Personal Information Protection and Electronic Documents Act. (PIPEDA)

PIPEDA is federal legislation overseen by the Federal Privacy Commissioner and enforced by the federal court.


1. All data collected from customers must be intended for reasonable purposes and obtained with consent.
2. Utilized only on the basis for which it was collected, that is, consent must be obtained for any additional purpose.
3. It is the company’s responsibility to ensure that if data is stored, it must be accurate.
4. Data must be accessible (for possible inspection).

For the purposes of PIPEDA the following is considered personal info:

1. Names of persons 

2. Names of businesses 

3. Addresses 

4. Telephone numbers 

5. Gender 

6. Numbers (ie. SIN) 

7. Bank information 

8. Intention to purchase goods or services

Rough Policy Wording

1. (Accountability) C3RM is responsible for all personal information under its control, including any personal information that is transferred to third parties for processing, storage or other purposes. 

2. C3RM identifies the purpose for which your personal information is collected. We do this before or at the time the information is actually being collected.
3. (Consent) C3RM obtains your consent to collect, use or disclose personal information. You can change your consent preferences at any time by contacting us.
4. C3RM collects only the information required to implement our services. If we require data from a customer for further purposes, we will first obtain consent.
5. (Disclosure) C3RM uses personal information solely for the purposes it was collected. C3RM will never sell information to another company or person for any reason.
6. C3RM ensures retained personal data is accurate and relevant for its intended purposes. Customers may request access to our records in order to view and amend or correct them as necessary.
7. C3RM takes the following steps to ensure your privacy:

  • Information is only accessible to the relevant employee on a need-to-know basis.
  • Our office practices IT security including the use of password protection and encryption.
  • Hard copies of files containing personal data are locked.
  • Back-up copies are accounted for and under C3RM’s full control.

8. C3RM publishes its privacy policy here.
9. You can request access to your personal information kept on file by contacting us in-writing or by telephone. We will provide your full record and allow you to make amendments.
10. C3RM will always respond in a timely fashion regarding your personal data. You can contact us at 519.747.2549.

Complaints can be forwarded in writing to:


375 Hagey Boulevard, Suite 302

Waterloo, Ontario N2L 6R5

Attn: Director of Privacy Policy

C3RM is dedicated to improving cyber risk awareness and developing better cyber risk management technologies, programs and practices.