We understand the importance of protecting the personal information of our customers and our employees. To earn and maintain your trust we have designed our policy to meet or exceed the requirements of legislation enacted by the United States government and substantially similar state and other legislation (collectively, privacy legislation). In addition, we are constantly looking for new and better ways to secure your personal information and to ensure that it is used in a responsible and respectful manner.
TRI HoldCo, Inc.
Information Security Officer
600 Coolidge Drive, Suite 300,
Folsom, CA 95630
OVERVIEW AND APPLICABILITY
TRI HoldCo, Inc. supports the right to privacy, including the rights of individuals to control the dissemination and use of personal data that describes them, their personal choices, or life experiences. TRI HoldCo, Inc. supports domestic and international laws and regulations that seek to protect the privacy rights of such individuals, including legislation enacted by the United States government and substantially similar state and other legislation (collectively, privacy legislation) or the order of any court or other lawful authority.
It does not, however, apply to the collection, use or disclosure of the following information by TRI HoldCo, Inc.:
This policy applies to all TRI HoldCo, Inc. employees, contractors, temporaries, consultants and other workers. All of these people are expected to be familiar with and fully in compliance with these policies. Workers who are not in compliance are subject to disciplinary action up to and including termination.
This policy also applies to outsourcing organizations that perform information processing services on behalf of TRI HoldCo, Inc. Use of outsourcing organizations to process personal data must always include a contractual commitment to consistently observe these policies and related TRI HoldCo, Inc. procedures and standards as specified by the Information Security Department. All outsourcing organizations handling personal data provided by TRI HoldCo, Inc. must periodically issue certificates of compliance with this policy and permit TRI HoldCo, Inc. to initiate independent audits to determine compliance with this policy.
Briefly stated, privacy legislation requires that the consent of an individual be obtained for the collection and use of his or her personal information, that steps are taken to protect personal information and that at least one individual is appointed to monitor compliance with the provisions of applicable privacy legislation.
TRI HoldCo, Inc. – means TRI HoldCo, Inc.
Collection – means the act of gathering, acquiring, recording or obtaining personal information from any source, including third parties, by any means.
Consent – means voluntary agreement with the collection, use and disclosure of personal information for defined purposes. Consent can be either express or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing but is always unequivocal and does not require an inference on the part of TRI HoldCo, Inc. Implied consent is consent that can reasonably be inferred from an individual’s action or inaction.
Customer – means an individual who:
Disclosure – means making personal information available to third parties outside TRI HoldCo, Inc.
Personal information or data – means information about an identifiable individual recorded in any form and includes, but is not limited to, such things as race, ethnic origin, nationality, age, gender, marital status, religion, education, medical information, criminal information, performance reviews, trade union membership, employment and financial history, income, address and telephone number, e–mail address, numerical identifiers such as Social Insurance or Social Security Number, and views and personal opinions. Personal information also includes information about a customer’s product and service subscriptions and usage, credit information, billing records such as credit card number, service and any recorded complaints.
Privacy legislation – means domestic and international laws and regulations that seek to protect the privacy rights of individuals, including legislation enacted by the United States government and substantially similar state and other legislation.
Third party – means an individual, partnership, corporation, public authority, government agency, or any other entity other than the customer or his or her agent or TRI HoldCo, Inc.
Use or Processing – means the treatment, handling and management of personal information by TRI HoldCo, Inc. Any operation or set of operations performed on personal data, whether by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, combination, blocking, erasure or destruction. No distinction between data, information, knowledge, or wisdom is made in this policy.
PRINCIPLE 1 — ACCOUNTABILITY
1.2 TRI HoldCo, Inc. will provide the name and contact information of the Chief Information Security Officer upon request.
1.3 TRI HoldCo, Inc. shall be responsible for the personal information in its possession or custody, including information that has been transferred to a third party for processing. TRI HoldCo, Inc. shall use contractual or other appropriate means to ensure a comparable level of protection while the information is being processed by a third party.
PRINCIPLE 2 — IDENTIFYING PURPOSE
TRI HoldCo, Inc. will identify the purpose for which personal information is collected at or before the time the information is collected. The purposes for which information is collected, used or disclosed by TRI HoldCo, Inc. must be those that a reasonable person would consider appropriate in the circumstances.
2.1 TRI HoldCo, Inc. will document the purposes for which personal information is collected in order to comply with the Openness requirement (See Principle 8) and the Individual Access requirement (See Principle 9).
2.2 Identifying the purposes for which personal information is collected at or before the time of collection allows TRI HoldCo, Inc. to determine the information it needs to collect to fulfill these purposes. The Limiting Collection requirement (See Principle 4) requires TRI HoldCo, Inc. to collect only that information necessary for the purposes that have been identified.
2.3 The identified purposes for which personal information is collected shall be specified at or before the time of collection to the customer from whom the personal information is collected. Depending upon the way in which the information is collected, this shall be done orally or in writing.
2.4 When TRI HoldCo, Inc. proposes to use personal information that has been collected for a purpose not previously identified, it will identify the new purpose before using such personal information. Unless the new purpose is required by law, or consent is otherwise not required pursuant to privacy legislation, the consent of the individual shall be obtained before the personal information is used for the new purpose.
2.5 Individuals responsible for collecting personal information on behalf of TRI HoldCo, Inc. will explain to customers the purposes for which the information is being collected, including any purposes that may not be immediately obvious to the individual.
2.6 The purposes for which the personal information of customers is collected may include, but is not limited to:
2.7 Information gathered automatically by TRI HoldCo, Inc. through its website may be used for technical, research and analytical purposes. Information collected through surveys, existing files and public archives may be used by TRI HoldCo, Inc. to analyze its markets and to develop or enhance service offerings.
2.8 TRI HoldCo, Inc. collects the following personal information from you about your designated third-party representatives: email address, mailing address, phone number, and uses this information for the sole purpose of completing your request or for whatever reason it may have been provided. If you believe that one of your contacts has provided us with your personal information and you would like to request that it be removed from our database, please contact us at email@example.com.
PRINCIPLE 3 — CONSENT
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where consent is not required by privacy legislation as, for example, where the collection, use or disclosure of personal information is solely for journalistic, artistic or literary purposes.
3.1 Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Generally, TRI HoldCo, Inc. will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to the use or disclosure of personal information may be sought after the information has been collected but before the personal information is used (for example, when TRI HoldCo, Inc. wants to use information for a purpose not previously identified). In obtaining consent, TRI HoldCo, Inc. shall use reasonable efforts to ensure that a customer is advised of the identified purposes for which personal information will be used or disclosed. Purposes shall be stated in a manner that can be reasonably understood by the customer.
3.2 TRI HoldCo, Inc. will not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
3.3 In obtaining consent, TRI HoldCo, Inc. will take into account the sensitivity of the personal information and the reasonable expectations of its customers. Consent will not be obtained through deception.
3.4 The way in which TRI HoldCo, Inc. seeks consent may vary, depending on the circumstances and the type of information collected. TRI HoldCo, Inc. will generally seek express consent when the information is likely to be considered sensitive. It will rely on implied consent only where collection and use of the personal information is directly related to a transaction or exchange of information in which the individual is directly participating. Consent may also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
3.5 Consent may be obtained in any one of the following ways:
3.6 Generally, the use of products and services by a customer constitutes implied consent for TRI HoldCo, Inc. to collect, use and disclose personal information for all identified purposes.
3.7 An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. TRI HoldCo, Inc. will inform individuals of the implications of withdrawing consent. Customers may contact TRI HoldCo, Inc. for more information regarding the implications of withdrawing consent.
PRINCIPLE 4 — LIMITING COLLECTION
TRI HoldCo, Inc. shall limit the collection of personal information to that which is necessary for the purposes identified by the company. Personal information shall be collected by fair and lawful means. We may collect the following personal information from you:
4.1 TRI HoldCo, Inc. will not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes identified. TRI HoldCo, Inc. shall specify the type of information collected as part of its information handling policies and practices, in accordance with the Openness requirement (See Principle 8).
4.2 The requirement that personal information be collected by fair and lawful means is intended to prevent TRI HoldCo, Inc. from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. Consent to the collection of personal information must not be obtained through deception.
PRINCIPLE 5 — LIMITING USE, DISCLOSURE AND RETENTION
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of the purposes for which it was collected. If you wish to cancel your account or request that we no longer use your information to provide you services contact us at firstname.lastname@example.org. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
5.1 Where TRI HoldCo, Inc. intends to use personal information for a purpose not previously identified, TRI HoldCo, Inc. shall document the new purpose and shall obtain the consent of the individual prior to using the information for a new purpose.
TRI HoldCo, Inc. may disclose the personal information of its customers:
5.3 Except as required or permitted by law, when disclosure is made to a party other than TRI HoldCo, Inc. or a third party provider of personal information processing services, the consent of the individual shall be obtained and reasonable steps shall be taken to ensure that any such third party has personal information privacy procedures and policies in place that are at least comparable to those implemented by TRI HoldCo, Inc. Only that information necessary for the third party to provide services is shared. These third party companies do not have access to any financial information and are not allowed to retain, store, or use personal information for any secondary purposes.
5.4 Personal information shall be kept only as long as it remains necessary or relevant for the identified purposes or as required by law. Depending on the circumstances, where personal information has been used to make a decision about a customer, TRI HoldCo, Inc. shall retain, for a period of time that is reasonably sufficient to allow for access by the customer, either the actual information or the rationale for making the decision.
5.5 TRI HoldCo, Inc. has guidelines and procedures with respect to the retention of personal information. Personal information that is no longer necessary or relevant for the identified purposes or required by law to be retained, shall be destroyed, erased or made anonymous.
5.7 Testimonials. We may display personal testimonials of satisfied customers on our site in addition to other endorsements. With your consent we may post your testimonial along with your name. If you wish to update or delete your testimonial, you can contact us at email@example.com.
5.9 As is true of most web sites, we gather certain information automatically and store it in log files. This information includes Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data. We use this information, to analyze trends, to administer the site, to track users’ movements around the site and to gather demographic information about our user base as a whole.
5.10 Communication Preferences. You may sign-up to receive email or other communications from us. If you would like to discontinue receiving this information, you may update your email preferences by contacting us at firstname.lastname@example.org.
5.12 Our Web site may offer publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your personal information from our blog or community forum, contact us at email@example.com. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.
PRINCIPLE 6 — ACCURACY
Personal information shall be as accurate, complete and up–to–date as is necessary for the purposes for which it is to be used.
6.1 Personal information used by TRI HoldCo, Inc. shall be sufficiently accurate, complete and up–to–date to minimize the possibility that inappropriate information may be used to make a decision about the individual customer. The extent to which personal information will be accurate, complete and up–to–date will depend upon the use of the information, taking into account the interests of the individual.
6.2 TRI HoldCo, Inc. will not, however, routinely update personal information, unless this is necessary to fulfill the purposes for which the information was collected. Personal information about customers shall be updated only as and when necessary to fulfill the identified purposes or upon notification by the individual.
6.3 TRI HoldCo, Inc. shall ensure that personal information that is used on an ongoing basis, including information that is disclosed to third parties, is generally accurate and up–to–date, unless limits to the requirement for accuracy are clearly set out.
PRINCIPLE 7 — SAFEGUARDS
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
7.1 TRI HoldCo, Inc. will implement security safeguards to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, regardless of the format in which the information is held.
7.2 The nature of the safeguards will vary depending on (i) the sensitivity of the information that has been collected, (ii) the amount, distribution and format of the information, and (iii) the method of storage.
7.3 Physical measures such as locked filing cabinets and restricted access to offices, organizational measures such as security clearances and limiting access on a “need–to–know” basis, and technological measures such as the use of passwords and encryption have been adopted by TRI HoldCo, Inc.
7.4 TRI HoldCo, Inc. streamlines and expedites its computerized business interactions with individuals, while striving to be forthright and clear about its privacy policies. To support these objectives and to encourage individuals to use Internet commerce sites and other computerized business systems, TRI HoldCo, Inc. adopts and supports all generally-accepted standards for web content rating, web site privacy protection, and Internet commerce security, including third–party seals of approval. When you enter sensitive information (such as a credit card number) on our order forms, we encrypt the transmission of that information using secure socket layer technology (SSL).
No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security. If you have any questions about security on our Web site, you can contact us at firstname.lastname@example.org.
7.5 TRI HoldCo, Inc. does not use externally-meaningful identifiers as its own internal individual account numbers. For example, TRI HoldCo, Inc. will never create account numbers that are the same as your social security number, driver’s license number, or any other identifier that might be used in an unauthorized fashion by a third party.
7.6 When they are no longer needed, all copies of personal data will be irreversibly destroyed. Documents will be destroyed only if all legal retention requirements and related business purposes have been met.
PRINCIPLE 8 — OPENNESS
TRI HoldCo, Inc. shall make readily available to its customers specific information about its policies and practices relating to the management of personal information.
8.1 TRI HoldCo, Inc. will be open about its policies and practices with respect to the management of personal information. Customers shall be able to acquire information about TRI HoldCo, Inc.’s policies and practices with respect to the management of personal information without unreasonable effort.
PRINCIPLE 9 — INDIVIDUAL ACCESS
Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information except where TRI HoldCo, Inc. is permitted or required by law not to disclose personal information to the individual customer. An individual customer shall be able to challenge the accuracy and completeness of the information disclosed to him or her and have it amended as appropriate.
9.1 Upon request, TRI HoldCo, Inc. shall inform an individual customer whether it holds personal information about that individual (except where permitted or required by law not to disclose personal information) and shall afford the individual a reasonable opportunity to review the personal information in his or her file at minimal or no cost to the individual. TRI HoldCo, Inc. shall provide an account of the use that has been made or is being made of the personal information and an account of the third parties to which the personal information has been disclosed. Where reasonably possible, TRI HoldCo, Inc. shall indicate the source of the personal information.
9.2 In order to safeguard personal information, a customer may be required to provide sufficient identification information to permit TRI HoldCo, Inc. to account for the existence, use and disclosure of personal information and to authorize access to the individual's file. Any such information shall be used only for this purpose.
9.3 In certain situations, TRI HoldCo, Inc. may not be able to provide access to all of the personal information that they hold about a customer. For example, TRI HoldCo, Inc. is not required to provide access to information if doing so would likely reveal personal information about a third party or could reasonably be expected to threaten the life or security of another individual. Similarly, TRI HoldCo, Inc. may not be required to provide access to information if disclosure would reveal confidential commercial information, if the information is protected by privilege, if the information was generated in the course of a formal dispute resolution process, or if the information was collected in relation to the investigation of a breach of an agreement or a contravention of a federal, state or provincial law. If access to personal information cannot be provided, TRI HoldCo, Inc. shall provide the reasons for denying access upon request.
9.4 In providing an account of third parties to which it has disclosed personal information about a customer, TRI HoldCo, Inc. shall attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed personal information, TRI HoldCo, Inc. shall provide a list of organizations to which it may have disclosed personal information about the customer.
9.5 TRI HoldCo, Inc. will respond to an individual’s request within a reasonable time and in any event within thirty (30) days of the request. The time for responding to a request may be extended for up to an additional thirty (30) days if meeting the time limit would unreasonably interfere with the activities of TRI HoldCo, Inc., or if the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet. TRI HoldCo, Inc. may also extend the time for responding for such period of time as is necessary to be able to convert the personal information into an alternative format. TRI HoldCo, Inc. will provide notice to the individual of any extension taken within thirty (30) days of the individual’s request and will advise the individual of the right to make a complaint to the Chief Information Security Officer about the extension. They will provide the requested information or make it available in a form that is generally understandable. For example, if abbreviations or codes are used to record information, TRI HoldCo, Inc. will provide a corresponding explanation.
9.6 Upon request by an individual with sensory disabilities, TRI HoldCo, Inc. will give access to personal information about the individual in an alternative format if a version of the information already exists in that format or if its conversion to an alternative format is necessary to allow the individual to exercise rights to request correction, challenge compliance of TRI HoldCo, Inc. under the Challenging Compliance Requirement (See principle 10) or file a formal complaint pursuant to applicable privacy legislation.
9.7 TRI HoldCo, Inc. shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to the accuracy or completeness shall be noted in the individual’s file. Where appropriate, TRI HoldCo, Inc. shall transmit to third parties having access to the personal information in question any amended information or the existence of any unresolved differences.
9.8 A customer can obtain information or seek access to his or her individual file by contacting TRI HoldCo, Inc.
9.9 Customers are entirely responsible for maintaining the confidentiality of their identifying information, including account numbers, User ID numbers and passwords.
PRINCIPLE 10 — CHALLENGING COMPLIANCE
10.1 TRI HoldCo, Inc. will address and respond to all inquiries or complaints from its customers about the company’s handling of personal information.
10.2 TRI HoldCo, Inc. will inform their customers about the availability of complaint procedures.
10.4 Any questions about the security of TRI HoldCo, Inc.’s website(s) should be addressed to email@example.com.
10.5 If for any reason an individual believes that TRI HoldCo, Inc. has not adhered to these privacy principles, notification should be emailed to firstname.lastname@example.org.