SurroCanada CORPORATE PRIVACY POLICY

Last Updated November 3, 2022


Purpose:

The purpose of this Privacy Policy document is to outline the policies and procedures on privacy, including the handling of personal information, protection of privacy, and breach reporting procedures. 

Scope:

SurroCanada respects privacy. This Privacy Policy summarizes what personal information is collected from all sources, including clients, donors, surrogates, employees, and other third-party individuals, and how such information is used and disclosed by SurroCanada. SurroCanada website terms of use is incorporated here by reference. SurroCanada policy, including this Privacy Policy, may change from time to time without notice. It is recommended that you visit our website for the current version of the Privacy Policy

What Personal Information is Collected:

Personal Information is any factual or subjective information about an identifiable individual (“Personal Information”). This includes information in any form. The Personal Information collected will depend on its purpose and the service requested, and may include the following: 

  1. age, name, contact information, such as a residential address, telephone number, email address, ID numbers, income, ethnic origin, etc.
  2. government-issued identification documents
  3. medical and or psychological report
  4. employment information
  5. financial information, credit records, credit card information, payment records 
  6. opinions, evaluations, comments, social status, disciplinary actions
  7. additional background information submitted to us, such as criminal record check, employment record, etc. 
  8. intentions (for example, to acquire goods or services, or change residence or jobs)

 SurroCanada collects Personal Information when it is voluntarily provided to SurroCanada through any means of communication. For example, SurroCanada may collect Personal Information when a client:

  • Contact us through email, telephone, mail, website form; or other correspondence; 
  1. Register for a service we provide; or,
  1. Register to receive our marketing materials

Collection of Personal Information: 

Personal Information will be collected, used, and stored with the client’s informed, active consent prior to the collection. 

SurroCanada reserves the right to transfer Personal Information in the event that we merge with or are acquired by a third party. We also may disclose Personal Information for any other purpose permitted by law or to which the Client provided consent.

How We Protect Stored Personal Information:

The security of Personal Information is important to us. We protect Personal Information by maintaining physical, organizational, and technological safeguards appropriate to the sensitivity of such Personal Information. Personal Information collected from clients is stored on CRM, Google Drive, and/or other SurroCanada-approved cloud-based storage. On a regular basis, SurroCanada will review whether its third-party cloud storage is meeting our security needs. Such review will happen from time to time as needed, and at least once every 3 years. Personal Information may only be accessed by SurroCanada personnel who require such access to provide services. 

We retain Personal Information that we collect for as long as necessary to carry out the purposes for which it was collected, or to meet legal requirements. We destroy Personal Information when it is no longer needed. Personal Information collected from clients is stored for a minimum of 2 years after we complete the provision of services. Donor and surrogate reimbursement information needs to be kept for a minimum of 6 years. 

Some or all of the Personal Information SurroCanada collect may be stored or processed in jurisdictions outside of Canada, including the United States. As a result, this information may be subject to access requests from governments, courts, or law enforcement in those jurisdictions according to laws in those jurisdictions.

Use of Personal Information:

SurroCanada may use Personal Information for the purposes for which the information was collected, as provided in this Privacy Policy, or for other purposes that are disclosed to the client and to which the client consents.

For example, SurroCanada may use Personal Information:

  1. to respond to inquiries;
  2. to supply requested services;
  3. to send informational or promotional communications; 
  4. to carry out other purposes that are disclosed to the client and to which the client consents; or,
  5. to carry out the employment of its staff, to carry out any other purpose permitted or required by law. 

SurroCanada may transfer Personal Information to third-party service providers that assist us with carrying out these purposes.

Personal Information may only be accessed by personnel within SurroCanada who require such access to provide the services indicated above, and such personnel should only access the information necessary to complete the specific task required.

Disclosure of Personal Information:

SurroCanada may disclose Personal Information for the purposes for which the information was collected, as provided in this Privacy Policy, or for other purposes to which the client consents.

For example, SurroCanada may disclose Personal Information: 

  1. to make referrals to professional services;
  2. to provide marketing or social media posting services;
  3. to assist in the introduction of third-party Intended Parents, donors or surrogates,
  4. to carry out educational or promotional purposes; or
  5. to conduct internal inquiries regarding complaints initiated by the client or on their behalf.

Prior to the disclosure of Personal Information, SurroCanada personnel who makes the disclosure must ensure that the appropriate consent has been acquired, by verifying that:

  1. the appropriate checkbox has been marked on the consent document to allow the specific disclosure,
  2. the correct signature has been given,
  3. the consent has not been revoked, and,
  4. the correct recipient is the one to receive the disclosure, i.e. ensure that only the intended recipient’s correct email address is put in; ensure that the correct attachment is enclosed; verify the identity of the corresponding recipient on the phone; website address of any third-party website, database, or social media site; and never use suspicious links to redirect you to a third-party website and input any Personal Information.

The consent verification process needs to be followed each time any Personal Information is to be disclosed, including but not limited to:

  1. Sending any document with Personal Information to any person or entity outside of SurroCanada;
  2. Sharing of Profiles which includes Personal Information;
  3. Posting Personal Information on social media; or,
  4. Inputting Personal Information into a website, database, payment system, or any other program not approved by SurroCanada, that the client specifically consented

Breach or Incident Reporting:

SurroCanada Personnel must report all incidents of a suspected breach, an actual breach, near-miss, or other privacy-related concerns or issues to management by using the Incident Reporting Form.

Investigation and Recommendations:

Each incident reported is investigated by the SurroCanada Privacy Officer, or alternatively, the HR or the COO. Once an investigation is concluded, it will be signed off by the COO of the founder. Incident investigation usually involves some or all of the following steps: Gathering information, identifying the risk/breach/harm, evaluating any obligation to report the breach, preparing a report which may include recommendations, and, changing SurroCanada Privacy Policy or practice.

Breach Disclosure to Affected Individual:

A breach does not have to be disclosed to the individual whose Personal Information was affected if the breach both accidental and the Personal Information is encrypted or de-identified. Breach Disclosure is mandatory when any of the following applies:

  • When the Personal Information is private, sensitive, or can otherwise be used or abused to the detriment of the individual whose Personal Information was affected,
  • When the breach is repeated, continuous over a long period of time, or otherwise significant,
  • When the breach is the result of malicious or intentional action,
  • When the breach happened to a large volume of information or is otherwise large in scale,
  • Following a breach or suspected breach, the Personal Information is being further used or disclosed, 
  • Any other situation where there was no reason to withhold the breach to the individual

Breach should be disclosed to affected individual as soon as reasonably practicable once the breach has been discovered, and in any event within 2 business day. A follow-up may be done by the Privacy Officer during the Investigation process and should include the following:

  • a summary of the incident,
  • any preliminary findings, and,
  • any containment effort already made. 

A final correspondence should be done once the Investigation is complete and closed, and include a full summary of the incidents along with any recommendations made, and any changes to the Privacy policy or practice. 

Regular Updates and Review:

Privacy training will be included in new-staff onboard training. Privacy Policy is reviewed annually, or updated on an as-needed basis. Any important updates which may impact the daily operation of SurroCanada will be dissimilated through e-mail to appropriate departments. Any non-urgent updates will be presented during an all-staff meeting. SurroCanada Privacy Policy and practice will continue to grow as we guard the privacy of our clients, the company, and its employees.

Access and Rectification:

Clients have a right to access their own Personal Information and to request a correction to it if they believe it is inaccurate. If a client submitted Personal Information and would like to have access to it, or if the client would like to have it corrected, they should be encouraged to contact their case coordinator, or by using the contact information provided below.

When SurroCanada personnel corresponds with a client, or meets a client either virtually or face-to-face, please be conscious that any notes taken, any written or audio recording of the correspondence, and any video recording, may form a part of the disclosure if requested through an access to information request, made by the client or others, in the context of a public inquiry, litigation, performance review, audit, or for other possible purposes.


Contact Us About Questions Regarding Privacy

 

Clients and the general public may send any questions regarding this Privacy Policy, or access of information requests, to SurroCanada Privacy Officer at PrivacyOfficer@babiescometrue.com.