Privacy of personal information is an important principle to CMC. We are committed to collecting, using and disclosing personal information responsibly and only to the extent necessary for the goods and services we provide. We also try to be open and transparent as to how we handle personal information. This document describes our privacy policies.

What is Personal Information?
Personal information is information about an identifiable individual. Personal information
includes information that relates to their personal characteristics (e.g., gender, age,
income, home address or phone number, ethnic background, family status), their health
(e.g., health history, health conditions, health services received by them) or their
activities and views (e.g., religion, politics, opinions expressed by an individual, an
opinion or evaluation of an individual). Personal information is to be contrasted with
business information (e.g., an individual’s business address and telephone number),
which is not protected by privacy legislation.

Who We Are?
Our company, CMC, use a number of consultants and agencies that may, in the course of their duties, have limited access to personal information we hold. These include [list them by category or name]. We restrict their access to any personal information we hold as much as is reasonably possible. We also have their assurance that they follow appropriate privacy principles.

We Collect Personal Information: Primary Purposes
Like all [name nature of your business], we collect, use and disclose personal
information in order to serve our clients.

For our clients, the primary purposes for collecting personal information are as follows:
[insert purpose identified by you in Part 3(b) of the checklist]. Examples of the type of
personal information we collect for those purposes include the following: [insert
information compiled by you in Part 3(b) of the checklist]. [If you collect personal
information about clients without their consent, provide a brief description of when you
might do this if at all possible.]

For members of the general public, our primary purposes for collecting personal
information are as follows: [insert purpose identified by you in Part 3(b) of the checklist].
Examples of the type of personal information we collect for those purposes include the
following: [insert information compiled by you in Part 3(b) of the checklist]. [If you collect
personal information about members of the general public without their consent, provide
a brief description of when you might do this if at all possible.]

For contract staff (e.g., temporary workers [set out other examples]), our primary
purposes for collecting personal information are as follows: [insert purpose identified by
you in Part 3(b) of the checklist]. Examples of the type of personal information we
collect for those purposes include the following: [insert information compiled by you in
Part 3(b) of the checklist]. [If you collect personal information about contract staff
without their express consent, provide a brief description of when you might do this if at
all possible.]

When we investigate, audit or assess a person for someone else (e.g., [set out
examples such as for a legal investigation, financial audit, medical assessment]), our
primary purposes for collecting personal information are as follows: [insert purpose
identified by you in Part 3(b) of the checklist]. Examples of the type of personal
information we collect for those purposes include the following: [insert information
compiled by you in Part 3(b) of the checklist]. [If you collect personal information about
third parties without their express consent, provide a brief description of when you might
do this if at all possible.]

For [insert other categories, if any], our primary purposes for collecting personal
information are as follows: [insert purpose identified by you in Part 3(b) of the checklist].
Examples of the type of personal information we collect for those purposes include the
following: [insert information compiled by you in Part 3(b) of the checklist]. [If you collect
personal information about [insert other categories, if any] without their consent, provide
a brief description of when you might do this if at all possible.]

We Collect Personal Information: Related and Secondary Purposes
Like most organizations, we also collect, use and disclose information for purposes
related to or secondary to our primary purposes. The most common examples of our
related and secondary purposes are as follows:
q [Set out each related or secondary purpose that relates to your organization as
identified in Part 3(c) of the checklist. Briefly describe the purpose, identify any
additional personal information collected just for that purpose, any limitations in
that collection and the authority for this purpose. See Form 4 for a precedent for
this section.]

You can choose not to be part of some of these related or secondary purposes (e.g., by
declining special offers or promotions, by paying for your services in advance). We do
not, however, have much choice about some of these related or secondary purposes
(e.g., external regulation).

Protecting Personal Information
We understand the importance of protecting personal information. For that reason, we
have taken the following steps [change the following points as necessary as set out in
part 4(b) of the checklist; see Form 4 for an example]:
q Paper information is either under supervision or secured in a locked or restricted
area.
q Electronic hardware is either under supervision or secured in a locked or
restricted area at all times. In addition, passwords are used on computers. All of
our cell phones are digital, which signals are more difficult to intercept.
q Paper information is transmitted through sealed, addressed envelopes or boxes
by reputable companies.
q Electronic information is transmitted either through a direct line or is anonymized
or encrypted.
q Staff are trained to collect, use and disclose personal information only as
necessary to fulfill their duties and in accordance with our privacy policy.
q External consultants and agencies with access to personal information must
enter into privacy agreements with us.

Retention and Destruction of Personal Information
We need to retain personal information for some time to ensure that we can answer any
questions you might have about the services provided and for our own accountability to
external regulatory bodies. However, we do not want to keep personal information too
long in order to protect your privacy. [Summarize your retention and destruction policies
here as set out in Part 4(c) of the checklist. See Form 4 for an example.] We keep our
client files for about ____ years. Our client and contact directories are much more
difficult to systematically destroy, so we remove such information when we can if it does
not appear that we will be contacting you again. However, if you ask, we will remove
such contact information right away. We keep any personal information relating to our
general correspondence with people who are not our clients, newsletters, seminars and
marketing activities for about ____ months after the newsletter, seminar or marketing
activity is over.

We destroy paper files containing personal information by shredding. We destroy
electronic information by deleting it and, when the hardware is discarded, we ensure
that the hard drive is physically destroyed. Alternatively, we may send some or all of the
client file to our client.

You Can Look at Your Information
With only a few exceptions, you have the right to see what personal information we hold
about you. Often all you have to do is ask. We can help you identify what records we
might have about you. We will also try to help you understand any information you do
not understand (e.g., short forms, technical language, etc.). We will need to confirm
your identity, if we do not know you, before providing you with this access. We reserve
the right to charge a nominal fee for such requests.
If there is a problem, we may ask you to put your request in writing. If we cannot give
you access, we will tell you within 30 days if at all possible and tell you the reason, as
best we can, as to why we cannot give you access.
If you believe there is a mistake in the information, you have the right to ask for it to be
corrected. This applies to factual information and not to any professional opinions we
may have formed. We may ask you to provide documentation that our files are wrong.
Where we agree that we made a mistake, we will make the correction and notify anyone
to whom we sent this information. If we do not agree that we have made a mistake, we
will still agree to include in our file a brief statement from you on the point and we will
forward that statement to anyone else who received the earlier information.

Do You Have a Concern?
Our Information Officer, [insert name], can be reached at [insert contact information] to
address any questions or concerns you might have.
If you wish to make a formal complaint about our privacy practices, you may make it in
writing to our Information Officer. S/he will acknowledge receipt of your complaint,
ensure that it is investigated promptly and that you are provided with a formal decision
and reasons in writing.

For more general inquiries, the Information and Privacy Commissioner of Canada
oversees the administration of the privacy legislation in the private sector. The
Commissioner also acts as a kind of ombudsman for privacy disputes. The Information
and Privacy Commissioner can be reached at:

Address
601 Hamburg Turnpike
Suite 211
Wayne, NJ 07470
Telephone: 973-904-9888
Fax: 973-904-9033