Customer Privacy Policy

I. Purpose

The Electrical Safety Authority (“ESA”) is committed to maintaining the privacy and security of Personal Information in accordance with applicable Canadian privacy laws and best practice principles of privacy. This Privacy Policy, along with the ESA Access & Privacy Code, provide a statement of our commitment to the protection of Personal Information of our customers, website visitors, mobile application users, and any other members of the public with whom we interact.

II. Policy Content

• Accountability for your Privacy
• Personal Information and How We Collect It
• Obtaining your Consent
• Purposes for Collecting and Using your Information
• Sharing your Information
• Keeping your Information Safe
• Accessing your Personal Information
• How Long we Keep your Information
• Our Privacy Complaint and Breach Management Process
• Cookies and Website Log Data
• Controls for Do-Not-Track Features
• Social Media, Chat Rooms and Discussion Forums
• Collecting Information From Minors
• External Links
• Changes to this Policy
• Getting in Touch

1. Accountability for your Privacy

ESA takes full responsibility for the management and confidentiality of personal information. ESA’s Chief Privacy Officer oversees our privacy practices and has specific duties including:

• Developing and, on a regular basis, reviewing ESA policies and practices with respect to handling personal information to ensure consistent implementation and compliance;
• Ensuring staff are trained on privacy best practices and are aware of the importance of safeguarding any personal information that they are privy to;
• Ensuring that inquiries and complaints relating to privacy are appropriately handled; and
• Requiring that third parties to whom ESA provides access to personal information have committed to appropriate standards of care in managing that information.

2. Personal Information and How We Collect It

For the purposes of this policy, ‘personal information’ is any factual or subjective information, recorded or not, about an identifiable individual

Personal Information does not include:

• business contact information, such as the name, title or position, business address, business telephone number or business e-mail address of a licensee or investigator that is used or disclosed solely for the purpose of communicating with the individual in relation to their business or profession;
• Information such as when an individual became licenced with ESA as a master electrician, any disciplinary sanctions/conditions on licensure, or suspensions/revocations of licensure; or
• Aggregate or de-identified information that cannot be associated with a specific individual.

Types of Personal Information that ESA may collect include your name, home address, home telephone number, personal e-mail address, banking or credit card information, mobile application data including files, images, video recordings, device information and location (including geolocation), and where necessary, information regarding your professional qualifications and background.

Information can be collected in several ways, including through on-line forms when you register for an ESA program or service, or verbally on the telephone, for example if you provide your information to our Customer Service Department. We collect limited personal information as is reasonable to offer and deliver our products or services, and we do so with your consent or as otherwise authorized by law. We identify when information may be provided optionally and when it is necessary in order to serve you.

When it is practical to do so, we will collect personal information we need directly from you. In those instances where personal information is collected indirectly, for example from a neighbour or ESA inspector, your personal information will be respected in exactly the same way as if we collected it from you directly.

3. Obtaining your Consent

We collect, use and disclose your personal information with your consent, except as required or permitted by law. Your consent to the collection, use and disclosure of personal information may be express (that is, where you were asked specifically for your consent, whether verbally or in writing) or implied for non-sensitive information, when we can reasonably conclude based on your actions or inactions that you’ve given consent, or when it is obvious that you would consent if directly asked.

By submitting personal information to ESA or its agents and service providers, you agree that ESA may collect, use, disclose and store such personal information in accordance with this privacy policy, applicable laws or pursuant to our administrative agreement with the province of Ontario.

Note that there may be instances where the law permits or requires the collection, use or disclosure of your personal information without your consent, for example in the context of fraud investigations, and where necessary to protect our legal interests or the safety of others. In other contexts, your consent can be withdrawn at any time, subject to legal or contractual restrictions, by providing us with written notice. Upon receipt of notice of withdrawal of consent, we will inform you of the likely consequences of withdrawing your consent before we process your request, which may include the inability of ESA to provide you with certain information, products or services.

Where an individual is not capable of consenting to the collection, use or disclosure of their own personal information but you wish to provide us with their information on their behalf, you represent that you are legally entitled to do so and/or have obtained all necessary consents.

4. Purposes for Collecting and Using Your Information

Personal information is collected and used by ESA for one or more of the following specific purposes:

• Notifications, Inspections, Incident Reviews and Investigations:
• to process notifications of electrical work and arrange for site inspections and/or to send out confirmations, certificates, etc.;
• to carry out site inspections of electrical installations in person or through review of files, images, video recordings, and location (including geolocation) data submitted via the ESA ON Mobile App, pursuant to the Ontario Electrical Safety Code (the “Code”);
• to carry out site inspections of electrical devices and to provide plan reviews pursuant to the Code;
• to carry out inspections, incident reviews and investigations in relation to complaints, incidents and compliance with the Code as well as licensing, product safety and utilities regulations;
• to respond to requests from regulatory authorities including the Fire Marshal’s Office, Ministry of Labour, Immigration, Training and Skills Development and to respond to Fire Protection and Prevention Act orders;
• to administer ESA’s risk-based oversight program to evaluate the risk profile of specific installations of which ESA is notified;
• to prepare Occupational and Utilities Incident Reports pursuant to ESA’s Agreement with the Ontario Ministry of Labour, Immigration, Training and Skills Development;

• Licensing & Continuing Education:
• to licence Electrical Contractors and Master Electricians and maintain confirmation of compliance with applicable regulatory requirements;
• to deliver training;
• to administer examinations;

• Administration:
• to establish and maintain relations with customers, suppliers, financial institutions, and affiliates, and to provide ongoing products and services, administer accounts, make and receive payments, and fulfill contractual obligations;
• to consider whether ESA should establish or continue a commercial relationship with you, including without limitation, to extend credit, evaluate credit standing and to match credit reporting agency information, to check references, and to confer with banking institutions;
• to facilitate account inquiries and other customer service assistance, such as providing confirmation as to whether there are any outstanding electrical problems at a particular property;

• Communications & Marketing:
• to understand and respond to the needs of website visitors, customers and potential customers, including for receiving and responding to stakeholder complaints;
• to provide, enhance, market, sell and inform you of ESA’s products and services or the products and services of third parties, including our affiliates and suppliers, with whom ESA has a commercial relationship;
• to distribute our newsletters, business updates, safety information, and other materials;
• to conduct surveys, research and statistical analysis, as well as better understand the needs of our customers;
• to update and verify information provided by third parties, and manage our knowledge-management precedent systems and databases;
• to monitor communications to ensure consistency and quality of the provision of ESA products and services;

• Other:
• To administer ESA’s Reviews and Appeals Process;
• to detect and protect ESA and other third parties against error, negligence, breach of contract, fraud, theft and other illegal activity, and to audit compliance with ESA policies and contractual obligations;
• as permitted by, and to comply with, any legal or regulatory requirements or provisions applicable to ESA, or to protect or defend ESA’s legal interests;
• for such other purposes for which you have provided your consent, or as otherwise required or permitted by law

ESA limits both the amount and type of personal information collected to that which is necessary to fulfill the purposes outlined above.

5. Sharing your Information

Your Personal Information is shared only to the extent required to provide you with ESA’s products and services, and to comply with legal requirements. Your Personal Information may be disclosed in the following circumstances:

• to a financial institution, on a confidential basis and solely in connection with the assignment of a right to receive payment, the provision of security or other financing arrangements;
• to a government or regulatory agency, body, institution or office, where such disclosure is permitted or required in order for ESA to comply with legal, statutory or regulatory requirements or provisions applicable to ESA;
• to a person who, in the reasonable judgment of ESA, is seeking the information as your agent;
• as required to reduce the risk of harm if the personal safety of any individual may be compromised;
• where permitted in accordance with the Regulatory Modernization Act;
• to a court, administrative tribunal, governmental agency or other body authorized to compel the disclosure of your personal information, for the purpose of complying with legal requirements such as a statute, regulation, search warrant, court or administrative order, or as otherwise required or permitted by law; or
• to any other third party, where you consent to such reasonable disclosure.

In addition, personal information may be transferred or made accessible to ESA’s affiliates, agents and third party service providers who are retained by ESA to perform functions on its behalf. This may include for marketing, data processing and other IT services, document management, office services, investigations, or to entities retained to evaluate your creditworthiness or to collect debts outstanding on an account. These trusted entities agree to comply with strict privacy and confidentiality obligations. Only personal information that is required by the third party to provide the service in question will be transferred.

Please note that in the context of any of these transfers of data, your personal information may be processed or stored outside of Canada, where such information may be provided to law enforcement or national security authorities of the foreign jurisdiction upon request, in order to comply with foreign laws. We take reasonable steps to ensure that any such third parties who we entrust with your personal information are reputable, and have safeguards in place to protect your information.

6. Keeping your Information Safe

ESA acknowledges that a data security breach could result in potential harm to individuals whose personal information is entrusted to ESA. Thus, we have implemented critical physical, organizational and technical measures to guard against unauthorized or unlawful access to the personal information we manage and store. We have also taken steps to avoid accidental loss or destruction of, or damage to, your personal information. While no system is completely secure, the measures implemented by ESA significantly reduce the likelihood of a data security breach.

Here are some examples of the security controls we have in place:

• Secure office premises;
• Secured filing cabinets and a secure shredding practice for paper records;
• The use of encryption, firewalls, anti-virus programs and robust authentication processes, including complex passwords, for access to electronic records;
• Limited access to personal information by employees who need the information to perform their work-related duties;
• The use of secure on-premise servers as well as managed data centers that implement effective physical and logical data security controls;
• Initiatives to raise awareness amongst staff of their data protection responsibilities; and
• Regular reviews of privacy best practice initiatives.

Never share your password to ESA Online Services with anyone. ESA is not liable for any unauthorized access to your personal information that is beyond our reasonable control.

7. Accessing your Information

ESA takes steps to ensure that the personal information contained in records that we control or have custody over is accurate, complete and up-to-date for the purposes for which we collect it. You can make a written request for access to your personal information at any time, and also request that it be corrected if there are any inaccuracies. You will need to provide as much information as you can to help us process your request and locate the information you require.

If you need assistance in preparing your access request, please get in touch with our Chief Privacy Office (see contact information at the end of this policy). As we take your privacy seriously, we will take reasonable steps to verify your identity before granting you access or making corrections, updates or deletions to your personal information. Upon your written request, ESA will also inform you of how your personal information has been or is being used, and who your personal information has been shared with. If we have obtained information about you from other people, we will let you know who we got it from upon your request.

ESA generally responds to access requests within 30 days, unless an extension of time is required. Please refer to the ESA Access & Privacy Code for more details. Note that there may be contexts where access is refused or only partial information is provided, for example, in the context of an on-going investigation or where another individual’s personal information or identity must be protected.

8. How Long we Keep your Information

ESA retains personal information for as long as necessary to fulfill legal or business purposes and in accordance with our retention schedules. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. ESA is subject to specific legal requirements with respect to retention periods as well.

Once your information is no longer required by ESA to administer products or services and meet legal or regulatory requirements, it is securely destroyed, erased or made anonymous. Keep in mind however that residual information may remain in back-ups for a period of time after its destruction date. Some personal information that is collected in the exercise of ESA’s regulatory authority (for example, with respect to inspection records) may be retained indefinitely by ESA.

9. Our Privacy Complaint and Breach Management Process

ESA takes privacy complaints very seriously and has a procedure in place for escalating and managing any privacy related concerns to ensure that they are responded to in a timely and effective manner. Any suspected privacy breach must be escalated internally to ESA’s Chief Privacy Officer who oversees the containment, investigation and corrective actions for the breach situation.

10. Cookies and Website Log Data

Personal information may be collected when website users conduct activities through one of ESA’s websites. A cookie is a small text file containing a unique identification number that is installed by a website on a device’s local storage. ESA uses cookies and other web technologies for a variety of purposes in the course of administering its websites. ESA uses both session cookies (used only during your visit and that expire when you close your browser) and persistent cookies (stored on your device for longer than your visit to our websites). Cookies may collect certain information from your browser or mobile platform, including the date and time of your visit, your IP address or unique device identifier, browser type and other device information, but do not contain or link to personal information such as your name or e-mail address.

ESA installs first party cookies on devices that access its websites unless the browser used by the device has disabled the installation of cookies. The first party cookies ESA installs ensure the website functions as intended, and in some circumstances are essential for ESA to provide services requested by website visitors. Non-essential cookies are also used by ESA to analyze and improve the performance of our websites, design and layout, and your overall on-line experience. We make no effort to personally identify you based on your visit to our sites if you are not logged into your account. If you wish, you can make use of Google’s free Google Analytics Opt-Out Browser Add-On.

You can opt out of the installation of cookies, or delete cookies that were previously installed, by updating your browser settings. Be aware however that some features and services on our websites may not work properly if you refuse cookies.

Note that your IP address may be used, in addition to analytics, to conduct an investigation in the context of a contractual breach or legal violation, or to facilitate the diagnosis and remedy of a technical problem reported by the user or ESA’s technical team

11. Controls for Do-Not-Track Features

Most web browsers and some mobile operating systems and mobile applications include a Do-NotTrack (“DNT”) feature or setting that you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.

12. Social Media, Chat Rooms and Discussion Forums

ESA’s use of social media serves as an extension of our presence on the Internet and helps us build a positive brand image as well as offer our customers personalized service. ESA social media accounts are not hosted on ESA’s servers. Please note that when you publicly post personal information on social media, it can be viewed by anyone who visits our platforms. Users who choose to interact with ESA via social media, such as Twitter, should read the terms of service and privacy policies of these services/platforms.

Likewise, take precaution when posting information to chat rooms or other discussion forums because once posted, the information will be made public and cannot be easily removed from the Internet. This Privacy Policy does not cover information you post to social media, chat rooms or other discussion forums and how persons receiving your information will use that information.

13. Collecting Information From Minors

ESA does not knowingly solicit data from persons under 18 years of age. By interacting with ESA you represent that you are at least 18 years of age or that you are the parent or guardian of such a minor and consent to such minor interacting with ESA’s services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to delete such data from our records. If you become aware of any data we may have collected from persons under the age of 18 please contact our Chief Privacy Officer at chiefprivacyofficer@electricalsafety.on.ca.

14. External Links

We may offer links from our websites to the sites of third parties (including affiliated organizations), that may be of interest to you. Since these sites are not owned or controlled by us, ESA makes no representations as to such third parties’ privacy practices and we recommend that you review their privacy policies before providing your personal information to any such third parties.

15. Changes to this Policy

We may change this Privacy Policy from time to time in order to better reflect our current personal information handling practices. Thus, we encourage you to review this document frequently. The “Last Updated” date at the top of this Privacy Policy indicates when changes to this policy were published and are thus in force. Your continued use of ESA’s services following the posting of any changes to this Privacy Policy means you accept such changes.

16. Getting in Touch

For more information on ESA’s privacy practices, or for assistance with an access request or privacy concern, contact our Chief Privacy Officer at chiefprivacyofficer@electricalsafety.on.ca

Email is the most efficient way to get in touch. However, if you prefer, you may also contact the Chief Privacy Officer by mail at:
Chief Privacy Officer
Electrical Safety Authority
155A Matheson Blvd. W., Suite 202
Mississauga, Ontario
L5R 3L5

Your concerns will receive prompt attention.