Privacy Policy

CountrySTAT is dedicated to maintaining both a high standard of privacy and a high standard of data protection in all its activities. It must balance that respect for the privacy rights of its customers, staff members, employees and contractors with public responsibilities in the administration of the United Nations(?). We also must consider the responsibility of ensuring that thorough security measures are in effect. This may involve verifying and testing assertions, practices, and the conduct of individuals and organizations and may have an impact on, or involve the use of, personal information. This policy, based on the standard required by the Personal Information Protection and Electronic Documents Act, reflects CountrySTAT's interpretation of these responsibilities. We welcome your comments and suggestions.

The Privacy Policy is divided into 10 sections

INDEX

1. What is Personal Information
2. Accountability
3. Purpose
4. Consent
5. Collection and Use
6. Disclosure of Personal Information
7. Accuracy and Retention
8. Safeguards
9. Access to Information
10. Feedback and Complaints

1. What is Personal Information (back to Index)

Personal information is information about an identifiable individual. This, however, does not include:

a) the name;
b) title;
c) business address; and
d) business telephone number,

of an employee of an organization.

In addition, information which is anonymous, i.e., where the identifying data fields are removed, is also not considered personal information.

2. Accountability (back to Index)

Contact the Chief Privacy Officer at privacy@CountrySTAT.fao.org,

All contractors and other third parties with whom we have a contractual arrangement and with whom we share personal data are contractually obligated to ensure that their practices meet our standards and are fully compliant with PIPEDA and other applicable privacy legislation.

3. Purpose (back to Index)

Our primary business is to operate the Canadian country-code top-level domain (.ca). This entails the management of personal data. Historically, much of the information about Registrants that has been collected by domain name Registries, whether the Registrants are natural or legal persons, has been made available over the Internet through the WHOIS database and we too offer certain Registrant information via the WHOIS. Notwithstanding that, we are committed to ensuring that our practices comply with PIPEDA.

Personal information about Registrants may be collected and used for the following purposes:

• To register a dot-ca domain name;
• To manage a dot-ca domain name registration;
• To enable others to check a registration;
• To contact Registrants about CountrySTAT member issues, domain name registration issues, and in order to facilitate the resolution of any kind of dispute (be it via the CountrySTAT dispute resolution process or any other judicial process);
• To ensure good customer service, in the event a Registrant requires support or makes inquiries;
• To identify the individual(s) to law enforcement agencies, competent courts, and other competent judicial bodies under appropriate legal circumstances; and
• To enable us to manage the dot-ca registry in accordance with our by-laws.

Personal information may be gathered from the public and used in the following situations:

• If an individual visits our website, the web server logs IP addresses and associated information relating to the requests made;
• If an individual initiates a CountrySTAT process, then we may gather transactional information as part of the process;
• If an individual makes an inquiry or complaint, applies for a job, or visits the premises;
• If an individual responds to a survey or a call for public comment; and
• If an individual registers for a CountrySTAT event, activity, or contest.

Finally, regardless as to how and from whom we collected information, we will not sell your personal information to any organization for any purpose.

4. Consent (back to Index)

We, pursuant to the Purpose, require the submission of personal information from the individual for the registration of domain names. We have attempted to limit the information we collect to the absolute minimum. Domain name registration is done online, and we seek the positive affirmation of all registrants:

• That they have read and understood this policy;
• That they understand that we require the information for the proper operation of the Registry; and
• That they agree to the collection, use and disclosure of their personal information as described herein.

Individuals may withdraw consent for the further use of their information at any time, by contacting our Chief Privacy Officer. However, if the information in question, is that which must be collected in order to register a domain name, withdrawing consent will lead to the cancellation of the domain name registration.

5. Collection and Use (back to Index)

This section lists the data elements that are most commonly collected and used in connection with a domain name registration:

Registrants:

• The name, address, phone number, email, 2nd email (if voluntarily provided), legal type, and fax number (if voluntarily provided);
• The name, address, phone number, email address, language, title, job title (if voluntarily provided), nationality (if voluntarily provided), company (if voluntarily provided), mobile phone number (if voluntarily provided), 2nd phone (if voluntarily provided), 2nd email address (if voluntarily provided), and fax number (if voluntarily provided) of the Administrative Contact and Technical Contact;
• We may contact Registrants to inform them of domain name registration issues, conferences, elections, or other matters related to their domain name registration;
• The Registrant's CountrySTAT assigned registrant number;
• Each domain name registration and the CountrySTAT assigned domain number for each domain name registration;
• The description field which the Registrant or the Registrant's Registrar filled out during the registration process describing the Registrant or the Registrant's business;
• The Registrant's OpenPGP-compatible key;
• The Internet Protocol Number of the primary name server and secondary name server(s) and, if applicable the tertiary, quaternary, quinary, and senary name servers for each domain name registration;
• The corresponding names of those name server;
• The registration date and the date that each domain name registration was last changed;
• Whether the domain name registration has been suspended or is in the process of being transferred;
• The expiration date of each domain name registration the Registrant holds;
• The name of the Registrar that is responsible for each of the Registrant's domain name registrations;
• The IP address, time, date, and the type of transaction the person was involved in;
• Any historical information about the transactions in regard to a domain name and/or a Registrant; and
• Any response to a CountrySTAT dispute resolution process complaint.

Registrants or potential Registrants who have a dispute that they wish to settle:

• The name, address, e-mail address, telephone, and facsimile number of the Complainant and of any representative authorized to act for the Complainant in the CountrySTAT dispute resolution process; and
• The complaint and any supporting material thereof.

Visitors:

• While we do not actually look at the identity of individuals visiting our site, we may use session cookies to ensure a smooth and convenient site visit;
• The previous page visited prior to accessing our web page is automatically logged by the servers, although we do not look at these logs for any purpose; and
• For a detailed discussion of cookies and web server logs, you may wish to consult www.epic.org, or www.privcom.gc.ca.

If an individual contacts us:

• To apply for a job, we send the resume or letter to the human resource department which will keep it for one year;
• By telephone, we may record the call for the purposes of ensuring quality control for customer care. Individuals are offered the opportunity to opt-out;
• If an individual arrives at our offices in person, their entry to and exit from the premises may be captured by security cameras and retained on video tape; and
• Unless other retention periods apply, we send personal correspondence to the appropriate responsibility centre which will keep it for one year.

Contractors and partners:

• All contractors and partners are contractually bound to abide by all applicable privacy legislation. If they work onsite, they will have security control badges and are in many respects treated like staff;
• Information collected for employment and payment may include name, address, phone number, social insurance number, bank account information, business and GST registration numbers, references, etc.;
• We share all of our information with our auditors, who are bound to CountrySTAT by contract and by professional rules to maintain confidentiality and return all documents to us; and
• We have the right to audit any of our Registrars. In the event of an investigation of a Registrar for fraud, criminal activity, breach of contract, or just quality assurance, we may enter the premises and acquire personal information of both Registrants and staff of the Registrar. This right is agreed to by contract.

6. Disclosure of Personal Information (back to Index)

Our business is to operate and administer the dot-ca Internet domain name registry and any ancillary matters related and/or linked thereto. We do not use information for marketing purposes, and do not share or disclose the information to other parties unless specifically stated in this policy. We do provide, to a person who, in accordance with our "Registration Information Access Rules and Procedures" (at www.CountrySTAT.ca/en/cat_Registrar.html) requests in writing, a list of the dot-ca domain names registered in the name of a Registrant. This is done to facilitate bona fide rights holders to determine infringements of intellectual property rights.

In the event that a law enforcement agency, court of competent jurisdiction, or any other judicial body of competent jurisdiction requests personal information, we will only disclose personal information if we are obligated to do so by law or if we have received a warrant, subpoena, court order, or an order from another lawful authority. All such disclosures are documented unless prohibited by law.

We make certain information available to the public through the WHOIS service. The information is currently limited to the following:

• The name, address, phone number, email, and fax number (if provided) of the Administrative Contact and Technical Contact;
• The Registrant's CountrySTAT assigned Registrant number;
• The name of the Registrant;
• Each domain name registration and the CountrySTAT assigned domain number for each domain name registration held by the Registrant;
• The description field which the Registrant or the Registrant's Registrar filled out during the registration process describing the Registrant or the Registrant's business;
• The Internet Protocol Number of the primary name server and secondary name server(s) and, if applicable the tertiary, quaternary, quinary, and senary name servers for each domain name registration;
• The corresponding names of those name servers;
• The registration date and the date of each domain name registration was last changed;
• The expiration date of each domain name registration held by the Registrant; and · The name of the Registrant's Registrar responsible for each domain name registration.

Any person may use the WHOIS service, provided it is for the following purposes only:

(a) to query the availability of a domain name;

(b) to identify the holder of a domain name; and/or

(c) to contact the holder of a domain name registration in regard to the domain name or in regard to the respective website.

The WHOIS information shall not be used for any other purposes other than those mentioned above. Purposes which are prohibited shall include, but are not limited to, any activities which are unsolicited and can reasonably be viewed as harvesting WHOIS addresses (electronic or otherwise) for the purpose of transmitting by e-mail, telephone, facsimile, or regular mail any commercial, advertising, market research, solicitation activities, or any other purposes which may be reasonably viewed as intrusive to a reasonable domain name holder.

No user of the WHOIS is permitted to utilize automated and/or electronic processes that send queries or data to the WHOIS, except as is reasonably necessary to register domain names or modify existing registrations.

7. Accuracy and Retention (back to Index)

It is important that the information we obtain from Registrants is accurate. Information that we will act on, (such as contact information, complaints, disputes, resumes, etc.) must be accurate. If you think we have information about you that is not accurate, you are encouraged to contact us at the address provided in section 10 of this policy and indicate the necessary changes. We may require that you follow certain procedures that are utilized by us for the authentication and verification of your identity.

We retain information according to retention schedules, which depend on the purpose of the information and any legal or contractual requirements with which we might need to comply.

8. Safeguards (back to Index)

It is important that the information maintained by us on behalf of Registrants is accurate, protected from interference by other parties, and treated in confidence by as few personnel as necessary. We maintain state of the art firewall and antivirus protection on our servers, train our staff, and hire only responsible and capable contractors to manage our systems. If you detect any anomalies that might lead you to believe there has been a security infraction or hacking of our system, we will be pleased to investigate. Please contact security@CountrySTAT.ca.

9. Access to Information (back to Index)

The intention of this policy is to answer your questions about our privacy policy and practices. Should you be interested in more detailed information about our procedures and practices, please contact our CPO at privacy@CountrySTAT.ca.

Should you wish to access your own personal information, please write to our CPO at (back to Index). Upon receipt of a request from you, our CPO will send you, by email, mail, or facsimile, an "Access Request Form" or a "Correction Request Form" for you to fill out. Provided we can, to our satisfaction, authenticate your identity and subject to certain exceptions prescribed by law, you will be given reasonable access to your personal information and/or you will be entitled to challenge the accuracy and completeness of the information and have it appropriately amended. Please note that the provisions under PIPEDA for access to personal information and the right to correct records are not intended to replace existing procedures. If you are interested in correcting information, related to your domain name registration, (after having reviewed the information you obtained from us via this procedure), we will be pleased to forward the request to your registrar. The routine procedures for correcting registration information will be followed, unless you have described to us extraordinary circumstances that would warrant the use of a different procedure. In most cases, the routine procedures are the most efficient procedures for correcting registration information.

At the time of your request, we may need further information from you to verify your identity, before we can provide you with the personal information we hold.

There may be instances when we will not be able to provide you with the personal information that you request. For example. if the personal information:

a) Contains references to other persons;
b) Has already been destroyed due to legal requirements or because we no longer needed it for our purposes;
c) Is subject to solicitor-client or litigation privilege; and/or
d) Cannot be disclosed for other legal reasons.

If you are a Registrant, and if you wish to see the information that others see in a WHOIS search, you may do so by typing your dot-ca domain name in the WHOIS search engine .

10. Feedback and Complaints (back to Index)

We take privacy seriously and consider that our treatment of personal information is part of the service that we offer. We appreciate hearing any comments that you may have about our policy, practices, and customer service. Please contact

Chief Privacy Officer
CountrySTAT
350 Sparks Street
Suite 1110
Ottawa, Ontario
K1R 7S8
privacy@CountrySTAT.ca

If you are interested in more information about the Personal Information Protection and Electronic Documents Act, the Office of the Privacy Commissioner of Canada has detailed information on their website at www.privcom.gc.ca.