Forum Research's Commitment to Privacy

Mandate

At Forum Research, we know that without the cooperation of respondents, we could not be in business. Our longstanding commitment to safeguarding your right to privacy is the reason for our reputation as a leader in the protection of privacy. Each year, we ensure that our employees sign a code of business conduct that requires the safeguarding and proper use of personal information. We also place strict controls on the protection and use of personal information within our systems and web site and ensure that our employees are trained to respect your privacy at all times.

Our Privacy Policy spells out the commitments of our company and the rights of respondents regarding personal information. We also comply fully with the Personal Information Protection and Electronic Documents Act, which has applied to our company since January 1, 2004.

In addition to the Privacy Policy, our company may also be subject to the requirements of applicable legislation and regulations.

Any time you have contact with our company, or with anyone acting as an agent on our behalf, you are protected by the rights and safeguards contained in the Policy.

We take all of the necessary precautions to ensure the safeguarding of your information, whether it is stored electronically or in paper format. In all cases, information is retained in secure facilities, protected from unauthorized access and kept only as long as is reasonably required. For example, our electronic files are backed up for redundancy, password protected and accessible only by authorized employees, on a need-to-know basis.

Information Practices

To ensure our commitment to your privacy is upheld, we have updated our existing company policies setting out your rights and our obligations respecting the treatment of your personal information by our company. Our company policies comply with the requirements of the Personal Information Protection and Electronic Documents Act as well as the standards of the Canadian Research Insights Council (CRIC)..

Employees and Agents

The company policies also govern the behaviour of our employees and agents acting on our behalf. All of our employees who have access to personal information have been trained on the handling of such information. And, new employees receive training on privacy as a fundamental part of their initial company training. All of our employees must review and commit to the Privacy Policy annually.

Personal Information

Personal information is information about an identifiable individual. Publicly available information, such as a public directory listing of your name, address, telephone number, electronic address, is not considered to be personal information.

Collecting Information Helps Our Clients Serve You Better

We collect personal information only for the following purposes:

  • to help our clients establish and maintain responsible commercial relations with you and provide you with ongoing service;
  • to help our clients understand your needs and eligibility for products & services;
  • to help our clients recommend particular products & services to meet your needs;
  • to help our clients develop, enhance, market or provide products and services;
  • to help our clients manage and develop their business and operations, including personnel and employment matters; and
  • to help our clients meet legal and regulatory requirements.

Your personal information will not be used for any other purpose without your consent.

Use of 'Cookies'

During user interaction with our web site, we may use a browser feature called a 'cookie' to allow us to remember your password for you and provide other enhancements. A cookie is a small text file containing a unique identification number that identifies your browser - but not you - to our computers each time you visit one of our sites that uses cookies. This helps us to enhance the on-line experience of visitors to our site.

Unless you specifically advise us, we will not know who you are, even though we may assign your computer a cookie. We cannot use cookies, by themselves, to disclose the individual identity of any site user, and we never combine information gathered by a cookie with personally identifiable information like your name, telephone number, or even your e-mail address without your consent.

You will find that most major web sites use cookies and most major browsers are set up to accept them. If you wish, you can reset your browser either to notify you when you have received a cookie, or to refuse to accept cookies. You do not need cookies to visit our web site. However, if you refuse to accept cookies, you may not be able to use some of the features available on our site such as personalization features.

Protection of Children

As an added protection for children, on any of our services directed to children under 13 years of age, we will obtain the permission of a parent or legal guardian before collecting, using or disclosing any personally-identifiable information about a child, e.g., for participation in a survey.

Do Not Call

If you've been called by us to do a survey and don't wish to participate in this survey, please click here to have your telephone number taken off the calling list for this survey.

Limiting the Collection, Use & Disclosure of Personal Information

The collection of personal information shall be limited to that which is necessary for the identified purposes. Personal information shall not be collected indiscriminately, and only by fair and lawful means, without misleading or deceiving you about the purposes for collection, and without deception in obtaining consent.

Forum Research will collect personal information directly from individuals only for purposes that are reasonable and will only collect information that is reasonable for carrying out those purposes. Personal information collected will be limited to what is necessary to carry out our obligations to the client.

Retention, Archiving & Destruction of Personal Information

Forum Research has established information retention guidelines that define consistent minimum standards and requirements for the length of time client information are to be maintained.

We have established appropriate practices for the timely and secure disposal - consistent with confidentiality, legal and regulatory requirements.

Forum Research is responsible for the storage/retention of research data, at minimum for the length of its contract with a custodian or as required by regulatory bodies, whichever is greater.

A research project or activity should be regarded as having ended after (a) final reporting to the research sponsor, (b) final financial closeout of a sponsored research award, or (c) final publication of research results, whichever is later.

Ensuring Safeguards for Personal Information

Forum Research will protect the safety and respect the confidentiality of personal information through appropriate safeguards, as per Information Security & Appropriate Use of Technology policy.

We take all of the necessary precautions to ensure the safeguarding of information, whether it is stored electronically or in paper format. In all cases, information is retained in secure facilities, protected from unauthorized access and kept only as long as is reasonably required. Electronic files are backed up for redundancy, password protected and accessible only by authorized employees, on a need-to-know basis.

We conduct thorough risk self-assessments once every two years to identify privacy threats and vulnerabilities, determine risks, and recommend appropriate control measures.

Employee Training & Awareness

Forum Research employees are aware of the importance of maintaining the confidentiality. As a condition of employment, all new employees/agents sign a Confidentiality Agreement. This safeguard may also be facilitated through contractual provisions. Additionally, employee, contractors, and volunteers’ access to sensitive information are restricted as much as possible and we review access logs regularly.

Ongoing education efforts are delivered to ensure employees, agents, and third parties are provided with tools, training and support as appropriate to enable them to fulfill their duties.

Enforcement

Forum Research is constantly monitoring adherence to this policy using a risk-based model, and report to the appropriate governance bodies.

Accountability for compliance with this policy rests with the President and Chief Executive Officer. In addition, other individuals within the company are delegated to act on behalf of the Chief Executive Officer, such as the Senior Vice-president and Chief Information Officer or the designated privacy contact person, the Enterprise Privacy and Access Officer.

Breaches of this policy and related privacy policies may be subject to disciplinary action, as outlined in the Confidentiality Agreement.

Forum Research and its agents are also subject to the fines and penalties set out in PHIPA: up to $50,000 for individuals and $250,000 for the organization, and PIPEDA: up to $10,000 on summary conviction or up to $100,000 for an indictable offence.

Privacy Incidents and Breaches

In the event of a privacy breach, the management staff responsible must immediately inform the Enterprise Privacy and Access officer. In addition, any employee, consultant, volunteer, and contractor may approach the EPAO directly at any time to raise concerns, ask questions, request information, or make complaints relating to data protection or data security issues.

Violations and infractions relating to privacy issues are documented, and appropriate sanctions are made in accordance to this policy.

We undertake the following steps when responding to a privacy breach:

  • Breach Containment
  • Risk evaluation, including identification of information involved, cause and extent of the breach, individuals affected, and foreseeable harm resulting from the incident
  • Notification of all affected parties
  • Prevention of future reoccurrence

Decisions made by the Enterprise Privacy and Access Officer to remedy data protection breaches must be upheld by management.

Responsibilities

1. Enterprise Privacy and Access Officer (EPAO)

  • Enterprise governance, framework, strategy
  • Development of enterprise policies, procedures, controls, standards
  • Reporting and escalation to senior management team/board

2. Management / Supervisor

  • Comprehend and adhere to this policy
  • Develop operating procedures/practices within department (including supporting documentation that support this policy)
  • Know where the policies/supporting tips are published
  • Ensure staff, consultants, contractors, and volunteers are knowledgeable of policies, standards and procedures
  • Ensure that EPAO is aware of all the technologies that are being utilized for storing and transporting sensitive information
  • Monitor employees daily for privacy compliance as well as quality assurance and information accuracy purposes

3. Employees, Consultants, Contractors, and Volunteers

  • Comprehend and adhere to this policy and supporting departmental procedures
  • Know where the policies/supporting tips are published
  • Only use technologies that are supported by FRI policies
  • Ask questions when unsure of a policy or procedure

Data Storage

There are 10 aspects to our evidence to support that all data shall be stored within Canada, remain in Canada, and be accessible only within Canada:

  • We are 100% Canadian-owned, so we are not subject to non-Canadian ownership impacts.
  • We have no non-Canadian affiliates or subsidiaries.
  • All staff with access to our data centres are Canadian citizens.
  • We operate our own Canada-based data centre (at 180 Bloor St. W., Suite 1400, Toronto, ON M5S 2V6). All data is backed-up to our Montreal data centre (at 355, rue Sainte-Catherine Ouest, bureau 400, Montréal, QC H3B 1A5)
  • We manage and fortify our own data vault at our data centres.
  • We do not store any data anywhere other than in our own data vault.
  • We do not use any cloud services.
  • We only use Canadian IT vendors.
  • companies operating on Canadian infrastructure.
  • All of our servers are located on-site in a secure server room at our headquarters in Toronto, Ontario.

Most importantly, the data for this project will not be accessible outside our premises unless we specifically initiate the access; and when this access is initiated, it is on a one-time basis with the previous approval of our client.

Third-Party Providers

Forum Research utilizes one third-party service provider that is fully monitored and audited for privacy. Third-party access is restricted as much as possible and third-party access logs are reviewed on a regular basis. Upon client request, highly sensitive data is encrypted using an encrypting file system (EFS).

No personal information provided by the client or respondents, is shared with third parties within or outside Canada.

Definitions

Agent: A person that, with the authorization of FRI, acts for or on behalf of the organization in respect of personal health information for the purposes of FRI and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by FRI and whether or not the agent is being remunerated. Examples of agents of FRI include, but are not limited to, employees, volunteers, consultants, researchers.

Confidential information: Confidential information maintained at FRI can fall under three categories, Personal Health Information, Personal Information, and Corporate Confidential Information.

Corporate confidential information (CCI): Information maintained by FRI that is not routinely made publicly available, including financial, administrative, commercial and technical information, and can also include records containing legal advice and employee-related information. These records may be subject to the Freedom of Information and Protection of Privacy Act (FIPPA).

Health information custodian (Custodian): Listed persons or organizations under the Personal Health Information Protection Act, such as hospitals, who have custody or control of personal health information as a result of the work they do.

Personal health information (PHI): Any identifying information about an individual related to the individual’s health or to the provision of health care to the individual. For example, an individual’s health number and/or medical record would be considered personal health information, subject to the Personal Health Information Protection Act (PHIPA).

Personal information (PI): Identifying information about an individual that does not contain health care information. Examples include an individual’s age, religion, address and telephone number. Records that contain PI may be subject to the Freedom of Information and Protection of Privacy Act (FIPPA).

Record of personal health information: The Personal Health Information Protection Act defines a record as personal health information in any form or in any medium, whether in written, printed, photographic or electronic form or otherwise.

Respondents' Rights

Forum Research will make specific information about its policies and practices relating to the management of personal information readily available.

An individual will be able to address a challenge concerning compliance with this policy.

We will inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures. We will investigate all complaints. If a complaint is found to be justified, we will take appropriate measures, including amending its policies and practices if necessary.

Exceptions

Any exceptions to this policy must be approved in advance by the Enterprise Privacy and Access Officer and may require the involvement of other groups. The Forum Research Inc. main office may be contacted to initiate the request, by phone at 416-960-9600 or by email to inquiry@forumresearch.com.

Any exceptions to related policies must be approved in advance by their respective owners.