Introduction

Manitoba Telecom Services Inc. and its subsidiaries (hereafter the “Company”) provides a complete range of services to customers, including local and long distance voice and data, wireless, directory, Internet access, television and security alarm services in Canada.

The Company is committed to maintaining the accuracy, confidentiality, security and privacy of personal information of customers and employees. The Company’s “Privacy Code” is a formal statement of principles and guidelines concerning the minimum requirements for the protection of personal information provided by the Company to its customers and employees. The objective of the Privacy Code is to ensure responsible and transparent practices in the management of personal information, in accordance with the national standard and federal legislation. This version of the Privacy Code was updated December 2013.

The Company will review its Privacy Code at least every five years to ensure it is relevant and remains current with changing technologies and laws and the evolving needs of the Company, its customers and employees.

Summary of Principles

Principle 1 – Accountability

The Company is responsible for personal information under its control. The Privacy Officer for Manitoba Telecom Services Inc. is accountable for the Company’s compliance with the Company Privacy Code.

Principle 2 – Identifying Purposes for Collection of Personal Information

The Company shall identify the purposes for which personal information is collected at or before the time the information is collected.

Principle 3 – Obtaining Consent for Collection, Use or Disclosure of Personal Information

The knowledge and consent of a customer or employee are required for the collection, use, or disclosure of personal information, except where inappropriate.

Principle 4 – Limiting Collection of Personal Information

The Company shall limit the collection of personal information to that which is necessary for the purposes identified by the Company. The Company shall collect personal information by fair and lawful means.

Principle 5 – Limiting Use, Disclosure, and Retention of Personal Information

The Company shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. The Company shall retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.

Principle 6 – Accuracy of Personal Information

The personal information the Company maintains shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Principle 7 – Security Safeguards

The Company shall protect personal information through the use of security safeguards appropriate to the sensitivity of the information.

Principle 8 – Openness Concerning Policies and Practices

The Company shall make readily available to customers and employees specific information about its policies and practices relating to its management of personal information.

Principle 9 – Customer and Employee Access to Personal Information

The Company shall inform a customer or employee of the existence, use, and disclosure of his or her personal information upon request and shall give the individual access to that information. A customer or employee shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Principle 10 – Challenging Compliance

A customer or employee shall be able to address a challenge concerning compliance with the above principles to the person accountable for the Company’s compliance with this Privacy Code.

Scope and Application

The ten principles that form the basis of the Company’s Privacy Code are interrelated and the Company shall adhere to the ten principles as a whole. Each principle must be read in conjunction with the accompanying commentary. As permitted by the Personal Information Protection and Electronic Documents Act, the commentary in this Privacy Code has been tailored to reflect personal information issues specific to the Company.

The scope and application of the Privacy Code are as follows:

  1. The Privacy Code applies to Manitoba Telecom Services Inc. and its various subsidiaries offering communication and other services to customers, including local and long distance voice and data, wireless, directory, Internet access, television and security alarm services, and the Company’s various retail locations (and any successor company or companies of the above, as a result of corporate reorganization or restructuring). The Privacy Code applies to any business a customer does with the Company or anyone acting as an agent on the Company’s behalf.
  2. The Privacy Code applies to personal information about the Company’s customers and employees that is collected, used, or disclosed by the Company.
  3. The Privacy Code applies to the management of personal information in any form whether oral, electronic or written.
  4. The Privacy Code does not impose any limits on the collection, use or disclosure of the following information by the Company:
    1. information that is publicly available, such as a customer’s name, address, telephone number and electronic address, when listed in a directory or made available through directory assistance; or
    2. the name, title or business address or telephone number of an employee of an organization; or
    3. other information about the customer or employee that is publicly available and is specified by regulation pursuant to the Personal Information Protection and Electronic Documents Act.
  5. The Privacy Code does not apply to customers that are not individuals, such as corporate customers. Information collected for such customers is protected by other Company policies and practices and by application contractual terms.
  6. The application of the Company’s Privacy Code is subject to the requirements or provisions of Part I of the Personal Information Protection and Electronic Documents Act, the regulations enacted thereunder, and any other applicable legislation or regulation, including any applicable regulations of the Canadian Radio-television and Telecommunications Commission and the requirements of any applicable legislation, regulations, tariffs or agreements, such as collective agreements, or the order of any court, or other lawful authority.

Definitions

collection
the act of gathering, acquiring, recording, or obtaining personal information from any source, including third parties, by any means.
consent
voluntary agreement with the collection, use and disclosure of personal information for defined purposes. Consent can be either express or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing, but is always unequivocal and does not require any inference on the part of the Company. Implied consent is consent that can reasonably be inferred from an individual’s action or inaction.
customer
an individual who uses, or applies to use, the Company’s products or services or otherwise provides personal information to the Company in the course of the Company’s commercial activities or participating in Company’s contests and promotions.
disclosure
making personal information available to a third party.
employee
an employee or pensioner of the Company, and for the purpose of this Privacy Code only, includes independent and other contractors performing services within the Company.
Company
Manitoba Telecom Services Inc. and its subsidiaries from time to time.
personal information
information about an identifiable individual but not aggregated information that cannot be associated with a specific individual.For a customer, such information includes credit information, billing records, service and equipment, and any recorded complaints.For an employee, such information includes information found in personal employment files, performance appraisals, and medical and benefits information.
third party
an individual other than the customer, or the customer’s agent, or organization outside the Company.
use
the treatment, handling, and management of personal information by and within the Company.

The Privacy Code in Detail

Principle 1 – Accountability

The Company is responsible for personal information under its control. The Privacy Officer for Manitoba Telecom Services Inc. is accountable for the Company’s compliance with the Privacy Code.

  1. Other individuals within the Company may be delegated to act on behalf of the Privacy Officer or to take responsibility for the day-to-day collection and processing of personal information.
  2. The Company is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing or other purposes related to the Company’s business and operations. The Company shall use contractual or other means to provide a comparable level of protection while the information is in the possession of the third party. (See principle 7)
  3. The Company has implemented policies and procedures to give effect to the Privacy Code, including:
    1. implementing procedures to protect personal information and to oversee the Company’s compliance with the Privacy Code;
    2. establishing procedures to receive and respond to inquiries or complaints;
    3. training and communicating to employees about the Company’s policies and practices; and
    4. developing public information to explain the Company’s policies and practices.

Principle 2 – Identifying Purposes for Collection of Personal Information

The Company shall identify the purposes for which personal information is collected at or before the time the information is collected.

  1. The Company collects personal information only for the following purposes:
    1. to establish and maintain responsible commercial relations with customers and to provide ongoing service;
    2. to understand customer needs and preferences and determine eligibility for products and services;
    3. to recommend certain products and services to meet customer needs;
    4. to develop, enhance, market or provide products and services;
    5. to manage and develop the Company’s business and operations, including personnel and employment matters; and
    6. to meet legal and regulatory requirements.

    Further references to “identified purposes” in this Privacy Code mean the purposes identified in this Principle 2.

  2. The Company shall specify orally, electronically or in writing the identified purposes to the customer or employee at or before the time personal information is collected. Upon request, persons collecting personal information shall explain these identified purposes or refer the individual to a designated person within the Company who shall explain the identified purposes.
  3. Unless required or permitted by law, the Company shall not use or disclose for any new purpose personal information that has been collected without first identifying and documenting the new purpose and obtaining the consent of the customer or employee.

Principle 3 – Obtaining Consent for Collection, Use or Disclosure of Personal Information

The knowledge and consent of a customer or employee are required for the collection, use, or disclosure of personal information, except where inappropriate.

  1. In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual. For example, the Company may collect, use or disclose personal information without knowledge or consent if it is clearly in the interests of the individual and consent cannot be obtained in a timely way.The Company may also collect, use and disclose personal information without knowledge or consent if:
    1. seeking the consent of the individual might defeat the purpose of collecting the information, such as in the investigation of a breach of an agreement or a contravention of a federal or provincial law;
    2. there is an emergency where the life, health or security of an individual is threatened; or
    3. disclosure is to a lawyer representing the Company, to collect a debt, to comply with a subpoena, warrant or other court order, or otherwise required or permitted by law.
  2. In obtaining consent, the Company shall use reasonable efforts to ensure that a customer or employee is advised of the identified purposes for which personal information will be used or disclosed. Purposes shall be stated in a manner that can be reasonably understood by the customer or employee.
  3. Generally, the Company shall seek consent to use and disclose personal information at the same time it collects the information. However, the Company may seek consent to use and disclose personal information after it has been collected, but before it is used or disclosed for a new purpose.
  4. The Company will require customers to consent to the collection, use or disclosure of personal information as a condition of the supply of a product or service only if such collection, use or disclosure is required to fulfill the identified purposes.
  5. In determining the appropriate form of consent, the Company shall take into account the sensitivity of the personal information and the reasonable expectations of its customers and employees.
  6. In general, the use of the Company’s products and services by a customer, or the acceptance of employment or benefits by an employee, constitutes implied consent for the Company to collect, use and disclose personal information for all identified purposes.
  7. A customer or employee may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Customers and employees may contact the Company for more information regarding the implications of withdrawing consent.

Principle 4 – Limiting Collection of Personal Information

The Company shall limit the collection of personal information to that which is necessary for the purposes identified by the Company.

The Company shall collect personal information by fair and lawful means.

  1. The Company collects personal information primarily from its customers or employees.
  2. The Company may also collect personal information from other sources including credit bureaus, employers or personal references, or other third parties that represent that they have the right to disclose the information.
  3. For safety, security and liability purposes, the Company may use cameras in its retail stores and adjoining areas such as exterior hallways and parking lots. Information recorded by such cameras is retained for a short period, unless needed in conjunction with an investigation.

Principle 5 – Limiting Use, Disclosure, and Retention of Personal Information

The Company shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

The Company shall retain personal information only as long as necessary for the fulfillment of those purposes.

  1. In certain circumstances, personal information can be collected, used or disclosed without the knowledge and consent of the individual. (See Principle 3.1)
  2. In addition, the Company may disclose a customer’s personal information to
    1. another telecommunications company for the efficient and cost-effective provision of telecommunications services;
    2. a company involved in supplying the customer with communications or communications directory related services;
    3. a company or individual retained by the Company to perform functions on the Company’s behalf, such as research and data processing;
    4. another person for the development, enhancement, marketing or provision of any of the Company’s products or services;
    5. credit grantors and reporting agencies;
    6. an agent used by the Company to evaluate a customer’s credit worthiness or to collect the customer’s account;
    7. a public authority or agent of a public authority, if in the reasonable judgment of the Company, it appears that there is imminent danger to life or property which could be avoided or minimized by disclosure of the information;
    8. a person who, in the reasonable judgment of the Company, is seeking the information as an agent of the customer; and
    9. a third party or parties, where the customer consents to such disclosure or disclosure is required or permitted by law.
  3. The Company may disclose personal information about its employees:
    1. for normal personnel and benefits administration;
    2. in the context of providing references regarding current or former employees in response to requests from prospective employers; or
    3. where disclosure is required or permitted by law.
  4. Only those Company employees who require access for business reasons, or whose duties reasonably so require are granted access to personal information about customers and employees.
  5. The Company shall keep personal information only as long as it remains necessary or relevant for the identified purposes or as required by law. Depending on the circumstances, where personal information has been used to make a decision about a customer or employee, the Company shall retain, for a period of time that is reasonably sufficient to allow for access by the customer or employee, either the actual information or the rationale for making the decision.
  6. The Company shall maintain reasonable and systematic controls, schedules and practices for information and records retention and destruction which apply to personal information that is no longer necessary or relevant for the identified purposes or required by law to be retained. Such information shall be destroyed, erased or made anonymous.
  7. When outsourcing certain business or operational functions, the Company strives to minimize the personal information stored or processed outside of Canada. However, in some cases, personal information may be stored or processed outside of Canada to provide customer or employees with service or to support the Company’s operations, and therefore may be subject to the legal jurisdiction of such non-Canadian territory. The Company only provides this information to companies it outsources upon negotiating suitable contracts which stipulate, among other things, that the personal information may only be used for the purposes of providing the services in question.

Principle 6 – Accuracy of Personal Information

The personal information the Company maintains shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

  1. Personal information used by the Company shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about a customer or employee.
  2. The Company shall update personal information about customers and employees as and when necessary to fulfill the identified purposes or upon notification by the individual.

Principle 7 – Security Safeguards

The Company shall protect personal information through security safeguards appropriate to the sensitivity of the information.

  1. The Company shall use appropriate security measures to protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction regardless of the format in which it is held. The Company shall use care in disposing of or destroying personal information to prevent unauthorized parties from gaining access to the information.
  2. The Company shall protect personal information disclosed to third parties by contractual agreements stipulating the confidentiality of the information, the purposes for which it is to be used, limits on the number of Company personnel or agents that access the information to those whose job functions require access to the information, and security measures required to safeguard such personal information.
  3. All employees of the Company, with access to personal information shall be required as an ongoing condition of employment to respect the confidentiality of personal information.

Principle 8 – Openness Concerning Policies and Practices

The Company shall make readily available to customers and employees specific information about its policies and practices relating to the management of personal information.

  1. The Company shall make information about its policies and practices easy to understand, including:
    1. The title and address of the person or persons accountable for the Company’s compliance with the Privacy Code and to whom inquiries or complaints can be forwarded;
    2. The means of gaining access to personal information held by the Company; and
    3. A description of the type of personal information held by the Company, including a general account of its use.
  2. The Company shall make available information to help customers and employees exercise choices regarding the use of their personal information and the privacy-enhancing services available from the Company.

Principle 9 – Customer and Employee Access to Personal Information

The Company shall inform a customer or employee of the existence, use, and disclosure of his or her personal information upon request and shall give the individual access to that information, except in certain circumstances.

  1. A customer or employee shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.Upon request, the Company shall afford customers and employees a reasonable opportunity to review the personal information in the individual’s file. Personal information shall be provided in understandable form within a reasonable time and at a minimal or no cost to the individual.
  2. In certain situations, the Company may not be able to provide access to all of the personal information it holds about a customer or employee. The Company shall provide the reasons for denying access upon request. For example:
    • if doing so would likely reveal personal information about a third party or could reasonably be expected to threaten the life or security of another individual;
    • if disclosure would reveal confidential commercial information;
    • if the information is protected by solicitor-client privilege;
    • if the information was generated in the course of a formal dispute resolution process;
    • if the information was collected in relation to the investigation of a breach of an agreement or a contravention of a federal or provincial law; or
    • if the information is prohibitively costly to provide and it is reasonable for the Company to not provide the information on such basis.
  3. Upon request, the Company shall provide an account of the use and disclosure of personal information and, where reasonably possible, shall state the source of the information. In providing an account of disclosure, the Company shall provide a list of organizations to which it may have disclosed personal information about the individual when it is not possible to provide an actual list.
  4. In order to safeguard personal information, a customer or employee may be required to provide sufficient identification information to permit the Company to account for the existence, use and disclosure of personal information and to authorize access to the individual’s file. Any such information shall be used only for this purpose.
  5. The Company shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file. Where appropriate, the Company shall transmit to third parties having access to the personal information in question any amended information or the existence of any unresolved differences.
  6. A customer can obtain information or seek access to his or her individual files by contacting a customer service representative.
  7. An employee can obtain information or seek access to his or her individual files by contacting his or her manager or Human Resources.

Principle 10 – Challenging Compliance

A customer or employee shall be able to address a challenge concerning compliance with the above principles to the Company’s Privacy Officer, the person accountable for the Company’s compliance with the Privacy Code.

  1. The Company shall maintain procedures for addressing and responding to all inquiries or complaints from its customers and employees about the Company’s handling of personal information.
  2. The Company shall inform its customers and employees about the existence of these procedures as well as the availability of complaint procedures.
  3. The person or persons accountable for compliance with the Privacy Code may seek external advice where appropriate before providing a final response to individual complaints.
  4. The Company shall investigate all complaints concerning compliance with the Privacy Code. If a complaint is found to be justified, the Company shall take appropriate measures to resolve the complaint including, if necessary, amending its policies and procedures. A customer or employee shall be informed of the outcome of the investigation regarding his or her complaint.

For more information on the Company’s commitment to privacy please feel free to Contact Us and our customer service representatives would be pleased to assist you.

For detailed inquiries or unresolved privacy concerns related to Allstream Inc., please contact:
Allstream Privacy Officer
privacyoffice@mtsallstream.com

www.mtsallstream.com
200 Wellington Street West, Suite 1200
Toronto, Ontario M5V 3G2

For all other detailed inquiries or unresolved privacy concerns related to the Company including related to MTS Inc., please contact:
MTS Privacy Officer
privacyoffice@mtsallstream.com

www.mtsallstream.com
P.O. Box 6666
333 Main Street
Winnipeg, Manitoba R3C 3V6

For a copy of the Personal Information Protection and Electronic Documents Act, please contact the Privacy Commissioner of Canada web site at www.privcom.gc.ca.

For a copy of the CSA Model Code for the Protection of Personal Information contact:
Canadian Standards Association
178 Rexdale Blvd.
Etobicoke, Ontario M9W 1R3
For more information on the CSA Model Code visit http://www.csa.ca/cm/ca/en/privacy-code/publications/view-privacy-code.