• Home
  • Privacy Policy

Privacy Policy

Overview

The protection of personal information is important to the Canadian Construction Association (CCA). The CCA is committed to maintaining the accuracy, security and privacy of personal information in accordance with applicable legislation. This CCA privacy policy is a statement of principles and guidelines concerning the protection of personal information of our customers, service providers and other individuals (“you”). Any questions about this policy can be directed to our Privacy Officer (phone 613-236-9455, [email protected]).

Our employees play an important role in protecting personal information. Our employees are required to adhere to this policy and take all reasonable steps to ensure that personal information is protected from unauthorized access.

Consent

By submitting personal information to the CCA, you agree that we may collect, use and disclose such personal information in accordance with this privacy policy and as permitted or required by law. Subject to legal and contractual requirements, you may refuse or withdraw your consent to certain of the identified purposes at any time by contacting the CCA Privacy Officer. If you refuse or withdraw your consent, the CCA may be unable to provide you or continue to provide you with certain services, programs and/or information which may be of value to you.

If you provide the CCA with personal information of another individual, you represent that you have all necessary authority and/or have obtained all necessary consents from such person to enable the CCA to collect, use and disclose such personal information for the purposes set forth in this privacy policy.

Collection of personal information

Canadian privacy legislation defines “personal information” broadly as information about an identifiable individual or as information that allows an individual to be identified. For the purposes of this policy, “personal information” means information about an identifiable individual as defined from time to time in applicable privacy legislation. Generally speaking personal information does not include what is considered business contact information generally found on a business card (i.e. name, title, business number, business fax number, business email address, etc.).

Although the CCA deals commonly with other companies and in those cases does not collect personal information, we also deal with individual customers. We collect the personal information of our individual customers in administering the following:

CCA’s Gold Seal Certification program
Registration for CCA’s conferences/meetings
Technical support for CCA’s electronic construction documents

For the purposes of administering the Gold Seal certification program, the CCA collects the following types of personal information:

name;
telephone number;
email address;
mailing address;
employer name;
employer contact information;
work history;
education and training history;
past certifications;
name of regional association individual is a member of;
name of discipline in which individual received certification;
occupation;
individual’s Gold Seal certification exam results.

When individual customers register for CCA conferences/meetings we may collect the following types of personal information:

name;
spouse’s name;
children’s name(s);
home address, telephone number, and fax number;
email address;
dietary requirements; and
credit card information.

For the purposes of providing technical support to users of CCA’s electronic construction documents, the CCA may collect the following types of personal information:

name;
email address;
registration number.

Use of personal information

The personal information collected by the CCA is used for the following purposes:

  • to contact the individual for instruction;
  • to issue invoices, administer accounts, collect and process payments;
  • to send CCA conference/meeting enrollment confirmation;
  • to plan and arrange for needs while in attendance at a CCA conference/meeting;
  • to develop, enhance, market, sell or otherwise provide CCA’s products and services;
  • to include you on our mailing list for CCA bulletins and event notices;
  • to administer CCA’s Gold Seal certification program;
  • to comply with any legal or regulatory requirements or provisions;
  • for any other purpose to which you consent.

We only collect personal information directly from the individual except when we have the individual’s consent to collect information from elsewhere or are permitted by law to collect it without the individual’s consent.

We use an individual’s personal information strictly for the purposes outlined above. If we need to use the personal information for any other purpose we will contact the individual and obtain consent prior to that use.

Disclosure of personal information

From time to time, the CCA may disclose your personal information to:

  • service providers, including an organization or individual retained by CCA to perform functions on its behalf, such as catering, marketing, data processing, printing, mailing, document management, and office services;
  • an organization or individual retained by the CCA to collect debts outstanding on an account;
  • a financial institution, on a confidential basis and solely in connection with negotiating payment of an account to which you have consented; and
  • any third party or parties, where you consent to such disclosure or where disclosure is required or permitted by law.

When we disclose your personal information to third parties, we require such parties to maintain levels of confidentiality and security, in addition to obtaining such third parties’ representation of the implementation of their own privacy policy.

An individual has the right to withdraw consent for our collection, use or disclosure of their personal information at any time. However, if an individual does so it may affect his/her ability to participate in programs and/or receive services provided by the CCA. If an individual wishes to withdraw consent, or has any questions about withdrawing consent, he or she can contact our privacy officer.

Business contact information is not protected by this policy. This type of information is not considered to be personal information and may be collected, used and disclosed without consent.

Storage of personal information

The CCA has appropriate safeguards in place to protect personal information. The CCA takes all reasonable precautions to ensure that your personal information is kept safe from loss, unauthorized access, modification or disclosure. Among the steps taken to protect your personal information are:

  • premises security;
  • restricted file access to personal information;
  • technological safeguards such as security software and firewalls to prevent hacking or unauthorized computer access;
  • internal password and security policies;
  • proper training of CCA’s employees in respect of privacy matters.

Accuracy of personal information

We try to keep personal information as accurate as possible and individuals can assist us by providing us with updated information when necessary. Information can be updated by contacting CCA privacy officer and president Mary Van Buren.

Retention of personal information

We only keep personal information for as long as is necessary for the purposes outlined above. This may include keeping the information after a service or program has been completed in order to resolve any problems or concerns that may arise. We are also required by law to maintain certain records for set amounts of time.

Access

Individuals have the right to access the personal information we hold about them. You can access your personal information by making a request to our Privacy Officer. The Officer will provide the necessary forms and assistance to make the request and obtain the information. If you believe that some of the personal information is incorrect you can request that the information be corrected.

The CCA may charge an individual for minimal out-of-pocket expenses in responding to an access request. If we decide that a charge is appropriate we will provide you with a written estimate prior to providing access. Any concerns with the estimated charge should be directed to our privacy officer.

Accountability

We apply our best efforts to protect your privacy. If an individual has any concerns they are free to contact our privacy officer. We hope that the Officer will be able to resolve any problems. If concerns are not resolved, the Officer can provide information on making a formal complaint.

Employment inquiries

If you apply for employment at the CCA, we will require your personal information as part of our review process. We normally retain information from candidates after a decision has been made, unless you ask us not to retain the information. If we offer you a job, which you accept, the information will be retained in accordance with our privacy procedures for employee records.

Website

CCA’s website may contain links to other sites, which are not governed by this privacy policy.

On our website, like most other commercial websites, we may monitor traffic patterns, site usage and related site information in order to optimize our web service. We may provide aggregated information to third parties, but these statistics do not include any identifiable personal information.

Policy on privacy breaches/protection of personal information

Background/Purpose: The Personal Information Protection and Electronic Documents Act (“PIPEDA”) governs the CCA in respect of any Personal Information it collects in the course of its operations. PIPEDA has specific requirements that must be followed in the event of unauthorized access to such Personal Information and the purpose of this Policy is to set out the steps that must be followed in the event of unauthorized access to Personal Information held by CCA. 

Application:  This Policy applies to a Breach in respect of Personal Information under the control of CCA, including information held by CCA and Personal Information CCA has provided to a third-party for processing, in the event of a Breach of such third-party.

Responsibility. The CCA Privacy Officer, or their designate, shall be responsible for implementing the steps set out in this Policy.

Interpretation.  For the purposes of this Policy:

  • Breach” is a compromise of security safeguards involving Personal Information under CCA control or the loss of, unauthorized access to or unauthorized disclosure of Personal Information resulting from a breach of CCA’s security safeguards, or from a failure to establish those safeguards. For clarity, a Breach can occur in the event of access to only the Personal Information of a single individual. 
  • Personal Information” is defined in PIPEDA as “information about an identifiable individual” and includes any information identified as such by the CCA’s Privacy Policy.   
  • Commissioner” means the Privacy Commissioner of Canada;
  • Compromised Person” means a person whose Personal Information was accessed, disclosed or compromised as a result of a Breach. “Real Risk of Significant Harm” or “RROSH” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. Factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm include the sensitivity of the personal information involved in the breach of security safeguards and the probability the personal information has been/is/will be misused.”

In the Event of Breach:

Internal Notification.  In the event a Breach is suspected or detected, the individual who suspects or detects same shall immediately notify the Privacy Officer at [email protected], who shall notify the CCA President immediately on receipt of such notification.

Process on Breach:

In the event of a Breach, the following steps are required:

  1. Take all possible steps to contain the Breach and secure Personal Information.
  2. Determine the extent of the Breach, including the nature of the Breach and the Personal Information that may have been compromised.
  3. Determine whether the Breach meets the criteria for notification of the Commissioner and Compromised Persons pursuant to PIPEDA, specifically, a notification of breach is required if the Breach could result in Real Risk of Significant Harm (RROSH) to a Compromised Person.

If a Breach requires such notification the CCA must:

  • Notify the Commissioner, using the online form of report available on the Commissioner’s website.
  • Notify the Compromised Persons whose Personal Information was implicated in the Breach.  This notification must occur as soon as feasible after the Breach/determination that a RROSH occurred, must be written in language that is easily understandable and not overly legalistic and must contain:
    • sufficient information to allow the Compromised Person to understand the significance of the Breach, including a description of the Personal Information that was compromised (to the extent same is known);
    • the steps, if any, the Compromised Person should take to reduce the risk of harm or mitigate the harm that could occur from the Breach;
    • a description of the circumstances of the breach, including without limitation the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
    • the steps the CCA has taken to reduce the risk of potential harm that could result from the Breach; and
    • CCA contact information that the Compromised Person can use to obtain further information about the Breach.
  • Notification to Third Parties. In addition to the above, the CCA is required to notify any organizations or institutions that could take steps to mitigate the effects of the Breach, including third parties with whom CCA shares Personal Information (for example, third party payment processors) or the police, if the police could reduce or mitigate harm.   This notification is only required where the Real Risk of Significant Harm threshold is met.

If a Breach does not require such notification: the Breach should be reviewed by the Privacy Officer, which shall determine whether or not further steps are required or desirable. Note that a record of a Breach is required even if a notification is not.

Keep a record of the Breach.  CCA must keep a record of any Breach, whether or not notification of the Commissioner and any Compromised Persons is required and whether or not the Breach resulted in an RROSH, as follows:

  1. These records must be kept for a period of at least two (2) years. 
  2. Records of Breach shall be submitted to [email protected] once complete for record-keeping purposes.
  3. A record of a Breach must include:
    • The date or estimated date of the Breach.
    • A general description of the circumstances of the Breach and the cause of such Breach, if known
    • The nature of the Personal Information involved in the Breach and a description of such information, as much as is possible. A record of a Breach does not need to include the Personal Information compromised itself, unless circumstances of the Breach require same.
    • What steps have been taken to reduce the risk of harm to individuals whose Personal Information was impacted by the Breach.
    • What steps have been taken (or will be taken) to notify any individuals whose Personal Information was impacted by the Breach.
    • Whether the Breach was reported to the Commissioner and Compromised Persons
    • Enough detail in respect of the Breach for the Commissioner to assess whether there was a Real Risk of Significant Harm and whether CCA otherwise met its obligations to report and notify in respect of the Breach.
    • If the CCA did not determine that there was an RROSH and did not report the Breach to the Commissioner or Compromised Persons, the report should include a brief explanation of the reasons for these decisions.
    • If the CCA seeks legal or other professional advice in respect of a Breach, same should be noted in the report and a copy of such advice should be retained.

Reporting:  All Breaches and the steps taken to address same will be reported to the President.  The President shall notify the Chair of the Board in the event of a Breach.

Amendment of this privacy policy

The CCA will from time to time review and revise its privacy practices and this privacy policy. In the event of any amendment, an appropriate notice will be posted on CCA’s website.

Policy approval

This Policy was approved on Feb. 1, 2025 by the CCA Privacy Officer.

Contact information

The CCA has appointed a Privacy Officer to oversee compliance with this privacy policy and applicable privacy laws. For information on CCA’s privacy practices, please contact our privacy officer at:

Canadian Construction Association
Privacy Officer
250 Albert Street, Suite 300
Ottawa, ON K1P 6M1
Tel: 613-236-9455
Email: [email protected]