Protecting the privacy and confidentiality of Personal Information is essential to CoEnergy’s management of member information. The collection, safety and appropriate use of member Personal Information are crucial to our daily operations. In order to ensure a high standard of privacy and protection of Personal Information at CoEnergy, we developed this Privacy Code to fulfill obligations outlined in the Ontario Freedom of Information and Protection of Privacy Act and the federal Personal Information Protection and Electronic Documents Act. Our Privacy Code ensures that CoEnergy respects the sensitivity of Personal Information of our members, outlining the security processes and procedures we have put in place for their protection. This document is publically available on our website and upon request.
Applicability of Privacy Code
In this Privacy Code, the references to “CoEnergy”, “we”, “us” and “our” mean CoEnergy Ontario Co-operative Inc. (op. CoEnergy). The words “member” and “membership” mean the members of CoEnergy as defined in the Ontario Co-operative Corporations Act.
- “Personal Information” means any information about an identifiable individual and this includes information such as, but not limited to:
- Age, name, mailing and permanent address, e-mail and phone numbers
- Social insurance numbers, banking information and date of birth
- Opinions, evaluations, and comments
CoEnergy’s Privacy Code is based on the 10 key principles of privacy from the Personal Information Protection and Electronic Documents Act as established by the Canadian Standards Association. The next section outlines how OREC satisfies each of the following principles:
- Identifying Purposes
- Limiting Collection
- Limiting Use, Disclosure and Retention
- Safeguard and Contingency
- Individual Access
- Challenging Compliance
For more on the definition of each principle, please visit the Canadian Standards Association website
CoEnergy allows only designated employees and directors to collect, manage and use Personal Information collected from members as outlined in this Privacy Code. These employees and directors engage with Personal Information in order to satisfy responsibilities associated with providing our Member Management and Administrative services. Each designated employee and director of CoEnergy is responsible for the Personal Information under their possession and custody, including any information handed out by them to a third-party.
CoEnergy has, at any time, a Privacy Officer who is ultimately responsible for compliance with the principles and this Privacy Code. Additionally, the Privacy Officer will appoint one CoEnergy staff member to ensure day-to-day in office compliance of this Privacy Code.
Purposes of collecting Personal Information
CoEnergy will explain to members how we intend to use member Personal Information before or at the time we collect it. CoEnergy will only collect member Personal Information that is relevant to these explained purposes. If CoEnergy wishes to use Personal Information for new purposes not outlined before or at the time of collection, CoEnergy will obtain permission from members for these new uses.
CoEnergy collects member Personal Information on behalf of the Client Co-op for the following purposes:
- To establish and maintain commercial relations with the member (e.g. to payout share dividends;
- To manage and develop CoEnergy’s business and operations;
- To help CoEnergy meet legal and regulatory requirements;
- To provide members with information about CoEnergy.
CoEnergy will not use, collect or distribute to a Third Party any Personal Information without prior consent from the member unless we are required to do so by law or the information could aid in a life-threatening emergency. CoEnergy will use reasonable efforts to advise members on how their Personal Information will be used when asking for consent.
Consent may be expressed in writing or in some cases, verbally, electronically or through an authorised proxy. Consent may also be implied depending on the surrounding circumstances.
CoEnergy will not require members to consent to the use, collection or disclosure of Personal Information beyond the specific purposes in order to use our services.
Members may withdraw consent at any time, subject to legal or contractual restrictions and obligations. We will explain the consequences of withdrawal of consent if it will affect our ability to provide service to its members.
CoEnergy will only collect member Personal Information needed to provide service to members. This type of information usually includes:
- Mailing and Permanent Address
- E-mail Address
- Telephone number (home, business, mobile, etc.)
- Social Insurance Number (only through SSL protected forms when online)
- Date of Birth
- Banking information (for purposes of direct deposit)
- Property ownership status (for Ontario Power Authority community power requirements)
Personal Information may be collected from members, with their consent, in person, by mail, in office, over the telephone or digital correspondence
- On all CoEnergy web pages where identifiable personal information is collected, CoEnergy specifically lists all of the information required to access any product or service you request.
The CoEnergy Ontario Co-operative collects identifiable personal information in the following cases:
- When you become a member of the Co-operative, CoEnergy Ontario Co-operative collects your username, first and last name, password, city, country, postal code, email address, date of birth, and preferences. This includes when you register to become a member on our Web site or when you create an online profile as a member. If you are not a member, we will only collect your username password, email, and electronic consent that you wish to receive our bi-monthly newsletter. CoEnergy may also collect information about each user’s specific preferences or needs.
- When you contact CoEnergy, CoEnergy Ontario Co-operative collects personal information such as your full name, profile identification number, email address, and/or contact number. This includes but is not limited to when you submit a question or suggestion, or ask for help logging on to or accessing your CoEnergy account.
The CoEnergy Profile page allows members to view and edit their account settings as well as their user information. The email settings option lets you change your email address and subscribe/unsubscribe to email notification services. This information is collected so that we may better serve you and your requests.
Limiting Use, Disclosure and Retention
Member Personal Information will be collected, used and disclosed internally within CoEnergy by and among staff members in order to perform their job and duties in providing services to members. Use of Personal Information is limited to the purposes to which the member has given consent, except for circumstances required by law.
There are circumstances that present unavoidable types of disclosure of member Personal Information as part of CoEnergy fulfilling its routine or regulatory obligations. In these circumstances, we provide third parties with only Personal Information that is required. We will ensure that these third parties are made aware of and comply with CoEnergy’s Privacy Code and CoEnergy will subject third parties to strict confidentially provisions. Third parties may include:
- Canada Revenue Agency for tax purposes
- Ontario Power Authority for community power status audits
- A service provider that has been engaged by CoEnergy to perform certain services for us, for example, an electronic funds transfer provider.
Selling Personal Information
CoEnergy will not trade or sell Personal Information to third parties or others.
CoEnergy will ensure within reason that Personal Information shall be as accurate, complete and recent as is necessary to provide services to members.
While we do our best to update information from various sources, CoEnergy relies on member disclosure of all materials that is relevant to changes in their Personal Information. We urge members to contact CoEnergy immediately when their Personal Information is to be updated and provide evidence for name changes.
Safeguards: Protecting Personal Information
CoEnergy protects member Personal Information by using physical, organisation and digital safeguards appropriate to the sensitivity of information. This helps protect Personal Information against unauthorised access, disclosure, copying, modification or use. The level of security varies depending on the sensitivity of the information. The CoEnergy Board will define the process for a regular audit to ensure they are properly administered and remain effective, which will be completed by a non-directing member. If a security measure is deemed inappropriate due to a shift in the environment, CoEnergy will make the necessary changes to adapt our security. OREC protects all members’ Personal Information with the methods below:
Including locked filing cabinets and data servers with restricted access.
Including a limited number of designated CoEnergy staff that can access member the Personal Information database, levels of security clearance and limiting internal exchange of data to a “need-to-know” basis.
Digital and Technical
Including passwords for sensitive data access, database encryption, e-mail encryption and audit trails.
- We want our members and Web site visitors to feel confident about using the CoEnergy site. As a result, we are committed to protecting the information we collect. CoEnergy has implemented a security program to protect the information stored in its systems from unauthorized access. Currently, CoEnergy can only store the information you provide when you register to become a CoEnergy member, create a user profile, book services, or subscribe to our mailing
Our systems are configured to encrypt and scramble data, and are protected by industry-standard technologies and firewalls. When you transmit personal information to CoEnergy over the Internet, your data is protected by Secure Socket Layer (SSL) encryption to ensure safe transmission. The data kept on members and supporters of the CoEnergy is kept in an online database, requiring two-factor authentication to be accessed, and is only accessed by those granted access by the CoEnergy.
Notwithstanding the security measures deployed by CoEnergy to ensure that third parties are unable to obtain your personal information via its Web site, complete confidentiality and security on the Internet cannot be guaranteed by anyone at this time. Communications via the Internet are subject to interception, loss or alteration.
CoEnergy prepared this plain-language Privacy Code to make all members aware of the security policies and procedures we use in managing Personal Information. This Policy Code is available online at coenergy.coop and available in paper copy upon request.
CoEnergy will provide a member access to the Personal Information relevant to the inquiring member within a reasonable time, conditional on the member providing written request and satisfactory proof of identification. Members also have to the right to know how CoEnergy uses their Personal Information. CoEnergy may charge a nominal fee in responding to any request; however the member will be notified of the fee in advance.
If we decline a member’s request for access to Personal Information, the member will be provided a reason in writing by CoEnergy. Typically, Personal Information is not provided if providing access would reveal Personal Information of a third party or if the Personal Information cannot be disclosed for legal, security or proprietary reasons.
If a member has a challenge or concern regarding CoEnergy’s compliance with the Privacy Code, the member should send their challenge or concern to the Privacy Officer at the information below. The Privacy Officer will respond to challenges and concerns and work with the member to find an acceptable solution.
Appendix A – Privacy Code Principles
Ten interrelated principles form the basis of the CSA (Canadian Standards Association) Model Code for the Protection of Personal Information. Each principle must be read in conjunction with the accompanying commentary.
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
- Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
- Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
- Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.