Ernst & Young LLP Privacy Policy

EY is committed to respecting personal privacy. We recognize and respect every individual's right to privacy and acknowledge our obligation to preserve the confidentiality of personal information.
This Privacy Policy applies to EY in its collection, use and disclosure of personal information in the course of commercial activities. These standards are in addition to our usual professional obligations of confidentiality relating to all client information in accordance with the rules established by the Institutes of Chartered Accountants. The term EY refers to Ernst & Young LLP and other Ernst & Young Global Limited member firms in Canada.
EY does not collect, use or disclose personal information except for the purposes of conducting its business of providing professional services to its clients. EY reserves the right to modify the terms and conditions of this Privacy Policy at any time, and such modifications shall be effective immediately, unless otherwise provided.
The Protection of Personal Information
EY collects, uses and discloses personal information in accordance with all applicable laws and the following 10 principles, which reflect the principles articulated in the Personal Information Protection and Electronic Documents Act (Canada).
Personal information is information about an identifiable individual, recorded in any form and includes, but is not limited to, such things as race, ethnic origin, age, marital status, religion, education, medical, criminal, employment or financial information, address and telephone number or numerical identifiers such as a Social Insurance Number. It does not include the name, title, business address or business telephone number of an employee of an organization.
The 10 Privacy Principles
  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure, and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance
1. Accountability
EY is responsible for the personal information under its control and has designated a Privacy Officer who is accountable for ensuring the firm's compliance with this Privacy Policy.  The Privacy Officer may, from time to time, designate one or more other individuals within EY to act on his or her behalf. The Privacy Officer may be contacted as follows:
Privacy  Officer
Ernst & Young LLP
Ernst & Young Tower
100 Adelaide Street West
Toronto, Ontario
M5H 0B3
EYCanada.Privacy.Officer@ca.ey.com
EY is also responsible for personal information that has been transferred to a third party for processing. We may transfer personal information to third parties for reasons such as data warehousing or administrative services, where the third parties do not make any independent use of the personal information. The firm will use contractual or other means to require such parties to commit to protecting personal information to a level comparable to that provided by EY.
EY's policies and practices that give effect to the principles and procedures in this Privacy Policy, include:
a. procedures to protect personal information;
b. procedures to receive and respond to complaints and inquiries; and
c. training staff and communicating to staff information about EY's policies and practices.
EY will monitor compliance with the policies and procedures in this Privacy Policy on an ongoing basis.
2. Identifying Purposes
EY will identify the purposes for which personal information is collected at or before the time it is collected. The purposes for which information is collected used or disclosed by EY must be those that a reasonable person would consider are appropriate in the circumstances. When EY uses personal information that has been collected for a purpose not previously identified, it will identify the new purpose for the individual to whom the personal information relates prior to using the information in that manner except as permitted or required by law.
3. Consent
EY will obtain the consent of the individual for the collection, use or disclosure of personal information, except where not required to do so by law. To make the consent meaningful, EY will ensure the individual is advised of the purposes for which the personal information is used or disclosed in a reasonably understandable manner.
The form and manner of obtaining consent may vary from express written consent to implied consent, depending upon the circumstances and the type of information. In determining the form and manner of consent, EY will take into account the sensitivity of the information and the reasonable expectations of the individual.
We will collect, use or disclose personal information without consent only where permitted or required by law. For example, when information is being collected for the detection and prevention of fraud, seeking the consent of the individual might defeat the purpose of collecting the information.
Individuals may withdraw their consent at any time, subject to legal or contractual restrictions, by providing reasonable notice to EY. EY will inform the individual of the implications, if any, of such withdrawal.
4. Limiting Collection
EY will limit the collection of personal information to that which is necessary for the identified purposes. EY will only collect personal information by fair and lawful means, and for purposes that a reasonable person would consider appropriate in the circumstances. 
5. Limiting Use, Disclosure and Retention
EY will not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required or permitted by law. EY will only use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. EY generally uses personal information about clients for fair and legitimate purposes relating to the provision of professional services, including obtaining and carrying out client instructions, reporting and communicating with clients, billing and accounting and protecting against fraud, illegal activities and error. To carry out these fair and legitimate purposes, we may from time to time, disclose our client's personal information to Ernst & Young Global Limited member firms, government or regulatory agencies and other third parties to perform services on behalf of EY for the purposes explained in this section.
EY shall retain personal information for the period of time necessary to fulfil the purposes for which the personal information was collected and in accordance with EY's document retention policies. These policies take into account the rules of professional conduct which govern the practice of public accounting and any applicable legal or regulatory requirements. Personal information no longer required to fulfil its identified purposes will be destroyed, erased or made anonymous in a secure manner in accordance with EY's document retention policies.
6. Accuracy
EY will endeavour to ensure that personal information will be as accurate, complete, and up-to-date as is necessary to fulfil the purposes for which it is to be used. The firm will not routinely update personal information, unless this is necessary to fulfil the purposes for which the information was collected.
7. Safeguards
EY will take reasonable measures to protect all personal information against loss or theft as well as unauthorized access, disclosure, copying, use or modification by security safeguards appropriate to the sensitivity of the information.
The methods of protection include:
a. physical measures (e.g., locked filing cabinets and restricted access to offices);
b. organizational measures (e.g., security clearances and policies governing access to information); and
c. technological measures (e.g., the use of passwords and encryption).
8. Openness
EY will make readily available to individuals specific information about its policies and practices relating to the management of personal information. All enquiries about this Privacy Policy or the firm's personal information management practices are to be referred to the Privacy Officer.
9. Individual Access
Upon request, EY will inform an individual of the existence, use, and disclosure of his or her personal information and provide access to that information, except where access is not required by law. Individuals can challenge the accuracy and completeness of personal information controlled by EY and may have it amended, if appropriate.
Additional rights may apply to personal data subject to the EU General Data Protection Regulation (GDPR). See EY’s Binding Corporate Rules for more information, including Appendix 2 of the BCR governing subject access requests.
10. Challenging Compliance
All enquiries about this Privacy Policy or the personal information management practices of EY are to be referred to our Privacy Officer as indicated in paragraph 1. We will inform individuals who make inquiries or lodge complaints about our complaint procedures. EY will investigate all complaints. If a complaint is found to be justified, we will take appropriate measures, including, if necessary, amending our policies and practices.