Twin Peaks Digital Security Policy
I. Purpose and Scope
This Security Policy outlines Twin Peaks Digital’s commitment to protecting personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and other applicable privacy laws. It applies to all employees, contractors, and third parties who handle personal information on behalf of Twin Peaks Digital.
II. Accountability
II.I. Twin Peaks Digital designates a Chief Privacy Officer (CPO) responsible for ensuring compliance with this policy and applicable privacy laws.
II.II. The CPO’s contact information is made readily available to individuals who wish to inquire about our privacy practices or file a complaint.
II.III. All employees receive regular training on privacy and security practices.
III. Identifying Purposes and Consent
III.I. We clearly identify the purposes for collecting personal information at or before the time of collection.
III.II. We obtain meaningful consent for the collection, use, and disclosure of personal information, except where inappropriate or where exemptions apply under PIPEDA.
III.III. We do not collect, use, or disclose personal information for purposes that a reasonable person would consider inappropriate.
IV. Limiting Collection, Use, Disclosure, and Retention
IV.I. We collect only the personal information necessary for the identified purposes.
IV.II. Personal information is collected by fair and lawful means.
IV.III. We use or disclose personal information only for the purposes for which it was collected, unless the individual consents or as required by law.
IV.IV. We retain personal information only as long as necessary to fulfill the identified purposes or as required by law, after which it is securely destroyed or anonymized.
V. Accuracy
V.I. We make reasonable efforts to ensure that personal information is accurate, complete, and up-to-date.
V.II. We provide individuals with the means to update or correct their personal information.
VI. Safeguards
VI.I. Physical Safeguards: Access to physical areas where personal information is stored is restricted to authorized personnel. A clean desk policy is enforced to ensure sensitive information is not left unattended.
VI.II. Technical Safeguards: Personal information is encrypted in transit and at rest using current, widely vetted protocols and algorithms. Multi-factor authentication is required to access any system that stores or processes personal information. Security updates and patches are applied to all systems on a regular schedule, with higher-severity fixes prioritized. Intrusion detection and prevention systems are deployed, and their alerts are monitored and acted upon.
VI.III. Administrative Safeguards: Background checks are conducted for employees handling sensitive information. Access to personal information is granted on a need-to-know basis. Regular security awareness training is provided to all employees. Third-party service providers are contractually obligated to maintain appropriate security measures.
VII. Openness and Individual Access
VII.I. Our privacy practices are clearly communicated through our Privacy Policy, which is easily accessible on our website.
VII.II. Upon request, we inform individuals of the existence, use, and disclosure of their personal information and provide access to that information, subject to legal exceptions.
VII.III. We respond to access requests within 30 days of receipt, as required by PIPEDA. Where PIPEDA permits an extension (for example, where responding within that period would unreasonably interfere with our activities, or where consultations are needed), we may extend the period by up to a further 30 days, and we notify the requester of the extension and of their right to complain to the Privacy Commissioner within the initial 30 days.
VIII. Challenging Compliance
VIII.I. We have clear procedures for receiving and responding to complaints or inquiries about our privacy practices.
VIII.II. All complaints are investigated, and if found to be justified, appropriate measures are taken to address the issue.
IX. Breach Notification
IX.I. In the event of a breach of security safeguards involving personal information under our control, we will:
Notify affected individuals and the Office of the Privacy Commissioner of Canada as soon as feasible if it is reasonable to believe the breach creates a real risk of significant harm to an individual.
Notify any other organization or government institution that may be able to reduce the risk of harm resulting from the breach.
Maintain a record of every breach of security safeguards, whether or not it met the notification threshold, for at least 24 months after we determine a breach has occurred, as required by PIPEDA and its regulations, and provide those records to the Commissioner on request.
X. Compliance with Other Jurisdictions
X.I. For personal information of individuals outside Canada, we comply with local privacy laws to the extent they apply to our activities.
XI. Policy Review and Update
XI.I. This Security Policy is reviewed annually and updated as necessary to reflect changes in our practices, technology, and regulatory requirements.
By implementing this Security Policy, Twin Peaks Digital demonstrates its commitment to protecting personal information and complying with PIPEDA and other applicable privacy laws. All employees, contractors, and third parties are required to adhere to this policy in their handling of personal information.