permitted means and thus we limit the collection, use, and disclosure of personal information to that which is reasonably necessary to administer our dental laboratory business.

This may include collection to understand your specific needs, in order to meet legal, regulatory, and contractual requirements, to facilitate the delivery of products and services to you, to maintain your contact information, and to provide information to you.

We will identify the reasons for which we collect your personal information, either before or at the time of collection.

We will only collect, use, and disclose your personal information with your knowledge and consent, except where otherwise permitted or required by law.

Our collection of your personal information will be restricted to what is reasonable and necessary for the reasons identified to you and shall only be collected by reasonable and lawful means, and as per the laws and regulations set under each Province or Territory where the Personal Information is being gathered.

Your personal information will only be used, disclosed, or retained for the purposes for which it was originally collected, unless you have permitted otherwise, or when required or permitted by law.

We will only retain your personal information for the period necessary to fulfill the purposes for which it was collected.

`

a. Personal Information Defined

“Personal Information” can include but ids not limited to, the information provided to us by our customers, employees, suppliers, contractors, and consultants, and may also include customer account information, dentist’s patient health information if required for the treatment of that patient’s case, information customers provide to us during the normal course of communication between dentists and Aurum Group staff.

More specifically what we may collect is dependent upon the party who the information is being collected from and the reason for its collection.

4.2 Forms of Collection

a. Email and Email Campaigns:

If you are a customer of the Aurum Group (dentist, denturist, orthodontist, dental group, etc), prior to marketing to you through email, we will confirm with you that we have your permission to do so. All email campaigns will be compliant with HIPAA and PIPEDA, will comply with Canada’s Anti-Spam Legislation (CASL), as well as any other legislation or regulations applicable to email use in Canada and the USA, and specifically will include the following:

  • a double opt-in where permission to send the email is received both at the time of sign-up with us, and upon receipt of the first message;
  • identification of the message source, and if to USA recipients’, a postal address for the message origin;
  • an “unsubscribe” function; and
  • a contact email address for questions and concerns.

b. The Aurum Group Website:

Prior to collecting any of your personal information through our website, we will explain to you what we intend to do with that information.

4.3 Employees, Suppliers, Consultants, & Contractors

If you are, or are potentially, an employee or contractor/consultant, we collect your name, address, telephone number, and other relevant personal information that may include (if applicable) emergency contacts, family and health benefit information, past employment, educational experience, and evaluative information.

We use your personal information for lawfully authorized purposes relevant to our employment/contracting relationship including:

  • Administration of benefits and payroll
  • Entitlement for benefits, raises, bonuses, and/or promotions
  • Business development and marketing

4.4 Customers

If you are a customer, we may collect information that we require to complete your project satisfactorily. We may collect information about you, and, if applicable, your employees, and/or others associated with your organization (such as contractors or consultants).

These requests may include name, telephone, fax, email address, job title, and any other information that may be required as your project progresses. This information is used for:

  • Confirming your business identity
  • Entering into a service contract with us
  • Development of plans and documents necessary for the satisfactory completion of your project
  • Providing ongoing service in doing a project for you, we may require your patient information, including:
  • The name of your patient
  • If applicable, your patient’s health information provided solely for the purpose of completing the project

5. Consent

Consent is defined as the “voluntary agreement with what is being done or proposed”. Consent can be explicit or implied, or by not opting out. Express consent is given explicitly, either orally or in writing. Express consent is undisputable and does not necessitate any presumption on the part of Aurum Group when seeking the consent. Implied consent occurs where consent may logically be understood from the action or inaction of the individual.

Consistent with privacy principles and applicable legislation, and where reasonably possible, the Aurum Group only collects, uses, or discloses personal information with the consent from the individual. The Aurum Group is careful to select a fair and reasonable form for the consent required in the circumstances.

If you are an employee or contractor/consultant, you are hereby notified that your personal information will be collected, used, and disclosed to establish and generally manage our employee or contractor/consultant relationship and facilitate the completion of projects with third parties. In certain limited circumstances consistent with law and regulation (e.g., legal, medical, or security reasons) personal information can be collected, used, or disclosed without your knowledge or consent.

If you are a customer, you consent to supply certain pertinent personal information. You consent to the use of that personal information to administer, implement, and perform our services as they relate to your project. You also represent that you have obtained the consent required by applicable laws and policies for the disclosure of that personal information.

7. Use & Disclosure of Personal Information

The Aurum Group will not use or disclose Personal Information for purposes other than those for which it was collected, except with your consent or as required by law. Your Personal Information shall be disclosed only to those who have a “need to know” and the specific information shall be restricted to only that information relevant to the recipients’ need to know. Those who need to know may include employees, contractors, consultants, and dental and other health benefit providers. Also, the Personal Information disclosed is limited to only that Personal Information required for the purpose. You may specify any restrictions on the disclosure of your Personal Information to or restrict the content

WE WILL NOT SELL YOUR PERSONAL INFORMATION. We will not use or disclose it to third parties without your knowledge or permission, except in special circumstances, where consent is not required under legislation.

7. When we may use your information without your consent

The Aurum Group may use your Personal Information without your consent or knowledge only where:

  • We have reasonable grounds to believe that the Personal Information could be useful when investigating a contravention of a federal, State, provincial, or foreign law and the information is used for that investigation
  • For an emergency that threatens an individual’s life, health, or security
  • For statistical or scholarly study or research, archival institutions for archival purposes (depending on in which Province or Territory this Personal information is collected, the Aurum Group may be required to notify the Privacy Commissioner of Canada before using the information)
  • If it is publicly available as specified in the applicable legislations
  • If the use is clearly in the individual’s interest and consent is not available in a timely way
  • If knowledge and consent would comprise the availability or accuracy of the information and collection was required to investigate a breach of an agreement or contravention of federal, State, or provincial law

8. When we may disclose your information without your consent

The Aurum Group may disclose your Personal Information without your consent or knowledge only:

  • To a lawyer representing the Aurum Group
  • To collect a debt you may owe to the Aurum Group
  • To comply with a subpoena, a warrant, or an order made by the court or other body with appropriate jurisdiction
  • To the Financial Transaction and Reports Analysis Centre of Canada (FINTRAC) as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, or any other applicable anti-money laundering Act
  • To a government institution that has requested the information, identified its lawful authority to obtain the information, and indicates that disclosure is for the purpose of enforcing, carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law, or suspects that the information relates to national security, the defence of Canada or the conduct of international affairs; or is for the purpose of administering any federal, state, or provincial law
  • To an investigative body named in applicable Regulations of Provincial, Territorial, State, or Federal Acts, as required under applicable Provincial, Territorial, State, or Federal Acts, or any government institution on the Aurum Group’s initiative where the Aurum Group has reasonable grounds to believe that the Personal Information concerns a breach of an agreement, or a contravention of a federal, State, provincial, territorial or foreign law, or suspects the information relates to national security, the defence of Canada or the USA, or the conduct of international affairs
  • If made by an investigative body for the purposes related to the investigation of a breach of an agreement or a contravention of a federal, State, or provincial law
  • In an emergency threatening an individual’s life, health, or security (the organization must inform the individual of the disclosure)
  • For statistical scholarly study or research, or archival institutions for archival purposes (depending on in which Province or Territory this Personal information is collected, the Aurum Group may be required to notify the Privacy Commissioner of Canada before using the information)
  • 20 years after the individual’s death or 100 years after the record was created if in Canada
  • If it is publicly available as specified in the applicable legislations
  • If required by law

We may disclose your personal information as follows:

  • To someone authorized to collect it on your behalf
  • To others within Aurum Group for management and administration of our business relationship
  • For benefits, raises, and payroll purposes

For business development and marketing, we may disclose the information we collect to certain third parties including:

  • Third parties such as contractors, suppliers, and consultants, as required to satisfactorily complete their contractual obligations with you
  • Other business units of Aurum Group to help serve you better

Any information shared will be done so with the condition that they will only use and retain such Personal Information for the specific purpose for which they are engaged by Aurum Group. Any third party to which Aurum Group discloses your Personal Information is required to protect the confidentiality of your Personal Information in a manner consistent with our own internal process, or as required by law.

9. Third Party Transfer

As specified in Section 6 above, from time to time the Aurum Group may retain third parties to help us promote, implement, and administer our services. As such, the Aurum Group may need to transfer to these third parties, Personal information they need to perform their obligations.

“Transfer” is a “use” by an organization and is not to be confused with disclosure. In such cases, the Aurum Group must take all reasonable steps to protect the personal information from unauthorized uses and disclosures while in the hands of the third party. The Aurum Group will thus take all reasonable contractual steps to ensure that a comparable level of personal information protection is provided by these third parties, including restricting their using the information for any other purpose.

When we disclose or provide your personal information to a third party as permitted by these principles, the Aurum Group will require them, by agreement, instruction or otherwise, to comply with the requirements that are embodied in these principles.

We will also ensure that it is satisfied that the third party has similar policies and processes in place, including training of the staff and other effective security measures to ensure that the information in its care is properly safeguarded at all times.

The Aurum Group will also retain the right to audit and inspect how the third party handles and stores the information transferred to them, and we will, if needed, exercise our right to audit and inspect the information.

10. Accuracy

The Aurum Group will make every reasonable effort to ensure that the personal information we obtain from you will be maintained as accurately and completely as necessary for its purpose. Your Personal Information will be verified in our records and updated, if necessary, each time you notify us of a change, and as practical during the course of our business relationship with you.

It is your responsibility to notify us immediately of any change in personal information which you have previously supplied to us. For more information on accuracy of your information, please see Section 10 below.

11. Retention and Security of Your Information

We will only retain your personal information for the period required to fulfill the purposes for which it was collected, or as required by law. We will protect the personal information we collect with security safeguards appropriate to the sensitivity of the information.

The Aurum Group maintains complete records of the storage locations of personal information, both paper and electronic.

The Aurum Group will take appropriate security measures to protect your personal information against loss, theft, unauthorized access or disclosure, improper use, alteration or destruction. We currently employ physical safeguards such as security systems, locked storage on and off-site, locked storage access limited to restricted personnel only, offsite backup, etc.

We also have technological safeguards in place such as, network security, firewalls, antivirus, and encryption, etc. The administrative safeguards we have in place include employee training in privacy issues, circulation and mandatory compliance with Privacy Policies and Privacy Code.

If you are a customer, upon your written and reasonable request, your personal information will be erased from our records, though removal of your personal information from our records may affect our ability to provide you with our services or products.

If you are an employee or contractor/consultant, personal information that is no longer necessary or relevant for the identified purposes or required to be retained by law will be destroyed, erased or made anonymous or unidentifiable. We may retain your personal information for up to seven (7) years.

If you are a customer, personal information that is no longer necessary or relevant for the identified purposes or required to be retained by law will be destroyed, erased or made anonymous or unidentifiable. When seven (7) years have elapsed after the substantial completion of your last contract, all personal information pertaining to you and your employees will be permanently destroyed and erased from our records.

12. Access

You have the right to ask whether we hold any personal information about you, what kind of information we are holding, and what we use and disclose your information for.

You can request access to your personal information maintained by Aurum Group at any time. We will respond to your request within 45 days. There may be a small charge for each request. If charges apply, we will notify you in writing and seek your approval of the charges prior to processing your request.

If you believe any of the information we have collected from you is incorrect or incomplete, you have the right to request us to change it. Where we have obtained medical information about you from a dentist, we will only release this information to you and /or back to the dentist.

You may submit your request in writing to the Aurum Group’s Privacy Officer:

Aurum Group
115-17th Avenue S.W.
Calgary, AB T2S 0A1
Attn: Rita Schlegel
Chief Privacy Officer

Please specify as much as possible which personal information you are requesting. We will respond as quickly as possible, and we will inform you if for some reason we are unable to respond within the 45-day time frame. In certain specific circumstances, we have the legal right to refuse your request for access.

13. Complaint

You may contact us at any time with suggestions, questions, and complaints about our Privacy policy and Privacy Code. If you feel the Aurum Group has not complied with appropriate privacy principles or practices, you may register a privacy-related complaint with our Chief Privacy Officer. You may at such time request that we correct or remedy such non-compliance and we will respond to your complaint promptly once we have had an opportunity to complete an investigation. If a complaint is justified, we will take all reasonable steps to correct the non-compliance, which may include updating our policies and practices at the Aurum Group.

Please address any complaints to:

Aurum Group
115-17th Avenue S.W.
Calgary, AB T2S 0A1
Attn: Rita Schlegel
Chief Privacy Officer

The Aurum Group may from time to time make changes to this privacy policy to reflect changes in its legal or regulatory obligations or in the manner in which we deal with your personal information. Any changes will be effective from the time they are communicated, provided that any change that relates to why we collect, use or disclose your personal information will not apply to you, where your consent is required to such collection, use or disclosure, until we have obtained your consent to such change.

We reserve the right to revise this policy from time to time, as privacy laws and practices evolve and will publish revisions at our earliest reasonable convenience.

Aurum Group © (2023). Reproduction of this work in whole or in part by any means whatsoever is strictly prohibited without the express written consent of the Aurum Group. All rights reserved.

This privacy statement was last reviewed on August 3, 2023 and applies to the Aurum Group Ltd. and its subsidiaries.