EY is committed to respecting personal privacy. We recognize and respect every individual's right to privacy and acknowledge our obligation to preserve the confidentiality of personal information.
The Protection of Personal Information
EY collects, uses and discloses personal information in accordance with all applicable laws and the following 10 principles, which reflect the principles articulated in the Personal Information Protection and Electronic Documents Act (Canada).
Personal information is information about an identifiable individual, recorded in any form and includes, but is not limited to, such things as race, ethnic origin, age, marital status, religion, education, medical, criminal, employment or financial information, address and telephone number or numerical identifiers such as a Social Insurance Number. It does not include the name, title, business address or business telephone number of an employee of an organization.
The 10 Privacy Principles
- Identifying Purposes
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Individual Access
- Challenging Compliance
Ernst & Young LLP
Ernst & Young Tower
100 Adelaide Street West
EY is also responsible for personal information that has been transferred to a third party for processing. We may transfer personal information to third parties for reasons such as data warehousing or administrative services, where the third parties do not make any independent use of the personal information. The firm will use contractual or other means to require such parties to commit to protecting personal information to a level comparable to that provided by EY.
a. procedures to protect personal information;
b. procedures to receive and respond to complaints and inquiries; and
c. training staff and communicating to staff information about EY's policies and practices.
2. Identifying Purposes
EY will identify the purposes for which personal information is collected at or before the time it is collected. The purposes for which information is collected used or disclosed by EY must be those that a reasonable person would consider are appropriate in the circumstances. When EY uses personal information that has been collected for a purpose not previously identified, it will identify the new purpose for the individual to whom the personal information relates prior to using the information in that manner except as permitted or required by law.
EY will obtain the consent of the individual for the collection, use or disclosure of personal information, except where not required to do so by law. To make the consent meaningful, EY will ensure the individual is advised of the purposes for which the personal information is used or disclosed in a reasonably understandable manner.
The form and manner of obtaining consent may vary from express written consent to implied consent, depending upon the circumstances and the type of information. In determining the form and manner of consent, EY will take into account the sensitivity of the information and the reasonable expectations of the individual.
We will collect, use or disclose personal information without consent only where permitted or required by law. For example, when information is being collected for the detection and prevention of fraud, seeking the consent of the individual might defeat the purpose of collecting the information.
Individuals may withdraw their consent at any time, subject to legal or contractual restrictions, by providing reasonable notice to EY. EY will inform the individual of the implications, if any, of such withdrawal.
4. Limiting Collection
EY will limit the collection of personal information to that which is necessary for the identified purposes. EY will only collect personal information by fair and lawful means, and for purposes that a reasonable person would consider appropriate in the circumstances.
5. Limiting Use, Disclosure and Retention
EY will not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required or permitted by law. EY will only use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. EY generally uses personal information about clients for fair and legitimate purposes relating to the provision of professional services, including obtaining and carrying out client instructions, reporting and communicating with clients, billing and accounting and protecting against fraud, illegal activities and error. To carry out these fair and legitimate purposes, we may from time to time, disclose our client's personal information to Ernst & Young Global Limited member firms, government or regulatory agencies and other third parties to perform services on behalf of EY for the purposes explained in this section.
EY shall retain personal information for the period of time necessary to fulfil the purposes for which the personal information was collected and in accordance with EY's document retention policies. These policies take into account the rules of professional conduct which govern the practice of public accounting and any applicable legal or regulatory requirements. Personal information no longer required to fulfil its identified purposes will be destroyed, erased or made anonymous in a secure manner in accordance with EY's document retention policies.
EY will endeavour to ensure that personal information will be as accurate, complete, and up-to-date as is necessary to fulfil the purposes for which it is to be used. The firm will not routinely update personal information, unless this is necessary to fulfil the purposes for which the information was collected.
EY will take reasonable measures to protect all personal information against loss or theft as well as unauthorized access, disclosure, copying, use or modification by security safeguards appropriate to the sensitivity of the information.
The methods of protection include:
a. physical measures (e.g., locked filing cabinets and restricted access to offices);
b. organizational measures (e.g., security clearances and policies governing access to information); and
c. technological measures (e.g., the use of passwords and encryption).
9. Individual Access
Upon request, EY will inform an individual of the existence, use, and disclosure of his or her personal information and provide access to that information, except where access is not required by law. Individuals can challenge the accuracy and completeness of personal information controlled by EY and may have it amended, if appropriate.
Additional rights may apply to personal data subject to the EU General Data Protection Regulation (GDPR). See EY’s Binding Corporate Rules for more information, including Appendix 2 of the BCR governing subject access requests.
10. Challenging Compliance