Confidentiality and Data Protection Policy
1. Introduction
Confidentiality, privacy, and security are priorities for Thinkmax to ensure the protection of its customers and relevant individuals. The protection of information is a paramount business requirement, but the ability to access information and work effectively is also critical.
This policy outlines behaviors expected of all Thinkmax staff (including employees, temporary and agency workers, contractors, interns, volunteers and apprentices) who handle information.
Thinkmax’s Management board has approved this Policy to apply to all Thinkmax offices and operations in Canada and internationally (the "Group").
2. Purpose
The purpose of this Policy is to establish common and general principles and guidelines for conduct for the Group in order to protect:
- the integrity and confidentiality of business information
- the personal information of individuals
and also to increase all staff’s awareness and understanding of information security and their responsibility to protect the information that they handle.
Confidentiality is a broader concept than data protection but there is overlap between the two areas:
Confidentiality refers to all forms of information, including personal information, but in particular information about Thinkmax and its customers, owners or suppliers. Examples include:
- the terms and conditions of agreements and the fact that we are discussing or negotiating with another person or organization;
- commercial information, e.g. details and results of past, present or future agreements, billing data, margins, costs, or other financial information relating to a particular customer;
- all information, intellectual property rights, know how, ideas, and concepts developed by Thinkmax or its business partners, product and service information, financial information and any other commercially valuable information, including by way of example inventions, concepts, trade secrets, business plans, staff, customer, supplier or investor information, graphs, drawings, designs, formulae, databases, software, code, samples, sales, marketing or promotional material, planned future products or services;
- business opportunities, potential customers, potential partnerships, intermediaries, or financing sources, and possible participation in business transactions.
This includes information held on computer systems, hand-held devices, phones, or paper records, information transmitted orally and other types of information that are shared with us or created by or for us during the course of our business.
Data protection concerns personal information in any form, including any factual or subjective information, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, purchases, online behavior;
- opinions, evaluations, comments, social status, or interests; and
- employee files, credit records, loan records, disputes or intentions (for example, to acquire goods or services, or change jobs).
Personal information that Thinkmax receives may relate to customers, business contacts, or staff, but also data provided or made available to us by our customers in order to provide our services (to which we must give additional protection). Note that identifiers such as cookie and device IDs, user agent, or IP addresses may be personal information, so this concept is broader than just names and addresses or personally identifiable information.
Some information is regarded by law as particularly sensitive. This may include any of the following data types, and if we are asked to process them then the Privacy Officer must be informed:
- social security, driver’s license, identification card, or passport numbers
- account log-ins, financial account, debit card, or credit card numbers
- precise geolocation
- racial or ethnic origin, religious or philosophical beliefs, or trade union membership
- contents of mail, emails, and text messages not directed to Thinkmax
- genetic data
- biometric information
- data concerning a person’s health
- data relating to a person’s sex life or sexual orientation
- personal information relating to criminal convictions and offenses.
3. Compliance with laws and good practices
All Thinkmax and customer information must be treated as commercially valuable and protected from loss, theft, misuse or inappropriate access or disclosure.
In relation to confidential information, Thinkmax must comply with applicable intellectual property and trade secrets laws. In relation to personal information, Thinkmax must comply with privacy or personal information protection laws that apply to us, and respect all rights applicable to the relevant individuals.
Thinkmax must obtain information only from authorized sources that comply with state, provincial, national and international intellectual property and privacy laws. For example, email lists should not be purchased or used without authorization from the Privacy Officer.
Thinkmax also strives to ensure that the principles set out in this Policy are taken into account (i) in provision of our products and services; and (ii) in the implementation and use of any processes, systems, and platforms that allow access to personal information.
4. Use of confidential information and personal information
Confidential information and personal information received by Thinkmax must be collected, used, and disclosed solely for the purpose of fulfilling the requirements of the intended project and not for any other purposes (i.e. not for any personal purpose or for any other work being carried out for Thinkmax or any other customer).
5. Commercially sensitive information
Thinkmax must keep dealings with each of our customers confidential. This means that commercially sensitive information such as pricing, costs, performance, profitability, etc. should not be shared with external third parties, but also not with colleagues, even in the same department.
Unless authorized by a manager, no Thinkmax employee should reveal customer or campaign financial information in meetings, Teams channels, KPI sheets, email alias groups, SharePoint, presentations, or shared docs. Customer-related meetings, email aliases, other channels, and shared files should be strictly limited to those working specifically with the particular customer.
6. Information Security
Rules and guidance on information security for Thinkmax staff and third-party providers are set out in Thinkmax’s Information Security Policy.
General principles of information security that all Thinkmax staff must follow include:
Access to information
Thinkmax’s policy is to limit access to confidential information, personal information (and Customer data in particular) to the minimum number of people necessary for the purpose for which we hold it. Customer data must not be made available outside the relevant project teams.
Credentials for access to systems containing confidential information or personal information (including Microsoft SharePoint or other third-party platforms) must be kept secret and must not be shared, even with other Thinkmax staff.
Staff personal information is especially sensitive and must be accessed only by HR and senior management and the relevant staff member.
Storage and copying
Thinkmax must not make copies of confidential information or personal information unless necessary for a project.
Confidential information or personal information should only be stored on Thinkmax’s authorized cloud systems. If information is stored on local computers then this should be on a temporary basis only, and staff should move it to Thinkmax storage or delete it as soon as possible. No personal email accounts or cloud storage accounts unauthorized for business purposes should be used.
Disclosures or transfers to third parties
Customer confidential information or personal information must not be shared with other third parties unless authorized by the Customer or the Privacy Officer.
Encryption will be applied where appropriate in accordance with Thinkmax’s IT Security Policy.
Any service provider that may have access to, or provide or create, confidential information or personal information must be approved by the Privacy Officer and must have a written contract approved by Thinkmax management. This includes providers of storage, analytics, anti-fraud services, back-ups, call recording or summarizing, and any other vendor. In the course of your work for Thinkmax, you should not use any application or software that may collect or transmit personal data without approval from the Company.
General security
Staff should not disclose any confidential information or personal information to anyone other than Thinkmax staff or the relevant customer. Communications or files containing confidential information or personal information should where possible be marked ‘confidential’.
If Thinkmax receives a request to disclose confidential information or personal information, we must always ask for this to be put in writing and pass it to the Privacy Officer. This includes requests from any third party, including law enforcement, government, or regulators. If we receive a request from an individual who believes that we are processing their personal information (for example to exercise their rights of access or deletion) staff should not agree to any particular action but pass the request immediately to the Privacy Officer who will direct next steps (e.g. that it should be sent to the relevant customer for action).
Staff should avoid exchanging personal information or comments about individuals with whom they have a professional relationship. Staff should avoid talking about Thinkmax or our customers’ business or contacts in social settings or where they may be overheard.
7. Retention of information
Confidential information and personal information must be kept for no longer than is necessary for the original purpose and stored and destroyed in accordance with the relevant legislation, customer contracts, and Thinkmax policies.
Aggregated and anonymized or statistical data may be retained for a longer period where authorized by the Privacy Officer.
8. Security Breach
A security breach (which may lead to a breach of confidentiality or data security) does not just refer to an outside attack or unauthorized access to systems. A security breach can include any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, information.
This may be a result of human error, computer system errors, or malicious activities, such as:
- loss or theft of data or equipment on which personal information is stored;
- unauthorized access to or use of personal information, either by a member of staff or a third party;
- loss of data resulting from an equipment or systems (including hardware and software) failure;
- accidental deletion or alteration of data;
- sending data to the wrong recipient;
- unforeseen circumstances, such as a fire or flood;
- deliberate attacks on IT systems, such as hacking, viruses or phishing scams; or
- social engineering or ‘blagging’, where information is obtained by deceiving the person that has access to it.
Any suspected, potential, or actual breach of security, confidentiality, or personal information must be reported to Thinkmax’s Privacy Officer as soon as you become aware of it. When confidential information or personal information that is affected or possibly affected has been provided to Thinkmax by a customer, the Group needs to inform them (often within 24 hours) so they can also decide what actions and notifications to carry out.
Misuses of personal information and security incidents must be reported in as much detail as possible, so that steps can be taken to rectify the problem and to ensure that the same problem does not occur again.
9. Privacy Impact Assessment
Significant new projects, processes and systems (including software and hardware) which are introduced must meet confidentiality and data protection requirements. The Privacy Officer should be involved at the earliest possible stage and may require a privacy impact assessment to be carried out to identify any privacy risks to individuals and decide on solutions.
Any new relationship with a third party which may require us to transfer personal information outside Québec or Canada (or outside of the place where it was obtained) should be notified to the Privacy Officer and only implemented where Thinkmax has assessed any privacy impact and concluded that the information will receive adequate protection.
10. Training
All staff must undergo information security training annually. Additional training may be provided in specialist areas such as sales, HR, or IT.
11. Breach of confidentiality
Staff accessing unauthorized files, confidential information or personal information or breaching confidentiality may face disciplinary action. Former staff who are in breach of their confidentiality obligations may face legal action.
12. Further Information
Thinkmax’s Privacy Officer is Marc Belliveau – President.
Thinkmax's IT Director is responsible for implementing the Group’s information technology systems, controls and updates with a view to ensuring compliance with this Policy, and monitoring and evaluating their effectiveness.