SOUTH TEMISKAMING COMMUNITY FUTURES DEVELOPMENT CORPORATION
PRIVACY POLICY


TABLE OF CONTENTS

1.0 PURPOSE OF PRIVACY POLICY
1.1 The Ten Principles of PIPEDA Summarized
1.2 Personal Information Defined
2.0 PURPOSES OF COLLECTING PERSONAL INFORMATION
3.0 CONSENT
4.0 LIMITING COLLECTION
5.0 LIMITING USE, DISCLOSURE AND RETENTION
5.1 Use of Personal Information
5.2 Disclosure of Personal Information
5.3 Retention of Personal Information
6.0 ACCURACY
7.0 SAFEGUARDS
8.0 OPENNESS
9.0 INDIVIDUAL ACCESS
10.0 COMPLAINTS / RECOURSE


1.0 Purpose of South Temiskaming Community Futures Development
Corporation Privacy Policy


South Temiskaming Community Futures Development Corporation (STCFDC) is a federally
supported not-for-profit community organization with a volunteer board of directors and
professional staff whose purpose is to develop and diversify local economies. STCFDC
supports community economic development and small business growth by developing and
implementing strategic community plans, delivering a range of counselling and information
services to small business and operating locally controlled investment funds to provide
repayable financing to new and existing businesses.

This privacy policy has been developed to comply with Canada’s Personal Information
Protection and Electronic Documents Act ("PIPEDA"). PIPEDA sets out rules for the collection,
use and disclosure of personal information in the course of commercial activity as defined in the
Act.

1.1 The Ten Principles of PIPEDA Summarized

The ten Principles of PIPEDA that form the basis of this Privacy Policy are as follows:

1. Accountability: organizations are accountable for the personal information they collect, use,
retain and disclose in the course of their commercial activities, including, but not limited to,
the appointment of a Chief Privacy Officer;

2. Identifying Purposes: organizations are to explain the purposes for which the information is
being used at the time of collection and can only be used for those purposes;

3. Consent: organizations must obtain an Individual’s express or implied consent when they
collect, use, or disclose the individual’s personal information;

4. Limiting Collection: the collection of personal information must be limited to only the amount
and type that is reasonably necessary for the identified purposes;

5. Limiting Use, Disclosure and Retention: personal information must be used for only the
identified purposes, and must not be disclosed to third parties unless the Individual consents
to the alternative use or disclosure;

6. Accuracy: organizations are required to keep personal information in active files accurate
and up-to-date;

7. Safeguards: organizations are to use physical, organizational, and technological safeguards
to protect personal information from unauthorized access or disclosure.

8. Openness: organizations must inform their clients and train their employees about their
privacy policies and procedures;

9. Individual Access: an individual has a right to access personal information held by an
organization and to challenge its accuracy if need be; and

10. Provide Recourse: organizations are to inform clients and employees of how to bring a
request for access, or complaint, to the Chief Privacy Officer, and respond promptly to a
request or complaint by the individual.

This Privacy Policy applies to STCFDC's Board of Directors, members, employees and
contracted employees. As well, STCFDC ensures that all third party service providers sign
confidentiality agreements prior to any transfer of an individuals personal information in the
course of providing the business loans, business development advice, and other related
information and/or services.

1.2 Definitions

"Personal information" means any information about an identifiable individual. It includes,
without limitation, information relating to identity, nationality, age, gender, address, telephone
number, e-mail address, Social Insurance Number, date of birth, marital status, education,
employment health history, assets, liabilities, payment records, credit records, loan records,
income and information relating to financial transactions as well as certain personal opinions or
views of an Individual.

"Business information" means business name, business address, business telephone number,
name(s) of owner(s), officer(s) and director(s), job titles, business registration numbers (GST,
PST, source deductions), financial status. Although business information is not subject to
PIPEDA, confidentiality of business information will be treated with the same security measures
by STCFDC staff, members and Board members, as is required for individual personal
information under PIPEDA.

"Client" means the business that is applying for or has been approved for a loan, (including sole
proprietorships and individuals carrying on business in a partnership);
"Individual" means the client’s owner(s) or shareholders, co-signers, and/or any guarantor
associated with a client.

"Member" means a person who volunteers on a STCFDC committee, but who is not a current or
active board member, or chair of the committee.

"Application" means the application form or related forms completed by the individual(s) to
request financing for the client through the Investment Fund of STCFDC.
"Data base" means the list of names, addresses and telephone numbers of clients and
individuals held by STCFDC in the forms of, but not limited to, computer files, paper files, and
files on computer hard-drives.

"File" means the information collected in the course of processing an application, as well as
information collected/updated to maintain /service the account.

"Express consent" means the individual signs the application, or other forms containing
personal information, authorizing STCFDC to collect, use, and disclose the individual's personal
information for the purposes set out in the application and/or forms.
"Implied Consent" means the organization may assume that the individual consents to the
information being used, retained and disclosed for the original purposes, unless notified by the
individual.

"Third Party" means a person or company that provides services to STCFDC in support of the
programs, benefits, and other services offered by STCFDC, such as other lenders, credit
bureaus, persons with whom the individual or client does business, but does not include any
Government office or department to whom STCFDC reports in the delivery of such programs,
benefits or services.

2.0 Purposes of Collecting Personal Information

Personal information is collected in order to assess the eligibility of the individual completing an
application for financial assistance, as well as to report to Industry Canada. The individual is the
main source of information but STCFDC will also ask to obtain information directly from a third
source where the individual does not have the required information.
Only that information which is required to make a determination of an individual's eligibility will
be collected. Although the individual's Social Insurance Number may be requested in the
application for confirming identification of the individual to the credit reporting agency, provision
of this personal information is optional. The individual may provide alternative forms of
identification, such as date of birth and driver's license number.

3.0 Consent

An individual’s express, written consent will be obtained before or at the time of collecting
personal information. The purposes for the collection, use or disclosure of the personal
information will be provided to the individual at the time of seeking his or her consent. Once
consent is obtained from the individual to use his or her information for those purposes,
STCFDC has the individual's implied consent to collect or receive any supplementary
information that is necessary to fulfil the same purposes. Express consent will also be obtained
if, or when, a new use is identified.

By signing the application and/or other forms, implied consent is granted by the individual to
obtain and/or to verify information from third parties such as banks, credit bureaus, other
lenders, and insurance companies in the process of assessing the eligibility of an individual or
client. Implied consent is also granted by the individual to permit STCFDC to report or otherwise
disclose information to Industry Canada, the federal department that administers the Ontario
Community Futures Program.

An individual can choose not to provide some or all of the personal information at any time, but
if STCFDC is unable to collect sufficient information to validate the request for financing, the
individual's application for such financing may be turned down.

A client or an individual can withdraw consent to STCFDC’s use of personal information at any
time prior to the application being approved, by making such request in writing. Once a loan
has been approved, an individual cannot withdraw consent authorizing STCFDC to use and
disclose the personal information for the purposes set out in this Privacy Policy. Express

consent will be obtained from the individual prior to disclosing the individual's personal
information to other lenders, credit insurers and credit bureaus.
This Privacy Policy does not cover statistical data from which the identity of individuals cannot
be determined. STCFDC retains the right to use and disclose statistical data as it determines
appropriate.

4.0 Limiting Collection

Personal information collected will be limited to the purposes set out in this Privacy Policy,
STCFDC applications, and/or other forms.

5.0 Limiting Use, Disclosure and Retention


5.1 Use of Personal Information

Personal information will be used for only those purposes to which the individual has consented
with the following exceptions, as permitted under PIPEDA:

STCFDC will use personal information without the individual's consent, where:

• the organization has reasonable grounds to believe the information could be useful when
investigating a contravention of a federal, provincial or foreign law and the information is
used for that investigation;
• an emergency exists that threatens an individual’s life, health or security;
• the information is for statistical study or research;
• the information is publicly available;
• the use is clearly in the individual’s interest, and consent is not available in a timely way;
• knowledge and consent would compromise the availability or accuracy of the information,
and
• collection is required to investigate a breach of an agreement.

5.2 Disclosure and Transfer of Personal Information

Personal information will be disclosed to only those STCFDC employees, members of STCFDC
committees, and the Board of Directors that need to know the information for the purposes of
their work or making an assessment as to the individual's eligibility to the loan program.
Personal information will be disclosed to third parties with the individual's knowledge and
consent.

PIPEDA permits STCFDC to disclose personal information to third parties, without an
individual's knowledge and consent, to:

• a lawyer representing STCFDC;

collect a debt owed to STCFDC by the individual or client;
• comply with a subpoena, a warrant or an order made by a court or other body with
appropriate jurisdiction;
• a law enforcement agency in the process of a civil or criminal investigation;
• a government agency or department requesting the information; or,
• as required by law.
PIPEDA permits STCFDC to transfer personal information to a third party, without the
individual's knowledge or consent, if the transfer is simply for processing purposes and the third
party only uses the information for the purposes for which it was transferred. STCFDC will
ensure, by contractual or other means, that the third party protects the information and uses it
only for the purposes for which it was transferred.


5.3 Retention of Personal Information


Personal information will be retained in client files as long as the file is active and for such
periods of time as may be prescribed by applicable laws and regulations.
A file will be deemed inactive if the Investment Committee rejects an application, when a loan is
repaid in full and securities are discharged, or when a guarantee is terminated. Information
contained in an inactive file will be retained for a period of seven (7) years, except in the case
where an application is rejected. Where an application has been rejected, the file and all
personal information contained in the file will be retained for a period of two (2) years.

6.0 Accuracy

STCFDC endeavours to ensure that any personal information provided by the individual in his or
her active file(s) is accurate, current and complete as is necessary to fulfill the purposes for
which the information has been collected, used, retained and disclosed. Individuals are
requested to notify STCFDC of any change in personal or business information.
Information contained in inactive files is not updated.

7.0 Safeguards

STCFDC will use physical, organizational, and technological measures to safeguard personal
information to only those STCFDC employees, volunteers, or third parties who need to know
this information for the purposes set out in this Privacy Policy.


Organizational Safeguards: Access to personal information will be limited to the Loans Officer,
the Administration Officer, and/or the Executive Director who have to make a determination as
to the individual's eligibility for a business loan. Personal information provided to members of
STCFDC committee(s) will be limited to only that information required to carry out the mandate
of that committee. Members of the STCFDC committee(s) and/or Board of Directors are not
permitted to copy or retain any personal information on individuals or clients and must return for
destruction all such information given to them to review once the purpose for being provided
with this information has been fulfilled.

Employees and members of STCFDC committee(s) and/or Board of Directors are required to
sign a confidentiality agreement binding them to maintaining the confidentiality of all personal
information to which they have access.


Physical Safeguards: Active files are stored in locked filing cabinets when not in use. Access to
work areas where active files may be in use is restricted to STCFDC employees only and
authorized third parties.

All inactive files or personal information no longer required are shredded prior to disposal to
prevent inadvertent disclosure to unauthorized persons.


Technological Safeguards: Personal information contained in STCFDC computers and
electronic data bases are password protected in accordance with STCFDC's Information
Security Policy. Access to any of the STCFDC's computers also is password protected.
STCFDC's Internet router or server has firewall protection sufficient to protect personal and
confidential business information against virus attacks and "sniffer" software arising from
Internet activity. Personal information is not transferred to volunteer committee members, the
Board of Directors, or third parties by e-mail or other electronic form.

8.0 Openness

STCFDC will endeavour to make its privacy policies and procedures known to the individual via
this Privacy Policy as well as the STCFDC Privacy Statement. This document will also be
available on STCFDC’s website: www.southtemiskaming.com

9.0 Individual Access

An individual who wishes to review or verify what personal information is held by STCFDC, or to
whom the information has been disclosed (as permitted by the Act), may make the request for
access, in writing, to the STCFDC's Chief Privacy Officer. Upon verification of the individual's
identity, the Chief Privacy Officer will respond within 60 days.
If the individual finds that the information held by STCFDC is inaccurate or incomplete, upon the
individual providing documentary evidence to verify the correct information, STCFDC will make
the required changes to the individual's active file(s) promptly.

10.0 Complaints/Recourse

If an individual has a concern about STCFDC's personal information handling practises, a
complaint, in writing, may be directed to the STCFDC's Chief Privacy Officer.
Upon verification of the individual's identity, STCFDC's Chief Privacy Officer will act promptly to
investigate the complaint and provide a written report of the investigation's findings to the
individual.

Where STCFDC's Chief Privacy Officer makes a determination that the individual's complaint is
well founded, the Chief Privacy Officer will take the necessary steps to correct the offending
information handling practise and/or revise STCFDC's privacy policies and procedures.

Where STCFDC's Chief Privacy Officer determines that the individual's complaint is not well
founded, the individual will be notified in writing.

If the individual is dissatisfied with the finding and corresponding action taken by STCFDC's
Chief Privacy Officer, the individual may bring a complaint to the Federal Privacy Commissioner
at the address below:

The Privacy Commissioner of Canada Email address: www.privcom.gc.ca.
112 Kent Street, Ottawa,
Ontario K1A 1H3
Tel 1-800-282-1376
Questions/Access Request/Complaint
Any questions regarding this or any other privacy policy of STCFDC may be directed to the
Chief Privacy Officer. Requests for access to information, or to make a complaint, are to be
made in writing and sent to the Chief Privacy Officer at the address below:

Chief Privacy Officer Email address: This email address is being protected from spambots. You need JavaScript enabled to view it.
South Temiskaming CFDC
P.O. Box 339,
Haileybury, Ontario
P0J 1K0

Amendment to STCFDC's Privacy Policies

This STCFDC's Privacy Policy is in effect December 23, 2003 and is retroactive to January 1,
2003. This policy is subject to amendment in response to developments in the privacy
legislation. The Chief Privacy Officer will review and revise the Privacy Policy from time to time
as required by changes in privacy law. Notification of any changes in the Privacy Policy will be
posted on STCFDC's website, as well as in STCFDC's Privacy Statement. Any changes in the
Privacy Policy will apply to Personal information collected from the date of the posting of the
revised Privacy Policy on STCFDC's website: www.southtemiskaming.com