Protecting the privacy and confidentiality of Personal Information is essential to OREC’s management of member information. The collection, safety and appropriate use of member Personal Information are crucial to our daily operations. In order to ensure a high standard of privacy and protection of Personal Information at OREC, we developed this Privacy Code to fulfill obligations outlined in the Ontario Freedom of Information and Protection of Privacy Act and the federal Personal Information Protection and Electronic Documents Act. Our Privacy Code ensures that OREC respects the sensitivity of Personal Information of our members, outlining the security processes and procedures we have put in place for their protection. This document is publically available on our website and upon request.
Applicability of Privacy Code
In this Privacy Code, the references to “OREC”, “we”, “us” and “our” mean Ottawa Renewable Energy Co-operative Inc. (op. OREC Renewable Energy Co-op). The words “member” and “membership” mean the members of OREC as defined in the Ontario Co-operative Corporations Act.
- “Personal Information” means any information about an identifiable individual and this includes information such as, but not limited to:
- Age, name, mailing and permanent address, e-mail and phone numbers
- Social insurance numbers, banking information and date of birth
- Opinions, evaluations, and comments
OREC’s Privacy Code is based on the 10 key principles of privacy from the Personal Information Protection and Electronic Documents Act as established by the Canadian Standards Association. The next section outlines how OREC satisfies each of the following principles:
- Identifying Purposes
- Limiting Collection
- Limiting Use, Disclosure and Retention
- Safeguard and Contingency
- Individual Access
- Challenging Compliance
For more on the definition of each principle, please visit the Canadian Standards Association website
OREC allows only designated employees and directors to collect, manage and use Personal Information collected from members as outlined in this Privacy Code. These employees and directors engage with Personal Information in order to satisfy responsibilities associated with providing our Member Management and Administrative services. Each designated employee and director of OREC is responsible for the Personal Information under their possession and custody, including any information handed out by them to a third-party.
OREC has, at any time, a Privacy Officer who is ultimately responsible for compliance with the principles and this Privacy Code. Additionally, the Privacy Officer will appoint one OREC staff member to ensure day-to-day in office compliance of this Privacy Code.
Purposes of collecting Personal Information
OREC will explain to members how we intend to use member Personal Information before or at the time we collect it. OREC will only collect member Personal Information that is relevant to these explained purposes. If OREC wishes to use Personal Information for new purposes not outlined before or at the time of collection, OREC will obtain permission from members for these new uses.
OREC collects member Personal Information on behalf of the Client Co-op for the following purposes:
- To establish and maintain commercial relations with the member (e.g. to payout share dividends;
- To manage and develop OREC’s business and operations;
- To help OREC meet legal and regulatory requirements;
- To provide members with information about OREC.
OREC will not use, collect or distribute to a Third Party any Personal Information without prior consent from the member unless we are required to do so by law or the information could aid in a life-threatening emergency. OREC will use reasonable efforts to advise members on how their Personal Information will be used when asking for consent.
Consent may be expressed in writing or in some cases, verbally, electronically or through an authorised proxy. Consent may also be implied depending on the surrounding circumstances.
OREC will not require members to consent to the use, collection or disclosure of Personal Information beyond the specific purposes in order to use our services.
Members may withdraw consent at any time, subject to legal or contractual restrictions and obligations. We will explain the consequences of withdrawal of consent if it will affect our ability to provide service to its members.
OREC will only collect member Personal Information needed to provide service to members. This type of information usually includes:
- Mailing and Permanent Address
- E-mail Address
- Telephone number (home, business, mobile, etc.)
- Social Insurance Number (only through SSL protected forms when online)
- Date of Birth
- Banking information (for purposes of direct deposit)
- Property ownership status (for Ontario Power Authority community power requirements)
Personal Information may be collected from members, with their consent, in person, by mail, in office, over the telephone or digital correspondence
- On all Ottawa Renewable Energy Co-operative Web pages where identifiable personal information is collected, the Ottawa Renewable Energy Co-operative specifically lists all of the information required to access any product or service you request.
The Ottawa Renewable Energy Co-operative collects identifiable personal information in the following cases:
- When you become a member of the Co-operative, the Ottawa Renewable Energy Co-operative collects your username, first and last name, password, city, country, postal code, email address, date of birth, and preferences. This includes when you register to become a member on our Web site or when you create an online profile as a member. If you are not a member, we will only collect your username password, email, and electronic consent that you wish to receive our bi-monthly newsletter. The Ottawa Renewable Energy Co-operative may also collect information about each user’s specific preferences or needs.
- When you contact the Ottawa Renewable Energy Co-operative, the Ottawa Renewable Energy Co-operative collects personal information such as your full name, profile identification number, email address, and/or contact number. This includes but is not limited to when you submit a question or suggestion, or ask for help logging on to or accessing your Ottawa Renewable Energy Co-operative account.
The Ottawa Renewable Energy Co-operative Profile page allows members to view and edit their account settings as well as their user information. The email settings option lets you change your email address and subscribe/unsubscribe to email notification services. This information is collected so that we may better serve you and your requests.
Limiting Use, Disclosure and Retention
Member Personal Information will be collected, used and disclosed internally within OREC by and among staff members in order to perform their job and duties in providing services to members. Use of Personal Information is limited to the purposes to which the member has given consent, except for circumstances required by law.
There are circumstances that present unavoidable types of disclosure of member Personal Information as part of OREC fulfilling its routine or regulatory obligations. In these circumstances, we provide third parties with only Personal Information that is required. We will ensure that these third parties are made aware of and comply with OREC’s Privacy Code and OREC will subject third parties to strict confidentially provisions. Third parties may include:
- Canada Revenue Agency for tax purposes
- Ontario Power Authority for community power status audits
- A service provider that has been engaged by OREC to perform certain services for us, for example, an electronic funds transfer provider.
Selling Personal Information
OREC will not trade or sell Personal Information to third parties or others.
OREC will ensure within reason that Personal Information shall be as accurate, complete and recent as is necessary to provide services to members.
While we do our best to update information from various sources, OREC relies on member disclosure of all materials that is relevant to changes in their Personal Information. We urge members to contact OREC immediately when their Personal Information is to be updated and provide evidence for name changes.
Safeguards: Protecting Personal Information
OREC protects member Personal Information by using physical, organisation and digital safeguards appropriate to the sensitivity of information. This helps protect Personal Information against unauthorised access, disclosure, copying, modification or use. The level of security varies depending on the sensitivity of the information. The OREC Board will define the process for a regular audit to ensure they are properly administered and remain effective, which will be completed by a non-directing member. If a security measure is deemed inappropriate due to a shift in the environment, OREC will make the necessary changes to adapt our security. OREC protects all members’ Personal Information with the methods below:
Including locked filing cabinets and data servers with restricted access.
Including a limited number of designated OREC staff that can access member the Personal Information database, levels of security clearance and limiting internal exchange of data to a “need-to-know” basis.
Digital and Technical
Including passwords for sensitive data access, database encryption, e-mail encryption and audit trails.
- We want our members and Web site visitors to feel confident about using the Ottawa Renewable Energy Co-operative site. As a result, we are committed to protecting the information we collect. The Ottawa Renewable Energy Co-operative has implemented a security program to protect the information stored in its systems from unauthorized access. Currently, the Ottawa Renewable Energy Co-operative can only store the information you provide when you register to become an Ottawa Renewable Energy Co-operative member, create a user profile, book services, or subscribe to our mailing
Our systems are configured to encrypt and scramble data, and are protected by industry-standard technologies and firewalls. When you transmit personal information to the Ottawa Renewable Energy Co-operative over the Internet, your data is protected by Secure Socket Layer (SSL) encryption to ensure safe transmission. The data kept on members and supporters of the Ottawa Renewable Energy Co-operative is kept in an online database, requiring two-factor authentication to be accessed, and is only accessed by those granted access by the Ottawa Renewable Energy Co-operative.
Notwithstanding the security measures deployed by the Ottawa Renewable Energy Co-operative to ensure that third parties are unable to obtain your personal information via its Web site, complete confidentiality and security on the Internet cannot be guaranteed by anyone at this time. Communications via the Internet are subject to interception, loss or alteration.
OREC prepared this plain-language Privacy Code to make all members aware of the security policies and procedures we use in managing Personal Information. This Policy Code is available online at orec.ca and available in paper copy upon request.
OREC will provide a member access to the Personal Information relevant to the inquiring member within a reasonable time, conditional on the member providing written request and satisfactory proof of identification. Members also have to the right to know how OREC uses their Personal Information. OREC may charge a nominal fee in responding to any request; however the member will be notified of the fee in advance.
If we decline a member’s request for access to Personal Information, the member will be provided a reason in writing by OREC. Typically, Personal Information is not provided if providing access would reveal Personal Information of a third party or if the Personal Information cannot be disclosed for legal, security or proprietary reasons.
If a member has a challenge or concern regarding OREC’s compliance with the Privacy Code, the member should send their challenge or concern to the Privacy Officer at the information below. The Privacy Officer will respond to challenges and concerns and work with the member to find an acceptable solution.
Appendix A – Privacy Code Principles
Ten interrelated principles form the basis of the CSA (Canadian Standards Association) Model Code for the Protection of Personal Information. Each principle must be read in conjunction with the accompanying commentary.
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
- Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
- Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
- Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.