Last updated March 29, 2019
NPC must comply with the requirements of FIPPA, PIPEDA and the Breach of Security Safeguards Regulations for the protection of Personal Information. PIPEDA applies to all provincial jurisdiction organizations that collect, use and disclose Personal Information relating to commercial activities (i.e. Personal Information collected from clientele and customers for services and merchandise).
“FIPPA” means the Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31.
“NPC” means the corporation of The Niagara Parks Commission.
“Personal Information” means recorded information about an identifiable individual. This information could include name, address, gender, age, education, employment history, medical history and any other Personal Information held by a public institution.
“PIPEDA” means Personal Information Protection and Electronic Documents Act S.C. 2000, c. 5.
Collection of Information
Personal Information is any information about an identifiable individual. This includes information such as name, address, e-mail address and any payment information. All Personal Information collected by NPC is provided voluntarily when an individual chooses to contact the organization or to purchase merchandise and/or services. NPC collects only the information that is required to provide the services requested. NPC will not retain Personal Information for longer than is reasonably necessary or applicable law permits.
NPC may also use an individual’s Personal Information to create aggregated data. Aggregated data is data that is placed in a format that prevents or seriously limits the possibility of revealing an individual’s identity. It may be used to show general statistics or track customer behaviour as a whole. Such aggregated information is used by NPC to plan, develop, implement, market and promote its services and products; it will not be used to identify an individual.
Video Recording Systems
NPC uses Closed Circuit Television (CCTV) recording systems as part of its continuing efforts to ensure the safety and security of its visitors, employees and numerous sites and facilities. The Personal Information collected by the use of CCTV recording systems is collected under the authority of the Niagara Parks Act, R.S.O. 1990, c. N.3 and the Occupier’s Liability Act, R.S.O. 1990, c. O.2.
In order to provide notice to all individuals that a CCTV video recording system is in use, all NPC venues and WEGO buses where video recording systems are monitored are posted with appropriate signage in prominent locations, which are readily visible to members of the public.
Any questions about the collection of Personal Information by these recording systems can be directed to NPC’s Freedom of Information and Privacy Coordinator.
Disclosure of Personal Information
NPC will not provide an individual’s Personal Information to third parties unless the disclosure of that information is permitted by FIPPA. FIPPA permits disclosure in the following circumstances (among others):
- with the individual’s consent;
- in compelling circumstances affecting the health or safety of an individual;
- to a law enforcement agency to aid in an investigation undertaken with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result; and
- in the case of security records, to address a safety or security concern.
In the event that it is necessary to provide Personal Information to one of the business partners with which NPC contracts to provide services, those partners will have contractually agreed to adhere to the privacy provisions under which NPC operates.
Security of Personal Information
NPC has procedures in place to secure all Personal Information in its possession. Access to an individual’s Personal Information is limited to those staff members and business partners who require it in order to fulfil the individual’s requests. Additionally, NPC maintains a secure server and an up-to-date security system to safeguard transactions and the information individuals provide.
Accessing Personal Information
Should an individual wish to view, delete or change his/her Personal Information, he/she must advise NPC. In an effort to ensure that the information provided is accurate, up-to-date and retained only as long as required, the information is destroyed within a specified period following an individual’s last purchase and/or correspondence.
Any questions or concerns regarding this policy or the use of Personal Information provided to NPC must be directed to NPC’s Privacy Coordinator at:
Freedom of Information and Privacy Coordinator
The Niagara Parks Commission
P.O. Box 150
Niagara Falls, ON L2E 6T2
Additional Information for Individuals Subject to the GDPR
Under the GDPR, personal data is defined as “any information relating to an identified or identifiable natural person”. The term “Personal Information” used in this policy is approximately equivalent to the term “personal data” under the GDPR. The legal basis for NPC to process personal data is primarily that processing the data is necessary for providing services and that processing the data is carried out in NPC’s legitimate interests. NPC may also process and request, as appropriate, personal data upon an individual’s consent.
Under the GDPR, an individual may be entitled to additional rights, including:
- the right to withdraw consent to processing at any time, where consent is the basis of processing;
- the right to request from the data controller access to and rectification or erasure of personal data, under certain conditions;
- the right to request from the data controller a restriction to processing personal data or to object to data processing, under certain conditions;
- the right to request from the data controller data portability concerning personal data that the individual provided to the data controller, under certain conditions;
- the right to object to decisions being taken by automated means which produce legal effects or similarly significantly affect the individual, under certain conditions; and
- the right to lodge a complaint with data protection authorities.
Additional information about an individual’s rights under the GDPR is available at the European Commission’s page on Data Protection (https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en).
When NPC discloses an individual’s personal data to third parties, reasonable measures are taken to ensure that the rules set forth in this policy are complied with and the third parties provide sufficient guarantees to implement appropriate technical and organisational measures to protect the personal data.
If an individual resides in a jurisdiction governed by the GDPR, NPC will not transfer his/her personal data to another jurisdiction unless permitted to do so under the GDPR. Personal data may be transferred to NPC’s locations in Canada, and the European Commission has determined that Canada has adequate safeguards under the GDPR. Personal data may be transferred to NPC’s service providers located in Canada or the United States. NPC only uses service providers from the United States who are participants in the EU-U.S. Privacy Shield, or who have entered into standard contractual clauses with NPC, or who otherwise qualify under the GDPR to receive transfers of personal data.
An individual living in a country in the European Union/European Economic Area (EU/EEA) must be at least 16 years old to use NPC’s products and services or such a greater age required in his/her country to register for or use NPC’s products and services. In addition to being of the minimum required age to use NPC’s products and services, under applicable law, if an individual is not old enough to have authority to agree to this policy in his/her country, his/her parent or guardian must agree to this policy on his/her behalf.