I.         Objective 

 

A more innovative and productive Canada will be built by creative and entrepreneurial citizens generating new ideas and working together to make them a reality. Mitacs is passionately committed to supporting this innovation. In designing our programs, processes, systems, and procedures, Mitacs will take best efforts to design around the interests and needs of individual users, who have the greatest vested interest in the management of their own personal data. We seek to assure visibility and transparency of personnel information collected by Mitacs, as they are essential to establishing accountability and trust.

 

Why does Mitacs need a Privacy Policy?  

Mitacs is defined as an ‘organization’ under B.C.’s Personal Information Protection Act, 2003 (PIPA) and must comply with the requirements under this Act. The purpose of the Act is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. Among other requirements under PIPA, organizations must develop and follow policies and practices that meet the purpose of the Act. 

Many of the funding agreements that Mitacs has signed reference other provincial access to information and privacy legislation to which Mitacs must comply. Since Mitacs also offers programs and services to EU data subjects, Mitacs must comply with the General Data Protection Regulation (GDPR). Mitacs is committed to complying with all applicable access to information and privacy laws. A privacy policy is integral to any privacy management program. 

This Privacy Policy is included in Mitacs’ annual review and may be updated from time to time.  A current version will be made available. 

  

II.      Contents 
 

What is covered in this policy?

This policy outlines Mitacs’ privacy practices regarding the collection, use, disclosure, and retention of personal information for which it has custody and control

At Mitacs, we take responsibility for the personal information in our custody and control. This privacy policy applies to all Mitacs employees, Board of Directors, and third parties, including contractors and other service providers engaged by Mitacs.       

Who is responsible for Mitacs’ Privacy Program?

Our Chief Financial and Human Resource Officer (CFHRO) is designated as Chief Privacy Officer (CPO). If anyone wishes to make a complaint about Mitacs personal information management practices or its compliance with this Policy, a written complaint should be sent to the attention of the Privacy Office. The Chief Privacy Officer will ensure that all complaints are investigated, and that responses are made to all written enquiries. If a complaint is found to be justified by the Chief Privacy Officer, Mitacs will take reasonable steps to address the situation and to amend this policy or procedures as appropriate. 

Contact information:

Chief Privacy Officer
Mitacs
Suite 301, Technology Enterprise Facility
University of British Columbia
6190 Agronomy Road
Vancouver, BC, V6T 1Z3 
Email: privacy@mitacs.ca 
Phone:  604-822-9189

Under PIPA, individuals have the right to complain to the B.C. Information and Privacy Commissioner. Individuals also have the right of access to their personal information and the right to correction of their personal information. PIPA also provides protection for an employee who, in good faith, reports contraventions of PIPA to the OIPC, acts in a way to avoid or prevent a contravention of PIPA, or refuses to do anything he or she believes contravenes PIPA. If any of these situations arise, the employee, or “whistleblower,” is protected from any punitive action taken by an organization against him or her, such as suspension or dismissal.

Office of the Information and Privacy Commissioner for British Columbia (OIPC) PO Box 9038 Stn. Prov. Govt.
Victoria B.C. V8W 9A4
Telephone:  (250) 387-5629
Vancouver: (604) 660-2421
Elsewhere in BC: (800) 663-7867
E-mail: info@oipc.bc.ca

Rights of EU Data Subjects 

In addition to rights under PIPA with respect to an individual’s personal information noted above, those residing in the European Union (EU), whose personal information is in Mitacs’ custody and control, have certain additional rights under the General Data Protection Regulation (GDPR):

Restrictions on Further Processing: European data subjects have the right, where there is a dispute in relation to the accuracy or basis of processing of their personal data, to request a restriction on further processing by Mitacs.

Erasure: EU data subjects have the right to erasure of their personal data (“right to be forgotten”) in certain circumstances.

Data Portability: EU data subjects have the right to request that personal data that they have provided to Mitacs be returned to him/her or be provided to another third party of his/her choice, in a structured, commonly used and machine-readable format.

Automated Decision-Making: European citizens have the right not to be subject to a decision based solely on automated decision-making (e.g. AI/machine learning algorithms). In connection with such right, EU data subjects may have the right to request human intervention with respect to such automated decision-making, as well as express his/her point of view or contest any such automated decision-making by Mitacs.

Mitacs Policy 

  1. Mitacs will not collect, use or disclose personal information about an individual unless: a) the individual provides consent; b) it is authorized by legislation; c) consent is deemed to be given under legislation.
  2. Mitacs limits the collection, use, disclosure, and retention of personal information to what is necessary for Mitacs’ use, or as required by law.
  3. The primary purposes for which Mitacs collects, uses, discloses and retains personal information are as follows: 
  • To communicate information about our programs and services and establish or maintain ongoing relationships with individuals;
  • To meet legal, regulatory or contractual requirements, such as providing information about program participation and outcomes to our funding partners;
  • To evaluate an applicant’s eligibility for a Mitacs program or award;
  • To administer Mitacs events;
  • To evaluate and enhance our programs and services;
  • To establish and manage the employment or other work relationship with employees.
  1. Mitacs can rely on implied consent if the individual is aware of the purpose for the collection, use, disclosure, or retention of their personal information and, if the purpose is consistent with those listed above and that which a reasonable person would expect. This is not the case with EU data subjects under GDPR.
  2. Mitacs will get explicit consent from the individual for secondary purposes (i.e. those purposes that have not been identified in this policy), unless it is so similar to those already consented to that it would be expected by the individual (i.e. consistent with the original purpose).
  3. Mitacs will comply with an individual’s request to withdraw consent from the collection, use, disclosure or retention of their personal information, unless it will interfere with a legal or contractual obligation.
  4. Mitacs makes reasonable effort to ensure that personal information collected by or on behalf of Mitacs is accurate and complete.
  5. Mitacs acknowledges that individuals have the right to access and correct their personal information. Mitacs will share information about the existence, use, and disclosure of an individual’s personal information in its custody and control. Mitacs does not charge fees to access information if the requestor is an employee; however, for all other individual requests, Mitacs may charge a minimal fee.
  6. Mitacs acknowledges that EU data subjects have additional rights under GDPR to their personal information under Mitacs’ custody and control and has incorporated these additional rights into its management of personal information.
  7. Mitacs uses reasonable physical, administrative, and technical safeguards to protect personal information from unauthorized access, collection, use, disclosure, copying, modification or disposal, or similar risks.
  8. Mitacs follows its protocol in the event of a privacy breach.
  9. Mitacs must destroy documents containing personal information or make the information anonymous as soon as it is reasonable to assume the following:

a.  The purpose for which the personal information was collected is no longer being served by keeping the personal information, and
b.  It is no longer necessary to keep the personal information for legal or business purposes.

Exceptions: 

a. If Mitacs uses an individual’s personal information to make a decision that directly affects the individual (e.g. employee, program applicant), Mitacs must keep that information for at least one year after using it so the individual has a reasonable opportunity to obtain access to it.

b. Subject to the above, Mitacs will follow its own retention periods or schedules for documents, based on financial, legal,regulatory, operational, audit or archival requirements.

c. Even if an individual has changed or taken back his or her consent for collecting, using or disclosing information, Mitacs can keep that information if there are legal reasons to do so.

(last updated: November 2018)