A complete version of the Privacy Act & other related documents are available at the federal Privacy Commissioner’s Web site, www.privcom.gc.ca.
The Act has 10 privacy principles set out.
- Identifying purposes
- Limiting collection
- Limiting use, disclosure & retention
- Individual Access
- Challenging Compliance
Most data collection conducted at Dufferin Research is online.
Typically Dufferin Research sends out email invitations to respondents to participate in a survey. In other cases, a "pop-up" invitation is launched from a relevant website. In either the invitation or within survey introduction, there is an advisory passage mentioning that responses are used strictly for research purposes.
Email invitations clearly identify Dufferin Research and/or another Survey Research partner on whose behalf we are conducting the online survey research. A reply to the sending address always goes to the individual responsible for the survey who can further clarify the purpose of that particular study.
Dufferin Research provides aggregate data from all surveys to clients who sponsor that study. Non-aggregated personal information is only released to other Research partners for research purposes, such as verification of authenticity or follow-up studies where permission has been obtained.
Personal information is never released for non-research purposes to any client or research partner.
A respondent's participation in online research is by nature voluntary because it is a self-completed survey. By clicking the link or proceeding past the first page of a popup survey, implicit consent has been given to conduct the survey.
Non-response categories are usually available for most questions (e.g. refused/don't know/not applicable/rather not say). Where questions are deemed critical to a successful completion of a survey and such options are not available, a respondent can discontinue participation, thus withdrawing consent, should they not wish to answer.
Most online surveys conducted at Dufferin Research have temporary "session" cookies placed on the users computer to maintain connectivity to the webserver. These cookies automatically expire as soon as the user closes their browser session. No personal information is collected by the session cookies.
The webserver does collect information about the user's "http environment variables". This is necessary and is done by all webservers. This contains only relevant hardware and software information needed by the webserver to do its job. No personal information is collected in this fashion.
The amount and type of personal information collected is limited to that which is deemed necessary for the purpose of the study. In almost all cases, personal information is collected for the purpose of grouping aggregate data, not for identifying individuals.
In rare cases where the purpose is for re-contact, such purposes will be made clear to the respondent prior to answering the question and consent to do so will be explicitly obtained.
Dufferin Research makes use of or discloses personal information only for the reason(s) it was collected and for which we have obtained consent. Since the survey is typically completed online, the consent given by the respondent was obtained at the time of the survey , and this is adhered to.
The only exception to this stated policy would be if Dufferin Research were required to disclose information for legal reasons, for example if issued a subpoena or other court or government orders.
Dufferin Research keeps personal information only as long as deemed necessary by the sponsor of the survey and it is kept only for the identified purposes.
Once personal information is no longer needed for its identified purposes or for legal requirements, it is destroyed. Paper records are shredded. Electronic records are erased.
Dufferin Research updates personal information only if it is necessary for the purposes for which it was collected. Due to the nature of the online research conducted, most contacts are on a one-time basis only, and as such are never modified while stored at Dufferin Research.
Should Dufferin Research be required to keep personal information that is to be used on an ongoing basis (which is not the normal practice of Dufferin Research), every reasonable effort will be made to ensure the accuracy of this data.
Several security measures are in place to safeguard personal information.
The company offices have 24-hour electronic security monitoring, to limit unauthorized physical access to the data stored within.
Production web servers (and the data stored therein) are housed at a secure data centre in Ottawa, physical restriction of the equipment includes such measures as Iris scans to identify persons authorized to enter the building, as well electronic pass cards to access restricted corridors. Within these confines the equipment is stored in a private locked unshared server cabinet.
Electronic security is ensured by multi-level firewalls and a secure password policy to prevent unauthorized access to personal information stored on the network. Intrusion attempts are monitored.
Dufferin Research informs all persons granted network access or physical access to areas containing personal information about its policies and procedures regarding confidentiality, security and privacy. The expectation of compliance with these policies is made clear.
Confidentiality agreements are routinely signed with third parties engaged in the survey collection process (even if not privy to personal information).
Dufferin Research shreds paper documentation containing personal information in order to prevent unauthorized access at the time of disposal. Old, unused or defective computer hard drives containing personal information are destroyed prior to disposal to prevent data recovery.
Upon request, an individual will be informed of the existence, use and disclosure of any personal information about them that is currently in the possession or control of Dufferin Research.
Individuals can have access to personal information about themselves after providing proof of identity (to ensure personal information is never released to the wrong person inadvertently) and a written request to the Privacy Officer.
We will also honour requests to identify the source of an individual's email address, in the case of online surveys, so that the respondent can take steps to ensure their removal from that list should this be desired.
If for any reason access to personal information is denied, if for example the information was collected for the purposes of a legal investigation, a written reply stating the reasons for refusal will be provided. The individual may then challenge Dufferin Research’s decision.
Dufferin Research will investigate all complaints and attempt to resolve those that it finds are justified and, if necessary, will amend its policies and procedures to reflect these findings.
If anyone is unsatisfied with Dufferin Research's response to their complaint, they can contact the Federal Privacy Commissioner.