Security, Storage, Retention and Disposal of Personal Information
JSI implements the following practices and procedures to ensure the safe storage and disposal of personal information.
1. Security
1.1. JSI is housed in a stand-alone building owned and occupied entirely by JSI. The building is protected by a security system that controls access and is monitored 24 hours a day when the building is not occupied. Only JSI staff members are permitted to have access to the name and address information stored at JSI and the level of their access to this information is enabled based on the jobs they fulfill at JSI.
1.2. JSI computer systems are protected by a variety of electronic security methods. We do not publicly describe the specific methods.
1.3. Personal information held by JSI may be in one of the following forms:
1.3.1. "Active" files for jobs in progress that are stored on disc on computer;
1.3.2. "Active" databases that are stored on disc on computer;
1.3.3. Files associated with “active” jobs that are stored on "backup" electronic media to permit recovery of data;
1.3.4. Files associated with completed jobs that are stored on "backup" electronic media;
1.3.5. Copies of databases that are stored on "backup" electronic media to permit “recovery” of data;
1.3.6. Print "samples" that are produced randomly during data processing operations and stored on paper;
2. Retention, Storage and Backup, Data Files
JSI’s policy related to the retention of files and databases stored on backup media is as follows:
2.1. We distinguish between files and databases that are maintained at JSI on an ongoing basis and those that are created for specific jobs on a time-limited basis.
2.2. Files and databases associated with time-limited jobs are retained for a period of four months after the job is concluded. At the end of this period, the storage media is erased. The retention period is determined (a) to allow identification of the source of personal information should a mailing result in such an inquiry by an individual and (b) by business practices that require that we retain an "audit trail" on job processing should a client question the processing performed by JSI.
2.3. At the request of clients, specific files associated with a job may be stored for a longer period if the file is to be used again in a subsequent job. If we are so directed by a client, such a stored file may be retained until the "next" job and for four months thereafter.
2.4. JSI’s policy related to the retention of files and databases stored on electronic "backup" media maintained at JSI are determined by the requirements of the clients who own the data. The maximum period for retention of such data is one year.
2.5. Databases of records maintained by JSI on a continuing basis for clients are retained for periods of time determined by the client.
3. Printed Material
In the course of running jobs, JSI prints "sample records," names and addresses that are displayed with the sole purpose of allowing visual inspection to determine whether or not name address information is being correctly supplied to JSI and/or is correctly formatted in data output. Such records are randomly sampled and the printed versions of the records form part of the paper trail that details the processing enabled on the job. JSI retains job folders for a two-year period with the sole purpose of allowing JSI to repeat similar jobs by copying the methods used on a past job should another similar job be required. Name and address information residing as samples in job files is produced randomly and is therefore "searchable" only by inspecting all such printed names/addresses. All paper output that contains name/address information is shredded prior to its being recycled.
4. Receipt of Personal Information from other Organizations
4.1. All of the personal information that JSI receives is supplied to JSI by other organizations. In handling this information, JSI acts entirely as a subcontractor to its clients and any handling and processing of personal information at JSI is entirely based on instructions we receive from the client organizations for which we perform services. Any end-uses made of personal information stored at JSI are therefore those end-uses determined by JSI’s organizational clients.
4.2. The personal information supplied to JSI by clients or by organizations acting on the instructions of our clients is of two main types:
4.2.1. The information has been collected by the organization that is JSI’s client or by a subcontractor acting on behalf of JSI’s client and is therefore directly owned and controlled by JSI’s client; or
4.2.2. The personal information supplied to JSI by clients or by organizations acting on the instructions of our clients is of two main types: subscribers to JSI where it is compared to other lists of names and addresses and forms a portion of the name/address file to which XYZ Foundation mails a solicitation.
4.3. The collection and use of personal information by JSI clients is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA). JSI does not collect the personal information it receives and therefore cannot directly ensure that such data are handled in a manner consistent with those sections of PIPEDA governing collection and use. Therefore, JSI, as a condition of receiving personal information from or on behalf of clients, requires clients to supply personal information (a) that has been collected in a manner consistent with the requirements of PIPEDA and (b) to direct JSI to use information on behalf of the client in a manner consistent with PIPEDA.
4.4. JSI will refuse to accept files of personal information from clients where it has reason to believe that the personal information contained therein has been collected or is being used in a manner inconsistent with the provisions of PIPEDA.
4.5. All personal information received on or on behalf of clients is treated as confidential and is used only as directed by the client on whose behalf we have received the information. Personal information housed at JSI is protected by the mechanisms described at Section 4 above. Exception: as required by PIPEDA, JSI will respond to the requests of individuals to identify information held by JSI on them. See Privacy and Personal Information.